Master Branch disable TLS 1.0 by default

disable TLS 1.0 by default

For HTTPS based sites disable TLS 1.0 as industry is deprecating it in favour of more secure TLS 1.1, TLS 1.2 and soon TLS 1.3 for better security and performance. This is controlled by new variable DISABLE_TLSONEZERO_PROTOCOL='y'. You can re-enable TLS 1.0 if you require it via persistent config file /etc/centminmod/custom_config.inc set DISABLE_TLSONEZERO_PROTOCOL='y' and re-run centmin.sh once and exit from centmin.sh menu to apply the change. You can verify if TLS 1.0 is enabled or disabled via checking /usr/local/nginx/conf/ssl_include.conf to see if TLSv1 is present. If TLSv1 is preset then, TLS 1.0 is enabled. By default only TLS 1.1 (TLSv1.1) and TLS 1.2 (TLSv1.2) is now enabled and TLS 1.3 (TLSv1.3) if OpenSSL 1.1.1 is detected. You can also verify your site's TLS supported protocols via SSLLabs test at https://www.ssllabs.com/ssltest/index.html

Continue reading...

Centmin Mod Github Master branch

Master branch is where most recent commits are made as at May 24, 2015.

• Branch: https://github.com/centminmod/centminmod
• Commit History: https://github.com/centminmod/centminmod/commits/master

 

DISABLE_TLSONEZERO_PROTOCOL='y' was for disabling TLSv1.0 Beta Branch - disable TLS 1.0 by default but needs an update to disable TLSv1.1 too.

Yeah it's a bug which I ran into for my private Nginx HTTP/3 patch branch of 123.09beta01 I tested just recently for SSL - Caddy v2 versus Centmin Mod Nginx HTTP/2 & HTTP/3 HTTPS Benchmarks

So will have to do an update for soon.

 

New variable SSL_PROTOCOL_MODERN='y' to play with to set just TLSv1.2 and TLSv1.3 ssl protocols and disable TLSv1.0 and TLSv1.1 support for Nginx HTTP/2 HTTPS at Beta Branch - add SSL_PROTOCOL_MODERN variable in 123.09beta01

 

yeah seems to not work sometimes, will need to investigate or just disable TLSv1.0 and TLSv1.1 by default