
Master Branch disable TLS 1.0 by default

Discussion in 'Centmin Mod Github Commits' started by eva2000, Sep 2, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    disable TLS 1.0 by default

    For HTTPS based sites, disable TLS 1.0, as the industry is deprecating it in favour of the more secure TLS 1.1, TLS 1.2 and soon TLS 1.3 for better security and performance. This is controlled by the new variable DISABLE_TLSONEZERO_PROTOCOL='y'. You can re-enable TLS 1.0 if you require it via the persistent config file /etc/centminmod/custom_config.inc: set DISABLE_TLSONEZERO_PROTOCOL='y', re-run centmin.sh once and exit from the centmin.sh menu to apply the change. You can verify whether TLS 1.0 is enabled or disabled by checking /usr/local/nginx/conf/ssl_include.conf to see if TLSv1 is present. If TLSv1 is present, then TLS 1.0 is enabled. By default only TLS 1.1 (TLSv1.1) and TLS 1.2 (TLSv1.2) are now enabled, plus TLS 1.3 (TLSv1.3) if OpenSSL 1.1.1 is detected. You can also verify your site's supported TLS protocols via the SSLLabs test at https://www.ssllabs.com/ssltest/index.html


    Centmin Mod Github Master branch

    Master branch is where most recent commits are made as at May 24, 2015.
     
  2. Andy

    Andy Premium Member Premium Member

    Hi @eva2000
    I just ran an SSL Labs test and found that my site still has support for TLS 1.0 and 1.1.
    So I edited /usr/local/nginx/conf/ssl_include.conf and removed the old TLS versions so it only has
    ssl_protocols TLSv1.2 TLSv1.3;

    Then I ran centmin.sh and exited.
    Checked the ssl_include.conf file again and it's all good.
    Then rescanned with the Qualys SSL Labs test and it still shows TLS 1.0 and 1.1 as supported.
    Anything else I need to check?

    EDIT to say: every time I recompile nginx, TLS v1.0 and 1.1 are added back to /usr/local/nginx/conf/ssl_include.conf
     
  3. eva2000

    eva2000 Administrator Staff Member

    DISABLE_TLSONEZERO_PROTOCOL='y' was for disabling TLSv1.0 (Beta Branch - disable TLS 1.0 by default), but it needs an update to disable TLSv1.1 too.

    Yeah, it's a bug which I ran into for my private Nginx HTTP/3 patch branch of 123.09beta01 that I tested just recently for SSL - Caddy v2 versus Centmin Mod Nginx HTTP/2 & HTTP/3 HTTPS Benchmarks.

    So I will have to do an update for it soon.
     
  4. eva2000

    eva2000 Administrator Staff Member

  5. Dnyan

    Dnyan Member

    It's still not changing the protocol; I ran centmin.sh twice and exited.
    Finally removed it by editing:
    Code:
    /usr/local/nginx/conf/ssl_include.conf
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yeah, it seems to not work sometimes; I will need to investigate, or just disable TLSv1.0 and TLSv1.1 by default :)
     
  7. Sunka

    Sunka Well-Known Member

    Tried it and it's still not working.
    I have also manually edited the file and recompiled nginx, and it's still the same.
    Code:
    # cat /usr/local/nginx/conf/ssl_include.conf
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1.2 TLSv1.3;
     
  8. Jimmy

    Jimmy Well-Known Member

    Would it have something to do with Cloudflare? Doesn't CF have a setting too?
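As an added example (not Centmin Mod's own code, and not posted by anyone in this thread), the following POSIX shell script does the two checks the commit message describes and the one Jimmy's question points at: it reads the ssl_protocols directive out of an ssl_include.conf and lists any pre-TLS 1.2 versions still enabled, reads DISABLE_TLSONEZERO_PROTOCOL from a custom_config.inc (the persistent file the commit says survives a centmin.sh re-run, unlike a hand edit of ssl_include.conf), and probes a live listener per protocol version with openssl s_client against the origin IP. The origin-IP probe matters when a site is proxied through Cloudflare: SSL Labs then tests Cloudflare's edge, not the nginx on your server, so matching results there say nothing about ssl_include.conf. Assumptions not taken from the thread: the config files are plain text with one directive per line, openssl(1) is installed for the probe, and the origin IP, hostname and sample config contents used below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Centmin Mod's code. Checks which TLS protocol versions an
# nginx ssl_include.conf enables, reads the persistent Centmin Mod setting, and
# probes a live listener per protocol version. Sample inputs are constructed.

# Print the protocol tokens of the ssl_protocols directive read on stdin,
# one per line. Commented-out directives are ignored.
ssl_protocols_from_conf() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p' |
        tr -s ' \t' '\n' | sed '/^$/d'
}

# Exit 0 if the exact protocol token (TLSv1, TLSv1.1, ...) is enabled in the
# config read on stdin, 1 otherwise.
conf_enables() {
    ssl_protocols_from_conf | grep -qx "$1"
}

# Print the deprecated (pre-TLS 1.2) protocols enabled in the config on stdin.
# Prints nothing and still exits 0 when the config is clean.
weak_protocols() {
    ssl_protocols_from_conf |
        grep -x -e 'SSLv2' -e 'SSLv3' -e 'TLSv1' -e 'TLSv1.1' || true
}

# Print the value of DISABLE_TLSONEZERO_PROTOCOL from a custom_config.inc read
# on stdin ("y", "n", or "unset"); the last assignment wins, as in the shell.
tlsonezero_setting() {
    v=$(sed -n "s/^[[:space:]]*DISABLE_TLSONEZERO_PROTOCOL=['\"]\{0,1\}\([yn]\)['\"]\{0,1\}.*/\1/p" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# Probe one protocol version directly against the origin, bypassing a CDN:
# -connect targets the origin IP, -servername carries the site name for SNI.
# $3 is an openssl s_client version flag: -tls1, -tls1_1, -tls1_2 or -tls1_3.
# openssl exits 0 only if the handshake succeeded. Caveat: a client OpenSSL
# built without TLS 1.0/1.1 support reports "disabled" regardless of the server.
# Not executed by the test below (needs a network).
probe_tls() {
    ip=$1; host=$2; flag=$3
    if printf '' | openssl s_client -connect "$ip:443" -servername "$host" "$flag" >/dev/null 2>&1; then
        echo "$host $flag enabled"
    else
        echo "$host $flag disabled"
    fi
}

# Constructed sample resembling the default include file before hardening.
sample='ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;'

echo "deprecated protocols still enabled in sample:"
printf '%s\n' "$sample" | weak_protocols
# A live run would look like (constructed placeholders):
#   for f in -tls1 -tls1_1 -tls1_2 -tls1_3; do probe_tls 203.0.113.10 example.com $f; done
```

Run the config checks against the real files with `weak_protocols < /usr/local/nginx/conf/ssl_include.conf` and `tlsonezero_setting < /etc/centminmod/custom_config.inc`; an empty first result together with a clean SSL Labs report, or a clean origin-IP probe when the site sits behind Cloudflare, is the end-to-end confirmation the commit message asks for.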