How to enable back TLSv1 and TLSv1.1 on nginx?


My nginx config file looks like:

server {
    listen          80;
    listen [::]:80;

    server_name hostserver.ru www.hostserver.ru;
    return 301 https://hostserver.ru$request_uri;

    server_tokens off;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name     hostserver.ru www.hostserver.ru;

    ssl_certificate /etc/letsencrypt/live/hostserver.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hostserver.ru/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_stapling on;
    ssl_stapling_verify on;

    root /var/www/html;
    index index.html index.htm;
    server_tokens off;

    ... some location stuff...
}

Unfortunately, TLS 1.2 is not supported by Android 4.0-4.3, so I've changed the config:

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

But after running SSLTest, the report shows that TLS 1.0 and TLS 1.1 are not supported.

Did I miss something else that needs changing in the config files? Thanks in advance.

UPDATE: I've checked the certificates with the command:

openssl s_client -tls1 (and so on) -connect example.org:443 < /dev/null

and the certificate is enabled for each protocol.


Best answer:

I don't know which ciphers work with TLSv1 and TLSv1.1. But I notice from testing sites with SSLTest that the GCM ciphers are listed against TLSv1.2 only.

You may need to use a more inclusive list of ciphers.

For example:

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Answer:

Using Ubuntu 22.04, getting TLS 1.0/1.1 to work is a massive pain, as it appears that Ubuntu's openssl 3.0 build doesn't include TLS 1.0/1.1 support at all.

I was able to get it to work by:

  1. Building openssl 1.1.1 branch from source

  2. Building nginx from source after uninstalling libssl-dev so it finds the locally built openssl, and making sure to enable the modules you need

  3. Updating the openssl config

  4. Updating the Nginx config

  5. Updating my systemd service to use the local nginx build

Caveat emptor. Keep in mind that if you do this you won't get automatic security updates.

Answer:

On a Debian bookworm server, I had to do the following to enable TLS 1.0 (for Debian squeeze clients):

  • configure ssl_ciphers DEFAULT:@SECLEVEL=0; in nginx (and ssl_protocols)
  • reconfigure my letsencrypt certificate with the certbot --key-type rsa flag

I had assumed that ssl_ciphers ALL; would enable all the ciphers, but according to the OpenSSL manpage that is not the case.

Since Certbot 2.0, the certificates are ECDSA by default so some RSA ciphers don't work.
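As an added example (not code from the question or from any of the answers): the two failure modes raised in the accepted answer and in the answer above, a cipher list with no suite that TLS 1.0/1.1 can use and a certificate whose key type matches none of the remaining suites, can be checked offline by letting OpenSSL expand the ssl_ciphers string the same way nginx does. The two config snippets are constructed to mirror the question's GCM-only list and the accepted answer's list; the cert_key_type parameter is an assumption standing in for the key type of the deployed certificate.

```python
import re
import ssl

# Constructed nginx snippets, not the poster's exact file: the first mirrors the
# question's GCM-only list, the second the accepted answer's more inclusive list.
GCM_ONLY_CONFIG = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
"""
INCLUSIVE_CONFIG = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
"""

LEGACY = ("TLSv1", "TLSv1.1")         # versions that cannot negotiate AEAD/SHA-2 suites
MODERN_ONLY = ("TLSv1.2", "TLSv1.3")  # minimum version OpenSSL prints for such suites
CERT_AUTH = {"rsa": {"RSA", "any"}, "ecdsa": {"ECDSA", "any"}}  # assumed cert key types


def parse_directives(config):
    """Return (protocol list, cipher string) from an nginx server block."""
    protos = re.search(r"ssl_protocols\s+([^;]+);", config)
    ciphers = re.search(r"ssl_ciphers\s+['\"]?([^'\";]+)['\"]?\s*;", config)
    if not protos or not ciphers:
        raise ValueError("both ssl_protocols and ssl_ciphers must be present")
    return protos.group(1).split(), ciphers.group(1)


def legacy_usable_suites(cipher_string, cert_key_type="rsa"):
    """Expand the cipher string with OpenSSL and keep the suites a TLS 1.0/1.1 client
    can negotiate against a certificate of the given key type (ECDHE-RSA-* needs an
    RSA cert, ECDHE-ECDSA-* an ECDSA cert, which is the Certbot 2.0 default)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    usable = []
    for suite in ctx.get_ciphers():
        # description is the `openssl ciphers -v` line: "NAME TLSv1.2 Kx=.. Au=RSA Enc=.. Mac=.."
        fields = suite["description"].split()
        min_version = fields[1]
        auth = next(f[3:] for f in fields if f.startswith("Au="))
        if min_version not in MODERN_ONLY and auth in CERT_AUTH[cert_key_type]:
            usable.append(suite["name"])
    return usable


def check_legacy_tls(config, cert_key_type="rsa"):
    """Map each legacy version in ssl_protocols to whether any configured suite can
    serve it; False is what SSLTest reports as 'not supported' despite the directive."""
    protocols, cipher_string = parse_directives(config)
    usable = legacy_usable_suites(cipher_string, cert_key_type)
    return {p: bool(usable) for p in protocols if p in LEGACY}


if __name__ == "__main__":
    for label, cfg in (("GCM only", GCM_ONLY_CONFIG), ("inclusive", INCLUSIVE_CONFIG)):
        print(label, "rsa:", check_legacy_tls(cfg, "rsa"), "ecdsa:", check_legacy_tls(cfg, "ecdsa"))
```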