disable old TLS-versions - only TLSv1.2 and TLSv1.3

[Goodfred]

Good evening everyone again! :)

I want to disable older TLS versions.

Am I right when I think, that I only have to remove the not wanted TLS versions in "/etc/nginx/nginx.conf" ?

(at the moment there is "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;")

(and then I have to restart NGINX?)

Or do I have to do more/other things?

The server is bbb 2.6. We've migrated 2.5 to 2.6 - thats why there is a "greenlight-old" and a "greenlight" folder additional to the "greenlight-v3" folder (the old v2 and the new v3)

I am thankful for answers again! :D

And I wish a good week!

King regards!

Goodfred

[Goodfred]

Hello again! 

I would be happy to know the right way to disable old TLS versions.

Thank you! :)

*push end*

[daniel1s...@gmail.com]

Goodfred schrieb am Montag, 28. August 2023 um 17:51:49 UTC+2:

(at the moment there is "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;")

nginx is internal.

HAproxy is your friend and with 2.6 there should be just TLSv1.2 and 1.3 active.

Have you verified it with ssllabs.com?

[daniel1s...@gmail.com]

If you need a good start for haproxy and better SSL then default BBB start with this

https://ssl-config.mozilla.org/#server=haproxy&version=2.0&config=intermediate&openssl=1.1.1f&guideline=5.7

[Goodfred]

Hello!

We've upgraded the server from an earlier version to 2.6.

Thats why, the old TLS versions are still active.

Now we have 2.7 and I search now a way, to disable old TLS versions.

Thank you for your answer! :)

Regards

Goodfred

[Goodfred]

Hello again! :)

SSL labs says that only TLS 1.2 and 1.3 are active.

From that: the matter has resolved itself! :D

Good weekend! :)