Question about configuring NGINX for TLSv1.2 TLSv1.3, other security issues


Stephen Douglas Scotti

May 11, 2022, 6:09:36 PM
to openresty-en
I have a Docker container running NGINX version: nginx/1.20.2.  I did a security scan using a web service and it returns a few flags that I want to fix.

1.  nginx is prone to an information disclosure vulnerability.

insight

The default configuration of nginx uses world-readable permissions for the access.log and error.log files, which allows local users to obtain sensitive information by reading the files.

Probably not relevant because I am running in a Docker container, and I think those files are owned by root on the host in my setup.

SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection

In my .conf file I have:

http {

    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:DH+3DES:!ADH:!AECDH:!MD5:!kDHE; # !kDHE disables DHE key exchange
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # ... server blocks not shown in the post ...
}

but the scanner still flags Deprecated TLSv1.0 and TLSv1.1 Protocol Detection.

and it also flags:

Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSL/TLS, D(HE)ater)

There are a few more lower priority items flags not so much related to the NGINX config.

Just wondering if those directives need to be in the server blocks, if they are being misread by the scanner, etc. Seems like I should not be getting the warning about TLSv1.0 and TLSv1.1?

Thanks.
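The question above comes down to inheritance: in nginx, ssl_protocols set in the http block applies to every server block that does not set its own, and a server block that does set it (or that is the default server for the listening port, which is the one a scanner hitting the IP without SNI talks to) can silently widen the allowed versions again. For nginx 1.20 the compiled-in default, used when neither level sets the directive, is TLSv1 TLSv1.1 TLSv1.2; the default only became TLSv1.2 TLSv1.3 in nginx 1.23.4. The script below is an added example, not code from this thread or from the nginx project: it parses a simplified nginx config and reports the protocol set each TLS server block will actually negotiate. The sample config and the example.com host names are constructed for the demonstration; the http-level directives are the ones from the post.

```python
"""Resolve the TLS versions each nginx server block really allows.

Added example for this thread (not nginx project code, not the poster's
full config).  Applies the ssl_protocols inheritance rule: a server block
uses its own value if it sets one, otherwise the enclosing http value,
otherwise nginx's compiled-in default ("TLSv1 TLSv1.1 TLSv1.2" for 1.20).
"""
import re

NGINX_1_20_DEFAULT = ("TLSv1", "TLSv1.1", "TLSv1.2")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the poster's http-level directives plus two
# hypothetical TLS vhosts, one inheriting and one overriding ssl_protocols.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    server {                  # first server on :443, i.e. the default one
        listen 443 ssl http2;
        server_name www.example.com;
    }
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # re-enables what http{} dropped
    }
    server {
        listen 80;            # plain HTTP, ignored by the check
        server_name www.example.com;
    }
}
"""

# Words, quoted strings, and the { } ; punctuation.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Comments run from '#' to end of line ('#' inside quotes is not handled)."""
    tokens = []
    for raw in text.splitlines():
        tokens.extend(TOKEN_RE.findall(raw.split("#", 1)[0]))
    return tokens


def parse(tokens, pos=0):
    """Recursive descent into a list of (name, args, children);
    children is None for a simple directive and a list for a block."""
    items = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return items, pos + 1
        end = pos
        while end < len(tokens) and tokens[end] not in ("{", ";"):
            end += 1
        if end == len(tokens):
            raise ValueError("unterminated directive: %r" % tokens[pos:])
        name, args = tokens[pos], tokens[pos + 1:end]
        if tokens[end] == "{":
            children, pos = parse(tokens, end + 1)
            items.append((name, args, children))
        else:
            items.append((name, args, None))
            pos = end + 1
    return items, pos


def first(children, name):
    """Args of the first directive called `name` in a block, or None."""
    for dname, args, _ in children:
        if dname == name:
            return args
    return None


def effective_protocols(conf_text, nginx_default=NGINX_1_20_DEFAULT):
    """Map each TLS-enabled server (by server_name) to the protocol set it
    will negotiate once inheritance is resolved."""
    tree, _ = parse(tokenize(conf_text))
    result = {}
    for name, _, children in tree:
        if name != "http":
            continue
        http_level = first(children, "ssl_protocols")
        for sname, _, sblock in children:
            if sname != "server":
                continue
            listens = [a for d, a, _ in sblock if d == "listen"]
            if not any("ssl" in a for a in listens):
                continue                      # not a TLS listener
            label = " ".join(first(sblock, "server_name") or ["<default>"])
            own = first(sblock, "ssl_protocols")
            result[label] = set(own or http_level or nginx_default)
    return result


def deprecated_servers(conf_text, **kw):
    """Servers still accepting a deprecated version -> sorted list of those versions."""
    return {label: sorted(p & DEPRECATED)
            for label, p in effective_protocols(conf_text, **kw).items()
            if p & DEPRECATED}


if __name__ == "__main__":
    for label, protos in effective_protocols(SAMPLE_CONF).items():
        print(f"{label:22} {' '.join(sorted(protos))}")
    print("deprecated:", deprecated_servers(SAMPLE_CONF))
```

Run it against the real config (nginx -T dumps the fully included configuration) and look at the server that is default for the scanned IP:port; that, not the http block, is what an SNI-less scanner sees. The parser is deliberately minimal (no include handling, no '#' inside quoted strings), which is enough to answer the inheritance question.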

Junlong li

May 12, 2022, 8:45:20 AM
to openresty-en
OpenResty does not support the nginx 1.20 core.
Are you using nginx or OpenResty?

I don't know how the web scanner works.
If you connect to nginx with a specific TLS protocol version, you can use tcpdump + Wireshark to verify whether it is a false positive.
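A quicker way to do the check suggested above, without a packet capture, is to attempt one handshake per protocol version with the version pinned on the client side: if the server completes a TLS 1.0 or 1.1 handshake, the scanner finding is real, and if it answers with a protocol_version alert the finding is a false positive. The script below is an added example, not from this thread or from any scanner; host and port are placeholders you supply. By default it sends no SNI, which is what a scanner connecting by IP does and which makes nginx answer from the default server for that port. The verdict strings are a heuristic mapping of OpenSSL error messages, labelled as such in the code.

```python
"""Probe which TLS protocol versions a live endpoint negotiates.

Added example for this thread (not scanner or nginx code).  Each attempt
pins minimum_version == maximum_version, so a completed handshake proves
that exact version is enabled on the server.  Needs Python 3.7+; whether
TLS 1.0/1.1 can be offered at all depends on the local OpenSSL build.
"""
import socket
import ssl

VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify(error_text):
    """Heuristic verdict from an OpenSSL / socket error string."""
    t = error_text.lower()
    if "no protocols available" in t or "unsupported protocol" in t:
        return "client cannot offer"   # local OpenSSL has this version disabled
    if ("alert protocol version" in t or "wrong version number" in t
            or "handshake failure" in t):
        return "rejected by server"    # server answered with an alert
    if "eof" in t or "reset" in t or "closed" in t:
        return "rejected by server"    # server dropped the connection instead
    return "error: " + error_text


def make_context(version):
    """Client context that will offer exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # we test negotiation, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at the default security level; lower it
    # so the client can offer them.  Ignored on builds without seclevels.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host, port, server_name=None, timeout=5.0):
    """Return {version: verdict}; server_name=None sends no SNI, so nginx
    answers from the default server for that port, as an IP scanner sees it."""
    out = {}
    for label, version in VERSIONS.items():
        try:
            ctx = make_context(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                    out[label] = f"accepted ({tls.version()}, {tls.cipher()[0]})"
        except (ssl.SSLError, OSError, ValueError) as exc:
            out[label] = classify(str(exc))
    return out


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    for label, verdict in probe(host, port, sni).items():
        print(f"{label:8} {verdict}")
```

Run it once against the IP the scanner used (no SNI) and once with the site's hostname as the third argument; a difference between the two runs points at a default server block with a wider ssl_protocols than the one you configured.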