TLS 1.0 and 1.1 seem to still be enabled on NGINX

Hi there
Got a security alert sent to me by one of my clients that their site, which is running on NGINX using the standard WordPress web template in Hestia, is showing TLS 1.0 and 1.1 are still enabled.
I checked two other sites on the same Hestia install and one of them also had 1.0 and 1.1 enabled, while the 3rd site had them disabled.
In the main nginx.conf I see that only 1.2 and 1.3 are enabled, and I haven’t modified any of the templates, so I’m trying to figure out how this is happening.

Any ideas on where I can check this or somehow force them to be disabled on a global level (which I thought it was already doing)?

Thanks!

Hi @tamerax,

You could check whether any conf used by your domains defines a different ssl_protocols directive than the main nginx conf file:

grep -Ri TLSv1 /etc/nginx/ /home/*/conf/web/*/nginx*

You can also use curl, openssl, testssl.sh, etc. to find out which TLS versions your sites support.

You can also test it online:

Thanks!
The output of that grep:

/etc/nginx/nginx.conf: ssl_protocols TLSv1.2 TLSv1.3;

So that basically confirms, I believe, what I said earlier, which is that I don’t have it set anywhere else. I am only using the stock web templates that came with Hestia.

It’s extra weird that some sites on the server are fine and others are listed as using 1.0 and 1.1. I’m just unsure how something could be bypassing the NGINX directives.

I got the same as you:

# SSL PCI compliance
ssl_buffer_size 1369;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RS>
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_early_data on;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets on;
ssl_session_timeout 7d;
resolver 127.0.0.53 valid=300s ipv6=off;
resolver_timeout 5s;
# Error pages

@tamerax and @chiawuese,

Are you using a CDN to proxy those domains? Are you using Nginx+Apache or only Nginx?

Could you please share what your domains are? If you don’t want to share them publicly you can send me a private message.

Hestia “only”

Cloudflare

Please, if you can help: I installed the default configuration, so Apache and nginx were installed for me. Sorry, for these reasons I’m afraid to share links here.

I could help if I had the info. By default, the nginx provided by Hestia only uses TLS 1.2 and 1.3, so I don’t know if you modified something, are using a CDN, etc.

Cloudflare may add legacy support, but this can be easily disabled in their settings :sunglasses::muscle:


Can confirm that a domain running on ‘straight Hestia’ has 1.0 and 1.1 disabled. But if you add the Cloudflare proxy in front of that, it adds 1.0 and 1.1 back in.
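The two checks suggested earlier in the thread (grep the nginx configs for ssl_protocols, then probe the live endpoint with an SSL client), plus the edge-versus-origin comparison that explains the Cloudflare finding, as one added Python example. This is not code from the thread or from Hestia: the sample config texts are constructed (their paths only mirror the grep glob /home/*/conf/web/*/nginx* above), and probe_tls_versions is a hypothetical helper built on Python's standard ssl module. Probing the public hostname reports what the CDN edge accepts; connecting to the origin's IP while still sending the hostname as SNI reports what the nginx instance itself accepts, which is how you tell a permissive edge apart from a misconfigured origin.

```python
"""Audit nginx ssl_protocols directives and probe which TLS versions an endpoint accepts.

Added example for this thread, not Hestia's code. Sample configs below are
constructed; the paths mirror the grep glob used earlier in the thread.
"""
import re
import socket
import ssl
import sys

# Versions that should no longer be negotiable (the ones the client's scanner flagged).
LEGACY_VERSIONS = ("TLSv1", "TLSv1.1")

# An uncommented ssl_protocols directive; the group captures its argument list.
_SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)

# Every version the probe will offer, one handshake each.
_PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample: the main conf is correct, one per-domain include re-enables
# legacy versions, and a commented-out directive must not count as a finding.
SAMPLE_CONFIGS = {
    "/etc/nginx/nginx.conf": (
        "http {\n    # SSL PCI compliance\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n"
    ),
    "/home/example/conf/web/example.test/nginx.ssl.conf": (
        "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
    ),
    "/home/example/conf/web/other.test/nginx.ssl.conf": (
        "server {\n    # ssl_protocols TLSv1 TLSv1.1;\n    ssl_protocols TLSv1.2;\n}\n"
    ),
}


def find_legacy_tls(configs):
    """Return {path: [legacy versions]} for every config that still permits TLS 1.0/1.1."""
    findings = {}
    for path, text in configs.items():
        for match in _SSL_PROTOCOLS_RE.finditer(text):
            offered = set(match.group(1).split())
            legacy = [v for v in LEGACY_VERSIONS if v in offered]
            if legacy:
                findings.setdefault(path, []).extend(legacy)
    return findings


def probe_tls_versions(server_name, connect_host=None, port=443, timeout=5.0):
    """Handshake once per TLS version: True if accepted, False if refused, None if
    the local OpenSSL cannot even offer that version.

    `server_name` is sent as SNI. Pass the origin's IP as `connect_host` to bypass a
    CDN edge and test the nginx instance behind it; then compare the two result sets.
    """
    results = {}
    for name, version in _PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; relax it so
            # a failed handshake reflects the server's policy, not the client's.
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((connect_host or server_name, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def legacy_versions_accepted(results):
    """Filter probe results down to the legacy versions the endpoint actually accepted."""
    return [v for v in LEGACY_VERSIONS if results.get(v)]


if __name__ == "__main__":
    for path, versions in find_legacy_tls(SAMPLE_CONFIGS).items():
        print(f"{path}: permits {', '.join(versions)}")
    # Usage: python tls_audit.py www.example.test [origin-ip]
    if len(sys.argv) > 1:
        edge = probe_tls_versions(sys.argv[1])
        print("via public hostname:", edge, "legacy:", legacy_versions_accepted(edge))
        if len(sys.argv) > 2:
            origin = probe_tls_versions(sys.argv[1], connect_host=sys.argv[2])
            print("direct to origin:  ", origin, "legacy:", legacy_versions_accepted(origin))
```

If the config audit is clean and the direct-to-origin probe refuses TLS 1.0/1.1 while the public hostname accepts them, the origin is fine and the fix lives in the CDN's minimum TLS version setting, not in nginx. To run the audit against a real server, read the files the grep glob matches into the dictionary instead of SAMPLE_CONFIGS.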
