ssl_protocols

The 'ssl_protocols' directive specifies the SSL/TLS protocols that are allowed to be used by NGINX.

Syntax: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Default: SSLv3;
Context: http, server
Arguments: 1+

Description

The 'ssl_protocols' directive defines which SSL and TLS protocol versions NGINX permits for secure connections. It improves security by letting administrators list only the versions they deem safe and necessary, which effectively disables older, potentially vulnerable protocols such as SSLv2 and SSLv3. Protocol options include 'TLSv1', 'TLSv1.1', 'TLSv1.2' and 'TLSv1.3'; a deprecated protocol is disabled by omitting it from the list. The parameters given to this directive should reflect current security standards, because leaving deprecated versions enabled can expose servers to various vulnerabilities.

Config Example

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_protocols TLSv1 TLSv1.2;
}

Check compatibility with client browsers when disabling older protocols.

If using a version prior to 1.15.0, do not specify TLSv1.3 as it is not supported.

Make sure to periodically review and update the allowed protocols based on security advisories.
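
One way to make that periodic review repeatable is a small audit script. The following is an added example, not part of the original page or of NGINX itself; the function name audit_ssl_protocols and the sample configuration are constructed for illustration. It goes slightly beyond the page by also flagging TLSv1 and TLSv1.1, which RFC 8996 formally deprecates.

```python
import re

# Deprecated protocol names: SSLv2 (RFC 6176), SSLv3 (RFC 7568),
# TLSv1 and TLSv1.1 (RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
http {
    # ssl_protocols SSLv3;   (commented out, must be ignored)
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.2;
    }
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2
                      TLSv1.3;
        proxy_ssl_protocols TLSv1.1;
    }
}
"""

def audit_ssl_protocols(conf_text):
    """Return one finding per client-facing ssl_protocols directive."""
    findings = []
    # Drop comments but keep line breaks so line numbers stay correct.
    # Simplification: assumes no '#' inside quoted strings.
    stripped = re.sub(r"#[^\n]*", "", conf_text)
    # A directive runs to the next ';' and may span several lines.
    # The lookbehind skips proxy_ssl_protocols and similar directives,
    # which govern upstream connections rather than client connections.
    pattern = r"(?<![\w.])ssl_protocols\s+([^;{}]*);"
    for m in re.finditer(pattern, stripped):
        enabled = m.group(1).split()
        findings.append({
            "line": stripped.count("\n", 0, m.start()) + 1,
            "enabled": enabled,
            "deprecated": [p for p in enabled if p in DEPRECATED],
        })
    return findings

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONF):
        status = "WEAK" if f["deprecated"] else "ok"
        print(f"line {f['line']}: {status} enabled={f['enabled']} "
              f"deprecated={f['deprecated']}")
```

Passing the output of `nginx -T` to the function covers included files as well, since that command dumps the full effective configuration.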
