Disable TLS 1.0/1.1

I’ve followed the quick install guide on a vanilla Ubuntu.
It all works.
When I test the domain with ssllabs.com I get a grade 'B' because TLS 1.0 and 1.1 are still enabled.
Disabled those TLS versions in

  • /etc/nginx/sites-available/my-domain.conf -> no result
  • /etc/nginx/nginx.conf -> no result
  • 60-jitsi-meet.conf -> no result

Any idea where I can/should disable those TLS versions for the port 443 listener?

Did you get your cert from LetsEncrypt?

If so, does your /etc/nginx/sites-available/my-domain.conf reference /etc/letsencrypt/options-ssl-nginx.conf?

If it does, you’ll probably want to adjust that too (perhaps using suggestions from the Mozilla SSL config generator).

Yes, a Let’s Encrypt cert with the .sh script that’s provisioned with the install.

That reference doesn’t exist. The options-ssl-nginx.conf also doesn’t exist on my (Ubuntu) system.

Other suggestions are welcome.


I’m struggling with the same issue (running Nginx with LE SSL). According to the SSL Report for my installation, this server supports TLS 1.3, therefore the B grade makes no sense to me.
Is there any configuration we can adjust?

I solved the B Grade Rating issue.
After the quickstart installation my /etc/turnserver.conf looked like this in terms of ssl:

cert=/etc/coturn/certs/meet.my.com.fullchain.pem
pkey=/etc/coturn/certs/meet.my.com.privkey.pem

I commented out these self-generated cert/key lines and added, besides the LE cert/key files, the following lines:

cert=/etc/letsencrypt/live/meet.my.com/fullchain.pem
pkey=/etc/letsencrypt/live/meet.my.com/privkey.pem
dh-file=/etc/nginx/certs/dhparam.pem
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
no-tlsv1
no-tlsv1_1

At least this change gave me an A grade rating at https://www.ssllabs.com/


Hi tzumbrunnen,

Thanks for this - we’ve now disabled TLS 1.0 and 1.1, but the SSL Labs tool now caps us at a ‘B’ because “This server does not support Forward Secrecy with the reference browsers.”

We lifted your cipher-list verbatim. Do you have any suggestions as to how we can support Forward Secrecy and get a rating of higher than B?

Many thanks,
tdm

Hello,

We too have edited our coturn config and can’t get past a B. I also have not found any other sites that have config that will get us past a B.

This site (https://cipherlist.eu) had some config, but still not better than a B.

Did you check https://ssl-config.mozilla.org/ ? Their recommendations are pretty solid and you can even get ready-to-use configs for various server versions.

Note that the ssllabs test may be confused if you use coturn on port 443 via ALPN multiplexing – it’s unclear whether or not the ssllabs test bot sets an ALPN protocol at all, and thus it is possible that ssllabs only ever tests your coturn configuration but not your web server configuration (which is arguably more important, as the traffic that goes over the TURN server is already encrypted). So if you adjust TLS settings in your coturn config, make sure to also adjust your nginx/apache config.
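As an added example (not code from this thread, nor from the Jitsi, coturn or nginx projects), the following Python script does two of the checks the thread circles around. First, it feeds a cipher-list string to the local OpenSSL build through the standard `ssl` module and lists which concrete suites it expands to, flagging every suite whose key exchange is static RSA rather than ephemeral (EC)DH; that is what the "does not support Forward Secrecy" finding is about, and the cipher list from the turnserver.conf post above is included verbatim so you can see which of its entries are the offenders. Second, it offers a small probe that completes one handshake against a host with and without an ALPN value and reports the negotiated version, cipher and whether that cipher is forward secret, which is the way to tell whether a port multiplexed between coturn and nginx answers differently depending on ALPN. The forward-secret-only comparison list, the function names and the example hostname are my own assumptions, not anything the thread states.

```python
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Cipher list quoted from the /etc/turnserver.conf post above.
THREAD_CIPHER_LIST = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
)

# Constructed comparison list that only admits ephemeral key exchange
# (an assumption for this example; prefer a maintained list such as the
# Mozilla generator's for production).
FS_ONLY_CIPHER_LIST = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

# Key-exchange labels as reported in SSLContext.get_ciphers()[i]["kea"].
# Ephemeral (EC)DH provides forward secrecy, and TLS 1.3 ("kx-any") is always
# ephemeral; static RSA key transport ("kx-rsa") does not.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def forward_secret(kea: str) -> bool:
    """True if a suite with this key-exchange label gives forward secrecy."""
    return kea in FORWARD_SECRET_KX


def expand_cipher_list(cipher_list: str) -> List[Dict]:
    """Expand an OpenSSL cipher-list string into the concrete suites the local
    OpenSSL build would actually offer, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipher_list(cipher_list: str) -> Dict[str, List[str]]:
    """Split the expanded suites into forward-secret and non-forward-secret
    names. Anything under "non_fs" is a suite a client could negotiate
    without forward secrecy, which is what SSL Labs penalises."""
    suites = expand_cipher_list(cipher_list)
    return {
        "forward_secret": [s["name"] for s in suites if forward_secret(s["kea"])],
        "non_fs": [s["name"] for s in suites if not forward_secret(s["kea"])],
    }


def probe_tls(host: str, port: int = 443, alpn: Optional[List[str]] = None,
              timeout: float = 5.0) -> Dict:
    """Complete one TLS handshake and report what was negotiated. Run it once
    without ALPN and once with ["h2", "http/1.1"] to see whether a port shared
    between coturn and nginx gives different answers depending on ALPN."""
    ctx = ssl.create_default_context()
    if alpn:
        ctx.set_alpn_protocols(alpn)
    # Map the client's offered suite names to their key-exchange label so the
    # negotiated cipher can be classified the same way as in the audit above.
    kx_by_name = {s["name"]: s["kea"] for s in ctx.get_ciphers()}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return {
                "alpn_offered": alpn or [],
                "alpn_selected": tls.selected_alpn_protocol(),
                "version": version,
                "cipher": name,
                "forward_secret": forward_secret(kx_by_name.get(name, "kx-unknown")),
            }


def main(argv: List[str]) -> None:
    for label, cipher_list in (("thread list", THREAD_CIPHER_LIST),
                               ("FS-only list", FS_ONLY_CIPHER_LIST)):
        report = audit_cipher_list(cipher_list)
        print(f"{label}: {len(report['forward_secret'])} forward-secret suites, "
              f"{len(report['non_fs'])} without forward secrecy")
        for name in report["non_fs"]:
            print(f"  no forward secrecy: {name}")
    if len(argv) > 1:  # e.g. python audit_tls.py meet.example.org (placeholder host)
        host = argv[1]
        for alpn in (None, ["h2", "http/1.1"]):
            print(probe_tls(host, 443, alpn))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to audit the two lists offline; pass a hostname to also perform the two ALPN probes against port 443. If the two probes report different certificates, versions or ciphers, the port really is being demultiplexed on ALPN and both the coturn and the nginx TLS settings need to be hardened, not just one of them.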