
SSL Labs began downgrading website ratings in January 2020 for those still using the TLS 1.0 and TLS 1.1 protocols.
For a small percentage of your audience, namely those using deprecated browsers and OS versions, disabling TLS 1.0 and 1.1 and improving cipher strength will cause issues.
Should I enable TLS v1.3 if I disable TLS v1.0 and v1.1?
Yes, even if you keep TLS 1.0 and 1.1, you should definitely enable TLS v1.3. TLS 1.3 is faster than TLS 1.2, and most mainstream browsers already support it.
How to disable TLSv1.0 and 1.1 and enable TLSv1.3
At least two different configuration files will be edited:
/etc/nginx/nginx.conf
/etc/nginx/sites-available/example.com (or /default)
We may also edit this third configuration file if you use Certbot / Let’s Encrypt:
/etc/letsencrypt/options-ssl-nginx.conf
Step 1: Edit the nginx.conf
First, we need to back up the nginx.conf configuration file:
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf-backup-tls
Then edit this configuration file, for example with Nano:
sudo nano /etc/nginx/nginx.conf
Find the following line within an http { } block. The line may or may not be commented out with a leading hash (#):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
Remove TLSv1 and TLSv1.1 from the line and add TLSv1.3. The line should now look like this:
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
Save the file by pressing Ctrl + X, then press Y to save and exit.
Reload Nginx:
sudo service nginx reload
Last but not least, use the SSL Labs server testing service to see if TLS 1.0 and 1.1 are effectively disabled on your host. In some cases, Step 1 may already be sufficient.
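The article names three files that may carry an ssl_protocols line, so a local check before the SSL Labs scan is to list every active directive that still enables TLSv1 or TLSv1.1. The following shell functions are an added example, not part of the original article; the names legacy_tls_lines and audit_tls are made up for this sketch, and it assumes each directive is written on a single line.

```shell
#!/bin/sh
# Added example: find ssl_protocols directives that still enable TLSv1/TLSv1.1.
# Assumption: each directive is written on a single line.

# legacy_tls_lines FILE...
# Prints "file:line: text" for each active (not commented-out) ssl_protocols
# directive that lists TLSv1 or TLSv1.1 as a whole token.
legacy_tls_lines() {
    for f in "$@"; do
        [ -r "$f" ] || continue   # skip files that do not exist on this host
        awk -v file="$f" '
            {
                line = $0
                sub(/#.*/, "", line)      # drop full-line and trailing comments
                if (line !~ /^[ \t]*ssl_protocols[ \t]/) next
                gsub(/;/, " ", line)
                n = split(line, tok, /[ \t]+/)
                # exact token match, so TLSv1.2 and TLSv1.3 are never flagged
                for (i = 1; i <= n; i++)
                    if (tok[i] == "TLSv1" || tok[i] == "TLSv1.1") {
                        printf "%s:%d: %s\n", file, NR, $0
                        break
                    }
            }' "$f"
    done
}

# audit_tls FILE...
# Returns 0 if no active directive enables a legacy protocol, 1 otherwise.
audit_tls() {
    found=$(legacy_tls_lines "$@")
    if [ -n "$found" ]; then
        printf 'Legacy TLS still enabled in:\n%s\n' "$found"
        return 1
    fi
    echo "No active ssl_protocols directive enables TLSv1 or TLSv1.1"
}

# Usage with the files named in the article:
#   audit_tls /etc/nginx/nginx.conf /etc/nginx/sites-available/example.com \
#             /etc/letsencrypt/options-ssl-nginx.conf
```

A plain grep for TLSv1 would also match TLSv1.2 and TLSv1.3, which is why the check compares whole tokens.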