Moving to TLSv1.2 or newer: Nginx, Apache, Postfix, Dovecot

Moving on from “should we do it?” (with the answer to most real-world scenarios being “yes, and as a bonus it can help block a lot of spambots”), here’s how to restrict several Internet services — Nginx, Apache, Postfix, and Dovecot — to TLSv1.2 or newer.

As usual, these are not complete guides for any of those servers; I’m assuming you already have them working fine (including TLS encryption), and just want to disable any TLS protocols lower than v1.2. (If you need to add TLS to a non-TLS server, see instructions for Nginx, Apache, Postfix, and Dovecot.)

Nginx:

In each virtual host’s server section — or, even better, if you’re using Let’s Encrypt, in /etc/letsencrypt/options-ssl-nginx.conf or its equivalent — add the following (or replace any existing ssl_protocols entry):

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```

Restart Nginx, and test it on SSL Labs. You should get something like this [1]:

[Screenshot: SSL Labs result showing TLS v1.2 and v1.3 only]

(Note: if you’re using a very old version of Nginx, it may not accept the “TLSv1.3” parameter and refuse to start; in such a case, remove it — or, better yet, upgrade your system. 🙂 )

Apache:

Similarly to Nginx, you can add one of the following to each Virtual Host, or to the global HTTPS configuration (typically in /etc/httpd/conf.d/ssl.conf), or, if using Let’s Encrypt, to /etc/letsencrypt/options-ssl-apache.conf:

```apacheconf
SSLProtocol             +TLSv1.2 +TLSv1.3
```

or:

```apacheconf
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
```

Right now, they’ll do the same thing: allow TLSv1.2 and v1.3 only. Personally, I like the second version (which disables older protocols) better, for two reasons: 1) it’ll work even with some ancient Apache version that doesn’t recognize “TLSv1.3”, and 2) when future TLS versions are added, they’ll be enabled, making it more future-proof.

Again, you can test the new configuration on SSL Labs.

Postfix:

Add the following to /etc/postfix/main.cf (replacing any equivalent entries, if they exist).

```
smtp_tls_mandatory_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

After restarting Postfix, you can test its available protocols with Immuniweb’s SSL Security Test (specify something like yourhostname:25, or yourhostname:465 if not using STARTTLS).

Dovecot:

Add the following (or replace it if it exists) to your SSL configuration (typically /etc/dovecot/conf.d/10-ssl.conf):

```
ssl_min_protocol = TLSv1.2
```

Restart Dovecot, and test it on Immuniweb’s test (use something like yourhostname:143, or yourhostname:993 if not using STARTTLS).
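The four servers above each express the same policy in a different syntax (a whitelist, +/- modifiers on “all”, a ! exclusion list, and a minimum version). The following is an added example, not part of the original post, that evaluates each syntax the way it is described above and reports any pre-1.2 protocol a snippet still leaves enabled; the sample snippets are constructed, and for Postfix it reads only smtpd_tls_protocols (the other three parameters use the same list syntax).

```python
import re

# Protocol versions oldest to newest; anything before TLSv1.2 counts as weak.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = set(VERSIONS[:4])

# Constructed sample snippets mirroring the directives shown in the post.
SAMPLES = {
    "nginx": "ssl_protocols TLSv1.2 TLSv1.3;\n",
    "apache": "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n",
    "postfix": "smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n",
    "dovecot": "ssl_min_protocol = TLSv1.2\n",
}

def last_value(conf, directive):
    """Argument of the last occurrence of a directive (last one wins), or None."""
    hits = re.findall(r"^\s*%s\b\s*=?\s*([^;\n]+)" % directive, conf, re.M)
    return hits[-1].strip() if hits else None

def enabled_protocols(server, conf):
    """Compute the protocol set a snippet enables, using each server's own syntax."""
    if server == "nginx":  # plain whitelist of versions
        v = last_value(conf, "ssl_protocols")
        return None if v is None else set(v.split())
    if server == "apache":  # 'all', bare names, '+name' adds, '-name' removes, in order
        v = last_value(conf, "SSLProtocol")
        if v is None:
            return None
        enabled = set()
        for tok in v.split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = set(VERSIONS) if name.lower() == "all" else {name}
            enabled = enabled | names if sign == "+" else enabled - names
        return enabled
    if server == "postfix":  # '!name' excludes from everything; bare names whitelist
        v = last_value(conf, "smtpd_tls_protocols")
        if v is None:
            return None
        toks = [t for t in re.split(r"[,\s]+", v) if t]
        included = {t for t in toks if not t.startswith("!")}
        return (included or set(VERSIONS)) - {t[1:] for t in toks if t.startswith("!")}
    if server == "dovecot":  # minimum version: that one and everything newer
        v = last_value(conf, "ssl_min_protocol")
        return None if v is None else set(VERSIONS[VERSIONS.index(v):])
    raise ValueError("unknown server: " + server)

def weak_protocols(server, conf):
    """Weak versions still allowed, oldest first; None if the directive is missing."""
    enabled = enabled_protocols(server, conf)
    return None if enabled is None else sorted(enabled & WEAK, key=VERSIONS.index)
```

Every sample in SAMPLES yields an empty list; a None result means the directive is absent, so the server is running on its compiled-in default rather than on your policy.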

[1] You need OpenSSL v1.1.1 or later to get TLSv1.3; otherwise, you’ll get v1.2 only, which still satisfies the goal of this guide.
