Minimum TLS 1.2 is set - but domain SSL scan is showing TLS 1

tls

#1

Using https://www.ssllabs.com/ssltest/ to test my domain - and even though I have set TLS to be at a minimum of 1.2, I see TLS 1 reported. I need to remove TLS < 1.2 from our PCI scan. Moreover, a separate PCI scan (using AlertLogic) shows TLS 1.1. Neither should be reported or supported.

The NGINX settings have TLS below 1.2 removed.

Any idea how to have TLS < 1.2 disabled?

(Both scans combined in attached image)


#2

Is this NGINX on your server? By default Cloudflare always talks with your server over 1.3/1.2, if you want to disable 1.0/1.1 you’ll need to set minimum version on the CF dashboard Crypto tab:


#3

Right - that is what I have set (Minimum TLS Version set to TLS 1.2) - hence the confusion over why TLS 1 and 1.1 are even showing up in a scan.

As far as I can tell, that setting is in place on the Cloudflare side and NGINX settings likewise disallow 1 and 1.1 - so why are they showing as enabled?


#4

Interesting, see my results - 1.2 minimum and different results.

The detection of 1.0 without SNI might be a one-off issue, try using curl in bash to simulate lower protocols and see if your actual website is ever returned:

$ curl --tlsv1.2 https://evilsite.cf
$ curl --tlsv1.1 https://evilsite.cf
$ curl --tlsv1.0 https://evilsite.cf

(replacing evilsite.cf with your domain)


#5

You are right - curl to my site does what is expected (1.2 only returns a page, others return curl: (35) gnutls_handshake() failed: Error in protocol version). But then your results don’t show the 1.0 listing marked in orange like mine.

I wonder if I am missing another setting on Cloudflare or my side?

Side-note:
What version is used if you run 1 (not 1.0):

$ curl --tlsv1 https://evilsite.cf

This works against your site as well.


#6

From the curl docs: https://curl.haxx.se/docs/manpage.html#-1

Tells curl to use at least TLS version 1.x when negotiating with a remote TLS server. That means TLS version 1.0 or higher.

So it’ll use the highest-available TLSv1 version, 1.3/1.2 depending on your curl. Your website should be PCI compliant at least based on TLS 1.0/1.1 failing.
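A script that automates the curl checks from #4 and the `--tlsv1` floor-vs-exact point from #6, written as an added example and not part of this thread. The host name is a constructed placeholder, and `--tls-max` is added to each probe so it offers exactly one protocol version instead of "that version or higher".

```shell
#!/usr/bin/env bash
# Added example (not from the thread): probe a host at each fixed TLS version
# with curl and summarise the result the way a PCI scan would read it.
# The host is a constructed placeholder; pass your own domain as $1.

# Translate a curl exit status into a verdict. Exit 35 is curl's
# "SSL connect error", the gnutls_handshake()/protocol-version failure
# quoted above; 0 means the handshake succeeded and a page came back.
tls_verdict() {
  case "$1" in
    0)  echo "NEGOTIATED" ;;
    35) echo "HANDSHAKE_FAILED" ;;
    *)  echo "OTHER_ERROR_$1" ;;
  esac
}

# Build curl's arguments so that exactly one protocol version is offered.
# --tlsvX.Y alone only sets the floor (bare --tlsv1 means "1.0 or higher",
# which is why it succeeds against a 1.2-only site); --tls-max (curl 7.54+)
# caps it so the probe really speaks X.Y and nothing else.
curl_args_for() {
  local ver="$1" host="$2"
  echo "--tlsv$ver --tls-max $ver -sS -o /dev/null https://$host/"
}

# Given the exit codes of the 1.0, 1.1 and 1.2 probes, return 0 only if the
# legacy versions were refused and 1.2 was accepted (the PCI expectation).
assess_pci() {
  [ "$(tls_verdict "$1")" = HANDSHAKE_FAILED ] &&
  [ "$(tls_verdict "$2")" = HANDSHAKE_FAILED ] &&
  [ "$(tls_verdict "$3")" = NEGOTIATED ]
}

# Run the four probes against a host and print one line per version.
probe_host() {
  local host="$1" ver rc rc10 rc11 rc12
  for ver in 1.0 1.1 1.2 1.3; do
    rc=0
    curl $(curl_args_for "$ver" "$host") >/dev/null 2>&1 || rc=$?
    printf 'TLS %s: %s (curl exit %d)\n' "$ver" "$(tls_verdict "$rc")" "$rc"
    case "$ver" in 1.0) rc10=$rc ;; 1.1) rc11=$rc ;; 1.2) rc12=$rc ;; esac
  done
  if assess_pci "$rc10" "$rc11" "$rc12"; then
    echo "RESULT: only TLS >= 1.2 accepted"
  else
    echo "RESULT: legacy TLS still negotiable, or 1.2 failed"
  fi
}
# Usage: ./tlsprobe.sh your.domain.example
if [ -n "${1:-}" ]; then probe_host "$1"; fi
```

Note that curl always sends SNI for a hostname, so this does not reproduce the "without SNI" row of the SSL Labs report; it checks what a client connecting to your name actually gets.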


#7

Thanks for the help Judge - the curl testing does give me something to show that the site is PCI compliant… now hopefully Cloudflare can help with why your results have No for TLS 1.0 and mine have Yes!