Minimum TLS 1.2 is set - but domain SSL scan is showing TLS 1

Using SSL Server Test (Powered by Qualys SSL Labs) to test my domain - and even though I have set TLS to be at a minimum of 1.2, I see TLS 1 reported. I need to remove TLS < 1.2 from our PCI scan. Moreover, a separate PCI scan (using AlertLogic) shows TLS 1.1. Neither should be reported or supported.

The NGINX settings have TLS below 1.2 removed.

Any idea how to have TLS < 1.2 disabled?

(Both scans combined in attached image)


Is this NGINX on your server? By default Cloudflare always talks with your server over 1.3/1.2, if you want to disable 1.0/1.1 you’ll need to set minimum version on the CF dashboard SSL/TLS app:


Right - that is what I have set (Minimum TLS Version set to TLS 1.2) - hence the confusion over why TLS 1 and 1.1 are even showing up in a scan.

As far as I can tell, that setting is in place on the Cloudflare side and NGINX settings likewise disallow 1 and 1.1 - so why are they showing as enabled?

Interesting, see my results - 1.2 minimum and different results.

The detection of 1.0 without SNI might be a one-off issue, try using curl in bash to simulate lower protocols and see if your actual website is ever returned:

$ curl --tlsv1.2
$ curl --tlsv1.1
$ curl --tlsv1.0

(replacing with your domain)


You are right - curl to my site does what is expected (1.2 only returns a page, others return curl: (35) gnutls_handshake() failed: Error in protocol version). But then your results don’t show the 1.0 listing marked in orange like mine.

I wonder if I am missing another setting on Cloudflare or my side?

What version is used if you run 1 (not 1.0):

$ curl --tlsv1

This works against your site as well

From the curl docs: curl - How To Use

Tells curl to use at least TLS version 1.x when negotiating with a remote TLS server. That means TLS version 1.0 or higher

So it’ll use the highest-available TLSv1 version, 1.3/1.2 depending on your curl. Your website should be PCI compliant at least based on tls 1.0/1.1 failing.
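To make the curl test in this thread repeatable, here is an added probe script. It is not the poster's command and not anything from Cloudflare or Qualys; HOST is a placeholder argument, and it assumes curl 7.54 or newer (for --tls-max) and OpenSSL 1.1.1 or newer (for -noservername). The point it adds beyond the commands above: on current curl, --tlsv1.0 means "TLS 1.0 or newer", so a server that only speaks 1.2 can still make a bare --tlsv1.0 probe succeed; pinning the ceiling with --tls-max tests exactly one version per run. It also repeats the check without SNI, which is the case the "detection of 1.0 without SNI" remark refers to.

```shell
#!/bin/sh
# tls-probe.sh: report which TLS protocol versions HOST will negotiate,
# with and without SNI, and whether that satisfies the PCI DSS rule
# (TLS 1.0 and 1.1 refused, a current version accepted).
# Added example for this thread, not the original poster's command.
# Assumes: curl >= 7.54 (--tls-max), OpenSSL >= 1.1.1 (-noservername).

# probe_version HOST VERSION   (VERSION: 1.0, 1.1, 1.2 or 1.3)
# --tlsv1.x alone is a *minimum*; --tls-max pins the ceiling so only one
# version is offered. Returns curl's exit status.
probe_version() {
    curl --silent --show-error --output /dev/null --max-time 10 \
         "--tlsv$2" --tls-max "$2" "https://$1/" 2>/dev/null
}

# probe_without_sni HOST VERSION   (VERSION: tls1, tls1_1 or tls1_2)
# A scanner that connects by IP sends no server name, and a shared edge may
# answer that path with a different default configuration. The security level
# is lowered to 0 so that a modern OpenSSL client is itself willing to offer
# TLS 1.0/1.1; otherwise a client-side refusal would look like a server one.
# Returns openssl's exit status (0 = handshake completed).
probe_without_sni() {
    printf '' | openssl s_client -connect "$1:443" -noservername "-$2" \
        -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1
}

# classify_exit STATUS: turn a curl exit status into a verdict string.
# No network calls here, so the decision logic can be checked offline.
classify_exit() {
    case "$1" in
        0)  echo accepted ;;      # server negotiated this exact version
        35) echo rejected ;;      # CURLE_SSL_CONNECT_ERROR: handshake refused
                                  # (also seen if the *client* cannot speak it;
                                  #  cross-check with probe_without_sni)
        *)  echo "error($1)" ;;   # DNS, timeout, etc.: not evidence either way
    esac
}

# pci_verdict V10 V11 V12: PASS only if 1.0 and 1.1 were refused and 1.2
# was accepted. Any error verdict is inconclusive and therefore FAIL.
pci_verdict() {
    if [ "$1" = rejected ] && [ "$2" = rejected ] && [ "$3" = accepted ]; then
        echo PASS
    else
        echo FAIL
    fi
}

main() {
    host=$1
    v10=; v11=; v12=
    for v in 1.0 1.1 1.2 1.3; do
        rc=0; probe_version "$host" "$v" || rc=$?
        verdict=$(classify_exit "$rc")
        printf 'TLS %s (SNI)      : %s\n' "$v" "$verdict"
        case "$v" in
            1.0) v10=$verdict ;; 1.1) v11=$verdict ;; 1.2) v12=$verdict ;;
        esac
    done
    for v in tls1 tls1_1 tls1_2; do
        if probe_without_sni "$host" "$v"; then r=accepted; else r=rejected; fi
        printf '%-7s (no SNI)   : %s\n' "$v" "$r"
    done
    printf 'PCI (1.0/1.1 refused, 1.2 accepted): %s\n' \
        "$(pci_verdict "$v10" "$v11" "$v12")"
}

if [ $# -gt 0 ]; then
    main "$1"
else
    echo "usage: $0 HOST" >&2
fi
```

Run it as `sh tls-probe.sh your.domain.example`. A "rejected" line for 1.0 and 1.1 from both the curl and the no-SNI probe is the evidence to hand a PCI assessor; an "accepted" on the no-SNI line while the SNI line says "rejected" would point at the edge answering differently when no hostname is presented.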

Thanks for the help Judge - the curl testing does give me something to show that the site is PCI compliant… now hopefully Cloudflare can help with why your results have No for TLS 1.0 and mine have Yes!
