Vulnerability fix: unsafe TLS 1.0 and TLS 1.1 protocols enabled

Vulnerability description

The TLS 1.0 and TLS 1.1 protocols rely on weak cryptographic algorithms with known, serious security flaws, and they are vulnerable to downgrade attacks.

Repair plan

Enable support for TLS 1.2 or TLS 1.3, and disable support for TLS 1.0 and TLS 1.1.

Modify the nginx configuration file

ssl_protocols TLSv1.2 TLSv1.3;

This enables TLSv1.2 and TLSv1.3 and disables every other TLS protocol version. Note that the directive only takes effect when it is set in the http block or in the default_server block: the other server blocks use the setting from default_server.
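As an added illustration (not configuration from the original post), a minimal layout that follows the note above: the directive is set once in the http block and the default_server for the port is explicit, so no virtual host is left with an older setting. Host names and certificate paths are placeholders.

```nginx
# Added example, not the original post's configuration; names and paths are placeholders.
http {
    # Set once here so every server block inherits it. TLSv1 and TLSv1.1 are
    # not listed, so handshakes that offer only those versions are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    server {
        # Make the default server for this port explicit: as noted above, this is
        # the block whose ssl_protocols setting the other server blocks follow.
        listen 443 ssl default_server;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path
    }

    server {
        listen 443 ssl;
        server_name api.example.com;
        ssl_certificate     /etc/nginx/ssl/api.example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/api.example.com.key;   # placeholder path
        # No ssl_protocols line here: the value comes from the http block.
        # Re-adding "ssl_protocols TLSv1 ..." in a non-default block would not
        # re-enable the old versions, but it is confusing and best avoided.
    }
}
```

After editing, the nginx -t and nginx -s reload steps below apply unchanged.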

Verify that the configuration is correct

nginx -t

Hot-reload the configuration so that it takes effect without restarting nginx

nginx -s reload

Verify

openssl s_client -connect XXXXX.com:443 -tls1_1 < /dev/null 2> /dev/null | grep -i -E "cipher|protocol"

openssl s_client -connect XXXXX.com:443 -tls1 < /dev/null 2> /dev/null | grep -i -E "cipher|protocol"
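The two commands above, generalised into a small POSIX shell script that probes every TLS version (sending SNI so the right server block is exercised) and flags any legacy version the server still accepts. This is an added example, not part of the original post; the host name, port and the constructed sample output are assumptions, and the script relies only on the "Cipher :" line that openssl s_client itself prints.

```shell
#!/bin/sh
# Added example, not part of the original post: probe a server for each TLS
# version with openssl s_client and report which ones it still accepts.
# Host names and ports are placeholders; the "Protocol  :" / "Cipher    :"
# lines referred to below are the ones openssl s_client prints.

# classify_handshake: read s_client output on stdin, print "accepted" when a
# real cipher was negotiated and "rejected" otherwise. A refused version
# prints "Cipher    : 0000" (or no Cipher line at all); cipher names start
# with a letter, so a letter after the colon separates the two cases.
classify_handshake() {
    if grep -qE '^ *Cipher *: *[A-Za-z]'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_protocol HOST PORT FLAG: run s_client with one version flag
# (-tls1, -tls1_1, -tls1_2 or -tls1_3). -servername sends SNI so the server
# block for HOST is exercised; </dev/null makes s_client exit instead of
# waiting for input after a successful handshake.
probe_protocol() {
    host=$1; port=$2; flag=$3
    # A local openssl built without the legacy version prints "unknown option"
    # and no session block, which would look like "rejected"; report it instead.
    if ! openssl s_client -help 2>&1 | grep -qE -- "(^| )$flag( |$)"; then
        echo unsupported-locally
        return 0
    fi
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>/dev/null | classify_handshake
}

# audit_host HOST [PORT]: print one line per version; return 1 if the server
# still accepts TLS 1.0 or TLS 1.1, 0 otherwise.
audit_host() {
    host=$1; port=${2:-443}; status=0
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(probe_protocol "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$result"
        case "$flag:$result" in
            -tls1:accepted|-tls1_1:accepted) status=1 ;;
        esac
    done
    return $status
}

# Constructed sample output (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REJECTED='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# With a host argument, audit it; otherwise demonstrate the classifier offline.
if [ $# -gt 0 ]; then
    audit_host "$1" "${2:-443}"
else
    printf 'sample accepted -> %s\n' "$(printf '%s\n' "$SAMPLE_ACCEPTED" | classify_handshake)"
    printf 'sample rejected -> %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake)"
fi
```

Run it with the host name as the first argument (and an optional port). A non-zero exit status means TLS 1.0 or TLS 1.1 is still accepted, which makes the script usable as an automatic post-reload check; the "unsupported-locally" result means the verifying machine's own openssl cannot speak that version, so the server has not actually been tested for it.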

If the output looks like the following figure, the versions were disabled successfully.

[Figure not included in this copy: openssl s_client output for a successful disable]

If the following figure appears instead, disabling failed.

[Figure not included in this copy: openssl s_client output for a failed disable]


Source: blog.csdn.net/LIARRR/article/details/130088336