Home / ubuntu / Questions / 1240595
In Process
reivilibre
Asked: 2020-05-18 04:25:29 +0800 CST

Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04

  • 772

I have recently reinstalled my server to Ubuntu 20.04.

A support call came in and after a few days, I managed to notice that TLS v1.0 and v1.1 were not being provided by my web server, nginx. The configuration was fine and explicitly enables TLSv1 and TLSv1.1. Nothing appeared in nginx's logs…

Later on, I notice that nothing seems to work with TLS 1.0 or 1.1 anymore.

openssl s_client -tls1 -connect matrix.org:443 doesn't work (it fails with no protocols available), whereas it does under Ubuntu 18.04.

Someone else at this question is no longer able to connect to their MySQL server that doesn't support TLS v1.2.

I am starting to suspect that this may be an intentional change to Ubuntu, but I can't find anything in the release notes and I also can't find out how to re-enable TLS v1.0 and v1.1 since I really need it to support some older users' devices (mainly Android phones).

How can TLS v1.0 and/or v1.1 be re-enabled?

Many thanks.

I tried modifying /etc/ssl/openssl.cnf (which is symlinked to by /usr/lib/ssl/openssl.cnf) to add

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = system_default_sect

[ system_default_sect ]
MinProtocol = TLSv1
DEFAULT@SECLEVEL = 1

This did not result in any difference when using the openssl command shown before (I tried both 'TLSv1' and 'TLSv1.0' as the MinProtocol).

nginx openssl tls 20.04

2 Answers

  1. I finally found out how to enable for nginx (afraid I don't know how to do it system-wide) and other services with a configuration allowing changing ciphers.

    Source: man ciphers.1ssl

    Edit your nginx configuration and amend your cipherlist to add the pseudocipher @SECLEVEL=1.

    Example:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    becomes

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# seclevel for TLS 1.0 and 1.1
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:@SECLEVEL=1";
    • 9

  2. For GnuTLS, as explained in

    https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8

    create /etc/gnutls/config (both directory and files were missing) with the following content:

    [overrides]
default-priority-string = NORMAL

    This was enough to fix the following error in evolution (due to a pop3 server lacking TLS-1.2 support):

    A packet with illegal or unsupported version was received

    There were other instructions in this link for system-wide openSSL "fix", not tested.

    • 1