TLS 1.3 was removed in latest version from nginx

Hello,
since the last mail-in-a-box update, I noticed that the nginx webserver only delivers pages via TLS in version 1.2. I changed the option to “ssl_protocols TLSv1.2 TLSv1.3;” accordingly. Why are TLSv1 and TLSv1.1 still enabled (old entry: “ssl_protocols TLSv1 TLSv1.1 TLSv1.2;”)? Aren’t they also considered insecure?

Thank you.

I don’t know about the previous configurations, but testing with Qualys [1] still gives MiaB an A+.

On a different web server I have only enabled 1.2, and it gets a perfect score in all categories, but it does seem peculiar on MiaB to enable 1 and 1.1 but not 1.3.

[1] https://www.ssllabs.com/ssltest/index.html

As with all security, there is a balance between providing security and providing accessibility. We have long followed the Intermediate compatibility guidance at Security/Server Side TLS - MozillaWiki. It’s very recently been updated, so we could update our configurations — it now drops TLS through 1.1, but it didn’t use to.

Every time we make a change, we have to be careful about what ramifications it has. So we don’t change our security configuration settings very often.

Yes, I do understand this. Security is not everything. But it would still be a good thing to enable TLS 1.3 in the next upcoming release in my opinion. OpenSSL and nginx now fully support this new standard.

Yes, we should update to the current Intermediate guidance on the Mozilla page. Someone just needs to put in the work (updating nginx, dovecot, and postfix — it’s not just nginx).

I can do some research and update the corresponding configuration files. Is there any kind of Git or SVN?

There is so much git.

https://github.com/mail-in-a-box/mailinabox

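
Added example, not part of any post in this thread and not Mail-in-a-Box code: a small Python check that reads nginx configuration text and reports, for each `ssl_protocols` directive, which legacy versions are still enabled and which wanted versions are missing. The policy (TLSv1.2 and TLSv1.3 wanted, everything older legacy) is an assumption based on the thread, and `SAMPLE` is a constructed config.

```python
import re

# Policy assumed for this example, following the thread: keep TLSv1.2 and
# TLSv1.3, treat every older protocol version as legacy.
WANTED = {"TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# \b keeps related directives such as proxy_ssl_protocols out of the match.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;]+);")

# Constructed sample: one server block with the old entry quoted in the
# thread (plus a commented-out line), one with the changed entry.
SAMPLE = """\
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def strip_comments(text):
    """Drop '#' comments line by line (simplification: ignores quoting)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_ssl_protocols(config_text):
    """Return one finding per active ssl_protocols directive."""
    clean = strip_comments(config_text)
    findings = []
    for match in DIRECTIVE.finditer(clean):
        enabled = set(match.group(1).split())
        findings.append({
            "line": clean.count("\n", 0, match.start()) + 1,
            "enabled": sorted(enabled),
            "legacy": sorted(enabled & LEGACY),
            "missing": sorted(WANTED - enabled),
            "ok": not (enabled & LEGACY) and WANTED <= enabled,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_protocols(SAMPLE):
        print(finding)
```
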