Enable TLSv1.0 and TLSv1.1 in nginx on RHEL 9

A small guide on how to, against better judgment, enable TLSv1.0 and TLSv1.1 in nginx on RHEL 9.

Warning

Following these instructions will make your system less secure and potentially open it for known issues and vulnerabilities.

Only do this if you're sure you need it.

By default, TLSv1.0 and TLSv1.1 are, for good reasons, disabled on RHEL 9. However, when there is a legacy client that does not support TLSv1.2, this is a problem.

Just adding ssl_protocols TLSv1 TLSv1.1 TLSv1.2; to the nginx configuration is not enough on RHEL 9: a TLSv1.1 or lower handshake still does not go through.

After some digging around on the internet I found the following resources:

Combining these two sources, I found that setting the system crypto policy to LEGACY:

[root@trinity ~]# update-crypto-policies --set LEGACY

and adding @SECLEVEL=0 to ssl_ciphers in the nginx configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:@SECLEVEL=0;

This solved my problem!
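The two nginx settings from the post, placed in context as an added example (this is not configuration from the original post). The idea is to keep the main site on TLSv1.2+ and confine the downgraded protocol and cipher settings to a separate listener that only the legacy client is pointed at, while logging the negotiated protocol so it is visible which clients still depend on TLSv1.0/1.1. The hostnames, port 8443, certificate paths and log path are placeholders; the snippet belongs in the http context (for example a file under /etc/nginx/conf.d/), and the LEGACY crypto policy from the post is still required for the old protocols to work.

```nginx
# Added example, not from the original post. Hostnames, port 8443,
# certificate paths and the log path below are placeholders.

# Record the negotiated protocol and cipher per request so the legacy
# listener can be audited and removed once no client needs it any more.
log_format tlsinfo '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$host" "$request"';

server {
    # Main site: unaffected by the legacy listener below.
    listen 443 ssl;
    server_name example.com;                                   # placeholder

    ssl_certificate     /etc/pki/tls/certs/example.com.crt;    # placeholder
    ssl_certificate_key /etc/pki/tls/private/example.com.key;  # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log tlsinfo;              # placeholder
}

server {
    # Dedicated listener for the legacy client. It is bound to its own port,
    # so the weakened settings are not reachable via the main site's address.
    listen 8443 ssl;
    server_name legacy.example.com;                            # placeholder

    ssl_certificate     /etc/pki/tls/certs/example.com.crt;    # placeholder
    ssl_certificate_key /etc/pki/tls/private/example.com.key;  # placeholder

    # The two settings from the post: old protocols plus @SECLEVEL=0 in the
    # cipher string (effective together with the LEGACY system crypto policy).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:@SECLEVEL=0;

    # Separate log so legacy-protocol traffic stands out and can be tracked down.
    access_log /var/log/nginx/legacy-tls.log tlsinfo;          # placeholder
}
```

After `nginx -t` and a reload, a handshake attempt such as `openssl s_client -connect legacy.example.com:8443 -tls1_1` should now complete, while the same attempt against port 443 should still be refused; the $ssl_protocol column in the two logs shows which hosts are actually negotiating TLSv1.0 or TLSv1.1, which is the evidence needed to decide when the legacy listener can be switched off again.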