By default TLSv1.0 and TLSv1.1 is, for good reasons, disabled on RHEL 9. However when there is a legacy client that does not support TLSv1.2 this is a problem.

Just adding ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in the nginx configuration is not enough on RHEL 9. It’s still not possible to get a TLSv1.1 or below handshake to go through.

After some digging around on the internet I found the following resources:

• Chapter 3 in Security hardening Red Hat Enterprise Linux 9
• Ticket 2250 on nginx trac

Combining these to sources I found that setting the system crypto policy to LEGACY

1

[root@trinity ~]# update-crypto-policies --set LEGACY

And adding @SECLEVEL=0 to the ssl_ciphers in the nginx configuration

1
2

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:@SECLEVEL=0;

This solved my problem!