Messages

1

Web Proxy Filtering and Caching / Re: Select TLS version in NGINX

« on: February 24, 2024, 08:09:04 pm »

 

Thank you! I had totally missed that one! Had been looking around several times but missed it, went reading old threads for similar questions that suggested TLS settings were not user/GUI adjustable.

2

Web Proxy Filtering and Caching / [SOLVED] Select TLS version in NGINX

« on: February 24, 2024, 06:18:02 pm »

Hello!

Happy OPNsense user here since a few years, trying to consolidate my homelab.

Question: Is there a way to select the TLS version for the Nginx server?

Background: Recently moved from a standalone Nginx reverse proxy to running the plugin in OPNsense. Works great except for a few older devices (a LG smart TV and Android devices) not working anymore. The problem I've concluded is that they don't accept TLSv1.3, only TLSv1.2.

I can't find a setting in the GUI?

I then tried setting it in /usr/local/etc/nginx/nginx.conf:
...
ssl_protocols TLSv1.3 TLSv1.2
...
and it works, until you reboot after which it is restored to just TLSv1.3 again.

Maybe adjusting something in /usr/local/opnsense/service/templates/OPNsense/Nginx?
Can't wrap my head around it all in there and not sure if that would be persistent across system/plugin updates.

For modern devices and browsers it is not a problem but it means forcing a lot of devices in to obsolescence a bit too early in my opinion. Is there any options here or will I have to go back to my old setup if I don't want to fight against the system?

Versions:
OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

os-nginx 1.32.2
Also using the LetsEncrypt functionality.

Thanks in advance for any suggestions!