How do I disable TLS 1.0 and 1.1 on Shiny server pro

mtie · July 10, 2018, 7:42pm

...

I have a shiny server running and configured so that users can connect to it via https; to do this I followed the guide at: https://support.rstudio.com/hc/en-us/articles/218554798-Shiny-Server-Quick-Start-Host-a-secure-Shiny-Server-Pro-only-

Everything seems fine, but now I want to disable TLS 1.0 and 1.1; I've found a number of posts online that suggest adding a line like the following to my /etc/shiny-server/shiny-server.conf

 ssl_protocols TLSv1.2;

But after adding it, the shiny server fails to launch; shiny.log gives the error:

 Error loading config: Unknown directive "ssl_protocols" (/etc/shiny-server/shiny-server.conf:16:3)

Great; apparently, ssl_protocols isn't the correct directive (seems to be more of an nginx directive), so how do I disable the older TLS protocols?

alandipert · July 13, 2018, 5:52pm

Hi, unfortunately there isn't a way to control SSL settings like this directly with Shiny Server Pro.

I think you're right, the posts you found were talking about running Shiny Server "behind" nginx, which is a fine way to do it. It's definitely the direction I recommend going if you want this degree of control over SSL settings.

There's a good RStudio support article about it that I recommend: https://support.rstudio.com/hc/en-us/articles/213733868-Running-Shiny-Server-with-a-Proxy

jcheng · July 17, 2018, 10:17pm

FYI, we're going to add the ability to disable TLS 1.0 and/or 1.1 in the next version of Shiny Server Pro (1.5.8, expected to ship in late August). Thanks for the feedback.

mtie · July 18, 2018, 1:34pm

Thats awesome. Thank you.

-mtie

alandipert · September 12, 2018, 3:25pm

Update: SSP 1.5.8 is out and there's a new ssl_min_version configuration directive: http://docs.rstudio.com/shiny-server/#ssl_min_version