Does anyone know why I can't disable TLS 1.0 and TLS 1.1 by updating the config to this:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
After doing this I reload Apache and run an SSL scan using SSL Labs or the Comodo SSL tool, and it still says TLS 1.1 and 1.0 are supported. I would like to remove these.
When you have multiple TLS VirtualHosts and use Server Name Indication (SNI) it is allowed syntax to have an SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts, in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS.
So check your main httpd.conf (and all included snippets, for instance conf.d/*.conf and similar includes) for more occurrences of the
Your syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:
SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
by simply using:
that you have specified is enough; it shouldn't show any other protocols. Remember that SSL Labs caches recent tests. Although, knowing that there are no other protocols, defining it like you did is kind of convoluted on purpose.
In any case you can use that, or simply:
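The answers above say to look for every SSLProtocol occurrence in httpd.conf and everything it includes, because the first one read is the one that governs name-based TLS VirtualHosts. The following is an added example, not code from any of the answers: a POSIX shell walker that follows Include/IncludeOptional lines in Apache's read order and prints each SSLProtocol directive with its file and line number. The ServerRoot handling (second argument, defaulting to the directory of the main conf), the assumption that Include arguments are unquoted, and the constructed sample tree written by make_sample_tree are all assumptions of this example.

```shell
#!/bin/sh
# Walk an Apache configuration tree and list every SSLProtocol directive in
# the order Apache reads them. Added example for this thread; it is not code
# from any of the answers. Assumptions: POSIX sh; Include/IncludeOptional
# arguments are unquoted and either absolute or relative to the ServerRoot
# passed as the second argument (default: the directory of the main conf);
# Include globs expand in sorted order, as Apache does. The first line printed
# is the directive that governs name-based TLS VirtualHosts on a server where
# only the first occurrence counts.

# list_sslprotocol MAIN_CONF [SERVER_ROOT]
# Prints "file:line: SSLProtocol <args>" for each directive found.
list_sslprotocol() {
    _walk "$1" "${2:-$(dirname "$1")}"
}

# effective_sslprotocol MAIN_CONF [SERVER_ROOT]
# Prints only the first (governing) directive, or nothing if none exists.
effective_sslprotocol() {
    list_sslprotocol "$@" | head -n 1
}

_walk() {
    f=$1 root=$2 n=0
    [ -r "$f" ] || return 0        # IncludeOptional semantics: skip silently
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f                     # keep globs in the line from expanding here
        set -- $line               # word-split the directive and its arguments
        set +f
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # directives are case-insensitive
        case "$key" in
            ''|'#'*) continue ;;   # blank line or comment
            sslprotocol)
                shift
                printf '%s:%s: SSLProtocol %s\n' "$f" "$n" "$*" ;;
            include|includeoptional)
                pat=$2
                case "$pat" in /*) ;; *) pat="$root/$pat" ;; esac
                for inc in $pat; do            # glob expands here, sorted
                    ( _walk "$inc" "$root" )   # subshell keeps f and n intact
                done ;;
        esac
    done < "$f"
}

# make_sample_tree DIR
# Writes a small constructed config tree (not from any real server) to DIR:
# a commented-out directive that must be ignored, a _default_ vhost in
# conf.d/ssl.conf and a name-based vhost in conf.d/web.conf.
make_sample_tree() {
    mkdir -p "$1/conf.d"
    cat > "$1/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
# SSLProtocol all -SSLv3     commented out, must not be reported
Include conf.d/*.conf
EOF
    cat > "$1/conf.d/ssl.conf" <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
EOF
    cat > "$1/conf.d/web.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    sslprotocol TLSv1.2
</VirtualHost>
EOF
}

# Usage: make_sample_tree /tmp/httpd-demo
#        list_sslprotocol /tmp/httpd-demo/httpd.conf
#        effective_sslprotocol /tmp/httpd-demo/httpd.conf
```

On the sample tree the first line printed comes from conf.d/ssl.conf (the _default_ vhost with SSLv3 only disabled), which is exactly the situation the question describes: the stricter directive in the name-based vhost comes second and does not take effect.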
I was struggling with this issue as well; modifying configs with the SSLProtocol directive wasn't working. I ended up adding the following to my virtual host configuration:
SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
This worked perfectly. You can read more about the SSLOpenSSLConfCmd directive here.
Disable the TLS 1.0 version in Apache.
If you have multiple virtual hosts then you have to update all configuration files; otherwise, ssl.conf is enough.
To check the supported TLS versions:
# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
Modify the Apache configuration file (vi /etc/httpd/conf.d/web.conf): remove all TLS versions and allow only TLS 1.2.
Validate after the modification.
# grep SSLProtocol /etc/httpd/conf.d/web.conf
SSLProtocol TLSv1.2
# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.2:
# service httpd restart
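As an added example complementing the nmap check in the answer above (this is not code from the answer), here is a POSIX shell probe that uses openssl s_client to attempt one handshake per TLS version with SNI set, together with the output parser it relies on. The parser deliberately reads the "New, <version>, Cipher is <suite>" line rather than the "Protocol :" line, because s_client prints the latter even when the handshake failed. The requirement for OpenSSL 1.1.0 or newer on the probing host, the @SECLEVEL=0 client cipher setting, and the sample output used below are assumptions of this example.

```shell
#!/bin/sh
# Probe a TLS server one protocol version at a time with openssl s_client and
# report which versions it still accepts. Added example for this thread; not
# code from any of the answers. Assumes OpenSSL 1.1.0 or newer on the probing
# host (for the -tls1_1/-tls1_2 flags and the @SECLEVEL cipher-string syntax).
# Host and port are whatever you pass in.

# negotiated_protocol: read s_client output on stdin, print the negotiated
# version, print nothing if the handshake failed.
# Trap: on failure s_client still prints an SSL-Session block whose
# "Protocol  :" line names the version the *client* asked for, so grepping
# that line reports TLS 1.0 as "supported" when it is not. The
# "New, <proto>, Cipher is <suite>" line is reliable: a failed handshake
# prints "New, (NONE), Cipher is (NONE)".
negotiated_protocol() {
    awk '/^(New|Reused), / && $NF != "(NONE)" { sub(/,$/, "", $2); print $2; exit }'
}

# flag_name FLAG: s_client version flag -> name used in the report
flag_name() {
    case "$1" in
        tls1)   echo TLSv1.0 ;;
        tls1_1) echo TLSv1.1 ;;
        tls1_2) echo TLSv1.2 ;;
        tls1_3) echo TLSv1.3 ;;
        *)      echo "$1" ;;
    esac
}

# probe_tls_versions HOST [PORT]
# One handshake per version. -servername sends SNI so the probe reaches the
# same VirtualHost a browser would. @SECLEVEL=0 keeps the *client* from
# refusing TLS 1.0/1.1 itself, which would otherwise look like a server
# rejection (assumption: needed on newer OpenSSL builds, harmless on older).
probe_tls_versions() {
    host=$1 port=${2:-443}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        name=$(flag_name "$flag")
        # Skip versions this openssl build has no flag for (e.g. -tls1_3 on
        # 1.1.0); otherwise the usage error would be misread as "rejected".
        if ! openssl s_client -help 2>&1 | grep -Eq -- "^[[:space:]]*-$flag([[:space:]]|$)"; then
            printf '%s: not testable with local openssl\n' "$name"
            continue
        fi
        got=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -"$flag" -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null \
              | negotiated_protocol)
        if [ -n "$got" ]; then
            printf '%s: accepted (server negotiated %s)\n' "$name" "$got"
        else
            printf '%s: rejected\n' "$name"
        fi
    done
}

# Usage: probe_tls_versions www.example.com 443
```

Run it against the host after every config change and restart; because it sends SNI for the name you give it, you can check each name-based VirtualHost separately instead of only the default one.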
I faced this problem too.
I couldn't disable TLSv1 or TLSv1.1 for just one VHost by configuring it within that VHost.
We found two solutions:
Since we run several IP addresses within one instance, I disabled TLSv1 and TLSv1.1 per IP address, and so for the defined VHosts too.
When we only configure strong ciphers, then it seems that only TLSv1.2 is available:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
Apache 2.4.23, OpenSSL 1.0.2.
Maybe someone can verify my observations.
You need to restart the Apache service using the following command to reflect the changes.
sudo service apache2 restart
The code below works fine for me; you can check this article for more details:
<VirtualHost *:443>
    ServerName www.yourdomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol +TLSv1.2
    SSLCertificateFile /etc/apache2/certificates/certificate.crt
    SSLCertificateKeyFile /etc/apache2/certificates/certificate.key
    SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt
</VirtualHost>