Server Bug Fix: How can I disable TLS 1.0 and 1.1 in apache?

Original Source Link

Does anyone know why i can’t disable tls 1.0 and tls1.1 by updating the config to this.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

After doing this, i reload apache I do an ssl scan using ssllabs or comodo ssl tool, and it still says tls 1.1 and 1.0 are supported. I would like to remove these?

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI) it is an allowed syntax to have a SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS1.

So check your main httpd.conf (and all included snippets from for instance conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

You syntax is correct, although I agree with ezra-s’ answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

by simply using:

 SSLProtocol TLSv1.2

that you have specified is enough, it shouldn’t show any other protocols. Remember SSLLABS caches recent tests. Although knowing that there are no other protocols defining it like you did is kind of convoluted on purpose.

In any case you can use that or simply:

SSLProtocol TLSv1.2

I was struggling with this issue as well, modifying configs with the SSLProtocol directive wasn’t working. I ended up adding the following to my virtual host configuration:

SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"

Which worked perfectly. You can read more about the SSLOpenSSLConfCmd directive here.

Disable TLS1.0 version in Apache.

If you have multiple virtual hosting then you have to update all configurations file, otherwise,ssl.conf is enough.

To check TSL supporting version:

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Modify the Apache configuration file vi /etc/httpd/conf.d/web.conf remove all TLS and allow only TLS1.2.

SSLProtocol TLSv1.2

Validate after the modification.

# grep SSLProtocol /etc/httpd/conf.d/web.conf
SSLProtocol TLSv1.2

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.2:
# service httpd restart

I faced this problem too.
I couldn’t disable TLSv1 or TLSv1.1 for just one VHost by configuring it within this Vhost.

We found two solution:

1 –

Since we run several IP addresses within one Instance I disabled TLSv1 and TLSv1.1 per IP address, and so for the defined Vhosts too.

2 –

When we only configure strong ciphers, then it seams that only TLSv1.2 is available

  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLHonorCipherOrder on

Apache 2.4.23, openssl 1.0.2.

Maybe someone can verify my observations.

You need to restart the Apache service using the following command to reflect the changes.

sudo service apache2 restart

Below code will work fine for me, you can check this article to get more details,
https://karthikekblog.com/how-to-disable-enable-ssl-tls-protocols-in-ubentu-apache-linux-server/

<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLProtocol +TLSv1.2
SSLCertificateFile /etc/apache2/certificates/certificate.crt
SSLCertificateKeyFile /etc/apache2/certificates/certificate.key 
SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt
</VirtualHost>

Tagged : / /

Leave a Reply

Your email address will not be published. Required fields are marked *