How to disable TLS 1.0, TLS 1.1 on Apache
Ask Ubuntu Asked by Eranga Kapukotuwa on January 18, 2021
I have enabled TLS 1.2 in my web server. But the http://ssllabs.com indicates that, I have enabled TLS 1.0 and 1.1 versions along with the TLS1.2 in my server. I modified my configurations files to disable 1.0 and 1.1 from my server. But it doesn’t help.
/etc/apache2/mods-enabled/ssl.conf
SSLCipherSuite HIGH:!SSLv3:!kRSA:!kECDH:!ADH:!DSS
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.2
I have multiple virtual hosts in my Apache server. In each file, I have the following configuration.
SSLEngine On
SSLProtocol -all +TLSv1.2
SSLCertificateFile /etc/ssl/certs/certfile.pem
SSLCertificateKeyFile /etc/ssl/private/certfile.pem
3 Answers
Letsencrypt by default will write this in /etc/letsencrypt/options-ssl-apache.conf .
Check to make sure is included in your server configuration.
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
Open this file and edit as below.
SSLEngine on
#we comment out whatever Letsencrypt give here
#SSLProtocol all -SSLv2 -SSLv3
#We disabled TLS 1.0/1.1 and SSL 2.0/3.0 here
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#Comment out whatever Letsencrypt give by default for SSLCipherSuite
#SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 .....
#Add this line instead of what Letsencrypt added as SSLCipherSuite
#This is to ensure the use of SSL encryption with a high degree of protection.
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLCompression off
Go back to the SSL Server Test and Clear Cache. Then re-run the Test
Answered by ShapCyber on January 18, 2021
With a current Ubuntu 18.04 LTS, we have Apache 2.4.29 and the problem is not reproducible.
The following configuration in /etc/apache2/sites-enables/default-ssl.conf switches off the unwanted protocol versions:
# Suppress TLSv1.0 and TLS v1.1
SSLProtocol +TLSV1.2 +TLSv1.3
I put it close to the end of the file before </VirtualHost>.
Answered by jk - Reinstate Monica on January 18, 2021
Look in the /etc/letsencrypt/ folder for a configuration file. Let's Encrypt adds an entry in the sites-enabled/-le-ssl.conf file:
Include /etc/letsencrypt/options-ssl-apache.conf
You will need to update the SSLProtocol & SSLCipherSuite directives in that file too.
Answered by bernieDog on January 18, 2021
Add your own answers!
Ask a Question
Get help from others!
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?
Recent Answers
- haakon.io on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Peter Machado on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?