
I'm experiencing something odd on our load balancer: I've specifically disabled TLSv1, but the Qualys SSL Labs test indicates that TLSv1 is still active. For the next little while, until we complete a long migration, I'm stuck on HAProxy 1.4 (which doesn't do SSL termination, so it's configured to hand off to Apache) and Apache 2.2.15-31. We're also using mod_ssl 2.2.15-31, and it's all sitting on CentOS 6.5. I'm trying to do this so we don't break our PCI compliance at the end of the month.

I'm using the following SSL settings in our vhost...

  SSLEngine on
  SSLProtocol -all +TLSv1.1 +TLSv1.2
  SSLCompression Off
  SSLHonorCipherOrder on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

But the response back from Qualys is always...

TLS 1.2     Yes
TLS 1.1     Yes
TLS 1.0     Yes
SSL 3       No
SSL 2       No

Why is TLS 1.0 still active when I've disabled it and only enabled v1.1 and v1.2?

oucil

1 Answer


This appears to be a bug in Apache which doesn't allow you to specify TLS 1.1 and 1.2. See this answer and the related thread.

FaCE
  • Yeah, came across those discussions, but didn't notice anything saying it was a bug per se, but same outcome. Peachy. Even tried disabling TLSv1.1 and that had no effect either; it looks like it's all or nothing at this point. Hopefully they'll backport further features in the next few weeks, but I'm not holding my breath. – oucil Jun 14 '16 at 15:39
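The underlying lesson of this thread is that the SSLProtocol line is not evidence of what the server will negotiate; only a handshake is. The following script is an added example, not code from the question, the answer, or the Apache project. It probes a host from the shell with `openssl s_client` for each TLS 1.x version and reports what was actually negotiated, so the result can be compared with the SSL Labs table above. It assumes `openssl` is on PATH and that the host and port are given as command-line arguments; the sample outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example: check which TLS versions a server really accepts, instead of
# trusting the SSLProtocol directive. Assumes `openssl s_client` is available.

# Interpret the captured output (stdout+stderr) of one `openssl s_client` run.
# Prints:
#   "<protocol> (<cipher>)"  when a handshake completed,
#   "refused"                when the server did not complete the handshake,
#   "client-unsupported"     when the local OpenSSL itself will not speak that
#                            version (e.g. OpenSSL 3 at its default security
#                            level), so the probe says nothing about the server.
handshake_result() {
    case "$1" in
        *"no protocols available"*)
            echo client-unsupported
            return
            ;;
    esac
    # s_client prints an SSL-Session block such as (constructed sample):
    #     Protocol  : TLSv1
    #     Cipher    : ECDHE-RSA-AES256-SHA
    # A failed handshake still prints the block, but with "Cipher    : 0000".
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != 0000 ]; then
        echo "${proto:-unknown} ($cipher)"
    else
        echo refused
    fi
}

# Try TLS 1.0, 1.1 and 1.2 in turn against HOST:PORT and print one line each.
# The -tls1, -tls1_1 and -tls1_2 flags exist from OpenSSL 1.0.1 onwards.
probe_tls() {
    host=$1
    port=${2:-443}
    for flag in tls1 tls1_1 tls1_2; do
        out=$(echo | openssl s_client -connect "$host:$port" \
                  -servername "$host" "-$flag" 2>&1)
        printf '%-8s %s\n' "$flag" "$(handshake_result "$out")"
    done
}

# Only probe when a host was supplied, so the file can also be sourced.
if [ $# -ge 1 ]; then
    probe_tls "$@"
fi
```

Run it as `sh probe_tls.sh lb.example.com 443` from a machine outside the load balancer. A line reading `tls1     TLSv1 (...)` confirms what SSL Labs reported; a `client-unsupported` result means the probing machine's own OpenSSL is too strict to test that version and a different client (or `-cipher 'DEFAULT:@SECLEVEL=0'` on OpenSSL 1.1+) is needed for a conclusive answer.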