54

Does anyone know why I can't disable TLS 1.0 and TLS 1.1 by updating the config to this:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

After doing this, I reload Apache and do an SSL scan using SSL Labs or the Comodo SSL tool, and it still says TLS 1.1 and 1.0 are supported. I would like to remove these.

David

8 Answers

72

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI), it is allowed syntax to have an SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts, in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS.

So check your main httpd.conf (and all included snippets, for instance from conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

Your syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

by simply using:

 SSLProtocol TLSv1.2
HBruijn
  • This all makes sense; however, I did what you recommended. I grep'd my /etc/httpd directory for all references to "SSLProtocol". I then updated it to SSLProtocol TLSv1.2, then did a restart, and it still shows that TLS 1.0 and 1.1 are supported. I also tried it on another one of my servers and had the same issue. Any ideas? – David May 04 '17 at 23:09
  • 2
    False alarm, this was indeed cached by comodo and ssllabs reports. It seems to be reporting correctly now. Thank you. – David May 04 '17 at 23:25
  • 9
    I think I would recommend using "all" with minus for the protocols you don't want. Future versions of apache define "all" differently as new standards are developed and old standards are found to be insecure. – bobpaul Oct 20 '17 at 21:56
  • 19
    if you are using Letsencrypt, do not forget to check `/etc/letsencrypt/options-ssl-apache.conf` – Memes Nov 25 '19 at 09:15
  • 2
    As `/etc/letsencrypt/options-ssl-apache.conf` is outside of `/etc/apache`, it is easily overlooked by anyone relying on `grep -r`. I just ran into that problem myself and therefore cannot emphasize @Memes' statement enough. – Marcel Waldvogel Jul 27 '20 at 13:02
  • 5
    I would not use the `SSLProtocol TLSv1.2` variant, as it will miss new TLS protocols when they come. You will have to remember that somewhere you explicitly set the protocol, and have to add the new one once TLSv1.4 comes. It's not future-proof. – Vincas Dargis Sep 10 '20 at 05:43
  • I was going to say the same thing as Vincas: don't limit yourself to one protocol. It will bite you down the road. – mikebabcock Dec 04 '20 at 20:32
11

The directive that you have specified is enough; it shouldn't show any other protocols. Remember SSL Labs caches recent tests. Although, knowing that there are no other protocols, defining it like you did is kind of convoluted on purpose.

In any case you can use that or simply:

SSLProtocol TLSv1.2
ezra-s
  • Is there any difference if you specify `-ALL +TLSv1.2`? – Chazy Chaz Sep 05 '17 at 10:43
  • "All" expands to "+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2". I don't see a benefit to using "-All". Actually, from the documentation it's not clear that "-all" is even valid syntax. You can do [+/-]protocol but all isn't a protocol: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html – bobpaul Oct 20 '17 at 21:35
  • 3
    `SSLProtocol TLSv1.2` is indeed shorter than the common approach with negative lists of outdated protocols. However, you will not be able to automatically take advantage of newer protocols like TLSv1.3. – Marcel Waldvogel Jul 27 '20 at 12:31
8

I was struggling with this issue as well; modifying configs with the SSLProtocol directive wasn't working. I ended up adding the following to my virtual host configuration:

SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"

This worked perfectly. You can read more about the SSLOpenSSLConfCmd directive here.

fanderbiles
7

Disable TLS 1.0 in Apache.

If you have multiple virtual hosts, then you have to update all configuration files; otherwise, ssl.conf is enough.

To check the supported TLS versions:

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Modify the Apache configuration file (vi /etc/httpd/conf.d/web.conf), remove all TLS versions and allow only TLS 1.2.

SSLProtocol TLSv1.2

Validate after the modification.

# grep SSLProtocol /etc/httpd/conf.d/web.conf
SSLProtocol TLSv1.2

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.2:
# service httpd restart
Daniele Santi
2

You can enable both TLS 1.2 and 1.3 this way and have everything deprecated disabled.

  SSLProtocol +TLSv1.2 +TLSv1.3
  SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES

cdn77.com/tls-test result

Mathieu J.
0

There are a lot of fine answers here, but they did not work for me or were actually overkill. The following suggestions were tested on Ubuntu 16.04 with Apache 2.

A key observation is that the first virtual host on that port dictates the setting... even if its configuration doesn't explicitly specify an SSLProtocol value.

To determine the first virtual host:

bash
source /etc/apache2/envvars
apache2 -t -D DUMP_VHOSTS
exit

On CentOS, only one line will probably be needed:

httpd -t -D DUMP_VHOSTS

When you do this you should see a list of the virtual hosts, and it might include a 443 section something like:

*:443                  is a NameVirtualHost
     default server example.com (/etc/apache2/sites-enabled/example.com-le-ssl.conf:2)
     port 443 namevhost sample.com (/etc/apache2/sites-enabled/sample.com-le-ssl.conf:2)
     port 443 namevhost another.org (/etc/apache2/sites-enabled/another.org-le-ssl.conf:2)
     port 443 namevhost lucky.com (/etc/apache2/sites-enabled/lucky.com-le-ssl.conf:2)
             alias test15a.zzzzpost.com

When you see this, you might find that it's sufficient to update the SSLProtocol config for just that "default server" virtual host.

Another complication that you might run into with earlier suggestions is that if you grep for occurrences of SSLProtocol in your /etc/apache2/ or /etc/httpd/ tree, you will not find configuration in other parts of your file system. This can be important if your configuration has Include directives. For example, if you've used the Let's Encrypt installer, it often adds these:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mydomain.com
    ...
    Include /etc/letsencrypt/options-ssl-apache.conf
    ...
</VirtualHost>

So my suggestions are:

1. Determine the first virtual host on the given port. See my example above
   for details.
2. Inspect the configuration for that virtual host carefully.
   a. If you find that config file explicitly sets SSLProtocol, make your change there.
   b. If not, but you find it includes a config file that is setting SSLProtocol,
      consider setting it there.
   c. Otherwise, it's likely that setting it in your ssl.conf file would work.
   d. If not, consider creating your own config file with your SSLProtocol setting
      and including it in this first virtual host config, and possibly all virtual
      host configs.

As mentioned by others, the configuration you want is

SSLProtocol             TLSv1.2

After you make your change, you can quickly confirm it via:

systemctl reload apache2
# This ^^^ must be done before vvvv
nmap --script ssl-enum-ciphers -p 443 sample.com | grep TLSv

If you've been successful, this lists only TLSv1.2.

jasonnet
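The two pitfalls raised above, that the first virtual host on the port decides the protocol set (jasonnet) and that `grep -r` over /etc/apache2 misses snippets pulled in by Include from elsewhere, such as `/etc/letsencrypt/options-ssl-apache.conf` (HBruijn's answer and its comments), can be checked together with a small script. This is an added example, not code from any answer on this page; the function names and the sample configuration files and DUMP_VHOSTS output are constructed, and it assumes name-based virtual hosts and absolute paths in Include directives.

```shell
#!/usr/bin/env bash
# Trace which SSLProtocol setting really applies on a TLS port.
# default_vhost_conf PORT reads `apachectl -t -D DUMP_VHOSTS` output on stdin
# and prints the config file of the "default server": the first name-based
# vhost on that port, whose SSLProtocol is used for every SNI vhost behind it.
default_vhost_conf() {
  awk -v port="$1" '
    $1 ~ (":" port "$") && /NameVirtualHost/ { inport = 1; next }
    inport && $1 == "default" { gsub(/^\(|:[0-9]+\)$/, "", $4); print $4; exit }
    /^[^ \t]/ { inport = 0 }'
}

# sslprotocol_walk FILE prints every SSLProtocol directive reachable from FILE,
# in config order (the first one wins), following Include/IncludeOptional with
# absolute paths or globs, so a snippet outside /etc/apache2 is not missed.
sslprotocol_walk() {
  local f=$1 line n rest d inc
  grep -n -i -E '^[[:space:]]*(SSLProtocol|Include|IncludeOptional)[[:space:]]' "$f" |
  while IFS= read -r line; do
    n=${line%%:*}; rest=${line#*:}
    set -- $rest; d=$(printf %s "$1" | tr A-Z a-z); shift   # $@ = directive arguments
    case $d in
      sslprotocol) printf '%s:%s: SSLProtocol %s\n' "$f" "$n" "$*" ;;
      *) for inc in "$@"; do [ -f "$inc" ] || continue; sslprotocol_walk "$inc"; done ;;
    esac
  done
}

# Constructed demo (no real system): the winning vhost sets nothing itself but
# Includes a Let's Encrypt style snippet stored outside the Apache tree, while
# an unrelated vhost sets TLSv1.2 that never takes effect on :443.
demo_trace() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/apache2/sites-enabled" "$root/letsencrypt"
  printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' >"$root/letsencrypt/options-ssl-apache.conf"
  printf '<VirtualHost *:443>\n  ServerName example.com\n  Include %s/letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n' \
    "$root" >"$root/apache2/sites-enabled/example.com-le-ssl.conf"
  printf 'SSLProtocol TLSv1.2\n' >"$root/apache2/sites-enabled/other.conf"
  local dump conf
  dump=$(printf '*:443  is a NameVirtualHost\n  default server example.com (%s/apache2/sites-enabled/example.com-le-ssl.conf:1)\n  port 443 namevhost other.com (%s/apache2/sites-enabled/other.conf:1)\n' "$root" "$root")
  conf=$(printf '%s\n' "$dump" | default_vhost_conf 443)
  sslprotocol_walk "$conf" | sed "s#$root/##"   # strip the temp prefix for readable output
  rm -rf "$root"
}
demo_trace   # prints: letsencrypt/options-ssl-apache.conf:2: SSLProtocol all -SSLv2 -SSLv3
```

On a real server, feed it the actual dump: `apachectl -t -D DUMP_VHOSTS 2>&1 | default_vhost_conf 443 | xargs -I{} bash -c 'sslprotocol_walk {}'` after sourcing the script, and the first line printed is the directive that is in force.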
0

I faced this problem too. I couldn't disable TLSv1 or TLSv1.1 for just one VHost by configuring it within this VHost.

We found two solutions:

1 -

Since we run several IP addresses within one instance, I disabled TLSv1 and TLSv1.1 per IP address, and so for the defined VHosts too.

2 -

When we only configure strong ciphers, it seems that only TLSv1.2 is available:

  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLHonorCipherOrder on

Apache 2.4.23, OpenSSL 1.0.2.

Maybe someone can verify my observations.

JSiegele
-1

You need to restart the Apache service using the following command to reflect the changes.

sudo service apache2 restart

The code below works fine for me; you can check this article for more details: https://karthikekblog.com/how-to-disable-enable-ssl-tls-protocols-in-ubentu-apache-linux-server/

<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLProtocol +TLSv1.2
SSLCertificateFile /etc/apache2/certificates/certificate.crt
SSLCertificateKeyFile /etc/apache2/certificates/certificate.key
SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt
</VirtualHost>
Karthik
  • This will not disable anything. It will only enable TLSv1.2. And how to restart varies from distribution to distribution, and even between versions in the same distribution. – Gerald Schneider Nov 13 '19 at 10:09