3

PCI DSS compliance states that by June 2016 TLSv1.0 must be disabled. My cursory search taught me that a -TLSv1 in the SSLProtocol portion of the Apache config would take care of it (right next to the -SSLv3). I have tried each of the following lines in my /etc/apache2/conf_available/https.conf, but to no avail. I cannot figure out why changing these protocols makes no difference on my server (Apache/2.4.25 on Ubuntu 16.04).

SSLProtocol -all -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.1 +TLSv1.2
SSLProtocol -TLSv1 +TLSv1.1 +TLSv1.2

Every time I test with https://www.ssllabs.com/ssltest/index.html, I get the same result: TLSv1 is never turned off. What am I missing here? Are the TLS versions dependent on each other?

Promising links that did not work for me:
http://utdream.org/post.cfm/how-to-disable-tlsv1-0-for-pci-compliance-in-apache-2-2
https://ubuntuforums.org/showthread.php?t=2288000

wruckie
  • 546
  • 5
  • 18

2 Answers

2

That just means the file you are configuring is not being loaded.

Try defining SSLProtocol TLSv1.2 in the main config file "apache2.conf" or whatever it is called.

When you use one of these "multifile" configuration schemes from a distro you need to have great control of what's happening behind the scenes. And Apache could not care less about files, it just cares about "context". So, define the above in server config context, and use "mod_info" if you need to be sure the directive is being loaded correctly.

ezra-s
  • 2,215
  • 1
  • 7
  • 13
0

It took me a long time to find my answer. I was using Let's Encrypt, and LE has a file in their directory that is seemingly loaded last, as the settings there override everything else.

/etc/letsencrypt/options-ssl-apache.conf

If you are using Let's Encrypt and Apache, pay special attention to what is in this file.

wruckie
  • 546
  • 5
  • 18
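An added example, not from the question or either answer: a small POSIX shell model of how mod_ssl evaluates an SSLProtocol value (an empty set to which "+X" adds, "-X" removes, and a bare "X" replaces everything accumulated so far), plus a check for which directive wins when several files land in the same server context, as with the Let's Encrypt options file. It assumes Apache 2.4.25 semantics, where "all" expands to SSLv3 TLSv1 TLSv1.1 TLSv1.2, and the sample config text and the options-file value are constructed for the demonstration.

```shell
#!/bin/sh
# sslprotocol_effective "<value>" -> enabled protocols, space separated.
# Assumption: Apache 2.4.25, so "all" = SSLv3 TLSv1 TLSv1.1 TLSv1.2.
sslprotocol_effective() {
    set -- $1                       # split the directive value into tokens
    enabled=" "
    for tok in "$@"; do
        case "$tok" in
            +*) action=+; name=${tok#+} ;;
            -*) action=-; name=${tok#-} ;;
            *)  action=""; name=$tok ;;
        esac
        case "$name" in
            all|ALL) members="SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            *)       members=$name ;;
        esac
        case "$action" in
            +) for m in $members; do                       # add if absent
                   case "$enabled" in *" $m "*) ;; *) enabled="$enabled$m " ;; esac
               done ;;
            -) for m in $members; do                       # remove if present
                   new=" "
                   for e in $enabled; do [ "$e" = "$m" ] || new="$new$e "; done
                   enabled=$new
               done ;;
            *) enabled=" "                                 # bare token replaces set
               for m in $members; do enabled="$enabled$m "; done ;;
        esac
    done
    set -- $enabled
    printf '%s\n' "$*"
}

# allows_tlsv1 "<value>" -> exit 0 if TLSv1.0 would still be negotiable.
allows_tlsv1() {
    case " $(sslprotocol_effective "$1") " in
        *" TLSv1 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# winning_sslprotocol "<config text>" -> value of the last non-comment
# SSLProtocol line, i.e. the one Apache applies when several files are loaded
# into the same server context (the later file silently overrides the earlier).
winning_sslprotocol() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' | tail -n 1
}

# Constructed sample: the admin's directive, then an options file loaded later.
CONSTRUCTED_CONFIG='SSLProtocol -all +TLSv1.2
# constructed stand-in for /etc/letsencrypt/options-ssl-apache.conf
SSLProtocol all -SSLv2 -SSLv3'
```

Calling `allows_tlsv1 "$(winning_sslprotocol "$CONSTRUCTED_CONFIG")"` succeeds here, which is exactly the symptom in the question: the admin's line is correct on its own, but the later directive is the one in force.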