Unable to disable TLSv1/TLSv1.1 in Apache 2.4.18
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed.
apache-http-server ssl
edited Jan 16 at 0:32
JakeGould
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
add a comment |
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed.
apache-http-server ssl
edited Jan 16 at 0:32
JakeGould
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
add a comment |
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed.
apache-http-server ssl
edited Jan 16 at 0:32
JakeGould
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed.
apache-http-server ssl
apache-http-server ssl
edited Jan 16 at 0:32
JakeGould
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
edited Jan 16 at 0:32
JakeGould
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
edited Jan 16 at 0:32
JakeGould
31.3k1096138
edited Jan 16 at 0:32
JakeGould
31.3k1096138
edited Jan 16 at 0:32
JakeGould
31.3k1096138
31.3k1096138
asked Jul 11 '18 at 12:40
elieli
1111
asked Jul 11 '18 at 12:40
elieli
1111
asked Jul 11 '18 at 12:40
elieli
1111
1111
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
Here is the appropriate configuration for what you describe.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g
You can reduce the list of cipher suites to the following:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2
edited Jan 16 at 0:34
JakeGould
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
add a comment |
In Apache, this will not take effect if you have Virtual Hosts enabled.
To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;
i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.
The common setting that does works for me is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
edited Jan 16 at 0:33
JakeGould
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
Here is the appropriate configuration for what you describe.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g
You can reduce the list of cipher suites to the following:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2
edited Jan 16 at 0:34
JakeGould
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
add a comment |
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
Here is the appropriate configuration for what you describe.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g
You can reduce the list of cipher suites to the following:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2
edited Jan 16 at 0:34
JakeGould
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
add a comment |
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
Here is the appropriate configuration for what you describe.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g
You can reduce the list of cipher suites to the following:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2
edited Jan 16 at 0:34
JakeGould
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.
Here is the appropriate configuration for what you describe.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g
You can reduce the list of cipher suites to the following:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2
edited Jan 16 at 0:34
JakeGould
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
edited Jan 16 at 0:34
JakeGould
31.3k1096138
edited Jan 16 at 0:34
JakeGould
31.3k1096138
edited Jan 16 at 0:34
JakeGould
31.3k1096138
31.3k1096138
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
answered Jul 11 '18 at 14:40
RamhoundRamhound
20.2k156085
20.2k156085
add a comment |
add a comment |
In Apache, this will not take effect if you have Virtual Hosts enabled.
To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;
i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.
The common setting that does works for me is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
edited Jan 16 at 0:33
JakeGould
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
add a comment |
In Apache, this will not take effect if you have Virtual Hosts enabled.
To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;
i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.
The common setting that does works for me is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
edited Jan 16 at 0:33
JakeGould
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
add a comment |
In Apache, this will not take effect if you have Virtual Hosts enabled.
To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;
i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.
The common setting that does works for me is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
edited Jan 16 at 0:33
JakeGould
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
In Apache, this will not take effect if you have Virtual Hosts enabled.
To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;
i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.
The common setting that does works for me is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLSessionTickets off
edited Jan 16 at 0:33
JakeGould
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
edited Jan 16 at 0:33
JakeGould
31.3k1096138
edited Jan 16 at 0:33
JakeGould
31.3k1096138
edited Jan 16 at 0:33
JakeGould
31.3k1096138
31.3k1096138
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
answered Jan 16 at 0:22
Heider SatiHeider Sati
1011
1011
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
