Unable to disable TLSv1/TLSv1.1 in Apache 2.4.18












2















A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



SSLProtocol TLSv1.2


Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1


None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



I have no idea how to proceed.










share|improve this question





























    2















    A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



    I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



    SSLProtocol TLSv1.2


    Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



    SSLProtocol -all +TLSv1.2
    SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
    SSLProtocol +all -TLSv1.1 -TLSv1


    None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



    I have no idea how to proceed.










    share|improve this question



























      2












      2








      2








      A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



      I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



      SSLProtocol TLSv1.2


      Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



      SSLProtocol -all +TLSv1.2
      SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
      SSLProtocol +all -TLSv1.1 -TLSv1


      None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



      I have no idea how to proceed.










      share|improve this question
















      A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



      I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



      SSLProtocol TLSv1.2


      Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



      SSLProtocol -all +TLSv1.2
      SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
      SSLProtocol +all -TLSv1.1 -TLSv1


      None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



      I have no idea how to proceed.







      apache-http-server ssl






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 16 at 0:32









      JakeGould

      31.3k1096138




      31.3k1096138










      asked Jul 11 '18 at 12:40









      elieli

      1111




      1111






















          2 Answers
          2






          active

          oldest

          votes


















          1















          A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




          Here is the appropriate configuration for what you describe.



          SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
          SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
          SSLHonorCipherOrder on
          SSLCompression off
          SSLSessionTickets off


          Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



          You can reduce the list of cipher suites to the following:



          SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


          Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






          share|improve this answer

































            0














            In Apache, this will not take effect if you have Virtual Hosts enabled.



            To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



            i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



            The common setting that does works for me is:



            SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
            SSLHonorCipherOrder on
            SSLSessionTickets off





            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              1















              A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




              Here is the appropriate configuration for what you describe.



              SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
              SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
              SSLHonorCipherOrder on
              SSLCompression off
              SSLSessionTickets off


              Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



              You can reduce the list of cipher suites to the following:



              SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


              Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






              share|improve this answer






























                1















                A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                Here is the appropriate configuration for what you describe.



                SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                SSLHonorCipherOrder on
                SSLCompression off
                SSLSessionTickets off


                Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                You can reduce the list of cipher suites to the following:



                SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






                share|improve this answer




























                  1












                  1








                  1








                  A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                  Here is the appropriate configuration for what you describe.



                  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                  SSLHonorCipherOrder on
                  SSLCompression off
                  SSLSessionTickets off


                  Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                  You can reduce the list of cipher suites to the following:



                  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                  Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






                  share|improve this answer
















                  A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                  Here is the appropriate configuration for what you describe.



                  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                  SSLHonorCipherOrder on
                  SSLCompression off
                  SSLSessionTickets off


                  Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                  You can reduce the list of cipher suites to the following:



                  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                  Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Jan 16 at 0:34









                  JakeGould

                  31.3k1096138




                  31.3k1096138










                  answered Jul 11 '18 at 14:40









                  RamhoundRamhound

                  20.2k156085




                  20.2k156085

























                      0














                      In Apache, this will not take effect if you have Virtual Hosts enabled.



                      To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                      i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                      The common setting that does works for me is:



                      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                      SSLHonorCipherOrder on
                      SSLSessionTickets off





                      share|improve this answer






























                        0














                        In Apache, this will not take effect if you have Virtual Hosts enabled.



                        To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                        i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                        The common setting that does works for me is:



                        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                        SSLHonorCipherOrder on
                        SSLSessionTickets off





                        share|improve this answer




























                          0












                          0








                          0







                          In Apache, this will not take effect if you have Virtual Hosts enabled.



                          To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                          i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                          The common setting that does works for me is:



                          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                          SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                          SSLHonorCipherOrder on
                          SSLSessionTickets off





                          share|improve this answer















                          In Apache, this will not take effect if you have Virtual Hosts enabled.



                          To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                          i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                          The common setting that does works for me is:



                          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                          SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                          SSLHonorCipherOrder on
                          SSLSessionTickets off






                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Jan 16 at 0:33









                          JakeGould

                          31.3k1096138




                          31.3k1096138










                          answered Jan 16 at 0:22









                          Heider SatiHeider Sati

                          1011




                          1011






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Super User!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

                              Mangá

                              Eduardo VII do Reino Unido