Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Disabling TLS 1.0 in Apache 2.4

Tags:

apache

tls1.0

I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.

In my virtual host file, I used the following directive:

SSLProtocol all -TLSv1 -SSLv3

That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:

SSLProtocol +TLSv1.1 +TLSv1.2

Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:

grep -R 'SSLProtocol' .

I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!

like image 711
TedF Avatar asked Apr 16 '17 13:04

TedF


Video Answer


1 Answers

In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:

/etc/letsencrypt/options-ssl-apache.conf

Bug 60739 - SSLProtocol settings seem to have no effect

like image 187
Shanebe Avatar answered Sep 25 '22 00:09

Shanebe