Apache 2.4 OpenSSL – How to Disable Everything but TLSv1.2 on Ubuntu 16.04

apache-2.4opensslubuntu-16.04

i am having a little issue with my Server. I want to Disable tlsv1 and tlsv1.1 but… My settings don't take hold. I specified the protocols in mod_ssl and tried to set them in the openssl config file, but to no avail.

Here are some configuration excerpts with hope that someone can point me to a solution. It's driving me nuts…

apache2/mods-available/ssl.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

If more information are required, do not hesitate to ask.

Best regards!

Best Answer

Try: SSLProtocol -all +TLSv1.2

Related Solutions

Ubuntu – Install openssl-dev on Ubuntu server

If the likelihood that the dependencies for the version of a package that is in the release of Ubuntu (or other Debian derived arrangements) is the same as the deps for the version you are trying to build, you could run apt-get build-dep nginx or aptitude build-dep nginx - this will not install the nginx package but will instead install all those listed as dependencies (and their dependencies, as usual) which includes libssl-dev (the package that you are currently looking for).

In most cases this will allow the build of the other (presumably newer) version to be completed successfully, and it saves you installing each library and its header files one by one yourself. Even if there are new dependencies in the other version you are trying to build, build-dep <package> is a good place to start as it means that you only have to manually install the extra new dependencies.

As an example, the result on one of my servers is:

user@host:~$ sudo aptitude build-dep nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initialising package states... Done
The following NEW packages will be installed:
  autotools-dev cvs{a} debhelper gettext{a} html2text{a} intltool-debian{a}
  libcroco3{a} libmail-sendmail-perl{a} libpcre3-dev libpcrecpp0{a}
  libssl-dev libsys-hostname-long-perl{a} po-debconf{a} zlib1g-dev
0 packages upgraded, 14 newly installed, 0 to remove and 19 not upgraded.
Need to get 7,217kB of archives. After unpacking 22.9MB will be used.
Do you want to continue? [Y/n/?]

It is intending to install some libraries and headers, to enable an nginx build, but not nginx itself.

One thing to note is that if you are compiling your own copy because you want different build options rather than needing a different version for some reason, you may be better of compiling from the repository's source for the package rather than using the upstream sources directly. This SO question is the first useful page that came out of a quick search, though you are likely to find more detailed tutorials easily if you need that.

_{An other small thing to note: the packages installed as a result of apt-get build-dep will be marked as manually installed as if you have done this by hand as you are currently doing. That means you can't remove them all in one go (there is no apt-get unintall-dep or similar) - though that is no different from the situation you'll get from manual library/header installs anyway (I only mention the fact as some people expect there to be a one-step way to undo a build-dep operation, and there is not).}

How to enable SSI in Ubuntu 16.04

You need to enable mod_include, execute this form terminal:

sudo a2enmod include 
sudo systemctl restart apache2

Best Answer

Related Solutions

Ubuntu – Install openssl-dev on Ubuntu server

How to enable SSI in Ubuntu 16.04

Related Topic