Does anyone know why I can't disable TLS 1.0 and TLS 1.1 by updating the config to this:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
After doing this, I reload Apache and do an SSL scan using SSL Labs or the Comodo SSL tool, and it still says TLS 1.1 and 1.0 are supported. I would like to remove these.
Best Answer
When you have multiple TLS VirtualHosts and use Server Name Indication (SNI), it is allowed syntax to have an SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts, in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS. So check your main httpd.conf (and all included snippets, for instance from conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.
Your syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:
by simply using:
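The check the answer recommends, finding every SSLProtocol directive across httpd.conf and its included snippets, as an added shell example that is not part of the original answer. It assumes the Apache configuration root is passed as the first argument (for example /etc/httpd or /etc/apache2); the sample tree built by demo_tree is constructed here purely to show the output on a deliberately conflicting setup.

```shell
#!/bin/sh
# Added example: locate every active SSLProtocol directive under an Apache
# configuration tree so that a stray second occurrence (which would silently
# win or lose against the one you edited) is easy to spot.
# Assumption: $1 is the configuration root, e.g. /etc/httpd or /etc/apache2.

find_sslprotocol() {
    # Apache directives are case-insensitive, hence -i. The anchored pattern
    # skips commented-out lines such as "# SSLProtocol all". Note that grep's
    # file order is not Apache's Include order; the goal is to list them all.
    grep -rniE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" --include='*.conf' 2>/dev/null
}

# Number of active SSLProtocol directives; anything above 1 deserves a look,
# because only the first one parsed applies to name-based TLS vhosts.
count_sslprotocol() {
    find_sslprotocol "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real server) with a conflicting directive in
# an included snippet; returns the temporary directory path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf 'Include conf.d/*.conf\n<VirtualHost *:443>\n    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n</VirtualHost>\n' > "$d/httpd.conf"
    printf '# SSLProtocol all\nSSLProtocol all -SSLv2 -SSLv3\n' > "$d/conf.d/ssl.conf"
    echo "$d"
}

# Usage: sh find_sslprotocol.sh /etc/httpd
if [ $# -gt 0 ]; then
    find_sslprotocol "$1"
    echo "active SSLProtocol directives: $(count_sslprotocol "$1")"
fi
```

Run it against the real configuration root; two or more hits means a second directive (here, the one in conf.d/ssl.conf that still allows TLS 1.0 and 1.1) is competing with the one you edited, which is exactly the symptom described in the question.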