SSL – How to Disable TLS 1.0 and 1.1 in Apache

apache-2.4pci-dssssl

Does anyone know why i can't disable tls 1.0 and tls1.1 by updating the config to this.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

After doing this, i reload apache I do an ssl scan using ssllabs or comodo ssl tool, and it still says tls 1.1 and 1.0 are supported. I would like to remove these?

Best Answer

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI) it is an allowed syntax to have a SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS¹.

So check your main httpd.conf (and all included snippets from for instance conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

You syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

by simply using:

 SSLProtocol TLSv1.2

Related Solutions

Apache – How to Disable TLS 1.1 & 1.2 in Apache

Intrigued by this bug (and yes, I've been able to reproduce it) I've taken a look at the source code for the latest stable version of mod_ssl and found an explanation. Bear with me, this is gonna get amateur-stack-overflowish:

When the SSLProtocol has been parsed, it results in a char looking something like this:

0 1 0 0
^ ^ ^ ^
| | | SSLv1
| | SSLv2
| SSLv3
TLSv1

Upon initiating a new server context, ALL available protocols will be enabled, and the above char is inspected using some nifty bitwise AND operations to determine what protocols should be disabled. In this case, where SSLv3 is the only protocol to have been explicitly enabled, the 3 others will be disabled.

OpenSSL supports a protocol setting for TLSv1.1, but since the SSLProtocol does not account for this options, it never gets disabled. OpenSSL v1.0.1 has some known issues with TLSv1.2 but if it's supported I suppose the same goes for that as for TLSv1.1; it's not recognized/handled by mod_ssl and thus never disabled.

Source Code References for mod_ssl:

SSLProtocol gets parsed at line 925 in pkg.sslmod/ssl_engine_config.c
The options used in the above function is defined at line 444 in pkg.sslmod/mod_ssl.h
All protocols gets enabled at line 586 in pkg.sslmod/ssl_engine_init.c whereafter specific protocols gets disabled on the subsequent lines

How to disable it then?

You have a few options:

Disable it in the OpenSSL config file with:
Protocols All,-TLSv1.1,-TLSv1.2
Rewrite mod_ssl ;-)

Nginx – How to Disable TLSv1.0 and TLSv1.1 in Nginx

From the nginx documentation for ssl_protocols directive:

The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled.`

On newer versions this can be verified by using the openssl commands as follows:

Verify that TLS v1.2 is supported: openssl s_client -tls1_2 -connect example.org:443 < /dev/null
Verify that TLS v1.1 is not supported: openssl s_client -tls1_1 -connect example.org:443 < /dev/null
Verify that TLS v1.0 is not supported: openssl s_client -tls1 -connect example.org:443 < /dev/null

If the nginx configuration includes only ssl_protocols TLSv1.2 directive then only TLSv1.2 is supported. If ssl_protocols TLSv1.1 and TLSv1.2 is configured, then only TLSv1.1 and TLSv1.2 are supported. Tested with openssl 1.0.1e and nginx 1.6.2.