SSL – How to Disable TLSv1 in Apache 2.4 for PCI-DSS Compliance

Tags: apache-2.4, pci-dss, ssl

What is the best way to see where my SSLProtocols might be overridden on a CentOS 7 server? Apache 2.4.6 (realizing this is quite old as well, so I'll have to update this off hours and see if it fixes the issue).

I'm trying to disable TLSv1 using this Apache directive in my config root (/etc/httpd/conf/httpd.conf):

SSLProtocol -all +TLSv1.1 +TLSv1.2

Yet when I run nmap --script ssl-enum-ciphers -p 443 <mysite.com>, it shows that TLSv1 is still enabled:

ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server 

The SSL Labs test reveals the same thing.

No other SSLProtocol directives are provided in the virtual host.

After that I decided to just search all config files using this command: sudo grep -rnw '/etc/httpd' -e 'SSLProtocol'. It revealed the following locations:

/etc/httpd/conf/httpd.conf:359:SSLProtocol -all +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:74:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf:227:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf:257:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf.rpmnew:75:SSLProtocol all -SSLv2 -SSLv3

So I went into the ssl.conf file and changed line 74 to match, but the issue still persists. Lines 227 and 257 are for two virtual hosts that I'm not currently testing but will update later.

EDIT:
Even though the remaining two lines were for Virtual Hosts, granted the answers about the OpenSSL bug, I changed all references to SSLProtocol -all +TLSv1.1 +TLSv1.2 and restarted my server but nothing has changed. Why would this be? I'm wondering if it's a bug in Apache 2.4.6 itself.

Best Answer

I managed to solve this and it was definitely an unexpected fix. The fact that Virtual Hosts inherit their siblings' settings is a bad decision in my opinion, especially that the global file settings don't take precedence. I found this issue on Bugzilla and was going through it when later on someone mentioned that Let's Encrypt has an isolated file, /etc/letsencrypt/options-ssl-apache.conf; within this file there is a setting:

SSLProtocol             all -SSLv2 -SSLv3

Certbot automatically installs a reference to this file in the virtual host configuration, and that cert happened to be installed on the first Virtual Host in my server configuration. I changed it to match my previous setting of SSLProtocol -all +TLSv1.1 +TLSv1.2 and it worked perfectly.
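An added example, not part of the question or answer above: a small Python audit script that walks httpd.conf, follows Include/IncludeOptional globs (so a certbot-installed options-ssl-apache.conf is found as well), records which <VirtualHost> each SSLProtocol directive sits in, and evaluates the directive's arguments the way mod_ssl does, so that a directive which still leaves TLSv1 enabled stands out with its file, line and scope. The protocol set that "all" expands to and the sample config tree in build_sample_tree() are assumptions made for this example.

```python
import glob, os, re, shlex, tempfile

# "all" in mod_ssl 2.4.x before TLSv1.3 (assumed here); "+x" adds, "-x" removes, bare x replaces.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def effective_protocols(args):
    enabled = set()
    for tok in args:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        protos = ALL if name.lower() == "all" else {name}
        enabled = (enabled | protos if action == "+" else
                   enabled - protos if action == "-" else set(protos))
    return enabled

def find_sslprotocol(path, root, scope="global"):
    """Yield (file, line, scope, protocols) per directive; follows Include globs."""
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if m := re.match(r"<(/?)VirtualHost\b([^>]*)>", line, re.I):
                scope = "global" if m.group(1) else "vhost " + m.group(2).strip()
                continue
            words = shlex.split(line, comments=True)
            if words and words[0].lower() in ("include", "includeoptional"):
                for inc in sorted(glob.glob(os.path.join(root, words[1]))):
                    yield from find_sslprotocol(inc, root, scope)
            elif words and words[0].lower() == "sslprotocol":
                yield path, lineno, scope, effective_protocols(words[1:])

def tls1_still_enabled(root, main_conf="conf/httpd.conf"):
    """(file, line, scope) of every directive that still leaves TLSv1 on."""
    return [(os.path.relpath(f, root), n, s)
            for f, n, s, p in find_sslprotocol(os.path.join(root, main_conf), root)
            if "TLSv1" in p]

def build_sample_tree():
    """Constructed tree mirroring the question; certbot's real Include is absolute."""
    root = tempfile.mkdtemp()
    files = {
        "conf/httpd.conf": "SSLProtocol -all +TLSv1.1 +TLSv1.2\nIncludeOptional conf.d/*.conf\n",
        "conf.d/ssl.conf": "SSLProtocol -all +TLSv1.1 +TLSv1.2\n<VirtualHost _default_:443>\n"
                           "Include letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n",
        "letsencrypt/options-ssl-apache.conf": "SSLProtocol             all -SSLv2 -SSLv3\n",
    }
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(text)
    return root
```

On a real CentOS 7 host, tls1_still_enabled("/etc/httpd") runs the same walk against the live tree (the absolute /etc/letsencrypt include resolves as-is), while tls1_still_enabled(build_sample_tree()) reproduces the question's situation offline and reports only the Let's Encrypt file inside the first virtual host.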