Unable to disable TLSv1/TLSv1.1 in Apache 2.4.18












2















A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



SSLProtocol TLSv1.2


Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



SSLProtocol -all +TLSv1.2

SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1

SSLProtocol +all -TLSv1.1 -TLSv1


None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



I have no idea how to proceed.






apache-http-server ssl







share|improve this question





























    2















    A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



    I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



    SSLProtocol TLSv1.2


    Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



    SSLProtocol -all +TLSv1.2
    
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
    
SSLProtocol +all -TLSv1.1 -TLSv1


    None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



    I have no idea how to proceed.






    apache-http-server ssl







    share|improve this question



























      2












      2








      2








      A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



      I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



      SSLProtocol TLSv1.2


      Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



      SSLProtocol -all +TLSv1.2
      
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
      
SSLProtocol +all -TLSv1.1 -TLSv1


      None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



      I have no idea how to proceed.






      apache-http-server ssl







      share|improve this question
















      A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.



      I have added the directive to /etc/apache2/mods-enabled/ssl.conf:



      SSLProtocol TLSv1.2


      Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:



      SSLProtocol -all +TLSv1.2
      
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
      
SSLProtocol +all -TLSv1.1 -TLSv1


      None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.



      I have no idea how to proceed.






      apache-http-server ssl




      apache-http-server ssl






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 16 at 0:32









      JakeGould

      31.6k1096138




      31.6k1096138










      asked Jul 11 '18 at 12:40









      elieli

      1111




      1111






















          2 Answers
          2






          active

          oldest

          votes


















          1















          A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




          Here is the appropriate configuration for what you describe.



          SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
          
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
          
SSLHonorCipherOrder     on    
          
SSLCompression          off    
          
SSLSessionTickets       off


          Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



          You can reduce the list of cipher suites to the following:



          SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


          Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






          share|improve this answer

































            0














            In Apache, this will not take effect if you have Virtual Hosts enabled.



            To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



            i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



            The common setting that does works for me is: 



            SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
            
SSLHonorCipherOrder on
            
SSLSessionTickets off





            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              1















              A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




              Here is the appropriate configuration for what you describe.



              SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
              
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
              
SSLHonorCipherOrder     on    
              
SSLCompression          off    
              
SSLSessionTickets       off


              Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



              You can reduce the list of cipher suites to the following:



              SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


              Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






              share|improve this answer






























                1















                A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                Here is the appropriate configuration for what you describe.



                SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                
SSLHonorCipherOrder     on    
                
SSLCompression          off    
                
SSLSessionTickets       off


                Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                You can reduce the list of cipher suites to the following:



                SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






                share|improve this answer




























                  1












                  1








                  1








                  A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                  Here is the appropriate configuration for what you describe.



                  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                  
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                  
SSLHonorCipherOrder     on    
                  
SSLCompression          off    
                  
SSLSessionTickets       off


                  Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                  You can reduce the list of cipher suites to the following:



                  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                  Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2






                  share|improve this answer
















                  A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8. and OpenSSL 1.0.2g.




                  Here is the appropriate configuration for what you describe.



                  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1    
                  
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                  
SSLHonorCipherOrder     on    
                  
SSLCompression          off    
                  
SSLSessionTickets       off


                  Source: apache 2.4.18 | modern profile | OpenSSL 1.0.1g



                  You can reduce the list of cipher suites to the following:



                  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4


                  Source: How to force all Apache connections to use TLSv1.1 or TLSv1.2







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Jan 16 at 0:34









                  JakeGould

                  31.6k1096138




                  31.6k1096138










                  answered Jul 11 '18 at 14:40









                  RamhoundRamhound

                  20.6k156286




                  20.6k156286

























                      0














                      In Apache, this will not take effect if you have Virtual Hosts enabled.



                      To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                      i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                      The common setting that does works for me is: 



                      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                      
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                      
SSLHonorCipherOrder on
                      
SSLSessionTickets off





                      share|improve this answer






























                        0














                        In Apache, this will not take effect if you have Virtual Hosts enabled.



                        To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                        i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                        The common setting that does works for me is: 



                        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                        
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                        
SSLHonorCipherOrder on
                        
SSLSessionTickets off





                        share|improve this answer




























                          0












                          0








                          0







                          In Apache, this will not take effect if you have Virtual Hosts enabled.



                          To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                          i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                          The common setting that does works for me is: 



                          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                          
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                          
SSLHonorCipherOrder on
                          
SSLSessionTickets off





                          share|improve this answer















                          In Apache, this will not take effect if you have Virtual Hosts enabled.



                          To resolve the issue, please add the settings onto your Virtual Host files, as this can be controlled for each Virtual Host;



                          i.e. under /etc/apache2/sites-enabled/ you would expect to find multiple files, each is for a web where you can have different settings in each file.



                          The common setting that does works for me is: 



                          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                          
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                          
SSLHonorCipherOrder on
                          
SSLSessionTickets off






                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Jan 16 at 0:33









                          JakeGould

                          31.6k1096138




                          31.6k1096138










                          answered Jan 16 at 0:22









                          Heider SatiHeider Sati

                          1011




                          1011






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Super User!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1338252%2funable-to-disable-tlsv1-tlsv1-1-in-apache-2-4-18%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              -

                              Popular posts from this blog

                              Сан-Квентин

                              Image
                              Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
                              Read more

                              Алькесар

                              Image
                              Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
                              Read more

                              Josef Freinademetz

                              Image
                              San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
                              Read more