Disabling TLS 1.0 on Apache web servers

TLS 1.0 reaches end of life on June 30, 2018. To disable TLS 1.0 on Apache web server installations, edit the “SSLProtocol” directive in your ssl.conf (typically /etc/httpd/conf.d/ssl.conf), where the enabled protocols are listed, and remove TLSv1. After you update the SSLProtocol directive and restart httpd, TLS 1.0 is disabled.

Here are the steps to disable TLS 1.0 on an Apache server. The default configuration in /etc/httpd/conf.d/ssl.conf looks like this:

You will see a directive for “SSLProtocol”, which has all protocols listed except for SSLv3. This means that TLS 1.0, 1.1 and 1.2 are enabled.

Edit it and change to:

Or, if you need only TLS 1.2, change it to:

Then restart the httpd server. You are done!
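As an added example (not from the original post), the Python script below evaluates each SSLProtocol line the way mod_ssl does, left to right with a bare protocol name replacing everything before it, and reports directives that still leave SSLv3 or TLSv1 enabled. The function names, the sample configuration and the expansion of "all" are assumptions made for illustration.

```python
import re

# Protocols covered by "all" in the mod_ssl docs of this page's era (assumption:
# builds without SSLv3 or with TLSv1.3 differ; adjust for your build).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL | {"TLSv1.3"}}
LEGACY = {"SSLv3", "TLSv1"}  # protocols this page wants switched off

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            group = set(ALL)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # a bare name replaces everything before it
    return enabled

def audit(conf_text):
    """Return (line_no, enabled, legacy_still_on) per SSLProtocol directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and never match
            on = enabled_protocols(m.group(1))
            findings.append((no, sorted(on), sorted(on & LEGACY)))
    return findings

# Constructed sample, not the page's ssl.conf: one vhost still on the default.
SAMPLE = """\
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
  # SSLProtocol all
  SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for no, on, legacy in audit(SAMPLE):
        print(f"line {no}: enabled={on} legacy={legacy or 'none'}")
```

Run it against every file that can carry an SSLProtocol directive, since a per-virtual-host setting can differ from the one in ssl.conf.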

You can also confirm this with nmap or the ssl-scan utility to make sure TLS 1.0 is disabled. [ https://www.cloudibee.com/ssl-cert-tools/ ]

Before disabling:

You can see that the host serves TLS 1.0, TLS 1.1 and TLS 1.2. You can use the nmap --script ssl-enum-ciphers command to scan the port and verify.

After disabling:

You can see that TLS 1.0 ciphers are no longer served by the host.
