Disabling TLS 1.0 on Apache web servers

TLS 1.0 is considered end of life as of June 30, 2018, the PCI DSS deadline for migrating off SSL and early TLS. To disable TLS 1.0 on an Apache installation, edit the SSLProtocol directive in ssl.conf (typically /etc/httpd/conf.d/ssl.conf), which lists the protocol versions clients are allowed to negotiate, and remove TLSv1. Restart httpd after updating the directive and TLS 1.0 will no longer be offered.

Here are the steps to disable TLS 1.0 on an Apache server. The default configuration in /etc/httpd/conf.d/ssl.conf (as shipped with mod_ssl on RHEL/CentOS-style systems) looks like this:

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

You will see the SSLProtocol directive set to all protocols except SSLv3. This means TLS 1.0, 1.1 and 1.2 are all enabled (and TLS 1.3 too, if httpd is linked against OpenSSL 1.1.1 or later). SSLProxyProtocol is the same setting for the connections httpd itself opens when acting as a reverse proxy.

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

Edit it and change to:

SSLProtocol TLSv1.1 TLSv1.2

or, if you only need TLS 1.2, change it to:

SSLProtocol TLSv1.2

Two caveats. An explicit list like this also excludes TLS 1.3 on builds that support it; if what you mean is "1.2 and newer", the subtractive form all -SSLv3 -TLSv1 -TLSv1.1 says that and keeps TLS 1.3 available. And the TLSv1.1 and TLSv1.2 keywords need a mod_ssl that knows them (Apache 2.4 built against OpenSSL 1.0.1 or later); an older build rejects the directive and httpd will not start. Apply the same change to SSLProxyProtocol if httpd proxies to TLS backends, and to any VirtualHost that sets its own SSLProtocol (grep -r SSLProtocol /etc/httpd/ finds them).

Check the syntax with apachectl configtest (or httpd -t), then restart httpd. That's it.

You can confirm the change with nmap or sslscan to make sure TLS 1.0 is no longer offered.  [ https://www.cloudibee.com/ssl-cert-tools/ ]

Before disabling:

You can see that the host serves TLS 1.0, TLS 1.1 and TLS 1.2. Use the nmap --script ssl-enum-ciphers command against port 443 to scan and verify.

[[email protected] conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
[[email protected] conf.d]#

After disabling:

After the restart only TLS 1.2 is offered; TLS 1.0 (and, with SSLProtocol TLSv1.2, TLS 1.1 as well) is no longer served by the host.

[[email protected] conf.d]# grep SSLProtocol ssl.conf
SSLProtocol TLSv1.2
[[email protected] conf.d]# /bin/systemctl restart httpd.service
[[email protected] conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
| TLSv1.2:
[[email protected] conf.d]#
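The edit-and-verify procedure above can be checked without eyeballing the file. The following script is an added example, not code from the original post or from the Apache project: it evaluates an SSLProtocol directive the way mod_ssl does (all, +PROTO, -PROTO, bare PROTO, last directive wins) so you can audit a config before restarting, and it includes an openssl s_client probe for the live server in place of nmap. The config file paths and the hostname are assumptions, and the "before"/"after" configs it runs on are constructed to mirror the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Apache project): audit which
# protocol versions an Apache mod_ssl config enables by evaluating SSLProtocol
# the way mod_ssl does, then optionally probe a live server with openssl.
# Paths and hostnames are assumptions; the sample configs are constructed.

# Evaluate one protocol against SSLProtocol tokens. mod_ssl reads them left to
# right: "all" turns on every version the OpenSSL build supports, "+PROTO" or a
# bare "PROTO" turns one on, "-PROTO" turns one off. Matching is
# case-insensitive, and "TLSv1" means TLS 1.0 only.
# Usage: proto_enabled_in TLSv1 all -SSLv3      (exit 0 if enabled)
proto_enabled_in() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    enabled=0
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            all)       enabled=1 ;;
            "+$want")  enabled=1 ;;
            "-$want")  enabled=0 ;;
            "$want")   enabled=1 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Same check against a config file. Apache honours the last SSLProtocol in a
# scope, so only the final directive counts; with none present, mod_ssl 2.4.17+
# defaults to "all -SSLv3". SSLProxyProtocol is deliberately not matched: it
# governs outbound proxy connections, not what clients may negotiate.
# Usage: protocol_enabled TLSv1 /etc/httpd/conf.d/ssl.conf
protocol_enabled() {
    proto=$1
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$2" | tail -n 1)
    [ -n "$line" ] || line='SSLProtocol all -SSLv3'
    set -- $line          # split the directive into words
    shift                 # drop the directive name itself
    proto_enabled_in "$proto" "$@"
}

# Print the space-separated versions a config file enables. "all" is taken to
# include TLSv1.3, which assumes an OpenSSL 1.1.1+ build; on systems with a
# crypto policy (RHEL 8+) that policy can still remove versions at runtime.
enabled_protocols() {
    out=''
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if protocol_enabled "$p" "$1"; then out="$out $p"; fi
    done
    printf '%s\n' "${out# }"
}

# Live confirmation of a deployed server (needs network, so not run here). A
# disabled version shows up as a failed handshake. On OpenSSL 3 the client
# itself refuses TLS 1.0/1.1 at the default security level; add
# -cipher 'DEFAULT:@SECLEVEL=0' to the command if you need to probe them.
live_check() {
    host=$1
    for flag in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:443" -servername "$host" "$flag" \
               </dev/null >/dev/null 2>&1; then
            printf '%s accepted\n' "$flag"
        else
            printf '%s rejected\n' "$flag"
        fi
    done
}

# Demonstration on constructed configs: the stock directive from the post, then
# the subtractive form that drops 1.0 and 1.1 but keeps 1.3 where available.
before=$(mktemp) && after=$(mktemp)
printf 'SSLEngine on\nSSLProtocol all -SSLv3\nSSLProxyProtocol all -SSLv3\n' > "$before"
printf 'SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n' > "$after"
printf 'before: %s\n' "$(enabled_protocols "$before")"
printf 'after:  %s\n' "$(enabled_protocols "$after")"
rm -f "$before" "$after"
```

Run it with sh; for a real host call live_check example.org (hypothetical name) after the restart and expect -tls1 to be rejected. Because the audit evaluates the directive rather than grepping for the word TLSv1, it gets the cases the post's grep would miss: a later SSLProtocol overriding an earlier one, "+"/"-" tokens, and mixed case.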

5 thoughts on “Disabling TLS 1.0 on Apache web servers”

  1. Hm, this doesn’t work at all. Do those entries need any other modules installed?

    [….] Restarting Apache httpd web server: apache2AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:8
    Action ‘start’ failed.

  2. I am using Apache 2.4 and my current config looks like this; any idea if I will have to follow the same steps as described above?

    Thanks in advance... cheers!!

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Protocol support:
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    SSLProtocol all -SSLv2

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
