TLS 1.0 reaches end of life on June 30, 2018. To disable TLS 1.0 on an Apache web server, edit the “SSLProtocol” directive in ssl.conf (typically /etc/httpd/conf.d/ssl.conf), where the permitted protocol versions are listed, and remove TLSv1. After updating the SSLProtocol directive and restarting httpd, TLS 1.0 is disabled.
Here are the steps to disable TLS 1.0 on an Apache server. The default configuration in /etc/httpd/conf.d/ssl.conf looks like this:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
You will see a directive for “SSLProtocol”, which enables all protocols except SSLv3. This means that TLS 1.0, 1.1 and 1.2 are enabled:
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
Edit it and change to:
SSLProtocol TLSv1.1 TLSv1.2
or, if you need only TLS 1.2, change it to:
SSLProtocol TLSv1.2
Then restart the httpd server. You are done!
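The effect of an SSLProtocol line is easy to misjudge because “all”, bare keywords and the +/- modifiers combine in a specific way. The following script is an added example, not code from the original post: it reads an ssl.conf fragment and evaluates the SSLProtocol directive the way mod_ssl does, so the “before” and hardened “after” configurations above can be checked offline before you restart anything. It assumes httpd 2.4 semantics (“all” expands to SSLv3, TLSv1, TLSv1.1, TLSv1.2; newer builds add TLSv1.3, which you can pass in), reads the file flat (last directive wins, VirtualHost scoping ignored) and deliberately leaves SSLProxyProtocol alone; the constructed inputs are the fragments quoted in this post.

```python
"""Audit an Apache mod_ssl configuration for enabled SSL/TLS protocol versions.

Added example (not from the original post): evaluates the SSLProtocol
directive with mod_ssl's keyword semantics so the "before" and "after"
ssl.conf fragments can be checked without a live server.
"""
import re

# What the "all" keyword expands to in httpd 2.4 on OpenSSL 1.0.1+.
# httpd 2.4.37+ built against OpenSSL 1.1.1 adds "TLSv1.3"; pass an
# extended tuple as `all_protocols` when auditing such a build.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# mod_ssl's built-in default when the directive is absent (httpd >= 2.4.17),
# which is also what the stock ssl.conf quoted in the post sets explicitly.
DEFAULT_ARGS = "all -SSLv3"

# Matches SSLProtocol but not SSLProxyProtocol; directive names are
# case-insensitive in httpd.
_DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def protocol_directives(conf_text):
    """Return the argument string of each uncommented SSLProtocol line, in order."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # the stock ssl.conf comments mention the directive by name
        m = _DIRECTIVE_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def enabled_protocols(args, all_protocols=ALL_PROTOCOLS):
    """Compute the protocol set enabled by an SSLProtocol argument list.

    mod_ssl semantics: the set starts empty; a bare or '+'-prefixed keyword
    adds a protocol, '-' removes one, and 'all' stands for every protocol in
    `all_protocols`. Hence "TLSv1.2" alone enables only TLS 1.2, while
    "all -SSLv3" enables everything but SSLv3.
    """
    canonical = {p.lower(): p for p in all_protocols}  # keywords are case-insensitive
    enabled = set()
    for token in args.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if not name:
            continue
        if name.lower() == "all":
            names = list(all_protocols)
        else:
            names = [canonical.get(name.lower(), name)]
        for n in names:
            if op == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled


def audit(conf_text, all_protocols=ALL_PROTOCOLS):
    """Return (enabled_set, tls10_enabled) for the effective SSLProtocol.

    Assumption for this example: the config is read flat, so a repeated
    directive is resolved last-wins and per-<VirtualHost> scoping is ignored.
    If no directive is present, mod_ssl's default applies.
    """
    directives = protocol_directives(conf_text)
    args = directives[-1] if directives else DEFAULT_ARGS
    enabled = enabled_protocols(args, all_protocols)
    return enabled, "TLSv1" in enabled


# Constructed inputs: the stock ssl.conf fragment quoted in the post, and the
# hardened replacement that allows only TLS 1.2.
CONFIG_BEFORE = """\
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1).
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
"""

CONFIG_AFTER = """\
SSLProtocol TLSv1.2
SSLProxyProtocol all -SSLv3
"""

if __name__ == "__main__":
    for label, conf in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        enabled, tls10 = audit(conf)
        status = "FAIL: TLS 1.0 enabled" if tls10 else "OK: TLS 1.0 disabled"
        print(f"{label}: enabled={sorted(enabled)} -> {status}")
```

Run it against your real ssl.conf (`audit(open("/etc/httpd/conf.d/ssl.conf").read())`) as a pre-restart check; a live scan with nmap, as shown below, remains the authoritative confirmation because it tests what the running server actually negotiates.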
You can also confirm with nmap or the sslscan utility that TLS 1.0 is disabled. [ https://www.cloudibee.com/ssl-cert-tools/ ]
Before the change, the host serves TLS 1.0, TLS 1.1 and TLS 1.2. You can use the nmap --script ssl-enum-ciphers command to scan the port and verify:
[root@host conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
[root@host conf.d]#
After restricting SSLProtocol to TLSv1.2 and restarting httpd, TLS 1.0 is no longer served by the host:
[root@host conf.d]# grep SSLProtocol ssl.conf
SSLProtocol TLSv1.2
[root@host conf.d]# /bin/systemctl restart httpd.service
[root@host conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
|   TLSv1.2:
[root@host conf.d]#