Apache - Disable unsecure SSL versions
To keep your website as safe as possible, it is important to ensure that it only works with secure protocols. Disabling insecure protocols is therefore strongly recommended. At the moment all SSL protocols are insecure, and TLS 1.0 and TLS 1.1 are labeled as end-of-life. TLS 1.2 is still secure, but TLS 1.3 is preferred.
This can be done by changing the SSL configuration for Apache.
- Open ssl.conf (normally to be found in /etc/httpd; the exact location being depended on the server OS), and modify the following lines:
SSLProtocol ALL -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
- It may be that the SSLProtocol option is included multiple times in the file, adjust them all.
- Save the changes and restart Apache
- Test the modified settings with the openssl command below; (This should give an error message if it is successful):
# openssl s_client -ssl2 -connect virtualhostnaam:443 -servername yourdomain.com
- Test for TLSv1.3:
# openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_3
- Make sure the sites still work well with TLSv1.2:
# oopenssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_2
Use our SSLCheck to verify the webserver still allows unsafe SSL protocols.
You can use the Mozilla SSL Configurator for the configuration standards.
SSLCheck
Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues