If you are using Apache as either an HTTP server or a reverse proxy (like my free one) then it is relatively simple to disable TLS1.0 and TLS1.1. Basically this should do it:


SSLProtocol TLSv1.2



Except if you're using SNI. With Apache you may see a strange phenomenon where, no matter what you do to a virtual server config, TLS1.0 and TLS1.1 still remain active. This has to do with an OpenSSL bug outlined here: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707.

What this bug means is that if you have multiple virtual hosts (either in a single config or as multiple configs), Apache can only use the SSLProtocol setting from the first host it loads. Which one will load first? No idea. But if you change each and every virtual host to the above and reload Apache, voila, TLS1.0 and TLS1.1 are now disabled.
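Since the fix only works when every virtual host carries the same line, a quick audit of the config helps find the ones that were missed. The following is an added example, not code from the original post: it assumes the vhosts are in a single config text (it does not follow Include directives or a server-level SSLProtocol), and the sample config and host names are constructed.

```python
import re

# Constructed sample config (not from the original post): three SNI vhosts on
# the same port; only the first sets the SSLProtocol line the post recommends.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
    SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
    # SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName c.example.com
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
"""

def audit_vhosts(conf_text, wanted="TLSv1.2"):
    """Return (ServerName, SSLProtocol value or None) for every SSL vhost
    whose SSLProtocol is missing or is not exactly `wanted`."""
    findings, inside, name, proto, ssl = [], False, None, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and commented-out lines are not in effect
        if re.match(r"<VirtualHost\b", line, re.I):
            inside, name, proto, ssl = True, "(no ServerName)", None, False
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            if inside and ssl and (proto or "").lower() != wanted.lower():
                findings.append((name, proto))
            inside = False
        elif inside:
            parts = line.split(None, 1)  # directive names are case-insensitive
            key = parts[0].lower()
            value = " ".join(parts[1].split()) if len(parts) > 1 else ""
            if key == "servername":
                name = value
            elif key == "sslengine":
                ssl = value.lower() == "on"
            elif key == "sslprotocol":
                proto = value
    return findings

if __name__ == "__main__":
    for name, proto in audit_vhosts(SAMPLE_CONF):
        print(f"{name}: SSLProtocol {proto or 'not set'}")
```

The check is deliberately strict: an equivalent spelling such as `-all +TLSv1.2` is also reported, so every flagged vhost gets a manual look before Apache is reloaded.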
Darren Duke   |   March 12 2018 09:15:02 AM   |    apache  security  ssl    |  
