Disable TLS 1.0 / TLS 1.1 on Ubuntu server with XAMPP

My DNS host name is: 123.online-server.cloud

My web server is (include version):
Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1l PHP/7.3.33 mod_perl/2.0.11 Perl/v5.32.1 XAMPP 7.3.33

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: IONOS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.24.0


I apologize for asking for help with this common issue, but after trying lots of guides, none has worked for me.

My SSL certificate was made with Let's Encrypt Certbot.

I still get this result from Qualys:

This server supports TLS 1.0 and TLS 1.1

What I have done:

In /etc/letsencrypt/options-ssl-apache.conf:

SSLEngine on

#SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol             +TLSv1.2 +TLSv1.3

SSLHonorCipherOrder     on

# enabling Perfect Forward Secrecy
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

SSLCompression          off
SSLOptions +StrictRequire

I've tried other ways to write the SSLProtocol directive without success.

In /opt/lampp/etc/extra/httpd-vhosts.conf:

<VirtualHost *:80>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.subfolder1
    RewriteRule ^(.*)$ https://%123.online-server.cloud/subfolder1/$1 [R=301,L]

</VirtualHost>

<VirtualHost *:443>
    #ServerAdmin webmaster@dummy-host2.example.com
    #DocumentRoot "/opt/lampp/htdocs/"
    ServerName 123.online-server.cloud
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/123.online-server.cloud/privkey.pem
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    ErrorLog "logs/123.online-server.cloud-error_log"
    CustomLog "logs/123.online-server.cloud-access_log" common
</VirtualHost>

but it seems to have no effect. I read that Let's Encrypt's options-ssl-apache.conf overrides any Apache SSL directives.

I made some improvement in my SSL analysis by adding Perfect Forward Secrecy, but I think it could be more robust. When I succeed in disabling TLSv1.x I'll try to use this guide.

There is also /opt/lampp/etc/extra/httpd-ssl.conf, but it has no SSLProtocol directive written in it, so I did not edit it.

Instead I have edited /opt/lampp/etc/original/extra/httpd-ssl.conf:

SSLHonorCipherOrder on

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

#SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1 -SSLv3 -SSLv2

#SSLProxyProtocol all -SSLv3
SSLProxyProtocol +TLSv1.2 +TLSv1.3

SSLEngine on

Again, no effect anyway.

Obviously I have stopped and restarted the server every time:

sudo /opt/lampp/lampp stop

sudo /opt/lampp/lampp start

Thanks for your help.

1 Like

I'm not an Apache expert, but there is a sample config for this recommended by Mozilla here: Mozilla SSL Configuration Generator

It's maybe a little more succinct.

So it sounds like you need to make these edits (especially -TLSv1 -TLSv1.1) to /etc/letsencrypt/options-ssl-apache.conf, but you made them in /opt/lampp/etc/original/extra/httpd-ssl.conf?

Either way I think the SSL Protocol bit can live outside the declaration because you want to apply it to the whole server, not just one site.

4 Likes

I think the SSL Protocol bit can live outside the declaration because you want to apply it to the whole server, not just one site.

That would be my main goal, but I can live with just the main website as well.

I've tried what Mozilla recommended using intermediate config but nothing has changed.

Now my /etc/letsencrypt/options-ssl-apache.conf is this:

SSLEngine on

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLHonorCipherOrder     off
SSLSessionTickets       off
SSLCompression          off
SSLOptions +StrictRequire

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

My /opt/lampp/etc/extra/httpd-vhosts.conf is this:

<VirtualHost *:80>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    #RewriteCond %{REQUEST_URI} !^/\.subfolder1
    RewriteRule ^(.*)$ https://%123.online-server.cloud/subfolder1/$1 [R=301,L]

</VirtualHost>

<VirtualHost *:443>

    #DocumentRoot "/opt/lampp/htdocs/"
    #ServerName 123.online-server.cloud
    SSLEngine On

    SSLCertificateFile /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/123.online-server.cloud/privkey.pem

   #SSLProtocol -all +TLSv1.3 +TLSv1.2

    #Protocols h2 http/1.1

    #Header always set Strict-Transport-Security "max-age=63072000"

</VirtualHost>

My /opt/lampp/etc/original/extra/httpd-ssl.conf is this:

Listen 443

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLHonorCipherOrder off 

SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

SSLPassPhraseDialog  builtin

<VirtualHost _default_:443>
DocumentRoot "/opt/lampp/htdocs"
ServerName 123.online-server.cloud:443
ErrorLog "/opt/lampp/logs/error_log"
TransferLog "/opt/lampp/logs/access_log"

SSLEngine on

SSLCertificateFile /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/123.online-server.cloud/privkey.pem

Don't use ports in ServerNames.
Use:
ServerName 123.online-server.cloud

2 Likes

This seems unrelated/unnecessary:

1 Like

Please show the output of:
apachectl -t -D DUMP_VHOSTS

1 Like

Please show the output of:
apachectl -t -D DUMP_VHOSTS

here it is

AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/123.online-server.cloud/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

You may have to disable that site OR temporarily modify the cert file used to one that exists.

1 Like
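Added example, not from this thread or from XAMPP: the error message above points at /etc/apache2/sites-enabled/, i.e. the `apachectl` on the PATH belongs to Ubuntu's packaged Apache (binary `apache2`), while the netstat line later in the thread shows XAMPP's `httpd` holding port 80. When `-D DUMP_VHOSTS` does succeed, its output tells you which file defines the default vhost on each port and whether the dump came from the Apache you are actually editing. The parser below assumes the line layout DUMP_VHOSTS prints on Apache 2.4; the sample text is constructed, the host names are placeholders, and `/opt/lampp` is only an expected-root argument.

```python
"""Added example (not from the thread): parse `apachectl -t -D DUMP_VHOSTS` output
to find which file defines the default vhost on each port, and whether the dump
came from the Apache you meant (XAMPP under /opt/lampp vs Debian's /etc/apache2)."""
import re

# Constructed sample in the layout DUMP_VHOSTS prints; not output from the thread's server.
SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dummy-host.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:1)
         port 80 namevhost dummy-host.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:1)
                 alias www.dummy-host.example.com
         port 80 namevhost dummy-host2.example.com (/opt/lampp/etc/extra/httpd-vhosts.conf:10)
*:443                  is a NameVirtualHost
         default server www.example.invalid (/opt/lampp/etc/original/extra/httpd-ssl.conf:14)
         port 443 namevhost www.example.invalid (/opt/lampp/etc/original/extra/httpd-ssl.conf:14)
         port 443 namevhost app.example.invalid (/opt/lampp/etc/extra/httpd-vhosts.conf:20)
"""
_ADDR = re.compile(r"^(\S+:\d+)\s+(.*)$")      # '*:443  name (file:line)' or '... is a NameVirtualHost'
_ENTRY = re.compile(r"(\S+) \((.+):(\d+)\)$")  # 'name (file:line)' tail shared by all entry lines
_ALIAS = re.compile(r"^\s+alias (\S+)")

def _entry(m):
    return {"name": m.group(1), "file": m.group(2), "line": int(m.group(3)), "aliases": []}

def parse_dump_vhosts(text):
    """addr -> {'default': entry or None, 'vhosts': [entry, ...]} in listed order."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = _ADDR.match(line)
        if m:
            cur = ports.setdefault(m.group(1), {"default": None, "vhosts": []})
            single = _ENTRY.search(m.group(2))
            if single:  # only one vhost on this address: Apache prints it inline
                cur["default"] = _entry(single)
                cur["vhosts"].append(cur["default"])
            continue
        if cur is None:
            continue
        s = line.strip()
        m = _ENTRY.search(s)
        if s.startswith("default server") and m:
            cur["default"] = _entry(m)
        elif s.startswith("port ") and m:
            cur["vhosts"].append(_entry(m))
        elif _ALIAS.match(line) and cur["vhosts"]:
            cur["vhosts"][-1]["aliases"].append(_ALIAS.match(line).group(1))
    return ports

def default_vhost_files(ports):
    """addr -> 'file:line' of the vhost that answers when no ServerName/SNI matches."""
    return {a: "%s:%d" % (p["default"]["file"], p["default"]["line"])
            for a, p in ports.items() if p["default"]}

def foreign_config_files(ports, expected_root):
    """Config files outside expected_root: a non-empty list means apachectl read a
    different Apache's configuration than the tree you are editing."""
    files = {vh["file"] for p in ports.values() for vh in p["vhosts"]}
    return sorted(f for f in files if not f.startswith(expected_root.rstrip("/") + "/"))

if __name__ == "__main__":
    parsed = parse_dump_vhosts(SAMPLE)
    print("default vhost per address:", default_vhost_files(parsed))
    print("files outside /opt/lampp:", foreign_config_files(parsed, "/opt/lampp"))
```

On a XAMPP box the dump to feed in comes from XAMPP's own control script (`/opt/lampp/bin/apachectl -t -D DUMP_VHOSTS`), not the `apachectl` that Ubuntu's apache2 package puts on the PATH; if `foreign_config_files` returns anything for `/opt/lampp`, you are reading the other server's configuration.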

WHAT HAS HAPPENED??
After I launched apachectl -t -D DUMP_VHOSTS
I couldn't stop XAMPP Apache because another instance of it was running! :frowning_face:

then I did

 sudo rm /opt/lampp/logs/httpd.pid

restarted with /opt/lampp/lampp restart,
but still another instance was running instead of XAMPP Apache.

then I did

sudo /etc/init.d/apache2 stop

but it is not running, ... so what?!

then I did

sudo netstat -nap | grep :80
tcp6       0      0 :::80                  :::*                    LISTEN      176550/httpd  

and killed that process, then stopped and restarted with /opt/lampp/lampp restart,
but now the server is down!

Restarting XAMPP for Linux 7.3.33-0...
XAMPP: Stopping Apache...not running.
XAMPP: Stopping MySQL...ok.
XAMPP: Stopping ProFTPD...ok.
XAMPP: Starting Apache...fail.
AH00526: Syntax error on line 7 of /etc/letsencrypt/options-ssl-apache.conf:
SSLEngine not allowed in <Directory> context
XAMPP: Starting MySQL...ok.
XAMPP: Starting ProFTPD...ok.

It is completely useless to recover from that error; it is a false positive.
:frowning_face:

That doesn't stop anything.

Show that file.

1 Like

Thanks rg305, but that file is already deleted. I just kept a copy:

ls /opt/lampp/logs/
access_log  error_log  httpd.pid.bak  php_error_log  ssl_request_log

I still get the same error:

sudo /opt/lampp/lampp restart
Restarting XAMPP for Linux 7.3.33-0...
XAMPP: Stopping Apache...not running.
XAMPP: Stopping MySQL...ok.
XAMPP: Stopping ProFTPD...ok.
XAMPP: Starting Apache...fail.
AH00526: Syntax error on line 7 of /etc/letsencrypt/options-ssl-apache.conf:
SSLEngine not allowed in <Directory> context
XAMPP: Starting MySQL...ok.
XAMPP: Starting ProFTPD...ok.

/etc/letsencrypt/options-ssl-apache.conf


# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

Seems Apache isn't liking that being called twice?

1 Like

What do you suggest?


Update:
Fortunately I had backups of the files I modified in the attempt to disable TLSv1.x:

/opt/lampp/etc/original/extra/httpd-ssl.conf.bak
/opt/lampp/etc/original/extra/httpd-vhosts.conf.bak
/opt/lampp/etc/httpd.conf.bak

/opt/lampp/etc/extra/httpd-ssl.conf.bak
/opt/lampp/etc/extra/httpd-vhosts.conf.bak
/opt/lampp/etc/extra/httpd-xampp.conf.bak

After restoring /opt/lampp/etc/httpd.conf,
Apache started to work again.

Anyway, I give up and I'll live with TLSv1.x.

Is that file (/etc/letsencrypt/options-ssl-apache.conf) included in your config?

Otherwise you can run grep -ir SSLProtocol /opt/lampp and it should tell you where that directive appears.

(But the main issue is... we know the Debian Apache configuration a lot better than lampp)

1 Like
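The grep suggested above lists every file that mentions SSLProtocol, but not which directive wins: mod_ssl resolves the directive per `<VirtualHost>` (a vhost's own value, otherwise the server-level one, otherwise the 2.4 default `all -SSLv3`), reads included files such as options-ssl-apache.conf in the context of the section that includes them, and treats the first vhost defined on a port as that port's default vhost, which is the one older mod_ssl releases used to negotiate the protocol version before SNI picked the real vhost. The script below, an added example rather than code from the thread, Certbot or XAMPP, walks a config tree with those rules and reports the effective protocol set per vhost. It also shows that `SSLProtocol +TLSv1.2 +TLSv1.3`, as written in the first post, parses to exactly {TLSv1.2, TLSv1.3}, so the wording of that directive was never the problem. The sample tree it builds in a temp directory is constructed to reproduce the failure mode of an untouched `_default_:443` vhost; file names and the `www.example.invalid` host are placeholders.

```python
"""Added example (not from the thread, XAMPP or Certbot): resolve which TLS versions
each Apache vhost really accepts by walking the config the way mod_ssl does."""
import glob, os, re, tempfile

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
TOKENS = {p.lower(): {p} for p in KNOWN}
TOKENS.update({"all": set(KNOWN), "sslv2": set()})  # SSLv2 parses but OpenSSL 1.1.x can't enable it
DEFAULT = "all -SSLv3"  # mod_ssl 2.4 default when no SSLProtocol applies at all
_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
_INCLUDE = re.compile(r"Include(?:Optional)?\s+\"?([^\"\s]+)\"?", re.I)
_PROTO = re.compile(r"SSLProtocol\s+(.+)", re.I)

def parse_sslprotocol(args):
    """mod_ssl semantics: a bare token replaces the set, '+tok' adds, '-tok' removes,
    'all' expands to every known protocol; names are case-insensitive."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        low = (word[1:] if action else word).lower()
        if low not in TOKENS:
            raise ValueError("unknown SSLProtocol token %r" % word)
        opt = set(TOKENS[low])
        if action == "-":
            enabled -= opt
        elif action == "+":
            enabled |= opt
        else:
            enabled = opt
    return enabled

def walk_config(path, server_root, state=None):
    """Record the last SSLProtocol at server level and in each <VirtualHost>, following
    Include/IncludeOptional (relative to ServerRoot, globs allowed), in definition order."""
    if state is None:
        state = {"server": None, "vhosts": [], "vhost": None}
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if _OPEN.match(line):
                vh = {"label": _OPEN.match(line).group(1).strip(),
                      "where": "%s:%d" % (path, lineno), "protocol": None}
                state["vhosts"].append(vh)
                state["vhost"] = vh
            elif line.lower().startswith("</virtualhost"):
                state["vhost"] = None
            elif _INCLUDE.match(line):
                target = _INCLUDE.match(line).group(1)
                if not os.path.isabs(target):
                    target = os.path.join(server_root, target)
                for inc in sorted(glob.glob(target)):
                    walk_config(inc, server_root, state)  # vhost context carries into the include
            elif _PROTO.match(line):
                value = _PROTO.match(line).group(1).strip()
                if state["vhost"] is not None:
                    state["vhost"]["protocol"] = value
                else:
                    state["server"] = value
    return state

def effective_protocols(root_conf, server_root):
    """Per vhost: its own SSLProtocol if set, else the server-level one, else DEFAULT.
    The first vhost listed for a port is that port's default vhost."""
    state = walk_config(root_conf, server_root)
    server_set = parse_sslprotocol(state["server"] or DEFAULT)
    vhosts = [{"label": vh["label"], "where": vh["where"], "inherited": vh["protocol"] is None,
               "enabled": parse_sslprotocol(vh["protocol"]) if vh["protocol"] else server_set}
              for vh in state["vhosts"]]
    return {"server": server_set, "vhosts": vhosts}

def legacy_tls_exposure(result):
    """Labels of vhosts still accepting TLS 1.0/1.1 (the finding Qualys reports)."""
    return [vh["label"] for vh in result["vhosts"] if vh["enabled"] & {"TLSv1", "TLSv1.1"}]

def build_sample_tree():
    """Constructed XAMPP-like tree (not the thread's files): server-level 'all -SSLv3' and a
    bare _default_:443 vhost in httpd-ssl.conf; a *:443 vhost Including a Certbot-style file."""
    root = tempfile.mkdtemp()
    for sub in ("etc/extra", "letsencrypt"):
        os.makedirs(os.path.join(root, sub))
    files = {
        "etc/httpd.conf": "Include etc/extra/httpd-ssl.conf\nInclude etc/extra/httpd-vhosts.conf\n",
        "etc/extra/httpd-ssl.conf": "Listen 443\nSSLProtocol all -SSLv3\n"
                                    "<VirtualHost _default_:443>\n  SSLEngine on\n</VirtualHost>\n",
        "etc/extra/httpd-vhosts.conf": "<VirtualHost *:443>\n  ServerName www.example.invalid\n"
                                       "  Include %s/letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n" % root,
        "letsencrypt/options-ssl-apache.conf": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return os.path.join(root, "etc", "httpd.conf"), root

def analyse_sample():
    return effective_protocols(*build_sample_tree())

if __name__ == "__main__":
    for vh in analyse_sample()["vhosts"]:
        print(vh["label"], "inherited" if vh["inherited"] else "own", sorted(vh["enabled"]), vh["where"])
```

Run against a real tree as `effective_protocols("/opt/lampp/etc/httpd.conf", "/opt/lampp")`; in the sample, the `*:443` vhost ends up with only TLS 1.2/1.3 while the earlier `_default_:443` vhost inherits the server-level set and still accepts TLS 1.0/1.1, which is exactly the kind of mismatch a scanner sees when it connects to the default vhost. The `SSLEngine not allowed in <Directory> context` error earlier in the thread is a separate problem: the walker here only tracks `<VirtualHost>` sections, so a misplaced Include inside a `<Directory>` block would have to be found by inspecting the file the error names.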

Remove the "SSLEngine" statement in your vhost config.

Don't give up.
Remove the lines from the vhost configs and just use the line in the file:

2 Likes

Thanks rg305 and 9peppe for your help.

Now my /opt/lampp/etc/extra/httpd-vhosts.conf
looks like this:

<VirtualHost *:80>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    #RewriteCond %{REQUEST_URI} !^/\.subfolder1
    RewriteRule ^(.*)$ https://%123.online-server.cloud/subfolder1/$1 [R=301,L] 

</VirtualHost>

<VirtualHost *:443>
    #DocumentRoot "/opt/lampp/htdocs/subfolder1/"
    #ServerName 123.online-server.cloud
    
    #SSLEngine On
    
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/123.online-server.cloud/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/123.online-server.cloud/privkey.pem
    
    #SSLProtocol -all +TLSv1.3 +TLSv1.2
    #Protocols h2 http/1.1
    #Header always set Strict-Transport-Security "max-age=63072000"

    ErrorLog "logs/123.online-server.cloud-error_log"
    CustomLog "logs/123.online-server.cloud-access_log" common

</VirtualHost>

but Qualys still rates my server "B" because TLSv1.x is enabled.

The other vhosts conf file, /opt/lampp/etc/original/extra/httpd-vhosts.conf,
now has its "default" (original) content instead:

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/opt/lampp/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/opt/lampp/docs/dummy-host2.example.com"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>

So that I do not confuse .conf files, please refer to them by their full path.
Thanks

You should tell us your actual domain name.

Did you grep like I told you? What did you see?

1 Like

I did
grep -r "SSLProtocol" /opt/lampp/

These are the meaningful first results (ignore the .bak files):

/opt/lampp/etc/original/extra/httpd-ssl.conf.bak:SSLProtocol all -SSLv3

/opt/lampp/etc/original/extra/httpd-ssl.conf:SSLProtocol all -SSLv3

/opt/lampp/etc/original/extra/httpd-ssl.conf.bak2:#SSLProtocol all -SSLv3

/opt/lampp/etc/original/extra/httpd-ssl.conf.bak2:#SSLProtocol +TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1 -SSLv3 -SSLv2

/opt/lampp/etc/original/extra/httpd-ssl.conf.bak2:SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

/opt/lampp/etc/extra/httpd-vhosts.conf: #SSLProtocol -all +TLSv1.3 +TLSv1.2

The domain name is this

It looks like this is the culprit.

The SSLProtocol directive can go in the server config or in a virtualhost; why is this overriding your config?

Try commenting it out or editing it to remove TLS v1.0 and 1.1.

1 Like

After commenting it out, nothing has changed. Besides Qualys I also used ImmuniWeb, but the result is the same.
Does it make sense to suspect that the SSL checkers are evaluating some sort of predefined path which does not correspond to what I have? Just speculation, though :thinking:

Anyway,
/opt/lampp/etc/original/extra/httpd-ssl.conf

#SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3