Disabling TLS 1.0 and TLS 1.1

I maintain several websites that use Certbot. The Qualys SSL Labs SSL Server Test has historically graded them as A+, but recently the grade has changed to B:

"This server supports TLS 1.0 and TLS 1.1. Grade capped to B."

I could disable those protocols. For Apache, it would seem to require changing the SSLProtocol line in /etc/letsencrypt/options-ssl-apache.conf. But that file warns: “If you modify this file manually, Certbot will be unable to automatically provide future security updates.”

So, how can you disable TLS 1.0 and TLS 1.1, but still get configuration updates from Certbot? Will Certbot disable these obsolete protocols in the near future? Any advice would be appreciated.

1 Like

In Apache, search through your configuration files for “SSLProtocol”.
Set it to:
SSLProtocol +TLSv1.2
[and restart Apache]

This change will not break certbot updates.


Thanks, I tried this, except for Nginx instead of Apache. (Sorry to confuse the issue, but it’s probably the same problem for both Nginx and Apache.) I first changed /etc/nginx/nginx.conf, but found that I could not disable TLS 1.0 and TLS 1.1 unless I also edited /etc/letsencrypt/options-ssl-nginx.conf. That would presumably break Certbot updates because, as options-ssl-nginx.conf says: “If you modify this file manually, Certbot will be unable to automatically provide future security updates.”

It seems either that comment in the .conf file is wrong or Certbot updates will be broken.

1 Like

Relying on certbot for (any) future security updates is not an ideal best practice.
SSL Labs can better show you when/where your systems are out of compliance; from there you can and should take steps to ensure your systems are up to your minimum security standards.

And for those that do absolutely nothing to secure and maintain their systems, certbot may eventually steer them to a safer security configuration.

[sadly unlike say driving a car, there is no test, nor license required, to operate a web server]

1 Like

Makes sense. For some of the Certbot-using websites I maintain, I don’t administer the systems, so I have to request changes to the web server configuration. Unfortunately, the administrators can be derelict about security maintenance, so I worry that breaking the Certbot automatic updates for a one-off security improvement will just make security worse in the long run. I think I’ll just hope that Certbot removes TLS 1.0 and TLS 1.1 from the default configurations eventually. It’d be nice if there were some way to remove TLS 1.0 and TLS 1.1 without breaking future Certbot configuration updates.

1 Like

For that plan, I would keep certbot updated [and also monitor the site with SSL Labs every couple of months].

1 Like

TBH, I don’t even use the Certbot Apache config. I configure my VirtualHosts manually and hold a global SSL Configuration:

RHEL/CentOS: /etc/httpd/conf.d/ssl.conf
Debian/Ubuntu: /etc/apache2/mods-enabled/ssl.conf
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Not sure what file it might reside on with nginx, but the syntax is:
ssl_protocols TLSv1.2;

The SSLProtocol line in Apache can be shortened to:
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
if you want to be explicit. I keep my template the other way so I don’t have to worry about that particular configuration in the future when things progress to later TLS versions.

1 Like

Here is the “default” found in nginx.conf (Ubuntu 18.04 - nginx 1.14.0):

        # SSL Settings

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

1 Like
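To make two points from this thread concrete (Apache's +/- SSLProtocol syntax shown in the posts above, and why editing nginx.conf alone did not remove TLS 1.0/1.1 while options-ssl-nginx.conf is included at server level), here is an added example that is not from the thread, Apache, nginx or Certbot: it evaluates both directives the way the servers do and lists the protocols that cap the SSL Labs grade. It assumes Apache 2.4 with a TLS 1.3-capable OpenSSL and works on single directive lines rather than whole config files.

```python
import re

# Protocol names mod_ssl accepts in its +/- syntax.  Assumption: Apache 2.4 on a
# TLS 1.3-capable OpenSSL; "SSLv2" is still parsed as a token but never enabled.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # the set SSL Labs caps the grade for

def apache_sslprotocol(value):
    """Protocols enabled by one Apache SSLProtocol value, following mod_ssl's
    parser: '+X' adds, '-X' removes, a bare name or ALL replaces the set so far.
    Names are case-insensitive."""
    by_lower = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        name = name.lower()
        if name == "all":
            chosen = set(ALL_PROTOCOLS)
        elif name == "sslv2":
            chosen = set()  # token accepted for old configs, protocol never on
        elif name in by_lower:
            chosen = {by_lower[name]}
        else:
            raise ValueError(f"unknown protocol token {word!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def nginx_ssl_protocols(http_line, server_line=None):
    """Effective nginx protocol set for one server block.  ssl_protocols is a
    plain list, and a server-level directive (the one an included
    options-ssl-nginx.conf supplies) replaces the http-level one outright, so
    editing nginx.conf alone changes nothing for that server."""
    line = server_line if server_line is not None else http_line
    match = re.match(r"\s*ssl_protocols\s+([^;#]+);", line)
    if not match:
        raise ValueError(f"not an ssl_protocols directive: {line!r}")
    return set(match.group(1).split())

def legacy_enabled(protocols):
    """Sorted list of grade-capping protocols still enabled."""
    return sorted(protocols & LEGACY)
```

Feeding it `ssl_protocols TLSv1.2;` as the http-level line and the Ubuntu default quoted above as the server-level line reports TLSv1 and TLSv1.1 as still enabled, which is the situation described earlier in the thread.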

The most recent version of Certbot did disable TLS 1.0 and 1.1 in the Apache configuration.

If you can’t upgrade Certbot, I guess you could steal its configuration file. Then there shouldn’t be problems with future upgrades.