Disabling TLSv1

As you can see below, I have specified the SSLProtocol to ignore TLS1.0 however, the ssllabs still says that feature is enabled albeit apache2 restart.

root@s1:/etc/apache2# grep -r SSLProtocol .
./mods-available/ssl.conf:      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
./sites-available/default-ssl.conf:             SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
./sites-available/000-default-le-ssl.conf:      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1


root@courseware:/etc/apache2# cat sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

       ServerName DOMAIN.COM
       SSLCertificateFile /etc/letsencrypt/live/DOMAIN.COM/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN.COM/privkey.pem
       Include /etc/letsencrypt/options-ssl-apache.conf

Should I do something more?

What does that file contain?

What version of Certbot are you using?

What is your OS (including version)?

1 Like

O Yes… That file doesn’t exclude TLSv1

root@courseware:/etc/apache2# cat /etc/letsencrypt/options-ssl-apache.conf
SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3

Thanks for point that.
It is fine now.


FYI, more recent versions of Certbot do disable TLS versions before 1.2 by default.

If you upgrade to a newer version, the problem may resolve itself.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.