How to disable TLSv1


#1

Hi,

I finally managed to get my certificate, nice!

https://www.benjaminthompson.org

I would like to disable TLSv1 though.

When I look for the /etc/httpd/conf.d/ssl.conf file, it doesn’t exist?

So how and where do I make the changes?

Thanks


#2

first try locating the vhost config file:
grep -ri benjaminthompson.org /etc/httpd


#3

Hi rg305,

I get:

grep: /etc/httpd: No such file or directory

Thanks


#4

Is it below /etc/apache2/? If not, could you tell us a little more about your config (what is your OS, etc.)?

From your other posts, probably:
/etc/apache2/sites-available/benjaminthompson.org.conf
/etc/apache2/sites-available/benjaminthompson.org-le-ssl.conf


#5

Hi serverco,

/etc/apache2/sites-available/benjaminthompson.org.conf

<VirtualHost *:80>
ServerName benjaminthompson.org
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =benjaminthompson.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
ServerName www.benjaminthompson.org
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.benjaminthompson.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

/etc/apache2/sites-available/benjaminthompson.org-le-ssl.conf

<VirtualHost *:443>
ServerName benjaminthompson.org
DocumentRoot /var/www/html
SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
ServerName www.benjaminthompson.org
SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

I’m having issues getting caching plugins to work since I got my SSL certificate, don’t know if my issues are related.

Thanks


#6

I’m using puTTY from WIN10


#7

I’d suggest using https://mozilla.github.io/server-side-tls/ssl-config-generator/ to provide the optimal config for your site.

Adding

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

in your config after the

SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem

lines will disable SSLv3, TLSv1 and TLSv1.1, although that will also prevent connections from some of the less modern browsers.

You should also check if these are set at all in

/etc/letsencrypt/options-ssl-apache.conf

#8

Thanks!

How is my /etc/letsencrypt/options-ssl-apache.conf supposed to look after I have disabled TLSv1?

This is how it is now:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-EC$
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

I will install https://mozilla.github.io/server-side-tls/ssl-config-generator/

and add:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

Right now.

Thanks!


#9

You don’t need to “install” the mozilla SSL config generator - it’s a web page that gives you example configs.

As long as /etc/letsencrypt/options-ssl-apache.conf doesn’t include any SSLProtocol line, which would overwrite the previous one, that’s fine.
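The ordering trap described in #7 and #9, as an added example that is not part of the thread: a small Python checker that inlines Include directives the way Apache does and reports the last SSLProtocol directive seen inside each VirtualHost, since in Apache the last occurrence in the same scope is the one that takes effect. The file paths and contents below are constructed to mirror the thread's layout (vhost file with its own SSLProtocol line, followed by an Include of Certbot's options file).

```python
import re

# Constructed sample files (not the poster's real files): the vhost sets a
# strict SSLProtocol, then Includes an options file that sets it again.
SAMPLE_FILES = {
    "/etc/apache2/sites-available/example-le-ssl.conf": """
<VirtualHost *:443>
ServerName example.org
SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
""",
    "/etc/letsencrypt/options-ssl-apache.conf": """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
""",
}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)
INCLUDE = re.compile(r"^Include(?:Optional)?\s+(\S+)$", re.I)

def expand_includes(path, files):
    """Yield (origin_path, line) with Include directives inlined in place."""
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INCLUDE.match(line)
        if m and m.group(1) in files:
            yield from expand_includes(m.group(1), files)
        else:
            yield path, line

def effective_ssl_protocol(path, files):
    """Return {vhost: (value, origin_path)}; the last SSLProtocol in a vhost wins."""
    result, current = {}, None
    for origin, line in expand_includes(path, files):
        if VHOST_OPEN.match(line):
            current = VHOST_OPEN.match(line).group(1)
            result.setdefault(current, None)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current and line.lower().startswith("sslprotocol"):
            result[current] = (line.split(None, 1)[1], origin)
    return result

def still_allows_tls1(value):
    """True if an SSLProtocol value leaves TLSv1 enabled (no explicit -TLSv1)."""
    toks = value.split()
    return "-TLSv1" not in toks and any(t in toks for t in ("all", "+TLSv1", "TLSv1"))
```

Running it on the sample reports that the Include'd options file is the origin of the effective value and that TLSv1 is still allowed, which is exactly the case #9 says to check for.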


#10

PERFECT!!!

https://www.whynopadlock.com/results/e38afde3-320d-4f51-9388-63fbac1086c4

Thank you very much sir !
