How to disable TLSv1


I finally managed to get my certificate, nice!

I would like to disable TLSv1 though.

When I look after /etc/httpd/conf.d/ssl.conf file doesn’t exist?

So how and where do I make the changes?


first try locating the vhost config file:
grep -ri /etc/httpd

Hi rg305,

I get:

grep: /etc/httpd: No such file or directory


is it below /etc/apache2/ ? if not, could you tell us a little more about your config ( what is your OS etc )

From your other posts - probably

Hi serverco,


<VirtualHost *:80>
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:80>

RewriteEngine on
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


ServerName DocumentRoot /var/www/html SSLCertificateFile /etc/letsencrypt/live/ SSLCertificateKeyFile /etc/letsencrypt/live/ Include /etc/letsencrypt/options-ssl-apache.conf ServerName

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf

I’m having issues getting caching plugins to work since I got my SSL certificate, don’t know if my issues are related.


I’m using puTTY from WIN10

I’d suggest using to provide the optimal config for your site.


SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

in your config after the

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

lines will disable SSLv3, TLSv1 and TLSv1.1 although that will also prevent connection from some of the less modern browsers.

You should also check if these are set at all in



How is my /etc/letsencrypt/options-ssl-apache.conf supposed to look after I have disabled TLsv?

This is how it is now:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

I will install

and add:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

Right now.

Thanks! :slight_smile:

You don’t need to “install” the mozilla SSL config generator - it’s a web page that gives you example configs.

As long as the /etc/letsencrypt/options-ssl-apache.conf doesn’t include any SSLProtocol line, which would overwrite the previous one - then that’s fine.


Thank you very much sir !


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.