TLS 1.0/1.1 depreciation

So, I'm migrating from one server to another, and adding a new domain server, meaning new certs all around! Yay! I was invited to 'test my configuration' at ssllabs.com, and when I did, the service capped my score at a B+ because support for TLS 1.0 and 1.1 should have been removed by now. I found that in LE's SSL config, it's still allowing all TLS settings except for SSLv2 and SSLv3

SSLProtocol all -SSLv2 -SSLv3

So I attempted to overwrite that in my apache config by adding the following to my HTTPS stanza

    SSLEngine on

   SSLProtocol TLSv1.2

To which the security test still failed. I'd consider changing the TLS settings inside LE's config file, but they have that warning that " If you modify this file manually, Certbot will be unable to automatically provide future security updates." while two lines down, they say "Intermediate configuration, tweak to your needs"

Am I safe to tweak the SSLProtocol in LE's config? Did I screw something up in my apache config? I'm just trying to finish hardening my webserver in a clean way, and maybe Certbot's script needs to be updated to match this depreciation?

You can safely modify the configuration file. The warning simply means that, by editing the file, you are taking responsibility for managing its contents into the future.

If you like, you can just copy the contents of the file as they are in the latest version of Certbot.

If your version of Certbot is old (pre-1.0), this is probably even a good idea.

That’s surprising because I -do- have an old version, 0.31.0-1+ubuntu18.04.1+certbot+1 … what’s surprising is I just installed it earlier today using the PPA and it’s apparently that outdated.

That said, your suggestion did indeed work. Thanks a bunch!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.