So, I’m migrating from one server to another, and adding a new domain server, meaning new certs all around! Yay! I was invited to ‘test my configuration’ at ssllabs.com, and when I did, the service capped my score at a B+ because support for TLS 1.0 and 1.1 should have been removed by now. I found that in LE’s SSL config, it’s still allowing all TLS settings except for SSLv2 and SSLv3:
SSLProtocol all -SSLv2 -SSLv3
So I attempted to overwrite that in my Apache config by adding the following to my HTTPS stanza:
SSLEngine on
SSLProtocol TLSv1.2
To which the security test still failed. I’d consider changing the TLS settings inside LE’s config file, but they have that warning that “If you modify this file manually, Certbot will be unable to automatically provide future security updates.” while two lines down, they say “Intermediate configuration, tweak to your needs”.
Am I safe to tweak the SSLProtocol in LE’s config? Did I screw something up in my Apache config? I’m just trying to finish hardening my webserver in a clean way, and maybe Certbot’s script needs to be updated to match this deprecation?
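An added example, not part of the original post and not Certbot's or Apache's own code: it evaluates `SSLProtocol` arguments the way mod_ssl does (a bare token replaces the set, `+`/`-` adjust it) and shows that the last directive processed in a virtual host wins, so the position of an `Include` relative to a hand-written `SSLProtocol` line changes the result. The file name `options-ssl.conf`, both virtual host snippets and the expansion of `all` to TLSv1 through TLSv1.3 are assumptions; the post does not show where its `Include` line sits.

```python
# Assumption: a build where "all" means TLSv1..TLSv1.3 (SSLv3 compiled out).
ALL = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
KNOWN = {p.lower(): p for p in ALL + ("SSLv3",)}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample input; "options-ssl.conf" is a placeholder file name.
INCLUDES = {"options-ssl.conf": "SSLProtocol all -SSLv2 -SSLv3\n"}
VHOST_INCLUDE_LAST = "SSLEngine on\nSSLProtocol TLSv1.2\nInclude options-ssl.conf\n"
VHOST_INCLUDE_FIRST = "SSLEngine on\nInclude options-ssl.conf\nSSLProtocol TLSv1.2\n"

def eval_ssl_protocol(args):
    """Evaluate one SSLProtocol argument list, left to right."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        name = name.lower()
        if name == "sslv2" and action == "-":
            continue  # Apache 2.4 accepts -SSLv2 and ignores it
        if name == "all":
            chosen = set(ALL)
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {tok}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare token replaces what was set before
    return enabled

def flatten(text, includes):
    """Yield directive lines with known Include files expanded in place."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "include" and parts[1].strip() in includes:
            yield from flatten(includes[parts[1].strip()], includes)
        else:
            yield line

def effective_protocols(text, includes):
    """Return the protocol set left by the last SSLProtocol directive seen."""
    current = eval_ssl_protocol("all -SSLv3")  # documented default since 2.4.17
    for line in flatten(text, includes):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "sslprotocol":
            current = eval_ssl_protocol(parts[1])
    return current

if __name__ == "__main__":
    for label, vhost in (("include last", VHOST_INCLUDE_LAST), ("include first", VHOST_INCLUDE_FIRST)):
        eff = effective_protocols(vhost, INCLUDES)
        print(label, sorted(eff), "legacy:", sorted(eff & LEGACY))
```

Note that a bare `SSLProtocol TLSv1.2` also leaves TLSv1.3 disabled, while `all -TLSv1 -TLSv1.1` keeps it.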