11

I have enabled TLS 1.2 in my web server. But the http://ssllabs.com indicates that, I have enabled TLS 1.0 and 1.1 versions along with the TLS1.2 in my server. I modified my configurations files to disable 1.0 and 1.1 from my server. But it doesn't help.

/etc/apache2/mods-enabled/ssl.conf

SSLCipherSuite HIGH:!SSLv3:!kRSA:!kECDH:!ADH:!DSS
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.2

I have multiple virtual hosts in my Apache server. In each file, I have the following configuration.

SSLEngine On
SSLProtocol -all +TLSv1.2
SSLCertificateFile /etc/ssl/certs/certfile.pem
SSLCertificateKeyFile /etc/ssl/private/certfile.pem
Eranga Kapukotuwa
  • 211
  • 1
  • 2
  • 4
  • I too am currently having this issue on Ubuntu 16.04. Trying to disable TLS 1.0 as auto-renew from lets encrypt won't work at some point in future if TLS 1.0 still enabled. – Programster Feb 18 '19 at 15:07
  • I noticed that I am running apache 2.4.18 on Ubuntu 16.04 and according to this post, it might be a case that there is a bug where apache does not honor the SSLProtocol lines. https://stackoverflow.com/questions/43437546/disabling-tls-1-0-in-apache-2-4 – Programster Feb 19 '19 at 09:06
  • @Programster Is your server located in AWS ? " SSLProtocol -all +TLSv1.2 " controller works fine. It must work. Try to figure-out if there is any chance to have two certificates configured in your server unknowingly. – Eranga Kapukotuwa Feb 28 '19 at 03:50

5 Answers5

12

Look in the /etc/letsencrypt/ folder for a configuration file. Let's Encrypt adds an entry in the sites-enabled/-le-ssl.conf file:

Include /etc/letsencrypt/options-ssl-apache.conf

You will need to update the SSLProtocol & SSLCipherSuite directives in that file too.

bernieDog
  • 121
  • 1
  • 4
4

Letsencrypt by default will write this in /etc/letsencrypt/options-ssl-apache.conf . Check to make sure is included in your server configuration.

SSLEngine on    
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Open this file and edit as below.

SSLEngine on

#we comment out whatever Letsencrypt give here
#SSLProtocol             all -SSLv2 -SSLv3
#We disabled TLS 1.0/1.1 and SSL 2.0/3.0 here
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

#Comment out whatever Letsencrypt give by default for SSLCipherSuite
#SSLCipherSuite    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 .....

#Add this line instead of what Letsencrypt added as SSLCipherSuite
#This is to ensure the use of SSL encryption with a high degree of protection.
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

SSLHonorCipherOrder     on
SSLCompression          off

Go back to the SSL Server Test and Clear Cache. Then re-run the Test

enter image description here

ShapCyber
  • 141
  • 2
2

With a current Ubuntu 18.04 LTS, we have Apache 2.4.29 and the problem is not reproducible.

The following configuration in /etc/apache2/sites-enables/default-ssl.conf switches off the unwanted protocol versions:

# Suppress TLSv1.0 and TLS v1.1
SSLProtocol +TLSV1.2 +TLSv1.3

I put it close to the end of the file before </VirtualHost>.

Sir Cornflakes
  • 504
  • 8
  • 31
0

Enable and disable TLS options

sudo nano /etc/letsencrypt/options-ssl-apache.conf

SSLProtocol             all +TLSv1.3 -TLSv1 -TLSv1.1 -SSLv2 -SSLv3

And run test again!

Fernando León
  • 101
  • 2
0

In your virtual-host config, Edit This line

SSLProtocol all -SSLv3 -SSLv2 -SSLv2 -TLSv1 -TLSv1.1

Note that in configuration file, another file maybe included, so you can edit that.

Seyed M
  • 1