Disabling TLS 1.0 in Apache 2.4
I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.
In my virtual host file, I used the following directive:
SSLProtocol all -TLSv1 -SSLv3
That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:
SSLProtocol +TLSv1.1 +TLSv1.2
Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:
grep -R 'SSLProtocol' .
I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!
apache tls1.0
asked Apr 16 '17 at 13:05
TedFTedF
1113
add a comment |
I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.
In my virtual host file, I used the following directive:
SSLProtocol all -TLSv1 -SSLv3
That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:
SSLProtocol +TLSv1.1 +TLSv1.2
Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:
grep -R 'SSLProtocol' .
I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!
apache tls1.0
asked Apr 16 '17 at 13:05
TedFTedF
1113
add a comment |
I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.
In my virtual host file, I used the following directive:
SSLProtocol all -TLSv1 -SSLv3
That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:
SSLProtocol +TLSv1.1 +TLSv1.2
Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:
grep -R 'SSLProtocol' .
I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!
apache tls1.0
asked Apr 16 '17 at 13:05
TedFTedF
1113
I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.
In my virtual host file, I used the following directive:
SSLProtocol all -TLSv1 -SSLv3
That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:
SSLProtocol +TLSv1.1 +TLSv1.2
Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:
grep -R 'SSLProtocol' .
I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!
apache tls1.0
apache tls1.0
asked Apr 16 '17 at 13:05
TedFTedF
1113
asked Apr 16 '17 at 13:05
TedFTedF
1113
asked Apr 16 '17 at 13:05
TedFTedF
1113
asked Apr 16 '17 at 13:05
TedFTedF
1113
asked Apr 16 '17 at 13:05
TedFTedF
1113
1113
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
There is an answer for this questions here:
How to disable TLS 1.1 & 1.2 in Apache?
Basically, you have to disable this protocol in the ssl.conf file. Doing that in your vhosts.conf or equivalent file will not work (although it is right setting this configuration there), due a bug in OpenSSL, as reported in one of the answers cited there.
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
add a comment |
As of today, 11/15/2018, there is a known bug about failing to disable tls1.0 in Apache 2.4. So don't hit your head when your modification just didn't work for no reason. Hopefully we can get it patched soon.
Also form the ticket
This seem to have changed somewhere between 2.4.18 + 2.4.23 as setting SSLProtocol use to be honored.
answered Nov 15 '18 at 23:12
KuNKuN
760922
add a comment |
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
edited 2 days ago
Pavel Smirnov
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f43437546%2fdisabling-tls-1-0-in-apache-2-4%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
There is an answer for this questions here:
How to disable TLS 1.1 & 1.2 in Apache?
Basically, you have to disable this protocol in the ssl.conf file. Doing that in your vhosts.conf or equivalent file will not work (although it is right setting this configuration there), due a bug in OpenSSL, as reported in one of the answers cited there.
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
add a comment |
There is an answer for this questions here:
How to disable TLS 1.1 & 1.2 in Apache?
Basically, you have to disable this protocol in the ssl.conf file. Doing that in your vhosts.conf or equivalent file will not work (although it is right setting this configuration there), due a bug in OpenSSL, as reported in one of the answers cited there.
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
add a comment |
There is an answer for this questions here:
How to disable TLS 1.1 & 1.2 in Apache?
Basically, you have to disable this protocol in the ssl.conf file. Doing that in your vhosts.conf or equivalent file will not work (although it is right setting this configuration there), due a bug in OpenSSL, as reported in one of the answers cited there.
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
There is an answer for this questions here:
How to disable TLS 1.1 & 1.2 in Apache?
Basically, you have to disable this protocol in the ssl.conf file. Doing that in your vhosts.conf or equivalent file will not work (although it is right setting this configuration there), due a bug in OpenSSL, as reported in one of the answers cited there.
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
edited Dec 15 '17 at 18:59
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
answered Oct 6 '17 at 19:33
aldemarcalazansaldemarcalazans
53169
53169
add a comment |
add a comment |
As of today, 11/15/2018, there is a known bug about failing to disable tls1.0 in Apache 2.4. So don't hit your head when your modification just didn't work for no reason. Hopefully we can get it patched soon.
Also form the ticket
This seem to have changed somewhere between 2.4.18 + 2.4.23 as setting SSLProtocol use to be honored.
answered Nov 15 '18 at 23:12
KuNKuN
760922
add a comment |
As of today, 11/15/2018, there is a known bug about failing to disable tls1.0 in Apache 2.4. So don't hit your head when your modification just didn't work for no reason. Hopefully we can get it patched soon.
Also form the ticket
This seem to have changed somewhere between 2.4.18 + 2.4.23 as setting SSLProtocol use to be honored.
answered Nov 15 '18 at 23:12
KuNKuN
760922
add a comment |
As of today, 11/15/2018, there is a known bug about failing to disable tls1.0 in Apache 2.4. So don't hit your head when your modification just didn't work for no reason. Hopefully we can get it patched soon.
Also form the ticket
This seem to have changed somewhere between 2.4.18 + 2.4.23 as setting SSLProtocol use to be honored.
answered Nov 15 '18 at 23:12
KuNKuN
760922
As of today, 11/15/2018, there is a known bug about failing to disable tls1.0 in Apache 2.4. So don't hit your head when your modification just didn't work for no reason. Hopefully we can get it patched soon.
Also form the ticket
This seem to have changed somewhere between 2.4.18 + 2.4.23 as setting SSLProtocol use to be honored.
answered Nov 15 '18 at 23:12
KuNKuN
760922
answered Nov 15 '18 at 23:12
KuNKuN
760922
answered Nov 15 '18 at 23:12
KuNKuN
760922
answered Nov 15 '18 at 23:12
KuNKuN
760922
760922
add a comment |
add a comment |
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
edited 2 days ago
Pavel Smirnov
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
add a comment |
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
edited 2 days ago
Pavel Smirnov
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
add a comment |
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
edited 2 days ago
Pavel Smirnov
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
edited 2 days ago
Pavel Smirnov
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
edited 2 days ago
Pavel Smirnov
1,309214
edited 2 days ago
Pavel Smirnov
1,309214
edited 2 days ago
Pavel Smirnov
1,309214
1,309214
answered Mar 21 at 14:14
ShanebeShanebe
111
answered Mar 21 at 14:14
ShanebeShanebe
111
answered Mar 21 at 14:14
ShanebeShanebe
111
111
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f43437546%2fdisabling-tls-1-0-in-apache-2-4%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
