When attempting to disable older TLS versions in Apache, many admins encounter situations where the configuration changes don't seem to take full effect. The standard approach of modifying the SSLProtocol directive often appears insufficient when verified through external SSL scanners.
Here's the comprehensive approach to fully disable TLS 1.0 and 1.1 in Apache:
# In your Apache SSL configuration file (Debian/Ubuntu: /etc/apache2/mods-available/ssl.conf; RHEL/CentOS: /etc/httpd/conf.d/ssl.conf)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Prefer the server's order over the client's
SSLHonorCipherOrder on
# Cipher list for TLS 1.2 and below (TLS 1.3 suites are not governed by this directive).
# Spaces, commas and colons are all valid separators; !RC4 removes every RC4 suite, so none is listed.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
After making these changes, check the syntax (apache2ctl configtest, or apachectl configtest on RHEL) and restart Apache (sudo systemctl restart apache2 on Debian/Ubuntu, sudo systemctl restart httpd on RHEL/CentOS), then verify using:
openssl s_client -connect yourdomain.com:443 -tls1
openssl s_client -connect yourdomain.com:443 -tls1_1
Both commands should fail with handshake errors if properly configured. One caveat: an OpenSSL 3.x client refuses TLS 1.0 and 1.1 on its own at the default security level (it reports "no protocols available"), so these commands fail even against a server that still offers them. To test the server rather than the client, lower the client's security level:
openssl s_client -connect yourdomain.com:443 -tls1 -cipher 'DEFAULT@SECLEVEL=0'
A correctly hardened server then rejects the handshake with a protocol version alert; if the handshake completes and a certificate is printed, TLS 1.0 is still on.
If TLS 1.0/1.1 still appears enabled, check for:
- Multiple SSLProtocol directives in different configuration files (in server context the last one loaded wins)
- Virtual host configurations overriding the main SSL settings: an SSLProtocol inside a <VirtualHost> replaces the server-level one for that vhost
- Name-based virtual hosts on older httpd/OpenSSL combinations: the protocol version is negotiated before SNI selects the vhost, so the first (default) vhost for an address:port decides the protocol for all of them; per-vhost selection needs httpd 2.4.42 with OpenSSL 1.1.1 or later
- Proxy servers, CDNs or load balancers that terminate TLS in front of Apache, in which case the scanner never sees Apache's settings at all
A complete SSL virtual host applying these settings (requires mod_ssl and, for the Header lines, mod_headers):
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Deprecated since 2.4.8: intermediates can be appended to SSLCertificateFile instead
    SSLCertificateChainFile /etc/ssl/certs/chain.crt
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # HSTS header (only keep "preload" if you intend to submit the domain to the preload list; it is hard to undo)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # Other security headers
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
</VirtualHost>
Many Apache administrators face difficulties when trying to disable older TLS versions (1.0 and 1.1) despite updating their configuration files. The problem often persists even after adding the following directive:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Before making changes, check your current SSL/TLS support using:
openssl s_client -connect yourdomain.com:443 -tls1
openssl s_client -connect yourdomain.com:443 -tls1_1
Alternatively, use online tools like SSL Labs' SSL Test or Comodo SSL Analyzer.
The most reliable approach involves multiple configuration steps:
# In your Apache SSL configuration file (Debian/Ubuntu: /etc/apache2/mods-available/ssl.conf; RHEL/CentOS: /etc/httpd/conf.d/ssl.conf)
# Deny-list form; the allow-list form "-all +TLSv1.2 +TLSv1.3" is equivalent and cannot be undone by a later "+TLSv1"
# (the TLSv1.3 keyword needs httpd 2.4.37 or later built against OpenSSL 1.1.1 or later)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
If the changes don't take effect:
- Ensure you're editing the configuration file Apache actually loads: apache2ctl -S (httpd -S on RHEL) lists every virtual host with the file and line it comes from, and apache2ctl -t -D DUMP_INCLUDES lists all included files in load order
- Verify that no virtual host configuration overrides these settings with its own SSLProtocol
- Check for multiple SSL configuration files that might conflict (for example a site snippet left over from an old hardening guide)
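The two troubleshooting lists above (multiple SSLProtocol directives, virtual hosts overriding the server-level setting) are easy to check by hand on a single server and tedious on a fleet. The script below is an added example, not code from the original page: it reimplements the keyword rules of mod_ssl's SSLProtocol directive (start from nothing; a bare name or +name enables a version, -name disables it, "all" enables everything except SSLv2), walks a config tree, lets a vhost-level directive override the server-level one, and flags every vhost that still allows TLS 1.0 or 1.1. The sample config tree, its file names and the host names in it are constructed for the demo; sorted path order stands in for Apache's real Include order.

```python
"""Audit the effective SSLProtocol of every <VirtualHost> in an Apache config tree.

Added example (not from the original page). Reimplements mod_ssl's SSLProtocol
keyword rules, applies server-level settings to vhosts without their own, and
flags vhosts that still permit TLSv1 or TLSv1.1. Sample config is constructed.
Python 3.8+ (uses the walrus operator).
"""
import glob
import os
import re
import tempfile

KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ALL = KNOWN - {"SSLv2"}            # what "all" expands to in Apache 2.4
DEFAULT = ALL - {"SSLv3"}          # Apache 2.4 default when nothing is set: "all -SSLv3"
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSLPROTO = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)


def parse_protocol_directive(args):
    """Return the set of versions an SSLProtocol argument string enables."""
    enabled = set()
    for word in args.replace('"', "").split():
        action = "-" if word.startswith("-") else "+"      # bare name behaves like +name
        name = word.lstrip("+-").lower()
        members = ALL if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not members:
            raise ValueError(f"unknown SSLProtocol keyword: {word}")
        enabled = enabled - members if action == "-" else enabled | members
    return enabled


def audit(config_dir):
    """One record per vhost: address, file, effective protocols, legacy versions left on,
    and whether it is the first (default) vhost for its address:port."""
    server_level = None            # in server context the last directive loaded wins
    vhosts = []                    # [address, file, explicit set or None]
    # Sorted path order approximates Include order; use `apachectl -t -D DUMP_INCLUDES` for the real one.
    for path in sorted(glob.glob(os.path.join(config_dir, "**", "*.conf"), recursive=True)):
        current = None
        with open(path) as fh:
            for line in fh:
                if line.lstrip().startswith("#"):          # Apache comments are whole lines only
                    continue
                if m := VHOST_OPEN.match(line):
                    current = [m.group(1).strip(), path, None]
                elif VHOST_CLOSE.match(line) and current is not None:
                    vhosts.append(current)
                    current = None
                elif m := SSLPROTO.match(line):
                    protos = parse_protocol_directive(m.group(1))
                    if current is not None:
                        current[2] = protos                # vhost-level override
                    else:
                        server_level = protos
    inherited = DEFAULT if server_level is None else server_level
    seen, report = set(), []
    for address, path, explicit in vhosts:
        effective = inherited if explicit is None else explicit
        report.append({
            "vhost": address,
            "file": os.path.relpath(path, config_dir),
            "inherits": explicit is None,
            "protocols": effective,
            "weak": sorted(effective & LEGACY),
            "default_for_address": address not in seen,    # first vhost seen for this address:port
        })
        seen.add(address)
    return report


SAMPLE = {   # constructed config tree for the demo; paths and host names are made up
    "mods-enabled/ssl.conf":
        "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLHonorCipherOrder on\n",
    "sites-enabled/000-default-ssl.conf":
        "<VirtualHost *:443>\n  ServerName example.com\n  SSLEngine on\n"
        "  # a forgotten per-site override that re-enables TLS 1.0/1.1\n"
        "  SSLProtocol all -SSLv3\n</VirtualHost>\n",
    "sites-enabled/api.conf":
        "<VirtualHost *:443>\n  ServerName api.example.com\n  SSLEngine on\n</VirtualHost>\n",
    "sites-enabled/intranet.conf":
        "<VirtualHost 10.0.0.5:8443>\n  ServerName intranet.example.com\n  SSLEngine on\n"
        "  SSLProtocol -all +TLSv1.2 +TLSv1.3\n</VirtualHost>\n",
}


def write_sample_config(root):
    for rel, text in SAMPLE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return root


def run_demo():
    report = audit(write_sample_config(tempfile.mkdtemp()))
    for r in report:
        status = "WEAK: " + ", ".join(r["weak"]) if r["weak"] else "ok"
        source = "inherited" if r["inherits"] else "explicit"
        note = "  (first vhost for this address; governs SNI vhosts on httpd < 2.4.42)" if r["default_for_address"] else ""
        print(f"{r['vhost']:<16} {source:<9} {sorted(r['protocols'])}  {status}{note}")
    return report


if __name__ == "__main__":
    run_demo()
```

Run it against /etc/apache2 (or /etc/httpd) instead of the sample tree by calling audit() on that directory. The first vhost flagged above is the usual cause of the "it still shows TLS 1.0" symptom: the server-level directive is correct, a site file overrides it, and on older httpd that one vhost's setting is what every SNI client on the same address:port gets.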
After making changes and restarting Apache (systemctl restart apache2, or service apache2 restart on older init systems), verify with:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
This should list only TLSv1.2 and TLSv1.3, each with its cipher suites. Use a recent nmap: older releases do not enumerate TLS 1.3 at all, so its absence from their output means nothing. If the scan is run from outside and a load balancer or CDN terminates TLS, it reports that device's configuration, not Apache's.
For further hardening, consider the following directives (SSLStaplingCache must be set in server context, outside any <VirtualHost>; the others may be set per vhost):
# Off by default since 2.4.3; TLS compression enables the CRIME attack
SSLCompression off
# Session tickets are encrypted with a key that only rotates on restart, so long-running servers lose forward secrecy for resumed sessions (2.4.11+)
SSLSessionTickets off
# OCSP stapling; the cache directive is mandatory when stapling is on
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"