How to Disable TLS 1.1/1.2 in Apache 2.2 with OpenSSL 1.0.1: Configuration Guide for Legacy Systems



When running Apache 2.2.22 (Ubuntu 12.04 LTS) against OpenSSL 1.0.1, you may find that TLS 1.1 and 1.2 stay enabled even though the configuration asks for SSLv3 only:

# Current configuration that doesn't work as expected
SSLProtocol -all +SSLv3

The cause is the SSLProtocol parser in this mod_ssl version, not OpenSSL. Apache 2.2.22 recognises only the keywords SSLv2, SSLv3, TLSv1 and all, and it enforces the directive by setting one OpenSSL option per known protocol that is not enabled (SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1). OpenSSL 1.0.1 added TLS 1.1 and TLS 1.2, but this mod_ssl has no TLSv1.1 or TLSv1.2 keywords and never sets SSL_OP_NO_TLSv1_1 or SSL_OP_NO_TLSv1_2, so a client that offers those versions still gets them, whatever SSLProtocol says. Against an older OpenSSL that only spoke up to TLS 1.0, the same directive did exactly what it said.

There is no SSLProtocol spelling that fixes this on an unpatched 2.2.22 build: the parser has to know a protocol before it can disable it. With a mod_ssl whose parser has the TLSv1.1 and TLSv1.2 keywords (Apache 2.4, or a 2.2 package that has them backported), the original directive does what it says and nothing more is needed:

# Works once mod_ssl knows the TLSv1.1 and TLSv1.2 keywords
SSLProtocol -all +SSLv3

Spelling out every exclusion, as in -all +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2, gains nothing: -all already removes every protocol the parser knows, and on a build that lacks the newer keywords any line mentioning TLSv1.1 or TLSv1.2 is rejected at startup as an illegal protocol, so Apache will not start at all. The shorter form

# Same effect as -all +SSLv3, with the same limitation
SSLProtocol SSLv3

is equivalent (an unprefixed keyword replaces whatever was set before it) and leaves TLS 1.1/1.2 enabled on 2.2.22 for the same reason.

After making changes, verify with OpenSSL commands, using a client whose own OpenSSL still supports SSLv3 (a client built without it fails with an unknown-option error for -ssl3, which says nothing about the server):

openssl s_client -connect yourdomain:443 -ssl3
openssl s_client -connect yourdomain:443 -tls1_1
openssl s_client -connect yourdomain:443 -tls1_2

The first should complete a handshake and print the negotiated cipher; the other two should fail to complete the handshake once TLS 1.1 and 1.2 are really disabled.

While this solution addresses the immediate technical requirement, be aware that:

  • SSLv3 is considered insecure (POODLE vulnerability)
  • This configuration should only be temporary for legacy compatibility
  • Consider upgrading to modern Apache/OpenSSL versions when possible

For production systems, the recommended approach would be to update the third-party application rather than downgrading security protocols.


When working with Apache 2.2.22 on Ubuntu 12.04 with OpenSSL 1.0.1, you might encounter unexpected TLS protocol behavior. The SSLProtocol -all +SSLv3 directive doesn't disable TLS 1.1 and 1.2 as you'd expect, and the reason is the pairing of an old mod_ssl with a newer OpenSSL.

The root cause is not OpenSSL ignoring -all; OpenSSL honours whichever SSL_OP_NO_* options mod_ssl sets, and mod_ssl 2.2.22 can only set them for the protocols it has keywords for. The protocol stack as seen by this combination looks like this:

SSLv2 (insecure; mod_ssl can disable it, and distribution OpenSSL builds usually omit it anyway)
SSLv3 (considered insecure today; mod_ssl can disable it)
TLSv1.0 (mod_ssl can disable it)
TLSv1.1 (added in OpenSSL 1.0.1; 2.2.22 has no keyword for it, so it is never disabled)
TLSv1.2 (added in OpenSSL 1.0.1; likewise never disabled)
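To make the root cause concrete (this covers the same explanation given in the first section as well), here is an added Python model of how mod_ssl turns an SSLProtocol line into SSL_OP_NO_* options and what the linked OpenSSL is then left offering. It is example code written for this page, not mod_ssl source: the keyword sets and the OpenSSL protocol sets are assumptions chosen to match the versions discussed in the text, and the parsing rules (+/- prefixes, all, a bare keyword replacing the current set, an unknown keyword being a fatal configuration error) follow mod_ssl's documented behaviour.

```python
"""Model of how Apache mod_ssl applies an SSLProtocol directive.

Added example for this page, not mod_ssl source. Rules modelled:
  * '+kw' adds, '-kw' removes, a bare keyword replaces the current set,
    'all' expands to every keyword the parser knows (case-insensitive);
  * an unknown keyword is a fatal configuration error;
  * mod_ssl can only set SSL_OP_NO_<proto> for protocols it has a keyword for,
    so anything OpenSSL supports beyond the parser's vocabulary stays enabled.
The keyword and OpenSSL sets below are assumptions matching the versions
discussed in the text, not values read from either project's source.
"""

# Keywords the SSLProtocol parser recognises (assumed per the text).
KEYWORDS_APACHE_2_2_22 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
KEYWORDS_WITH_TLS12 = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# Protocols the linked OpenSSL can negotiate with the SSLv23 method (assumed).
OPENSSL_1_0_0 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
OPENSSL_1_0_1 = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


class ConfigError(Exception):
    """Raised where Apache would refuse to start."""


def parse_sslprotocol(directive: str, known: frozenset) -> set:
    """Return the set of protocols the directive enables."""
    by_lower = {kw.lower(): kw for kw in known}
    enabled: set = set()
    for word in directive.split():
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            chosen = set(known)
        elif key in by_lower:
            chosen = {by_lower[key]}
        else:
            raise ConfigError(f"SSLProtocol: Illegal protocol '{word}'")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen  # a bare keyword overrides what was set before
    return enabled


def no_options(directive: str, known: frozenset) -> set:
    """SSL_OP_NO_* options mod_ssl sets: one per known protocol not enabled."""
    enabled = parse_sslprotocol(directive, known)
    return {f"SSL_OP_NO_{p.replace('.', '_')}" for p in known if p not in enabled}


def effective_protocols(directive: str, known: frozenset, openssl: frozenset) -> set:
    """Protocols still negotiable after OpenSSL honours the options mod_ssl set."""
    enabled = parse_sslprotocol(directive, known)
    return {p for p in openssl if p in enabled or p not in known}


if __name__ == "__main__":
    builds = (("2.2.22", KEYWORDS_APACHE_2_2_22), ("with TLSv1.x keywords", KEYWORDS_WITH_TLS12))
    for directive in ("-all +SSLv3", "SSLv3", "-all +SSLv3 -TLSv1.1 -TLSv1.2"):
        for label, known in builds:
            try:
                left = sorted(effective_protocols(directive, known, OPENSSL_1_0_1))
                print(f"{directive!r:36} mod_ssl {label:22} -> {left}")
            except ConfigError as err:
                print(f"{directive!r:36} mod_ssl {label:22} -> {err}")
```

Running it shows the three outcomes the text describes: on the 2.2.22 keyword set both -all +SSLv3 and SSLv3 leave SSLv3, TLSv1.1 and TLSv1.2 negotiable, the same directive on a parser that knows TLSv1.1/TLSv1.2 leaves only SSLv3, and the "explicit" variant is a startup error on 2.2.22.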

For Apache 2.2 with OpenSSL 1.0.1, this is the configuration, and it only does what it says once mod_ssl has been updated to a build that knows the TLSv1.1 and TLSv1.2 keywords:

<VirtualHost *:443>
    SSLEngine on
    # Needs a mod_ssl that recognises TLSv1.1/TLSv1.2; on unpatched 2.2.22
    # TLS 1.1 and 1.2 stay enabled regardless of this line
    SSLProtocol -all +SSLv3
    # SSLv3 has no AEAD or SHA-2 suites, so keep a list that still contains SSLv3 ciphers
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    # ... other SSL configurations ...
</VirtualHost>

After making changes, verify with these tools (each local client must itself be built with SSLv3 support, which recent OpenSSL and curl builds often are not):

  1. OpenSSL command-line:
    openssl s_client -connect yourdomain.com:443 -ssl3
  2. Online scanners: SSL Labs' Server Test, which lists every protocol version the server accepts
  3. Curl verification (the option is --sslv3, or -3):
    curl -Iv --sslv3 https://yourdomain.com
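The verification commands above, like the s_client checks in the first section, depend on the testing client being built with SSLv3, and a client-side unknown-option error is easy to mistake for a server refusal. The following added Python script, written for this page rather than taken from it, sidesteps that by sending a hand-built ClientHello for each version and classifying the server's first record: a ServerHello at the offered version means the version is accepted, a ServerHello at a lower version shows what the server negotiated down to, and an alert means refusal. Host and port are whatever you pass on the command line; the cipher suite IDs are a small set of common suites chosen for the example, and no key exchange or encryption is performed.

```python
"""Probe which SSL/TLS versions a server accepts using hand-built ClientHellos.

Added example for this page (not code from it). It does not need the local
openssl or curl binary to support SSLv3: each probe sends one ClientHello and
reads only the server's first record (ServerHello or alert).
"""
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# A handful of widely supported cipher suite IDs (RFC 5246 / RFC 4492 values),
# chosen for the example; servers pick from these, so keep old and new ones.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0xC013, 0xC014, 0x009C]

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version: int) -> bytes:
    """Return a complete record carrying a ClientHello for `version`.
    SSLv3 has no extensions, so none are sent for any version; the same
    message layout is valid from 0x0300 through 0x0303."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)  # client_version
        + os.urandom(32)            # random
        + b"\x00"                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"               # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(handshake)) + handshake


def classify_response(record: bytes, offered: int) -> str:
    """Classify the first record the server sent back.
    Returns 'accepted', 'negotiated-down:<name>', 'alert:<name>' or 'unexpected'."""
    if len(record) < 5:
        return "unexpected"
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return "alert:" + ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))
    if (content_type == CONTENT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO):
        server_version = struct.unpack("!H", payload[4:6])[0]  # after type + 24-bit length
        if server_version == offered:
            return "accepted"
        return "negotiated-down:" + VERSION_NAMES.get(server_version, hex(server_version))
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send one ClientHello per version and return {version name: verdict}."""
    results = {}
    for name, version in VERSIONS.items():
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            try:
                data = sock.recv(4096)
            except socket.timeout:
                data = b""
        results[name] = classify_response(data, version) if data else "closed"
    return results


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, verdict in probe(host, port).items():
        print(f"{name:8s} {verdict}")
```

For the configuration this page is after, the expected output is "accepted" for SSLv3 and either an alert or "closed" for the three TLS versions; a "negotiated-down:SSLv3" verdict for TLSv1.2 also confirms the server will not speak TLS 1.2, since the offered version was not the one chosen.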

While this solution addresses the immediate problem, be aware that:

  • SSLv3 is vulnerable to POODLE attacks
  • Modern browsers have removed SSLv3 support entirely, so only the legacy client will still be able to connect
  • This should only be used as a temporary workaround

If you can upgrade to Apache 2.4, mod_ssl knows every protocol keyword that OpenSSL 1.0.1 supports, so the original directive is sufficient:

SSLProtocol -all +SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Do not pair an SSLv3-only SSLProtocol with a TLS 1.2-only cipher list such as "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256": AES-GCM and SHA-256/SHA-384 suites exist only in TLS 1.2, so an SSLv3 client would share no cipher with the server and every handshake would fail. Note also that OpenSSL 1.1.0 and later are built without SSLv3 unless it is explicitly enabled, so on a current distribution +SSLv3 is rejected at startup and this workaround is not available at all.

Remember to restart Apache after configuration changes (run apache2ctl configtest first: an unrecognised protocol keyword is a fatal error that keeps Apache from starting, and a failed configtest is the first sign that your mod_ssl lacks the keyword):

sudo service apache2 restart