How to Disable TLS 1.1/1.2 in Apache 2.2 with OpenSSL 1.0.1: Configuration Guide for Legacy Systems


When working with older Apache 2.2.22 (Ubuntu 12.04 LTS) and OpenSSL 1.0.1 configurations, you might notice TLS 1.1 and 1.2 remain enabled despite using SSLProtocol -all +SSLv3. This occurs because:

# Current configuration that doesn't work as expected
SSLProtocol -all +SSLv3

The SSLProtocol directive in Apache 2.2 has limited protocol version control. While it supports TLSv1 as a keyword, it doesn't recognize TLSv1.1 or TLSv1.2 as valid parameters.

To disable TLS 1.1/1.2 while keeping SSLv3, use this configuration. The keywords are applied left to right, so starting from all and subtracting everything except SSLv3 leaves only SSLv3 enabled:

# Effective configuration for OpenSSL 1.0.1
SSLProtocol all -SSLv2 -TLSv1 -TLSv1.1 -TLSv1.2

Note that the TLSv1.1 and TLSv1.2 keywords are only accepted by a mod_ssl build that knows them; an older build rejects an unknown keyword at startup with an "Illegal protocol" error rather than silently ignoring it.

Alternatively, and most portable across mod_ssl versions, name only the protocol you want enabled:

# Enable SSLv3 only
SSLProtocol SSLv3

After making changes, verify with OpenSSL commands; only the -ssl3 connection should complete a handshake, the other two should be refused:

openssl s_client -connect yourdomain:443 -ssl3
openssl s_client -connect yourdomain:443 -tls1_1
openssl s_client -connect yourdomain:443 -tls1_2

While this solution addresses the immediate technical requirement, be aware that:

  • SSLv3 is considered insecure (POODLE vulnerability)
  • This configuration should only be temporary for legacy compatibility
  • Consider upgrading to modern Apache/OpenSSL versions when possible

For production systems, the recommended approach would be to update the third-party application rather than downgrading security protocols.


When working with Apache 2.2.22 on Ubuntu 12.04 with OpenSSL 1.0.1, you might encounter unexpected TLS protocol behavior. The SSLProtocol -all +SSLv3 directive doesn't actually disable TLS 1.1 and 1.2 as you'd expect - this is due to how older OpenSSL versions handle protocol negotiation.

The root cause lies in how protocol versions are handled. With OpenSSL 1.0.1, the -all flag does not end up clearing the newer TLS versions: mod_ssl in Apache 2.2 only knows the SSLv2, SSLv3 and TLSv1 keywords, so -all only clears those, and OpenSSL 1.0.1 keeps TLS 1.1 and 1.2 enabled unless told otherwise. The protocol stack looks like this:

  • SSLv2 (insecure, disabled by default)
  • SSLv3 (considered insecure today)
  • TLSv1.0
  • TLSv1.1 (support added in OpenSSL 1.0.1)
  • TLSv1.2 (support added in OpenSSL 1.0.1)

For Apache 2.2 with OpenSSL 1.0.1, use this explicit configuration:

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    # ... other SSL configurations ...
</VirtualHost>

After making changes, verify with these tools:

  1. OpenSSL command-line:
    openssl s_client -connect yourdomain.com:443 -ssl3
  2. Online scanners: Use SSL Labs' tester
  3. Curl verification:
    curl -Iv --sslv3 https://yourdomain.com
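
A small probe script, added here as an example and not part of the original article, that runs the s_client check above once per protocol version and classifies each handshake from the s_client output. The host and port are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the original article): probe which SSL/TLS versions
# a server will negotiate, one openssl s_client run per version flag.
# The flags -ssl3 -tls1 -tls1_1 -tls1_2 exist in OpenSSL 1.0.1; a newer client
# build may have SSLv3 compiled out, in which case -ssl3 itself errors.

# classify_handshake: read s_client output (stdout and stderr merged) on stdin
# and print "accepted" when a session was negotiated, otherwise "rejected".
# A failed handshake leaves "Cipher    : 0000" in the SSL-Session block and
# usually an alert or "wrong version number" error on stderr. A refused
# connection produces no Cipher line at all and is also reported as rejected.
classify_handshake() {
    cipher='' fail=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *'handshake failure'*|*'wrong version number'*|*'unsupported protocol'*)
                fail=1 ;;
            *Cipher*': '*)                  # "    Cipher    : AES256-SHA"
                cipher=${line##*: } ;;
        esac
    done
    if [ "$fail" -eq 0 ] && [ -n "$cipher" ] && [ "$cipher" != 0000 ]; then
        echo accepted
    else
        echo rejected
    fi
}

# probe HOST [PORT]: try each protocol version and report the result per flag.
# After the SSLv3-only configuration above, expect -ssl3 accepted and the
# three TLS flags rejected.
probe() {
    host=$1 port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 \
                 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

if [ "$#" -ge 1 ]; then
    probe "$@"                              # e.g. ./probe.sh yourdomain.com 443
fi
```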

While this solution addresses the immediate problem, be aware that:

  • SSLv3 is vulnerable to POODLE attacks
  • Modern browsers are deprecating SSLv3 support
  • This should only be used as a temporary workaround

If you can upgrade to Apache 2.4+, the syntax is the same but every protocol keyword is understood, including TLSv1.1 and TLSv1.2. One caveat on the cipher list below: AES-GCM and SHA-256/SHA-384 suites exist only in TLS 1.2, so with SSLv3 as the sole protocol no client can negotiate any of them; an SSLv3-only server must keep SSLv3-era cipher suites enabled.

SSLProtocol -ALL +SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256"

Remember to restart Apache after configuration changes. Run apache2ctl configtest first: an SSLProtocol keyword that your mod_ssl build does not know is reported there as a configuration error rather than silently ignored.

sudo service apache2 restart