Disabling TLSv1 and TLSv1.1

Introduction

An SSL scan at SSL Labs gave this website a grade of B. Mozilla Observatory gave the same grade (75/100 score). The Mozilla Observatory report showed that just disabling TLSv1 and TLSv1.1 would increase the score by 20 points. On this page I show the steps I followed while investigating how to disable TLSv1 (TLSv1.0) and TLSv1.1 on Apache running on Debian.

Without using Cloudflare

Without Cloudflare, TLSv1 and TLSv1.1 are disabled on the Apache2 server itself, in /etc/apache2/mods-available/ssl.conf, by making sure the following line is present:

SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1

This line disables SSLv3, TLSv1 and TLSv1.1 and leaves just TLSv1.2 enabled. Because it uses the all keyword, any protocol version that may come in the future is enabled as well.

Also, since we are using Let's Encrypt, we have to make sure the same line is present in the /etc/letsencrypt/options-ssl-apache.conf file.

After the files are modified, restart the apache2 service: sudo service apache2 restart
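
One way to confirm that both files carry the intended setting, as an added example that is not part of the original page: the Python sketch below evaluates each SSLProtocol line in a config and lists any of SSLv3, TLSv1 or TLSv1.1 that it still leaves enabled. The expansion of all and the handling of unprefixed names are assumptions noted in the comments, and the sample configs are constructed.

```python
import re

# Assumption: what "all" expands to on a current mod_ssl/OpenSSL build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}
# Matches only active directives: a commented-out line starts with '#'.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right; return the enabled set."""
    enabled = set()
    for token in args.split():
        # Assumption: a name without +/- is treated as an addition. This can
        # over-report enabled protocols but never hides a weak one.
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            group = set(ALL)
        else:
            group = {p for p in ALL if p.lower() == name.lower()}
        if not group:
            raise ValueError(f"unknown protocol {token!r}")
        enabled = enabled - group if sign == "-" else enabled | group
    return enabled


def audit(text):
    """Return (line_no, weak protocols left enabled) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            weak = sorted(WEAK & effective_protocols(m.group(1)))
            findings.append((no, weak))
    return findings


# Constructed sample configs (not copied from a real server).
HARDENED = "SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1\n"
STALE = ("# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"
         "SSLEngine on\n"
         "SSLProtocol all -SSLv3\n")

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("stale", STALE)):
        for no, weak in audit(cfg):
            print(f"{name}: line {no}: weak protocols enabled: {weak or 'none'}")
```

To audit the real files, pass the contents of ssl.conf and options-ssl-apache.conf to audit() and check that every finding has an empty list.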

Using Cloudflare

But, since I am managing the domain via Cloudflare, the modification must be made from the Cloudflare portal at the SSL/TLS > Edge Certificates menu:

Go to the Minimum TLS Version setting and select TLS 1.2 from the dropdown menu. This will essentially disable TLSv1 and TLSv1.1.


Sources:

Minimum TLS Version
https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/

SSL Server Test: sergio-jimenez.net (Powered by Qualys SSL Labs)
https://www.ssllabs.com/ssltest/analyze.html?d=sergio%2djimenez.net&s=104.21.9.134&latest

ssl - How can I disable TLS 1.0 and 1.1 in apache? - Server Fault
https://serverfault.com/questions/848177/how-can-i-disable-tls-1-0-and-1-1-in-apache

SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.5
https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Disable TLS 1.0 and 1.1 in Apache and Nginx - SSL.com
https://www.ssl.com/guide/disable-tls-1-0-and-1-1-apache-nginx/

Apache/Hardening - Debian Wiki
https://wiki.debian.org/Apache/Hardening

Mozilla Observatory :: Scan Results for sergio-jimenez.net
https://observatory.mozilla.org/analyze/sergio-jimenez.net