By alexdo
I recently got asked how we can disable old TLS versions on a server. The user was applying for PCI compliance and wanted to have only TLS 1.2 running on their machine in order to pass the PCI vendor's scan.
Accepted Answer
Before you start, please keep in mind that you can always run into issues, so it's really important to make a working copy of your configuration files or to do a full server/droplet backup before you begin. That way you can always restore your config files or the whole droplet in case something goes wrong.
If you're running an Apache server you will need to tweak the Apache/httpd configuration file in order to disable TLS 1.0 and 1.1.
One thing to keep in mind is that if you have any control panel interface/GUI like cPanel/Plesk you must tweak the configuration file from the control panel, or the changes will be reverted.
If you don’t have any control panel running on the server you can make the change manually in the httpd configuration file. The location of the file should be:
/etc/apache2/conf/httpd.conf
and you might have a symlink here:
/usr/local/apache/conf/httpd.conf
You can open the httpd configuration file with your favorite text editor; vi, vim or nano, it's totally up to you.
You need to locate the following lines/rows:
SSLCipherSuite
SSLProtocol
The first one is for the SSL cipher suite and the second one for the actual protocol. To leave only TLS 1.2 active you can copy/paste the following lines:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProtocol TLSv1.2
You can double check the available cipher suites using this link:
https://wiki.mozilla.org/Security/Server_Side_TLS
For TLS 1.3 you can use:
# TLS 1.3 needs Apache 2.4.36+ built against OpenSSL 1.1.1+; the TLSv1.3 keyword marks these as TLS 1.3 suites
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLProtocol -all +TLSv1.2 +TLSv1.3
Now that the server is configured, it is time to test the Apache config for syntax errors:
sudo apache2ctl -t
Reload or restart the Apache server:
sudo systemctl restart apache2
OR
sudo service apache2 restart
==============================================================
If you're running an Ubuntu 18.04 server you should be able to tweak the Apache configuration by following these steps:
The file should be located here:
/etc/apache2/mods-available/ssl.conf
Open it with any text editor and look for the following lines/rows:
SSLCipherSuite
SSLProtocol
In order to leave only TLS 1.2 active you can use the following:
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
SSLProtocol TLSv1.2
If you’re using Let’s Encrypt you need to edit the following file:
/etc/letsencrypt/options-ssl-apache.conf
And put the following in it:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
Now that the server is configured, it is time to test the Apache config for syntax errors:
sudo apache2ctl -t
Reload or restart the Apache server:
sudo systemctl restart apache2
OR
sudo service apache2 restart
This should make only TLS 1.2 available.
=============================================
3. For tweaking the TLS configuration on Nginx, follow these steps:
Open the nginx configuration file:
/etc/nginx/nginx.conf
Insert the following code snippet:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
Now that the server is configured, it is time to test the nginx config for syntax errors:
sudo nginx -t
Reload or restart the nginx server:
sudo systemctl restart nginx
OR
sudo service nginx restart
In order to test if everything is okay and only TLS 1.2 is available you can use either nmap or openssl.
Example nmap command:
nmap --script ssl-enum-ciphers -p 443 IPaddress/Hostname
Example openssl command:
openssl s_client -connect domain:443 -tls1_2
Hope this helps!
Please feel free to comment below if you use a different way/method to configure this!
Regards, Alex
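An added check, not part of the answer above nor code from the Apache or nginx projects: it evaluates the SSLProtocol / ssl_protocols lines from the Apache and nginx snippets in this answer and reports whether SSLv3, TLS 1.0 or TLS 1.1 would still be negotiable. It applies mod_ssl's actual token rules (a bare protocol name replaces what was set before it), which is why "SSLProtocol TLSv1.2 TLSv1.3" does not do what it looks like. It assumes a current Apache 2.4 build on OpenSSL 1.1.1+, so "all" includes TLSv1.3; the sample config is constructed.

```python
import re
# Apache mod_ssl protocol names (canonical spelling assumed). Assumption: a
# current Apache 2.4 build on OpenSSL 1.1.1+, so "all" also covers TLSv1.3.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # what a PCI scan flags

def apache_ssl_protocol(args):
    """mod_ssl rules: '+X' adds, '-X' removes, and a BARE 'X' replaces all set
    so far, so 'TLSv1.2 TLSv1.3' yields only TLSv1.3 (use '-all +TLSv1.2 +TLSv1.3')."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name == "all":
            names = set(APACHE_ALL)
        elif name in APACHE_ALL:
            names = {name}
        else:  # mod_ssl refuses to start on an unknown protocol name
            raise ValueError(f"unknown protocol {name!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def nginx_ssl_protocols(args):
    """nginx's ssl_protocols simply lists the versions to enable."""
    return set(args.rstrip(";").split())

_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.*?)\s*$")

def audit(config_text):
    """[(line_no, enabled, legacy_still_on)] per active directive; '#' lines never match."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        directive, args = m.groups()
        enabled = apache_ssl_protocol(args) if directive == "SSLProtocol" else nginx_ssl_protocols(args)
        findings.append((no, enabled, enabled & LEGACY))
    return findings

# Constructed sample mixing the directive variants seen in the answer above.
SAMPLE = """\
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3
SSLProtocol TLSv1.2 TLSv1.3
ssl_protocols TLSv1.2;
"""
```

Running audit(SAMPLE) shows line 3 still offering TLS 1.0/1.1 and line 4 silently dropping TLS 1.2; a directive with a trailing nginx-style ";" raises, as httpd itself would refuse it.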
May also need to edit /etc/letsencrypt/options-ssl-nginx.conf (apart from /etc/nginx/nginx.conf) per https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04?comment=85617
This question was answered by @duvax:
Easy way: activate Cloudflare and change the TLS setting to 1.2+.
Only 10 seconds and the problem is solved. And you can even use OpenSSL for the Nginx cert (free and easier than Let's Encrypt), but that will require Cloudflare to already be activated.