Question

Disable old TLS versions (1.0/1.1 ) for Apache/Nginx on Ubuntu 18.04 or CentOS 7

I recently got asked how we can disable old TLS versions on a server. The user was applying for a PCI compliance and wanted to have only TLS 1.2 running on their machine in order to pass the scan of the PCI vendor.

Show comments
Submit an answer
Answer a question...

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo
Site Moderator
Site Moderator badge
February 27, 2020
Accepted Answer
  1. Here is a little step by step guide on how to set this on a CentOS server.

Before you start, please keep in mind that you can always run into some issues and it’s really important to make a working copy of your configuration files or to do a full server/droplet backup before you start the process. In this way you can always restore your config files or the whole droplet in case something goes wrong.

If you’re running Apache server you will need to tweak the Apache/httpd configuration file in order to disable TLS 1.0 and 1.1

One thing to keep on mind is that if you have any control panel interface/gui like cPanel/Plesk you must tweak the configuration file from the control panel or the changes will be reverted.

If you don’t have any control panel running on the server you can make the change manually in the httpd configuration file. The location of the file should be:

/etc/apache2/conf/httpd.conf

and you might have a symlink here:

/usr/local/apache/conf/httpd.conf
  • this symlink is usually present when you’re running on a cPanel server

You can open the httpd configuration file with your favorite text editor, so you can use vi, vim or nano it’s totally up to you.

You need to locate the following lines/rows:

SSLCipherSuite
SSLProtocol

The first one is for the SSL Cipher Suite and the second one for the actual protocol. In order to set only TLS 1.2 to be active you can copy/paste the following lines:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProtocol TLSv1.2

You can double check the available cipher suites using this link:

https://wiki.mozilla.org/Security/Server_Side_TLS

For TLS 1.3 you can use:

SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLProtocol TLSv1.2;

Now that server configured. It is time to test our apache config server for syntax errors:

sudo apache2 -t

Reload or restart the apache server:

sudo apache2 restart nginx

OR

sudo service apache2 restart

==============================================================

  1. Here is a little step by step guide on how to set this on a Ubuntu server.

If you’re running a Ubuntu 18.04 server you should be able to tweak the Apache configuration by following this steps:

You can open the Apache config file using any text editor and then look for the following lines/rows:

The file should be located here:

/etc/apache2/mods-available/ssl.conf

SSLCipherSuite
SSLProtocol

In order to leave only TLS 1.2 active you can use the following:

SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
SSLProtocol TLSv1.2

If you’re using Let’s Encrypt you need to edit the following file:

/etc/letsencrypt/options-ssl-apache.conf

And put the following as code:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
#SSLProtocol             all -SSLv2 -SSLv3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Now that server configured. It is time to test our apache config server for syntax errors:

sudo apache2 -t

Reload or restart the apache server:

sudo apache2 restart nginx

OR

sudo service apache2 restart

This should make only TLS 1.2 availble.

============================================= 3. For tweaking the TLS configuration on Nginx () follow this:

Open the nginx configuration file:

/etc/nginx/nginx.conf

Insert the following code snippet:

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off

Now that server configured. It is time to test our nginx config server for syntax errors:

nginx -t

Reload or restart the nginx server:

sudo systemctl restart nginx

OR

sudo service nginx restart

In order to test if everything is okay and only TLS 1.2 is available you can use either nmap or openssl

Example namp command:

nmap --script ssl-enum-ciphers -p 443 IPaddress/Hostname

Example openssl command:

openssl s_client -connect domain:443 -tls1_2

Hope this helps!

Please feel free to comment bellow if you use a different way/method to configure this!

Regards, Alex

alexdo
Site Moderator
Site Moderator badge
October 31, 2021

This question was answered by @duvax:

Easy way: Activate Cloudflare, change TLS setting for 1.2++

only 10 seconds and the problem is finished. And you can even use OpenSSL for Nginx cert (free and easy than Lets Encrypt) but that will require Cloudflare already activated.

View the original comment

aalJune 2, 2020

May also need to edit /etc/letsencrypt/options-ssl-nginx.conf (apart from /etc/nginx/nginx.conf) per https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04?comment=85617