- Here is a little step-by-step guide on how to set this up on a CentOS server.
Before you start, please keep in mind that you can always run into some issues, and it’s really important to make a working copy of your configuration files or to do a full server/droplet backup before you start the process. In this way you can always restore your config files or the whole droplet in case something goes wrong.
If you’re running an Apache server you will need to tweak the Apache/httpd configuration file in order to disable TLS 1.0 and 1.1.
One thing to keep in mind is that if you have any control panel interface/GUI like cPanel/Plesk you must tweak the configuration file from the control panel or the changes will be reverted.
If you don’t have any control panel running on the server you can make the change manually in the httpd configuration file. The location of the file should be:
/etc/apache2/conf/httpd.conf
and you might have a symlink here:
/usr/local/apache/conf/httpd.conf
- this symlink is usually present when you’re running on a cPanel server
You can open the httpd configuration file with your favorite text editor, so you can use vi, vim or nano; it’s totally up to you.
You need to locate the following lines/rows:
SSLCipherSuite
SSLProtocol
The first one is for the SSL cipher suite and the second one for the actual protocol. In order to set only TLS 1.2 to be active, you can copy/paste the following lines:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProtocol TLSv1.2
You can double-check the available cipher suites using this link:
https://wiki.mozilla.org/Security/Server_Side_TLS
For TLS 1.3 you can use:
# Needs Apache 2.4.36+ built against OpenSSL 1.1.1+; the TLSv1.3 keyword selects the TLS 1.3 suite list,
# and the plain SSLCipherSuite line above still covers TLS 1.2 clients
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLProtocol -all +TLSv1.2 +TLSv1.3
Now that the server is configured, it is time to test the Apache config for syntax errors:
sudo apachectl -t
Reload or restart the Apache server:
sudo systemctl restart httpd
OR
sudo service httpd restart
==============================================================
- Here is a little step-by-step guide on how to set this up on an Ubuntu server.
If you’re running an Ubuntu 18.04 server you should be able to tweak the Apache configuration by following these steps:
The file should be located here:
/etc/apache2/mods-available/ssl.conf
You can open the Apache config file using any text editor and then look for the following lines/rows:
SSLCipherSuite
SSLProtocol
In order to leave only TLS 1.2 active, you can use the following:
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
SSLProtocol TLSv1.2
If you’re using Let’s Encrypt you need to edit the following file:
/etc/letsencrypt/options-ssl-apache.conf
And put the following in it:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
Now that the server is configured, it is time to test the Apache config for syntax errors:
sudo apache2ctl -t
Reload or restart the Apache server:
sudo systemctl restart apache2
OR
sudo service apache2 restart
This should make only TLS 1.2 available.
=============================================
- For tweaking the TLS configuration on Nginx follow this:
Open the nginx configuration file:
/etc/nginx/nginx.conf
Insert the following code snippet:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
Now that the server is configured, it is time to test the nginx config for syntax errors:
nginx -t
Reload or restart the nginx server:
sudo systemctl restart nginx
OR
sudo service nginx restart
In order to test if everything is okay and only TLS 1.2 is available, you can use either nmap or openssl.
Example nmap command:
nmap --script ssl-enum-ciphers -p 443 IPaddress/Hostname
Example openssl command:
openssl s_client -connect domain:443 -tls1_2
Hope this helps!
Please feel free to comment below if you use a different way/method to configure this!
Regards,
Alex
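The protocol lines in the Apache and nginx sections above are easy to get subtly wrong, and the `openssl s_client -tls1_2` check only proves that TLS 1.2 works, not that 1.0 and 1.1 are gone. As an added example (my own code, not from the original post or from the Apache or nginx projects), the Python script below does two things: it evaluates what a given `SSLProtocol` or `ssl_protocols` line actually enables, following the mod_ssl rules as I understand them (`all`, `+`/`-` prefixes, an unprefixed keyword replacing the set rather than adding to it, and a stray character such as a trailing `;` making the protocol name illegal), and it probes a live host one TLS version at a time, the way `openssl s_client` with `-tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` would. The sample directive lines are constructed from the post's own snippets; the script name `tls_audit.py` and the host name in the usage comment are placeholders.

```python
"""Audit what an Apache SSLProtocol or nginx ssl_protocols line really enables, then
optionally probe a live host one TLS version at a time. Added example, not code from
the original post or the Apache/nginx projects; sample lines in __main__ are constructed."""
import socket
import ssl

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # what modern builds can enable
CANON = {name.lower(): name for name in ALL_PROTOCOLS}                # keywords are case-insensitive
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}                                # what the post sets out to disable


def apache_enabled_protocols(directive):
    """Set enabled by one `SSLProtocol ...` line. mod_ssl rules: `all` expands to every
    known version, `+`/`-` add or remove, an UNPREFIXED keyword replaces what came before.
    Anything else (e.g. `TLSv1.2;` with a stray semicolon) is an "Illegal protocol" error
    that keeps httpd from starting, so it raises ValueError here."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        action, word = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = word.lower()
        if key == "all":
            wanted = set(ALL_PROTOCOLS)
        elif key == "sslv2":
            if action != "-":
                raise ValueError("SSLProtocol: SSLv2 is no longer supported")
            continue  # "-SSLv2" is still accepted as a harmless no-op
        elif key in CANON:
            wanted = {CANON[key]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= wanted
        elif action == "+":
            enabled |= wanted
        else:
            enabled = wanted  # replace, not add: "TLSv1.2 TLSv1.3" leaves only TLSv1.3
    return enabled


def nginx_enabled_protocols(directive):
    """Set enabled by one `ssl_protocols ...;` line: a plain list, terminating ';' required."""
    body = directive.strip()
    if not body.endswith(";"):
        raise ValueError("ssl_protocols: missing terminating ';'")
    tokens = body[:-1].split()
    if len(tokens) < 2 or tokens[0] != "ssl_protocols":
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    for tok in tokens[1:]:
        if tok.lower() not in CANON:
            raise ValueError("ssl_protocols: invalid value '%s'" % tok)
    return {CANON[tok.lower()] for tok in tokens[1:]}


def audit_directive(directive):
    """Dispatch on the directive name; report enabled set, leftover legacy versions, parse error."""
    head = (directive.split() or [""])[0].lower()
    parser = {"sslprotocol": apache_enabled_protocols,
              "ssl_protocols": nginx_enabled_protocols}.get(head)
    if parser is None:
        return {"enabled": set(), "legacy": set(), "error": "unknown directive"}
    try:
        enabled = parser(directive)
    except ValueError as exc:
        return {"enabled": set(), "legacy": set(), "error": str(exc)}
    return {"enabled": enabled, "legacy": enabled & LEGACY, "error": None}


def probe_tls_versions(host, port=443, timeout=5.0):
    """One pinned handshake per version, like `openssl s_client -connect host:port` with
    -tls1, -tls1_1, -tls1_2, -tls1_3 in turn. 'client_refused' means the local OpenSSL
    (security level or build) would not even offer that version; confirm those with nmap.
    Certificate checks are off because the question is protocol support, not trust."""
    versions = (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, version in versions:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = version  # pin exactly one version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:  # handshake happens here
                    results[name] = "accepted" if tls.version() == name else "rejected"
        except (ssl.SSLError, ValueError) as exc:  # SSLError first: it is an OSError subclass
            refused = isinstance(exc, ValueError) or "NO_PROTOCOLS_AVAILABLE" in str(exc)
            results[name] = "client_refused" if refused else "rejected"
        except OSError:  # connection refused, timeout, reset
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    import sys
    for line in ("SSLProtocol TLSv1.2", "SSLProtocol TLSv1.2;",  # constructed samples
                 "SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1", "ssl_protocols TLSv1.2;"):
        print("%-42s -> %s" % (line, audit_directive(line)))
    if len(sys.argv) > 1:  # usage: python3 tls_audit.py your.host.example (placeholder name)
        print(probe_tls_versions(sys.argv[1]))
```

Run it with no arguments to audit the sample lines, or with a hostname to probe a server. Two things worth noticing in the output: `+all -SSLv3 -TLSv1 -TLSv1.1` evaluates to TLS 1.2 plus TLS 1.3 on an httpd built against OpenSSL 1.1.1 or later, while `SSLProtocol TLSv1.2` alone also shuts out TLS 1.3; and a `client_refused` result for TLS 1.0 or 1.1 means your own OpenSSL would not offer it, so use the nmap `ssl-enum-ciphers` script to confirm the server side.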
The second section for Ubuntu configuration starts with:
“Here is a little step by step guide on how to set this on a *CentOS * server.”
Hey, @dbuonomo
Thanks for bringing this to my attention, I’ve updated this!