How to enforce TLSv1.2 on Centos 7?

July 15, 2018 4.1k views
Apache CentOS

I’m trying to enforce TLSv1.2 on my droplet. At the moment I got this in my ssl.conf file:

# grep -i sslprotocol /etc/httpd/conf.d/ssl.conf
SSLProtocol TLSv1.2

SSLProtocol hasn’t been defined anywhere else:

# find /etc/httpd/ -type f -exec grep -il 'sslprotocol' {} +

I’ve restarted httpd and have even rebooted the droplet. However, when I scan the droplet from my local machine it’s showing that both TLSv1.0 and TLSv1.1 are supported:

# nmap --script ssl-enum-ciphers -p 443 | grep TLSv
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2: also shows that TLSv1.0 is still enabled, so I guess there’s something else I must do to disable it. Is there anyone who has achieved this and is happy to share how to do this?

1 Answer

Hello friend!

When defining the SSLProtocol variable in Apache, it may be beneficial for you to specifically disable the ones you don’t want. You can use +/- to enable/disable a specific protocol. For example, “-SSLv3” should disable SSLv3 where “+SSLv3” should enable it. I generally don’t reference manuals themselves but I actually love the Apache manual, so I’ll toss the reference here:

You can also find some strong SSL configuration templates to build on here:

Kind Regards,

Have another answer? Share your knowledge.