How to enforce TLSv1.2 on Centos 7?

July 15, 2018 170 views
Apache CentOS

I'm trying to enforce TLSv1.2 on my droplet. At the moment I got this in my ssl.conf file:

# grep -i sslprotocol /etc/httpd/conf.d/ssl.conf
SSLProtocol TLSv1.2

SSLProtocol hasn't been defined anywhere else:

# find /etc/httpd/ -type f -exec grep -il 'sslprotocol' {} +
/etc/httpd/conf.d/ssl.conf__BAK
/etc/httpd/conf.d/ssl.conf

I've restarted httpd and have even rebooted the droplet. However, when I scan the droplet from my local machine it's showing that both TLSv1.0 and TLSv1.1 are supported:

# nmap --script ssl-enum-ciphers -p 443 xxx.xxx.xx.xx | grep TLSv
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2:

ssllabs.com also shows that TLSv1.0 is still enabled, so I guess there's something else I must do to disable it. Is there anyone who has achieved this and is happy to share how to do this?

2 Answers

Hello friend!

When defining the SSLProtocol variable in Apache, it may be beneficial for you to specifically disable the ones you don't want. You can use +/- to enable/disable a specific protocol. For example, "-SSLv3" should disable SSLv3 where "+SSLv3" should enable it. I generally don't reference manuals themselves but I actually love the Apache manual, so I'll toss the reference here:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

You can also find some strong SSL configuration templates to build on here:

https://cipherli.st/

Kind Regards,
Jarland

Hello!
I want to know how to install and configure Let's Encrypt on CentOS 7? Thanks.

Have another answer? Share your knowledge.