How can I disable TLS 1.0 and 1.1 in Apache?
To disable TLS 1.0 and 1.1 in Apache, you need to modify the SSL/TLS configuration settings. This typically involves editing the Apache configuration file, such as ssl.conf or httpd.conf. Make sure you have root or superuser privileges to modify these files. Here's the general process:
Open the Apache SSL configuration file:
Using a text editor or a command-line editor like nano or vim, open the SSL/TLS configuration file. The location and name of this file may vary based on your system and Apache configuration. Common locations include /etc/httpd/conf.d/ssl.conf, /etc/apache2/sites-available/default-ssl.conf, etc.
Locate the SSL/TLS configuration section:
Look for the SSL/TLS configuration section, which includes directives related to the SSL protocol and ciphers.
Disable TLS 1.0 and 1.1:
Within the SSL/TLS configuration section, you'll typically find a line similar to this:
SSLProtocol all -SSLv3
Modify this line to explicitly exclude TLS 1.0 and 1.1, like this:
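SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
This configuration disables TLS 1.0 and 1.1 while allowing TLS 1.2 and higher. Keep the leading all: the minus entries only subtract from the protocols already selected, so a line made up solely of exclusions leaves no protocol enabled.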
Save the changes and restart Apache:
After making the necessary changes, save the configuration file and restart Apache to apply the new settings:
sudo systemctl restart apache2 # For Ubuntu/Debian
or
sudo systemctl restart httpd # For CentOS/RHEL
Verify the changes:
Use an online SSL testing tool or a command-line utility like openssl to verify that TLS 1.0 and 1.1 are disabled:
openssl s_client -connect yourdomain.com:443 -tls1
Replace yourdomain.com with the domain hosted on the Apache server. This command attempts to connect using TLS 1.0. You should receive an error or a handshake failure if TLS 1.0 is disabled correctly. Repeat the command with -tls1_1 in place of -tls1 to check TLS 1.1 as well.
Remember, before making changes to your SSL/TLS configuration, it's crucial to ensure that your users and clients support the newer TLS versions to avoid service disruptions. Additionally, always make a backup of the configuration file before making changes.
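As an added example (not part of the original answer and not Apache's own code), this Python script audits SSLProtocol lines like the ones above before a restart. It flags directives that still leave TLS 1.0/1.1 enabled, or that enable nothing because they lack a base such as all. The function names, the sample configuration, the expansion of all, and the left-to-right evaluation starting from an empty set are assumptions of the example.

```python
import re

# Assumed expansion of "all" (SSLv3 excluded, TLSv1.3 included); build-dependent.
ALL = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
KNOWN = {p.lower(): p for p in ALL | {"SSLv3"}}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right, starting from an empty set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unknown protocol {token!r}")
        chosen = set(ALL) if name == "all" else {KNOWN[name]}
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name replaces everything set so far
    return enabled

def audit(config_text):
    """Return (line_no, directive_args, finding) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue  # commented-out lines and other directives
        enabled = effective_protocols(m.group(1))
        legacy = sorted(enabled & LEGACY)
        finding = ("no protocol enabled" if not enabled else
                   ("legacy enabled: " + ", ".join(legacy) if legacy else "ok"))
        findings.append((no, m.group(1), finding))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for no, args, finding in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} -> {finding}")
```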