0

On SSL Labs, I'm getting that TLS 1.0 is enabled on my server. I tried many configurations to disable this, like

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

and

SSLProtocol +TLSv1.2 +TLSv1.3

But no matter what I do, it always says that it's enabled on SSL labs. There are other questions that discussed this, like this one, but it doesn't help. I greped the whole Apache directory, and I'm sure this is the only instance of SSLProtocol enabled.

One thing to mention that SSL Labs mentions the following when I point my mouse on TLS 1.0 state:

TLS 1.0 support observed only with client that does not support Server Name Indication.

Is there something else I should do to disable TLS 1.0?

EDIT:

I'm now using: SSLProtocol TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1 but that doesn't work either. I still see TLS 1.0 in SSL Labs.

The Quantum Physicist
  • 688
  • 2
  • 11
  • 27
  • Well... You can remove ALL unsecure encryption schemes. It basically has the same effect as disabling TLSv1.0. I will post an example that disables all but TLSv1.2 when I get home. – Lasse Michael Mølgaard Nov 18 '19 at 21:48
  • You likely only show the configuration for a specific vhost. But in case of no SNI it might use a different configuration so make sure to check all SSLProtocol settings and not only the one specific for the vhost. Since there might be a default which allows TLS 1.0 make sure to set an explicit default in the server config to disable TLS 1.0. – Steffen Ullrich Nov 18 '19 at 21:55
  • @SteffenUllrich I went to /etc/apache2/apache2.conf and added there SSLProtocol TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1, and that still didn't disable it. Is there any other place to put the global config? – The Quantum Physicist Nov 18 '19 at 23:34
  • Maybe you have a default config in /etc/apache2/sites-enabled/. – Piotr P. Karwasz Nov 18 '19 at 23:50
  • @PiotrP.Karwasz when I go to the directory /etc/apache2/ and grep with grep -i SSLProtocol -R ., I get only either commented instances or two others, one is global in apache2.conf and one to be included, and both have the form SSLProtocol TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1. I'm wondering at this point, is there any other setting that enables this somewhere else? – The Quantum Physicist Nov 19 '19 at 08:39
  • Are you sure you are actually rerunning the tests, and not looking at cached results? (look at the "assessed" date and time). Or do you possibly have another server with ssl termination before your server? – Gerald Schneider Nov 19 '19 at 08:59
  • Check for Environment Variables being set by your init scripts maybe? https://httpd.apache.org/docs/current/mod/mod_ssl.html – Marcel Nov 19 '19 at 09:09
  • @Marcel Good point. I checked the init script and found that it uses a file called envvars from /etc/apache2/envvars. However, that file doesn't have SSL or TLS mentioned in it. Sorry if this sounds like a stupid question, but is there a way to check the environment that apache uses when it starts? Maybe something else is doing the evil work and adding that variable? – The Quantum Physicist Nov 19 '19 at 09:37
  • Look into the proc filesystem: /proc/<apache's pid>/environ contains is environment. – Piotr P. Karwasz Nov 19 '19 at 09:45
  • @PiotrP.Karwasz OK. I checked that now. There's no mention of SSL or TLS there... – The Quantum Physicist Nov 19 '19 at 09:52

1 Answers1

0

I just had a long battle with this. My server is running Centos 7 and I got a bunch of sites that have Let's Encrypt SSLs. I found two instances of SSLProtocol in the /etc/httpd directory (which will be /etc/apache2 on other servers):

[root@server httpd]# find ./ -type f -exec grep -i sslprotocol {} +
./conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3
./conf.d/ssl.conf:SSLProtocol All -SSLv2 -SSLv3

I changed those to SSLProtocol TLSv1.2 as per this answer and restarted the httpd service, but SSL Labs still showed that TLS 1.0 and 1.1 were enabled.

After a bit of digging I found that another configuration file is included in the **-le-ssl.conf* files in the /etc/httpd/sites-available directory: /etc/letsencrypt/options-ssl-apache.conf. I only needed to change SSLProtocol all -SSLv2 -SSLv3 to SSLProtocol TLSv1.2 in that file (and restart httpd). All the certificates now have an A+ rating.

rkhff
  • 201