I'm trying to disable TLS 1.0/1.1 for PCI compliance, but I'm having problems.

Running CentOS 7 / Apache 2.4.6

The server is set up with multiple hosts. All the documentation I've found is similar, but nothing seems to work.

In /etc/httpd/conf.d (it currently has set):

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Also in the /etc/httpd/sitnamefqdn.conf (specific for the domain):

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

And just because I've read this about letsencrypt (even though not active), in /etc/letsencrypt/options-ssl-apache.conf:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

I have restarted httpd and rebooted just to make sure, but nothing seems to take.

If you use the site https://www.ssllabs.com/ssltest, I'm still getting:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.   
This server accepts RC4 cipher, but only with older protocols. Grade capped to B.  
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.  
This server supports TLS 1.0 and TLS 1.1. Grade capped to B. 

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   INSECURE    Yes
SSL 2   No
  • How do you know it's not working? Commented Nov 1, 2023 at 2:09
  • Good point. I edited the post: Use ssllabs.com/ssltest. And just to clarify, the results are not cached. Commented Nov 1, 2023 at 3:31
  • Also to note: Using httpd-2.4.6-99.el7.centos.1.x86_64 Commented Nov 1, 2023 at 3:47
  • These options are working for me on the same releases (centos/httpd). Did you check/change all SSLProtocol lines in the httpd conf directories? Commented Nov 1, 2023 at 14:34
  • @tonioc Yes all edited with the exception of some in an "old" directory inside that folder. Will it reach in and grab those also? Is there some way to see exactly what files are being read as part of the init? There are two virtual servers (same ip) here, and so I've added it inside the VirtualServer section for those. Commented Nov 3, 2023 at 14:51
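
Added example (not part of the original post or its comments): a Python script for the "which files are being read" question in the last comment. It follows Include/IncludeOptional from a main config and reports every SSLProtocol line together with the legacy protocols it leaves enabled. The sample tree, the function names, the shell-glob treatment of wildcards and the expansion of `all` are assumptions made for illustration.

```python
import glob, os, pathlib, tempfile

# Assumption: protocols "all" expands to on an older mod_ssl; adjust for your build.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = ALL - {"tlsv1.2"}

def enabled(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    on = set()
    for tok in args.lower().split():
        names = ALL if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        on = on - names if tok[0] == "-" else on | names if tok[0] == "+" else set(names)
    return on & ALL

def walk(root, path, files=None, hits=None):
    """Follow Include/IncludeOptional from path; return (files read, SSLProtocol hits)."""
    files = [] if files is None else files
    hits = [] if hits is None else hits
    rel = os.path.relpath(path, root)
    if rel in files:  # already read, avoid include loops
        return files, hits
    files.append(rel)
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            parts = line.split(None, 1) + ["", ""]
            key, rest = parts[0].lower(), parts[1].strip()
            if key in ("include", "includeoptional"):
                # Assumption: wildcards act like shell globs, relative to root.
                for inc in sorted(glob.glob(os.path.join(root, rest))):
                    if os.path.isfile(inc):
                        walk(root, inc, files, hits)
            elif key == "sslprotocol":  # record file, line, legacy protocols left on
                hits.append((rel, n, sorted(enabled(rest) & LEGACY)))
    return files, hits

def build_sample(root):
    """Write a constructed config tree (not the poster's files); return the main config."""
    for rel, text in {
        "conf/httpd.conf": "IncludeOptional conf.d/*.conf\n",
        "conf.d/ssl.conf": "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n",
        "conf.d/site.conf": "<VirtualHost *:443>\n  SSLProtocol all -SSLv2\n</VirtualHost>\n",
        "conf.d/old/ssl.conf": "SSLProtocol all\n",
    }.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return os.path.join(root, "conf/httpd.conf")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(walk(root, build_sample(root)))
```

On the constructed tree the script never reads conf.d/old/ssl.conf, because the conf.d/*.conf wildcard does not descend into subdirectories, and it flags site.conf for leaving SSLv3, TLS 1.0 and TLS 1.1 on.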
