25-06-18, How to disable outdated versions of SSL/TLS in Apache
From 30 June 2018, for PCI compatibility, site owners should refuse to support TLS 1.0. The TLS 1.0/1.1 and SSL 2.0/3.0 protocols are obsolete. They do not provide adequate protection for data transfer. In particular, TLS 1.0 is vulnerable to certain attacks. The above versions of the protocols must be removed in environments that require a high level of security.
Almost all modern browsers support TLS 1.2. Below, we will consider how to disable versions of TLS 1.0/1.1 and SSL 2.0/3.0 in Apache.
1. Use vi (or vim) to edit ssl.conf (usually located in /etc/httpd/conf.d).
2. Look for the SSL Protocol Support section:
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
3. Comment out the line SSLProtocol all -SSLv2 -SSLv3 by adding a hash symbol (#) in front of it.
4. Add a line under it:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
5. This disables TLS 1.0/1.1 and SSL 2.0/3.0. Next, look for the SSL Cipher Suite section:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
6. Comment out the line SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA and add the following line under it:
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
This option restricts the server to cipher suites with a high degree of protection: MEDIUM-grade suites are no longer offered, and anonymous (aNULL), MD5-based and 3DES ciphers are excluded explicitly.
Under the SSLCipherSuite HIGH:!aNULL:!MD5:!3DES line, also add the directive that makes the server's cipher preference order take precedence.
This parameter ensures that the server cipher preferences will be used, not the client preferences.
Save the file and restart Apache:
service httpd restart
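Before restarting, it is worth confirming that the edited file actually says what steps 2 to 6 intend. The Python script below is an added example (not code from the original article) that reads an ssl.conf fragment the way mod_ssl does: the last uncommented occurrence of a directive wins, "all" is expanded first, and then the +/- tokens are applied in order. It reports which obsolete protocols would still be accepted, whether the cipher list still allows MEDIUM-grade suites or lacks the !aNULL, !MD5 and !3DES exclusions, and whether server cipher ordering is on. The two config fragments inside it are constructed to match the before and after states of the procedure; SSLHonorCipherOrder is assumed to be the mod_ssl directive behind the "server cipher preferences" setting described in step 6.

```python
"""Audit an Apache mod_ssl configuration for obsolete protocols and weak ciphers.

Added example, not code from the original article. It reads the config the way
mod_ssl does: the last uncommented occurrence of a directive wins, "all" is
expanded first, then the +/- tokens are applied in order.
"""
import sys

# Every protocol token mod_ssl has ever accepted. "all" is expanded to this
# whole list on purpose: the audit is conservative and assumes the worst case
# for anything the config does not explicitly subtract.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions carried by the hardened SSLCipherSuite line from step 6.
REQUIRED_EXCLUSIONS = ["!aNULL", "!MD5", "!3DES"]

# Constructed sample: the stock ssl.conf lines before the edits.
BEFORE_CONF = """\
# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

# SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
"""

# Constructed sample: the same file after steps 3 to 6. SSLHonorCipherOrder is
# assumed to be the directive meant by "server cipher preferences" in step 6.
AFTER_CONF = """\
# SSL Protocol support:
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSL Cipher Suite:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
"""


def directives(conf):
    """Map each directive name to the value of its last uncommented occurrence."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip()
    return found


def effective_protocols(value):
    """Expand an SSLProtocol value into the set of protocols it enables."""
    enabled = set()
    for token in value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        names = ALL_PROTOCOLS if token.lower() == "all" else [token]
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def audit(conf):
    """Return the findings a reviewer cares about for one config fragment."""
    d = directives(conf)
    # If SSLProtocol is absent, assume "all": again the conservative reading.
    protocols = effective_protocols(d.get("SSLProtocol", "all"))
    cipher_tokens = d.get("SSLCipherSuite", "").split(":")
    return {
        "obsolete_enabled": sorted(protocols & OBSOLETE),
        "missing_exclusions": [x for x in REQUIRED_EXCLUSIONS if x not in cipher_tokens],
        "medium_allowed": "MEDIUM" in cipher_tokens,
        "server_order": d.get("SSLHonorCipherOrder", "off").lower() == "on",
    }


def is_hardened(conf):
    """True only when no obsolete protocol survives and the cipher policy matches step 6."""
    f = audit(conf)
    return (not f["obsolete_enabled"] and not f["missing_exclusions"]
            and not f["medium_allowed"] and f["server_order"])


if __name__ == "__main__":
    # Usage: python audit_ssl_conf.py [/etc/httpd/conf.d/ssl.conf]
    # Without an argument the two constructed samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"before": BEFORE_CONF, "after": AFTER_CONF}
    for name, conf in targets.items():
        print(name, "hardened" if is_hardened(conf) else "NOT hardened", audit(conf))
```

Run it with the path to the real ssl.conf as its only argument. Because the parser keeps only the last uncommented occurrence, it also catches the common slip of leaving both the old and the new SSLProtocol line active, where Apache would silently apply whichever comes last in the file.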
Next, test all applications that interact with your server. If you experience any problems, remove the hash symbol from the original lines again (and comment out or delete the lines you added, since Apache applies the last SSLProtocol and SSLCipherSuite directive it reads) to return to the previous version of the file.
Follow the best SSL practices with LeaderTelecom!