Last updated on 27 May 2024, 11:22:25.
This article shows you how to disable the SSL 2.0, SSL 3.0 and older TLS protocol versions on your Apache web server, so that it only offers a more modern and safer configuration.
SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol.
In addition, an SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to circumvent the protection SSL is supposed to provide. For better security, your Apache web server should not be serving these protocols at all.
As time moved on, the TLS v1.0 and TLS v1.1 protocols also became obsolete and were deprecated, so it is wise to disable those in your configuration as well.
If you want to go the extra mile you can disable TLS v1.2 as well, but at the time of writing this may cause problems for older browsers, so we do not recommend it.
Unless you only need to modify one site, in which case you can simply open the virtual host file in question, search for all SSL-enabled websites with the following command, executed in the root directory of your Apache installation. This avoids *thinking* you have disabled the old protocols while they are still enabled somewhere else in the Apache configuration. Keep in mind that the older protocols stay enabled on every host where they are not explicitly disabled, so a single skipped host is enough to keep serving them!
Go to the installation directory of your Apache distribution and find all the configs that contain SSL information:
grep -r SSLEngine *
This will list all SSL VirtualHost blocks you need to modify.
Note that your Apache installation directory may differ depending on your distribution. The most common locations are:
Using vi or your favourite text editor, add or modify the following line in each VirtualHost block that needs updating:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Restart Apache with one of the following commands:
/etc/init.d/httpd restart
service httpd restart
apachectl -k restart
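As an added example (not part of the original article and not Apache's own tooling), the following POSIX shell script automates the check described in the steps above: it walks an Apache configuration tree, finds every <VirtualHost> block that has SSLEngine on, and evaluates its SSLProtocol directive the way mod_ssl parses it (tokens left to right, "-X" removes a version, "+X" adds one, a bare token replaces the whole set), flagging blocks that still allow SSLv2, SSLv3, TLSv1 or TLSv1.1, or that set no SSLProtocol at all and therefore inherit whatever the global configuration allows. The demo directory, the sample configuration files and the host names in them are constructed for the demo and are assumptions, not anything taken from the article.

```shell
#!/bin/sh
# Added example, not part of the original article and not Apache's own tooling:
# audit an Apache configuration tree for <VirtualHost> blocks that still allow
# SSLv2, SSLv3, TLSv1 or TLSv1.1. Assumes POSIX sh, awk and find; the config
# root is passed as an argument. The demo files written below are constructed.

# Evaluate one SSLProtocol argument string the way mod_ssl parses it: tokens are
# processed left to right, "-X" removes X, "+X" adds X, a bare token replaces the
# whole set with X, and "all" selects every version. Returns 0 when none of the
# four legacy versions is left enabled, 1 otherwise. "all" is treated
# conservatively as including SSLv2, although Apache 2.4 no longer includes it.
sslprotocol_is_hardened() {
    for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        enabled=0
        for tok in $1; do
            case "$tok" in
                all|+all|"$legacy"|"+$legacy") enabled=1 ;;
                "-$legacy")                    enabled=0 ;;
                -*|+*)                         ;;           # some other version added/removed
                *)                             enabled=0 ;; # bare token: set becomes that version only
            esac
        done
        [ "$enabled" -eq 0 ] || return 1
    done
    return 0
}

# Print one line per <VirtualHost> block containing "SSLEngine on", formatted as
# "file|line|SSLProtocol value", with "(none)" when the block sets no SSLProtocol
# and therefore inherits the global or built-in default. Commented-out directives
# never match because their first field starts with '#'.
list_ssl_vhosts() {
    find "$1" -type f -exec awk '
        tolower($1) == "<virtualhost" { invh = 1; start = FNR; engine = 0; proto = ""; next }
        invh && tolower($1) == "sslengine" && tolower($2) == "on" { engine = 1 }
        invh && tolower($1) == "sslprotocol" {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); proto = $0
        }
        tolower($1) == "</virtualhost>" {
            if (engine) printf "%s|%d|%s\n", FILENAME, start, (proto == "" ? "(none)" : proto)
            invh = 0
        }
    ' {} +
}

# Print a verdict per SSL-enabled block. Exit status is 1 when at least one block
# is not explicitly hardened, so the function can gate a deployment.
audit_apache_tree() {
    list_ssl_vhosts "$1" | {
        bad=0
        while IFS='|' read -r file line proto; do
            if [ "$proto" = "(none)" ]; then
                status="NO-SSLPROTOCOL"; bad=1
            elif sslprotocol_is_hardened "$proto"; then
                status="HARDENED"
            else
                status="LEGACY-ENABLED"; bad=1
            fi
            printf '%s\t%s:%s\tSSLProtocol %s\n' "$status" "$file" "$line" "$proto"
        done
        exit "$bad"   # ends only the pipeline's subshell; becomes the function's status
    }
}

# Constructed sample configuration files for the demo (not real server files).
write_demo_configs() {
    mkdir -p "$1/sites-enabled"
    cat > "$1/sites-enabled/legacy.conf" <<'EOF'
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
    cat > "$1/sites-enabled/hardened.conf" <<'EOF'
<VirtualHost *:443>
    ServerName hardened.example.test
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
    cat > "$1/sites-enabled/mixed.conf" <<'EOF'
<VirtualHost *:80>
    ServerName plain.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName forgotten.example.test
    SSLEngine on
</VirtualHost>
EOF
}

# Demo: audit the constructed tree, then clean up.
demo=$(mktemp -d)
write_demo_configs "$demo"
audit_apache_tree "$demo" || echo "at least one VirtualHost block still needs attention"
rm -rf "$demo"
```

Point audit_apache_tree at your real configuration root instead of the demo directory to check a live server; a non-zero exit status means at least one block still needs the SSLProtocol line from this article. Note that the order of the tokens matters: "-SSLv3 all" does not disable SSLv3, because the bare "all" that follows replaces the whole set, which is exactly the trap the check reproduces.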
If you would like a ready-made cut-and-paste configuration for Apache, we strongly recommend the Mozilla.org SSL Configuration Generator, which lets you pick the Apache version and OpenSSL version and helps you choose an Old (fairly outdated), Intermediate (more current) or Modern (cutting edge) SSL configuration for your server.
More info: https://ssl-config.mozilla.org/