All about SSL certificates

All about SSL certificates

Apache - Disable SSL 2.0, SSL 3.0 and opt fore a modern safe SSL config

Last updated on 27 May 2024, 11:22:25.
Category: All about SSL certificates | SSL configuration

Apache SSL SSL v2 SSL v3

This article shows you how to disable the SSL 2.0, SSL 3.0 and older TLS version protocols on your Apache web server, in order to be prepared for a more modern and safer configuration.

Why disable SSL v2, SSL v3 and other TLS versions?

SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol, which offers a higher degree of security.
In addition, a SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to completely circumvent SSL security. Your Apache web server shouldn't be serving those protocols for better security.

As time moved on, the TLS v1 and TLS v1.1 protocols also became obsolete and deprecated, therefore it is wise to also disable those in your configuration.

If you want to go the extra mile you can always remove TLS v1.2 as well but at the time of writing we might conclude that disabling TLS v1.2 may introduce some problems for older browsers. Therefor we do not recommend it.

Step 1: Find all SSL sites on Apache

Unless you only need to modify one site, in which case you can just open the virtual hosts file you need, try to find all SSL websites with the following command, executed in the root directory of your Apache installation. This will also avoid you *think* you disabled the SSL protocols but they might still have been enabled somewhere in the apache config. Keep ni mind that if not explicitly disabled, if one host is skipped, the older protocols will load!
Go to the installation directory of your Apache distribution and fFind all the configs that contain SSL information:

grep -r SSLEngine *

This will list all SSL VirtualHost blocks you need to modify.

Note that your Apache installation directory may differ according to you distribution. The most common locations are:

  • /etc/httpd for Red Hat, CentOs, Fedora and many other distributions
  • /etc/apache2 for Debian and Ubuntu distributions

Step 2: Modify the virtual hosts

Using vi or your favourite text editor, add or modify the following line in each VirtualHost block that needs updating:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Step 3: Restart Apache

Restart Apache with one of the following commands:

/etc/init.d/httpd restart
service httpd restart
apachectl -k restart

Additional info

If you would like to have a ready cut'n'paste config for Apache we strongly recommend the Mozzila.org SSL Configuration Generator which will allow you to pick the Apache version, OpenSSL version and help you choose an Old (e.g. pretty outdated), Intermediate (more current implementation) or Modern (cutting edge) SSL config for your server.

More info: https://ssl-config.mozilla.org/

Related articles

Managed services in the spotlight

Our system administrators have lifted a couple of cargo ships filled with containers of work. (yes, that pun was on...

Read more

What service level guarantees (SLA) are available for a server housing (co-location)?

Server housing or co-location customers can fall back on an excellent service level guarantee. A Kinamo server housing service comes...

Read more

Discover here how we’ve fixed a blocking error when upgrading ESXi 6.5 to 7.0 update 2 through vSphere Lifecycle Manager.

Kinamo maintains multiple VMware vSphere clusters, not only for our own infrastructure, but also for a variety of customers. As...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Kinamo

Select your language

All languages: