CentOS7 Server Apache Disable old TLS for higher versions
-
So to be clear you want to disable TLS v1.0 and allow everything from TLS 1.1 up?
-
Seems like you should disable everything except TLS 1.2 unless you need to support something that doesn't support TLS 1.2.
Could you put Cloudflare or nginx in front of this?
-
@aaronstuder said in CentOS7 Server Apache Disable old TLS for higher versions:
So to be clear you want to disable TLS v1.0 and allow everything from TLS 1.1 up?
Yea
-
@aaronstuder said in CentOS7 Server Apache Disable old TLS for higher versions:
Could you put Cloudflare or nginx in front of this?
No, this isn't hosted in a manner in which this wouldn't be viable. (read as outside of my control).
-
@dustinb3403 Got ya, that's why I asked
-
This looks OK, but I haven't tested it.
https://www.cloudibee.com/disabling-tls-apache/
I would check it with SSL Labs after you disable it.
-
@dustinb3403 said in CentOS7 Server Apache Disable old TLS for higher versions:
So the question has just come to me, how can I disable TLS v1 and force higher versions of TLS running on a CentOS 7 VM running an Apache website.
I often don't bother with public-facing things and thus never really look into this. So I'm looking for guidance / confirmation.
This appears to be the answer and then just wait a bit so the Interwebz can realize this change has been made.
Any additional guidance?
Yes, for Apache, that is pretty much it. You update your SSLProtocol as needed and restart the service.
-
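Added example, not part of the original thread or any poster's configuration: a Python audit that evaluates every SSLProtocol line in an Apache config and reports each context (global or VirtualHost) that would still enable TLSv1, so the result can be checked before the restart and the SSL Labs scan. The expansion of "all", the simplified parsing model (start empty, +X adds, -X removes, a bare token replaces the set) and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: on CentOS 7's stock httpd/OpenSSL (no TLSv1.3), "all" expands to these.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in ALL + ("SSLv2",)}
# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
</VirtualHost>
"""

def enabled_protocols(args):
    """Simplified mod_ssl model: start empty; +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() != "all" and name.lower() not in CANON:
            raise ValueError("unknown SSLProtocol token: " + tok)
        group = set(ALL) if name.lower() == "all" else {CANON[name.lower()]}
        if sign == "-":
            enabled -= group
        else:
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit(conf_text, banned=("SSLv2", "SSLv3", "TLSv1")):
    """Map each context (global or vhost) to the banned protocols it still enables."""
    context, directives, seen = "global", {}, ["global"]
    for line in (raw.strip() for raw in conf_text.splitlines()):
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if vhost:
            context = "vhost " + vhost.group(1).strip()
            seen.append(context)
        elif line.lower().startswith("</virtualhost"):
            context = "global"
        elif proto:
            directives[context] = proto.group(1)  # last directive in a context wins
    inherit = directives.get("global", "all")  # vhosts without SSLProtocol inherit this
    result = {c: sorted(enabled_protocols(directives.get(c, inherit)) & set(banned))
              for c in seen}
    return {c: bad for c, bad in result.items() if bad}
```
-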
@DustinB3403 I really like this site for information on securing various web servers.
-
@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:
@DustinB3403 I really like this site for information on securing various web servers.
I just implemented their Nginx setting but getting back that TLSv1 was accepted?
https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com
-
@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:
@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:
@DustinB3403 I really like this site for information on securing various web servers.
I just implemented their Nginx setting but getting back that TLSv1 was accepted?
https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com
First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.
-
@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:
@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:
@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:
@DustinB3403 I really like this site for information on securing various web servers.
I just implemented their Nginx setting but getting back that TLSv1 was accepted?
https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com
First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.
Correct. That is the only change I made to their config. I even reran dhparam.