How to Disable/Enable SSL/TLS protocols in Ubuntu/Apache/Linux Server?

To disable or enable the SSL/TLS protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3), edit the SSL settings in the Apache configuration file on your Ubuntu/Linux server.

First locate the SSL configuration file. It is usually found at the path below:

/etc/apache2/sites-enabled/*.conf

Note: If it is not found there, check any of the locations below.

Main -> httpd.conf file
/etc/httpd/conf.d
/etc/httpd/conf.d/web.conf

You can edit the configuration file in any editor you prefer. Make the change to enable/disable the required protocols and save the file.

The configuration file contains a VirtualHost section in the format below.

<VirtualHost *:443>
   ServerName www.yourdomain.com
   DocumentRoot /var/www/html
   SSLEngine on
   SSLCertificateFile /etc/apache2/certificates/certificate.crt
   SSLCertificateKeyFile /etc/apache2/certificates/certificate.key       
   SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt 
</VirtualHost>

Add the line below under SSLEngine to set the SSL protocols.

Syntax:
SSLProtocol +/-{Protocol Name}

To Enable Only TLS 1.0:

SSLProtocol +TLSv1

  • This will only allow the TLS 1.0 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1.1 -TLSv1.2 +TLSv1

To Enable Only TLS 1.1:

SSLProtocol +TLSv1.1

  • This will only allow the TLS 1.1 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.2 +TLSv1.1

To Enable Only TLS 1.2:

SSLProtocol +TLSv1.2

  • This will only allow the TLS 1.2 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

To Enable TLS 1.1 and TLS 1.2:

SSLProtocol +TLSv1.1 +TLSv1.2

  • This will only allow the TLS 1.1 and TLS 1.2 protocols.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2

To Enable TLS 1.0, TLS 1.1 and TLS 1.2:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

  • This will only allow the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Example virtual host file that only allows TLS 1.1 and TLS 1.2:

<VirtualHost *:443>
   ServerName www.yourdomain.com
   DocumentRoot /var/www/html
   SSLEngine on
   SSLProtocol +TLSv1.1 +TLSv1.2 
   SSLCertificateFile /etc/apache2/certificates/certificate.crt
   SSLCertificateKeyFile /etc/apache2/certificates/certificate.key 
   SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt 
</VirtualHost> 

After changing the VirtualHost configuration file, you need to restart Apache. To restart the Apache service, use the command below in the PuTTY command window.

sudo service apache2 restart
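
The notes above say that each SSLProtocol line starts from nothing enabled, so "+TLSv1.2" alone already excludes every other protocol. The following is an added example, not part of the original article, that models this rule and reports which protocols each SSLProtocol line in a config file leaves enabled. The function names effective_protocols and audit_conf, the LEGACY list and the sample input are assumptions of this example; it covers only the +/- and bare-name forms, not what a particular Apache/OpenSSL build supports.

```shell
# Model: an SSLProtocol directive starts from nothing enabled and is read
# left to right; +X adds, -X removes, a bare X replaces the whole set.
KNOWN="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
LEGACY="SSLv2 SSLv3 TLSv1 TLSv1.1"   # TLS 1.0/1.1 were deprecated by RFC 8996

# effective_protocols TOKEN...: print the resulting set in canonical order.
effective_protocols() {
    enabled=" "
    for word in "$@"; do
        case $word in
            +*) op=add; name=${word#+} ;;
            -*) op=del; name=${word#-} ;;
            *)  op=set; name=$word ;;
        esac
        case " $KNOWN " in
            *" $name "*) ;;
            *) echo "unknown protocol: $name" >&2; return 2 ;;
        esac
        keep=" "
        if [ "$op" != set ]; then        # copy current set without $name
            for e in $enabled; do [ "$e" = "$name" ] || keep="$keep$e "; done
        fi
        if [ "$op" = del ]; then enabled=$keep; else enabled="$keep$name "; fi
    done
    out=""
    for p in $KNOWN; do
        case $enabled in *" $p "*) out="$out${out:+ }$p" ;; esac
    done
    printf '%s\n' "$out"
}

# audit_conf FILE: report each SSLProtocol line as "line N: <set> [ok|LEGACY]".
audit_conf() {
    grep -n -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS=: read -r lineno rest; do
        set -f; set -- $rest; set +f; shift   # split tokens, drop the directive
        protos=$(effective_protocols "$@") || { echo "line $lineno: unparsed"; continue; }
        verdict=ok
        for p in $protos; do
            case " $LEGACY " in *" $p "*) verdict=LEGACY ;; esac
        done
        echo "line $lineno: $protos [$verdict]"
    done
}

# Constructed sample input (not from a real server).
sample=$(mktemp)
printf '%s\n' 'SSLEngine on' 'SSLProtocol +TLSv1.1 +TLSv1.2' \
    'SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2' > "$sample"
audit_conf "$sample"
```

Point audit_conf at a file such as one under /etc/apache2/sites-enabled/ before restarting Apache to see what each directive resolves to.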
