How to Disable/Enable SSL/TLS protocols in Ubuntu/Apache/Linux Server?

To disable or enable the SSL/TLS protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3), you edit the SSL configuration file on the Ubuntu/Apache/Linux server.

First, locate the SSL configuration file. You can find it in the path below:

/etc/apache2/sites-enabled/*.conf

Note: If it is not there, check the following locations.

The main httpd.conf file
/etc/httpd/conf.d
/etc/httpd/conf.d/web.conf

Open the configuration file in your preferred editor, make the change to enable or disable the required protocols, and save it.

The configuration file has the format below, with a VirtualHost section.

<VirtualHost *:443>
   ServerName www.yourdomain.com
   DocumentRoot /var/www/html
   SSLEngine on
   SSLCertificateFile /etc/apache2/certificates/certificate.crt
   SSLCertificateKeyFile /etc/apache2/certificates/certificate.key       
   SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt 
</VirtualHost>

Add the line below under SSLEngine to set the SSL protocols.

Syntax:
SSLProtocol +/-{Protocol Name}

To Enable Only TLS 1.0:

SSLProtocol +TLSv1

  • This allows only the TLS 1.0 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1.1 -TLSv1.2 +TLSv1

To Enable Only TLS 1.1:

SSLProtocol +TLSv1.1

  • This allows only the TLS 1.1 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.2 +TLSv1.1

To Enable Only TLS 1.2:

SSLProtocol +TLSv1.2

  • This allows only the TLS 1.2 protocol.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

To Enable TLS 1.1 and TLS 1.2:

SSLProtocol +TLSv1.1 +TLSv1.2

  • This allows only the TLS 1.1 and TLS 1.2 protocols.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2

To Enable TLS 1.0, TLS 1.1 and TLS 1.2:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

  • This allows only the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Note: This disables all other protocols, so you do not need to write it like this:

SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Example virtual host file that allows only TLS 1.1 and TLS 1.2:

<VirtualHost *:443>
   ServerName www.yourdomain.com
   DocumentRoot /var/www/html
   SSLEngine on
   SSLProtocol +TLSv1.1 +TLSv1.2 
   SSLCertificateFile /etc/apache2/certificates/certificate.crt
   SSLCertificateKeyFile /etc/apache2/certificates/certificate.key 
   SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt 
</VirtualHost> 

After changing the VirtualHost configuration file, you need to restart Apache. To restart the Apache service, run the command below in the PuTTY command window.

sudo service apache2 restart
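
The script below is an added example, not part of the original article: it reads a configuration file's text, works out which protocols each VirtualHost's SSLProtocol line leaves enabled, and flags the legacy ones. The function names effective_protocols and audit are hypothetical, the left-to-right evaluation from an empty set follows the notes above, and the TLSv1.3 token and the "all" shortcut go beyond the forms listed on this page.

```python
import re

# Protocol names accepted by this model, oldest first (TLSv1.3 is an addition).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# SSLv2/SSLv3 are broken; TLS 1.0 and 1.1 are deprecated by RFC 8996.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the example virtual host from this page.
SAMPLE = """\
<VirtualHost *:443>
   ServerName www.yourdomain.com
   SSLEngine on
   SSLProtocol +TLSv1.1 +TLSv1.2
</VirtualHost>
"""

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right, starting from an empty set."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        chosen = (set(KNOWN[1:]) if name.lower() == "all"  # assumption: no SSLv2 in "all"
                  else {p for p in KNOWN if p.lower() == name.lower()})
        if not chosen:
            raise ValueError("unknown protocol token: " + token)
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen  # a bare name replaces what was set so far
    return [p for p in KNOWN if p in enabled]

def audit(config_text):
    """Map each <VirtualHost> to (enabled protocols, legacy ones among them)."""
    report = {}
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                        config_text, flags=re.S | re.I)
    for addr, body in blocks:
        name = re.search(r"^\s*ServerName\s+(\S+)", body, flags=re.M | re.I)
        lines = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", body, flags=re.M | re.I)
        key = name.group(1) if name else addr.strip()
        enabled = effective_protocols(lines[-1]) if lines else None  # assumption: last line wins
        report[key] = (enabled, [p for p in enabled or [] if p in LEGACY])
    return report

if __name__ == "__main__":
    for host, (enabled, legacy) in audit(SAMPLE).items():
        print(host, "enabled:", enabled, "legacy:", legacy)
```

A virtual host with no SSLProtocol line is reported with None, meaning it inherits whatever is set elsewhere in the server configuration.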
