CentOS7 Server Apache Disable old TLS for higher versions

DustinB3403

So the question has just come to me, how can I disable TLS v1 and force higher versions of TLS running on a CentOS 7 VM running an apache website.

I often don't bother with public facing things and thus never really look into this. So I'm looking for guidance / confirmation.

This appears to be the answer and than just wait a bit so the Interwebz can realize this change has been made.

Any additional guidance?

Alex Sage

So to be clear you want to disable TLS v1.0 and allow everything from TLS 1.1 up?

Alex Sage

Seems like you should disable everything except TLS 1.2 unless you need to support something that doesn't support 1.2 TLS

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-hardening_tls_configuration

Could you put Cloudflare or nginx in front of this?

DustinB3403

@aaronstuder said in CentOS7 Server Apache Disable old TLS for higher versions:

So to be clear you want to disable TLS v1.0 and allow everything from TLS 1.1 up?

Yea

DustinB3403

@aaronstuder said in CentOS7 Server Apache Disable old TLS for higher versions:

Could you put Cloudflare or nginx in front of this?

No, this isn't hosted in a manner in which this wouldn't be viable. (read as outside of my control).

Alex Sage

@dustinb3403 Got ya, that's why I asked

Alex Sage

This looks OK, but I haven't tested it.

https://www.cloudibee.com/disabling-tls-apache/

I would check it with SSL Labs after you disable it.

https://www.ssllabs.com/

JaredBusch

@dustinb3403 said in CentOS7 Server Apache Disable old TLS for higher versions:

So the question has just come to me, how can I disable TLS v1 and force higher versions of TLS running on a CentOS 7 VM running an apache website.

I often don't bother with public facing things and thus never really look into this. So I'm looking for guidance / confirmation.

This appears to be the answer and than just wait a bit so the Interwebz can realize this change has been made.

Any additional guidance?

Yes, for Apache, that is pretty much it. You update your SSLProtocol as needed and restart the service.

coliver

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

JaredBusch

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

coliver

@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.

JaredBusch

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.

Correct. That is the only change I made to their config. I even reran dhparam