TLS (Transport Layer Security) is an important technology used to protect data and communications over the Internet. It helps provide authentication, integrity, confidentiality, and secure communication between two or more parties by encryption techniques. TLS enables secure connections between servers and clients, allowing for a wide range of information to be exchanged securely.
TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their previous versions. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity because of its efficiency and speed. As a server administrator, you should enable TLS 1.2 and TLS 1.3 on your Apache Server to enhance the security of your application, but wait, that’s not enough. You should also disable TLS 1.0 and TLS 1.1 on your Apache Server, as they are deprecated for their weak security.
Before learning how to disable TLS 1.0 and TLS 1.1 on your Apache Server, let’s look at what TLS 1.0 and TLS 1.1 are and why you should disable them on your Apache Server.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over the internet. TLS 1.0 and TLS 1.1 are older versions of the TLS protocol. TLS 1.0 was first defined in 1999 and became widely used on the internet, but it has since been superseded by newer versions due to known vulnerabilities. TLS 1.1 was released in 2006 and addressed some of the vulnerabilities found in TLS 1.0, but it, too, has been superseded by newer versions. Both TLS 1.0 and TLS 1.1 are considered to be relatively weak and susceptible to attacks, and it is recommended to use a newer version of TLS, such as TLS 1.2 or TLS 1.3.
Apache is a popular web server used by many businesses today and can be configured to support different versions of TLS depending on the needs of the organization. It is highly recommended that organizations disable TLS 1.0 and TLS 1.1 on their Apache server in order to ensure the highest level of security and protect the data that is being sent over their network.
There are a few reasons why you should disable TLS 1.0 and TLS 1.1 on your Apache Server:
TLS 1.0 and TLS 1.1 are no longer considered secure because they are vulnerable to various attacks, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can allow an attacker to intercept and decrypt sensitive information transmitted over the internet.
Another reason to disable TLS 1.0 and TLS 1.1 is that newer versions of TLS, such as TLS 1.2 and TLS 1.3, offer improved security and performance over the older versions. By using the newer versions, you can take advantage of the latest security features and protocols to protect your server and your users.
Some government agencies, such as the US National Security Agency (NSA), have recommended that TLS 1.0 and TLS 1.1 be disabled.
There are a number of known vulnerabilities in TLS 1.0 and TLS 1.1 that can be exploited by attackers. These include:
POODLE (Padding Oracle On Downgraded Legacy Encryption)
BEAST (Browser Exploit Against SSL/TLS)
CRIME (Compression Ratio Info-leak Made Easy)
FREAK (Factoring Attack on RSA-EXPORT Keys)
LOGJAM (Diffie-Hellman Key Exchange Weakness)
These vulnerabilities allow attackers to perform man-in-the-middle attacks, decrypt sensitive information, and hijack user sessions. By disabling TLS 1.0 and TLS 1.1 on your Apache server, you can protect yourself from these attacks.
The current version of the TLS protocol is TLS 1.3. TLS 1.3 was first defined in 2018, and it includes a number of security improvements over previous versions of the TLS protocol. We suggest you enable TLS 1.2 and TLS 1.3 on your Apache Server instead of TLS 1.0 and TLS 1.1.
TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.
TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.
TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet services providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers.
Disabling TLS 1.0 and TLS 1.1 on your Apache server is an important security step, as these older encryption protocols are considered insecure and have several known vulnerabilities. By disabling them, you can help protect your server from malicious actors seeking to exploit these weaknesses.
To disable TLS 1.0 and TLS 1.1 on your Apache server, you will need to edit the Apache configuration file. The location of this file depends on your setup. If your Apache installation does not use separate virtual host configurations for multiple sites, the configuration file is typically located at /etc/apache2/mods-available/ssl.conf or /etc/apache2/mods-enabled/ssl.conf.
On our server, we configured multiple virtual hosts, one for each site, underneath /etc/apache2/sites-available/<domain_name>. If you want to set the default configuration on Apache, edit /etc/apache2/sites-available/000-default.conf.
You can check the SSL/TLS versions a server offers using online or offline tools. Use an online TLS checker tool to check the SSL/TLS versions of your public site. If you want to check offline, we recommend Nmap. Run this Nmap command to check the SSL/TLS versions of both public and internal applications. If you want to use Nmap to verify a public site, make sure the machine running Nmap has an internet connection.
$ nmap --script ssl-enum-ciphers -p <PORT> <DOMAIN NAME>
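The Nmap command above lists every protocol version the scanned port accepts. The Python script below is an added example (not part of the original post): it parses that output and flags any deprecated version the server still offers, so the same check can be scripted before and after the Apache change. The embedded scan text is constructed to look like ssl-enum-ciphers output for a server that still accepts TLS 1.0 and TLS 1.1, and the scan() helper is an assumption that simply shells out to the same Nmap command.

```python
import re
import subprocess
from typing import Dict, List

# Versions a hardened Apache server must not offer at all.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample of `nmap --script ssl-enum-ciphers` output for a server
# that still negotiates TLS 1.0 and TLS 1.1 (not output from a real scan).
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
"""

# "|   TLSv1.2:" opens a protocol section; indented cipher lines follow it.
PROTO_LINE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(.*\)\s+-\s+([A-F])\s*$")


def parse_enum_ciphers(output: str) -> Dict[str, List[str]]:
    """Map each protocol version the port offered to the cipher names under it."""
    offered: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = CIPHER_LINE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def deprecated_protocols(output: str) -> List[str]:
    """Deprecated versions that the scanned server still accepts."""
    return sorted(p for p in parse_enum_ciphers(output) if p in DEPRECATED)


def scan(host: str, port: int = 443) -> str:
    """Assumed helper: run the post's Nmap command and return its text output."""
    result = subprocess.run(
        ["nmap", "--script", "ssl-enum-ciphers", "-p", str(port), host],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        output = scan(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        output = SAMPLE_SCAN  # offline demo on the constructed sample
    for proto, ciphers in parse_enum_ciphers(output).items():
        flag = "  <-- disable" if proto in DEPRECATED else ""
        print(f"{proto}: {len(ciphers)} cipher(s){flag}")
    weak = deprecated_protocols(output)
    if weak:
        print("FAIL: deprecated protocols offered: " + ", ".join(weak))
    else:
        print("OK: only TLS 1.2/1.3 offered")
```

Run it with no arguments to see the parser work on the constructed sample, or with a host and port to scan a server you administer. Keep the pre-change output alongside the post-change output: the only difference after the edit should be that the TLSv1.0 and TLSv1.1 sections disappear.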
The configuration file is in a different location depending on how Apache is set up. If your Apache installation does not use separate virtual host configurations for multiple sites, the configuration file is typically located at:
/etc/apache2/mods-available/ssl.conf or /etc/apache2/mods-enabled/ssl.conf (Ubuntu/Debian)
/usr/local/apache2/conf/extra/httpd-ssl.conf (Default Apache Installation)
/private/etc/apache2/extra/httpd-ssl.conf (macOS)
Let’s edit the configuration file using the nano text editor and find the SSLProtocol directive.
You can write a TLS protocol name with or without the ‘-‘ symbol in front of it. This symbol represents negation: the protocol it is attached to is removed from the list the server will negotiate.
Example:
SSLProtocol all -SSLv3: This tells the server not to negotiate the SSLv3 protocol. Ideally, SSLv3 communication is always disabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1: This tells the server to stop negotiating the SSLv3, TLSv1, and TLSv1.1 protocols. This configuration enables TLS 1.2, as well as TLS 1.3 if it is available in your environment.
SSLProtocol all TLSv1.3: This configuration forces the server to negotiate the TLS protocol from the highest to the lowest version. (The TLS version actually negotiated depends on the client’s configuration; as a result, you may see TLSv1.2 in most cases.)
SSLProtocol all -TLSv1.3: This directs the server to skip TLSv1.3 and negotiate a lower version, i.e. TLSv1.2, TLSv1.1, TLSv1.0, …
We hope these examples make it clear how to enable or disable the TLS protocols based on your needs.
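Because SSLProtocol is evaluated token by token, it is easy to write a line that does not enable what you think it does. The Python script below is an added example (not part of the original post or of Apache itself) that evaluates an SSLProtocol line the way mod_ssl's directive parser does: a token prefixed with + adds a version, a token prefixed with - removes it, and a bare token replaces the whole set built so far (httpd logs a warning when that discards earlier tokens). Under that rule the post's example SSLProtocol all TLSv1.3 leaves only TLSv1.3 enabled, which is why the explicit form SSLProtocol -all +TLSv1.2 +TLSv1.3 is the safer way to write the same intent. The audit_config() helper and the embedded config excerpt are constructed for the example; verify the parser rule against the httpd version you run.

```python
import re
from typing import Dict, List, Set

# Protocol names mod_ssl accepts in SSLProtocol; "all" expands to this list
# (OpenSSL builds configured with no-ssl3 drop SSLv3 from "all").
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def effective_protocols(directive: str) -> Set[str]:
    """Evaluate one `SSLProtocol ...` line as mod_ssl's parser does:
    '+name' adds a version, '-name' removes it, and a bare name replaces
    everything built so far. Names are case-insensitive."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    by_name = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled: Set[str] = set()
    for token in tokens[1:]:
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        name = token.lower()
        if name == "all":
            this = set(ALL_PROTOCOLS)
        elif name in by_name:
            this = {by_name[name]}
        else:
            raise ValueError(f"Illegal protocol '{token}'")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # bare token: overrides, does not add
    return enabled


def weak_protocols(directive: str) -> List[str]:
    """Deprecated versions the directive still leaves enabled."""
    return sorted(effective_protocols(directive) & DEPRECATED)


SSLPROTO_RE = re.compile(r"^SSLProtocol\b", re.IGNORECASE)


def audit_config(text: str) -> List[Dict]:
    """Find every active SSLProtocol line in an Apache config and evaluate it.
    Commented-out lines (leading '#') are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not SSLPROTO_RE.match(line):
            continue
        enabled = effective_protocols(line)
        findings.append({"line": lineno, "directive": line,
                         "enabled": enabled, "weak": sorted(enabled & DEPRECATED)})
    return findings


# Constructed excerpt in the style of /etc/apache2/mods-available/ssl.conf plus
# one virtual host; not a real file from any server.
SAMPLE_CONFIG = """\
# constructed example config
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL
</IfModule>
<VirtualHost *:443>
    ServerName example.com
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        status = "FIX" if f["weak"] else "OK "
        print(f"{status} line {f['line']}: {f['directive']} -> {sorted(f['enabled'])}")
```

Point audit_config() at the contents of ssl.conf and every file under sites-enabled, since a virtual host's own SSLProtocol line overrides the global one for that host. A TLSv1.3 token is only accepted by httpd builds with TLS 1.3 support (2.4.36 and later built against OpenSSL 1.1.1 or later). After editing, run apachectl configtest (apache2ctl configtest on Debian/Ubuntu) before restarting so a typo in the directive does not take the site down.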
$ sudo nano /etc/apache2/mods-available/ssl.conf
Restart the Apache service using this command.
$ sudo systemctl restart apache2
We hope this post helps you understand how to disable TLS 1.0 and TLS 1.1 on your Apache Server, as they are deprecated for their weak security.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.