Disable TLSv1 and TLSv1.1 in Apache 2.4.10 on Debian 8.11


Post by waldo22 » 2018-10-17 20:23

I have been trying for months to disable TLSv1 and TLSv1.1 in Apache 2.4.10 on Debian 8.11 for PCI compliance.

I am using the directive:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

...in both my /etc/apache2/sites-available vhost conf file and /etc/apache2/mods-available/ssl.conf.

I have read the following:
https://serverfault.com/questions/84817 ... -in-apache
https://stackoverflow.com/questions/434 ... apache-2-4
https://serverfault.com/questions/51396 ... -in-apache
https://bugs.launchpad.net/ubuntu/+sour ... omments/12

I have NOT yet added a 'Protocol' directive to /etc/ssl/openssl.cnf.

The SSLProtocol directives are simply ignored.

I should add that this directive works fine on Apache 2.4.25 on Debian 9.5.

Am I missing something obvious, or is this a bug that has not yet been fixed?

Thanks,

-Wes
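
Added example, not part of the original post and not Apache's own code: a small auditor that lists every SSLProtocol directive in the config text it is given, the scope it sits in, and the protocol set it evaluates to, so a directive that still leaves TLSv1 or TLSv1.1 enabled stands out. Assumptions: `all` expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (Apache 2.4.10 built against OpenSSL 1.0.1 or later), tokens are applied left to right with a bare token replacing the set, and the second sample file is constructed; the names `evaluate` and `audit` are hypothetical.

```python
import re
# Assumption: what "all" expands to on Apache 2.4.10 built against OpenSSL 1.0.1+.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL}

def evaluate(args):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            group = set(ALL)
        elif name.lower() in CANON:
            group = {CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol token: " + tok)
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:  # assumption: a bare token replaces whatever was set before it
            enabled = group
    return enabled

def audit(files):
    """files maps path -> config text; returns one tuple per SSLProtocol line."""
    findings = []
    for path, text in files.items():
        scope = "server"
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            if vhost:
                scope = "vhost " + vhost.group(1).strip()
            elif line.lower().startswith("</virtualhost"):
                scope = "server"
            elif proto:
                on = evaluate(proto.group(1))
                findings.append((path, lineno, scope, sorted(on), sorted(on & LEGACY)))
    return findings

# Constructed sample input; only the ssl.conf path and its directive come from the post.
SAMPLE = {
    "/etc/apache2/mods-available/ssl.conf": "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n",
    "sites-available/other-site.conf": "<VirtualHost *:443>\n  SSLProtocol all -SSLv3\n</VirtualHost>\n",
}
for finding in audit(SAMPLE):
    print(finding)  # (path, line, scope, enabled protocols, legacy protocols still on)
```

To run it on a real host, build the `files` mapping from the config files Apache actually loads rather than from `SAMPLE`.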