Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Disable TLSv1 and TLSv1.1 in Apache 2.4.10 on Debian 8.11

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
waldo22
Posts: 21
Joined: 2012-06-19 00:09

Disable TLSv1 and TLSv1.1 in Apache 2.4.10 on Debian 8.11

#1 Post by waldo22 »

I have been trying for months to disable TLSv1 and TLSv1.1 in Apache 2.4.10 on Debian 8.11 for PCI compliance.

I am using the directive:

Code: Select all

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
...in both my /etc/apache2/sites-available vhost conf file and /etc/apache2/mods-available/ssl.conf.

I have read the following:
https://serverfault.com/questions/84817 ... -in-apache
https://stackoverflow.com/questions/434 ... apache-2-4
https://serverfault.com/questions/51396 ... -in-apache
https://bugs.launchpad.net/ubuntu/+sour ... omments/12

I have NOT yet added a 'Protocol' directive to /etc/ssl/openssl.cnf.

The SSLProtocol directives are simply ignored.

I should add that this directive works fine on Apache 2.4.25 on Debian 9.5.

Am I missing something obvious, or is this a bug that has not yet been fixed?

Thanks,

-Wes

Post Reply