2

What is the best way to see where my SSLProtocols might be overridden on a CentOS 7 server? Apache 2.4.6 (realizing this is quite old as well, so I'll have to update this off hours and see if it fixes the issue).

I'm trying to disable TLSv1 using this Apache Directive in my config root (/etc/httpd/conf/httpd.conf)

SSLProtocol -all +TLSv1.1 +TLSv1.2

Yet when I run nmap --script ssl-enum-ciphers -p 443 <mysite.com>, it shows that TLSv1 is still enabled:

ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server 

The SSL Labs test reveals the same thing.

No other SSLProtocol directives are provided in the virtual host.

After that I decided to just search all config files using this command sudo grep -rnw '/etc/httpd' -e 'SSLProtocol' and it revealed the following locations:

/etc/httpd/conf/httpd.conf:359:SSLProtocol -all +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:74:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf:227:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf:257:SSLProtocol ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf.rpmnew:75:SSLProtocol all -SSLv2 -SSLv3

So I went into the ssl.conf file and changed line 74 to match, but the issue still persists. Lines 227 and 257 are for two virtual hosts that I'm not currently testing but I'll update later.

EDIT: Even though the remaining two lines were for Virtual Hosts, granted the answers about the OpenSSL bug, I changed all references to SSLProtocol -all +TLSv1.1 +TLSv1.2 and restarted my server but nothing has changed. Why would this be? I'm wondering if it's a bug in Apache 2.4.6 itself.

Aaron Chamberlain
  • Possible duplicate of [Is it possible to set an SSLProtocol in Apache for a single VirtualHost (poodle)?](https://serverfault.com/questions/637344/is-it-possible-to-set-an-sslprotocol-in-apache-for-a-single-virtualhost-poodle) – AlexD Oct 01 '18 at 21:34
  • The linked question does provide some valuable insight, but part of my process is actually just to remove all virtualhost directives and supplant it with just the main one in ssl.conf, so that all further sites inherit this. – Aaron Chamberlain Oct 01 '18 at 22:10

5 Answers

8

I solved this issue through an unexpected fix. I found this issue on Bugzilla and was going through it when, later on, someone mentioned that Let's Encrypt has an isolated file /etc/letsencrypt/options-ssl-apache.conf. Within this file there is a setting:

SSLProtocol             all -SSLv2 -SSLv3

Certbot automatically installs a reference to this file in the virtual host configuration, and that cert happened to be installed on the first Virtual Host in my server configuration. I changed it to match my previous setting of SSLProtocol -all +TLSv1.1 +TLSv1.2 and it worked perfectly.

Note:

  1. Virtual Hosts inherit their siblings' settings.
  2. Global file settings don't take precedence.
Aaron Chamberlain
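As an added example (not code from the question or any answer), a small shell function that follows Include and IncludeOptional directives from the root config and lists every active SSLProtocol directive in the order httpd reads them, which is how a directive living outside /etc/httpd, such as certbot's options-ssl-apache.conf, surfaces where a plain grep over /etc/httpd misses it. The sample tree it builds is constructed to mirror the layout in the question; it assumes `local` is available (bash or dash) and unquoted Include arguments.

```shell
#!/bin/sh
# Added example (not from the question or any answer): follow Include and
# IncludeOptional from the root config and list every active SSLProtocol
# directive in the order httpd reads them, so a directive pulled in from
# outside /etc/httpd (certbot's options-ssl-apache.conf) is not missed the
# way a plain grep over /etc/httpd misses it.
# Assumes `local` (bash/dash) and unquoted Include arguments.
list_ssl_protocol() {
    local root conf lineno rest pattern f
    root=$1; conf=$2
    [ -f "$conf" ] || return 0
    # Uncommented directives only; -n supplies the line number.
    grep -n -i -E '^[[:space:]]*(SSLProtocol|Include|IncludeOptional)[[:space:]]' "$conf" |
    while IFS=: read -r lineno rest; do
        set -f; set -- $rest; set +f          # split into words, no globbing yet
        case "$1" in
            [Ii]nclude*)
                # Relative Include paths are resolved against ServerRoot.
                case "$2" in /*) pattern=$2 ;; *) pattern=$root/$2 ;; esac
                for f in $pattern; do         # unquoted on purpose: expand the glob
                    list_ssl_protocol "$root" "$f"
                done ;;
            *)
                printf '%s:%s:%s\n' "$conf" "$lineno" "$*" ;;
        esac
    done
}

# Constructed sample tree mirroring the layout in the question: a global
# SSLProtocol, conf.d/ssl.conf, and a vhost that Includes certbot's file.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/conf.d" "$root/letsencrypt"
    printf '%s\n' 'SSLProtocol -all +TLSv1.1 +TLSv1.2' 'IncludeOptional conf.d/*.conf' > "$root/httpd.conf"
    printf '%s\n' '<VirtualHost *:443>' "    Include $root/letsencrypt/options-ssl-apache.conf" '</VirtualHost>' > "$root/conf.d/mysite-le-ssl.conf"
    printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3' > "$root/conf.d/ssl.conf"
    printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3' > "$root/letsencrypt/options-ssl-apache.conf"
    printf '%s\n' "$root"
}

# On a real server: ./list_ssl_protocol.sh /etc/httpd /etc/httpd/conf/httpd.conf
if [ "$#" -eq 2 ]; then
    list_ssl_protocol "$1" "$2"
fi
```

The vhost's Include of the certbot file is printed ahead of conf.d/ssl.conf because the conf.d glob sorts it first, which is exactly the ordering that made it the effective setting in the question.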
2

Using

SSLProtocol TLSv1.2

Or

SSLProtocol -ALL +TLSv1.2

Should work. But (there is always a but!) it's not working when configuring it in virtualhosts. With virtualhosts it keeps the first vhost's option for all further vhosts.

At least this happens in CentOS 7.6 running Apache (httpd) 2.4.6.

otaviofcs
0

For me, after spending an hour pulling my hair out trying to figure out why my website kept offering TLS 1.0 and TLS 1.1 - even after manually editing the letsencrypt override that was included automatically - I realized that I was using Cloudflare, and that Cloudflare is still offering TLS 1.0 and TLS 1.1 by default in 2023. Crazy. Anyway, if anyone reading this is experiencing this same problem, then you can set a minimum TLS version in Cloudflare as follows (for free): https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/

Rick L
0

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI), it is allowed syntax to have an SSLProtocol directive for each VirtualHost, but unless you have IP-based VirtualHosts, in practice the settings from the first VirtualHost's SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS1.

HBruijn
  • This makes sense, but after changing all references to `SSLProtocol -all +TLSv1.1 +TLSv1.2` and restarting my server, nothing has changed. TLSv1 is still allowed, so how do I go about finding where my server is allowing it? – Aaron Chamberlain Oct 01 '18 at 22:06
0

Remove (or comment out) every SSLProtocol ALL -SSLv2 -SSLv3 line and change them to your SSLProtocol TLSv1.1 TLSv1.2. Only disabling those two would still allow TLSv1.0.

No need to specify -all if you only enable what you need.

NuTTyX