
I have been asked to disable TLS1.0 (on SSLv3) from Apache running on Solaris. I am new to infrastructure stuff. I did some googling and most of the results talk about something like `SSLProtocol all -TLSv1` in the ssl.conf file. But when I go to the /etc/apache2/ssl.conf file there is no setting defined for SSLProtocol. Is it that, since there is no setting defined for SSLProtocol, all TLS versions are being allowed? Also, where should I add the SSLProtocol setting in the ssl.conf file? Many thanks for all replies.

Sukirti Sen

1 Answer


Go to Apache's folder and just run:

grep -iRl "SSLProtocol" ./

And then, if you found a file containing it, change it to the following, or if you didn't find anything, open the ssl.conf, and add this line after the lines starting with SSL:

SSLProtocol -all +TLSv1.2

If your OpenSSL version is above 1.1.1 (use `openssl version` to check), and your Apache version is above 2.4.36 (use `httpd -v` to check), then you can also use TLSv1.3. If you use it without the above-mentioned version requirements, you will get an error saying Illegal Protocol. So, if you meet the above requirements you can use:

SSLProtocol -all +TLSv1.2 +TLSv1.3

Also, I am confused about the SSLv3 you mentioned. You must not use SSLv3 even if you want to. Check https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/.

Example person
  • Hi, thanks for the reply. When I use the grep command I get an error: `grep: illegal option -- R`. openssl version is OpenSSL 1.0.2n – Sukirti Sen Mar 13 '20 at 09:50
  • @SukirtiSen Just copy my command, you probably typed the grep command wrong. I guess you are using Ubuntu 18.04, right? Did you try the SSLProtocol line? – Example person Mar 13 '20 at 09:53
  • Hi, no, I am using PuTTY on Solaris 10 servers – Sukirti Sen Mar 13 '20 at 14:38
  • @SukirtiSen Ok, alright, test my conf, tell me about it, accept/decline my answer. It should also work with Solaris. – Example person Mar 13 '20 at 15:30
  • @SukirtiSen I meant, if you do not find anything using the grep command, then open the /etc/apache2/ssl.conf file and add `SSLProtocol -all +TLSv1.2`. Put it after the last SSL line. Also, what's `openssl s_client -connect 135.188.232.142:443 -tls1`? Comment the SSLProtocol line if it is not already. And then add this without commenting this – Example person Mar 13 '20 at 16:44
  • I am getting confused by your comment 'if you didn't find anything, open the ssl.conf, and add this line after the lines starting with SSL'. I am not sure where to put the protocol adjustments. SSLProtocol is not defined; the lines are commented like this: `# SSL Protocol Adjustments:` / `# The safe and default but still SSL/TLS standard compliant shutdown`. You mention that 'If you will use it without the above mentioned requirements of the versions, then you will get an error saying Illegal Protocol.' I ran `openssl s_client -connect :443 -tls1`, and I receive a successful connect result – Sukirti Sen Mar 13 '20 at 16:50
  • @SukirtiSen Can you please add your ssl.conf file to your question. – Example person Mar 13 '20 at 16:51
  • You must restart Apache after making any changes. – Example person Mar 13 '20 at 16:54
  • @SukirtiSen, you are seriously getting confused lol. Use TLSv1.3 if you have the version 1.1.1 of openssl, and if your apache version is above 2.4.36. Use the `SSLProtocol -all +TLSv1.2` if using TLSv1.3 doesn't work. Also, I assume you are absolutely new to Apache. – Example person Mar 13 '20 at 16:56
  • Hi, sorry, I am totally new to Apache :(, apologies. You said earlier 'If you will use it without the above mentioned requirements of the versions, then you will get an error saying Illegal Protocol.' My ssl.conf file does not have any SSLProtocol setting defined, so as per your comment, should I not be receiving an error? – Sukirti Sen Mar 13 '20 at 18:44
  • When I run `openssl s_client -connect :443 -tls1`, I receive a successful connect result; the same goes if I check connecting with TLS 1.2/1.3. The requirement is to disable TLS 1.0, and while I understand your solution, your earlier comment and the lack of an SSLProtocol setting in my ssl.conf file have got me confused, sorry – Sukirti Sen Mar 13 '20 at 18:45
  • Leave all of the above comments. Open your ssl.conf, add `SSLProtocol -all +TLSv1.2` after the last SSL line. TLSv1.0 is disabled. – Example person Mar 14 '20 at 06:23
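The two checks the thread above circles around, written up as an added example (not code from the question or the answer): which SSLProtocol line is actually active in a config file (a commented `# SSLProtocol` line does not count, and with no active line mod_ssl uses its built-in default, `all -SSLv3` in httpd 2.4.17+ and plain `all` before that, which is why TLSv1.0 still connects), and which versions the running server still negotiates, probed one `openssl s_client` protocol flag at a time. HOST and PORT are placeholders; on Solaris 10 run it with /usr/xpg4/bin/sh or ksh, since the legacy /bin/sh lacks `$(...)`.

```shell
#!/bin/sh
# Added example: verify an SSLProtocol change after restarting Apache.
# Assumes: OpenSSL 1.0.2 or 1.1.1 s_client output format, POSIX sh with $(...).

# Print the last uncommented SSLProtocol line in a config file (last wins in
# Apache). With none, mod_ssl's built-in default applies.
effective_sslprotocol() {
    conf="$1"
    line=$(grep -i '^[[:space:]]*SSLProtocol' "$conf" | tail -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "$line"
    else
        echo "SSLProtocol (not set; built-in default applies)"
    fi
}

# Classify saved `openssl s_client` output: the handshake completed only if a
# real cipher was negotiated; "Cipher is (NONE)" means that version was refused.
classify_probe() {
    case "$1" in
        *"Cipher is (NONE)"*) echo DISABLED ;;
        *"Cipher is "*)       echo ENABLED ;;
        *)                    echo DISABLED ;;
    esac
}

# Probe each version against a live server, one protocol flag at a time.
# -tls1_3 is only understood by OpenSSL 1.1.1+, so an older client's
# "unknown option" is reported as SKIPPED rather than as a server result.
probe_protocols() {
    host="$1"; port="$2"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        case "$out" in
            *"unknown option"*) status=SKIPPED ;;
            *) status=$(classify_probe "$out") ;;
        esac
        printf '%-8s %s\n' "$flag" "$status"
    done
}

# Usage (placeholders): effective_sslprotocol /etc/apache2/ssl.conf
#                       probe_protocols HOST 443
```

After `SSLProtocol -all +TLSv1.2` and a restart, `-tls1` and `-tls1_1` should report DISABLED and `-tls1_2` ENABLED.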