
Sorry to bother you with this common issue; I found lots of resources on the web, but none has worked for me.

I have Apache/2.4.51 (Unix) OpenSSL/1.1.1l PHP/7.3.33 mod_perl/2.0.11 Perl/v5.32.1 installed with XAMPP on Ubuntu Server 20.04.

My SSL certificate has been made with letsencrypt Certbot https://certbot.eff.org/

I still get this result from Qualys https://www.ssllabs.com/ssltest/

This server supports TLS 1.0 and TLS 1.1

What I did:

On /etc/letsencrypt/options-ssl-apache.conf

SSLEngine on

#SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol             +TLSv1.2 +TLSv1.3

SSLHonorCipherOrder     on

# enabling Perfect Forward Secrecy
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

SSLCompression          off
SSLOptions +StrictRequire

I tried many other ways to write it, but none has worked.

On /opt/lampp/etc/extra/httpd-vhosts.conf

<VirtualHost *:443>
    #ServerAdmin webmaster@dummy-host2.example.com
    #DocumentRoot "/opt/lampp/htdocs/"
    ServerName myserver.name
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/myserver.name/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myserver.name/privkey.pem
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    ErrorLog "logs/myserver.name-error_log"
    CustomLog "logs/myserver.name-access_log" common
</VirtualHost>

but it seems to have no effect. I read that letsencrypt options-ssl-apache.conf overrides any Apache SSL directives.

I made some improvement in my SSL evaluation by adding Perfect Forward Secrecy, but I think it could be more robust. When I succeed in disabling TLSv1.x I'll try to use this guide.

There is also /opt/lampp/etc/extra/httpd-ssl.conf, but it has no SSLProtocol directive written, so I've avoided editing it.

I have edited instead /opt/lampp/etc/original/extra/httpd-ssl.conf

SSLHonorCipherOrder on

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

#SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1 -SSLv3 -SSLv2

#SSLProxyProtocol all -SSLv3
SSLProxyProtocol +TLSv1.2 +TLSv1.3

SSLEngine on

Again, it seems to have no effect whatsoever.

Obviously I have stopped and restarted the server.

sudo /opt/lampp/lampp stop

sudo /opt/lampp/lampp start

Thanks for your help.

Neuran
  • Did you restart the server after the conf changed? – mariolu Mar 12 '22 at 12:45
  • yes: sudo /opt/lampp/lampp stop and then sudo /opt/lampp/lampp start – Neuran Mar 12 '22 at 13:40
  • Put your LogLevel to a higher level (max trace8) to see many more log entries, it might point you in the right direction. But do not leave it like that on the long run, your logs will get huge! – Nic3500 Mar 14 '22 at 03:54

1 Answer


Solved.

#
Listen 443

#added this line
SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

to /opt/lampp/etc/extra/httpd-ssl.conf

Neuran
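The fix above works because the directive lands in the server-config context of the file Apache actually loads for port 443, rather than only inside one vhost. As an added example (not code from the original question or answer), the script below walks an Apache config tree, follows Include directives, and computes the effective SSLProtocol for every VirtualHost using the merge rules mod_ssl documents: the last SSLProtocol in a context wins, a vhost without one inherits the server-config value, and with no directive anywhere the 2.4 default of "all -SSLv3" applies. The token parser follows the mod_ssl rules (all, +x, -x, and a bare token that replaces everything set before it, which mod_ssl reports with a warning in the error log). The file layout, file contents and the relative Include path for options-ssl-apache.conf are constructed here to mirror the fragments in the question; they are assumptions, not the poster's real tree.

```python
"""Added example (not from the original post): find which SSLProtocol
directive is effective in each Apache <VirtualHost>. The config tree
built by build_sample_tree() is constructed to mirror the question."""
import tempfile
from pathlib import Path

# Protocol names mod_ssl accepts, matched case-insensitively.
PROTOCOLS = {p.lower(): p for p in
             ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
DEFAULT = frozenset(PROTOCOLS.values()) - {"SSLv3"}   # documented 2.4 default
SERVER = "server config"


def parse_sslprotocol(tokens):
    """mod_ssl token rules: 'all' is every protocol, '+x' adds, '-x' removes,
    and a bare token replaces what was set so far (mod_ssl warns about that)."""
    enabled, warnings = set(), []
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        key = name.lower()
        if key == "all":
            names = set(PROTOCOLS.values())
        elif key in PROTOCOLS:
            names = {PROTOCOLS[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        if op == "+":
            enabled |= names
        elif op == "-":
            enabled -= names
        else:
            if enabled:
                warnings.append(f"{tok} overrides earlier tokens; missing +/- prefix?")
            enabled = set(names)
    return frozenset(enabled), warnings


def scan_config(conf, root, context=SERVER, scan=None):
    """Recursively read conf, following Include/IncludeOptional (relative paths
    resolve against root), recording each <VirtualHost> and each SSLProtocol
    directive together with the context it lands in."""
    scan = scan if scan is not None else {"vhosts": [], "directives": []}
    for lineno, raw in enumerate(conf.read_text().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        word = parts[0].lower()
        if word.startswith("<virtualhost"):
            context = line.strip("<>").split(None, 1)[1]      # e.g. "*:443"
            scan["vhosts"].append(context)
        elif word == "</virtualhost>":
            context = SERVER
        elif word in ("include", "includeoptional"):
            target = Path(parts[1].strip('"'))
            target = target if target.is_absolute() else root / target
            if target.is_file():
                scan_config(target, root, context, scan)
        elif word == "sslprotocol":
            protos, warns = parse_sslprotocol(parts[1:])
            scan["directives"].append((context, f"{conf.name}:{lineno}", protos, warns))
    return scan


def effective_protocols(main_conf, root):
    """Last SSLProtocol per context wins; vhosts inherit server config or DEFAULT."""
    scan = scan_config(Path(main_conf), Path(root))
    last = {}
    for context, _where, protos, _warns in scan["directives"]:
        last[context] = protos
    server = last.get(SERVER, DEFAULT)
    return {vh: last.get(vh, server) for vh in scan["vhosts"]}


def build_sample_tree(fixed):
    """Constructed mini XAMPP-style layout. fixed=False mirrors the question
    (vhost restricted, default :443 vhost has no SSLProtocol); fixed=True adds
    the accepted answer's line at server level in httpd-ssl.conf."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/extra").mkdir(parents=True)
    (root / "letsencrypt").mkdir()
    (root / "httpd.conf").write_text(
        "Include etc/extra/httpd-ssl.conf\nInclude etc/extra/httpd-vhosts.conf\n")
    fix = "SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1\n" if fixed else ""
    (root / "etc/extra/httpd-ssl.conf").write_text(
        "Listen 443\n" + fix + "<VirtualHost _default_:443>\n"
        "    ServerName www.example.com:443\n    SSLEngine on\n</VirtualHost>\n")
    (root / "letsencrypt/options-ssl-apache.conf").write_text(
        "SSLEngine on\nSSLProtocol +TLSv1.2 +TLSv1.3\nSSLHonorCipherOrder on\n")
    (root / "etc/extra/httpd-vhosts.conf").write_text(
        "<VirtualHost *:443>\n    ServerName myserver.name\n    SSLEngine On\n"
        "    Include letsencrypt/options-ssl-apache.conf\n"
        "    SSLProtocol -all +TLSv1.3 +TLSv1.2\n</VirtualHost>\n")
    return root


def audit(root):
    """Print every directive (flagging shadowed ones) and the per-vhost result."""
    scan = scan_config(root / "httpd.conf", root)
    last_seen = {c: where for c, where, _p, _w in scan["directives"]}
    for context, where, protos, warns in scan["directives"]:
        note = "" if last_seen[context] == where else "  (shadowed by a later directive)"
        print(f"{where:28} [{context}] {' '.join(sorted(protos))}{note}")
        for w in warns:
            print(f"{'':28} warning: {w}")
    for vh, protos in effective_protocols(root / "httpd.conf", root).items():
        legacy = sorted(protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
        print(f"vhost {vh}: {' '.join(sorted(protos))}"
              + (f"  <-- still allows {' '.join(legacy)}" if legacy else ""))


if __name__ == "__main__":
    for fixed in (False, True):
        print("=== after fix ===" if fixed else "=== before fix ===")
        audit(build_sample_tree(fixed))
```

Run it against a real tree with `audit(Path("/opt/lampp/etc"))` after adjusting the main file name. In the constructed "before" tree the poster's vhost is already limited to TLS 1.2/1.3, but the `_default_:443` vhost in httpd-ssl.conf falls back to the mod_ssl default and still allows TLS 1.0 and 1.1; a client whose SNI matches no vhost (or sends none) is served by the first vhost for that address:port, so that default vhost needs the restriction too, which is what the server-level line in the answer achieves. After restarting, confirm from outside with `openssl s_client -connect myserver.name:443 -servername myserver.name -tls1_1`, which should now fail the handshake, while the same command with `-tls1_2` succeeds.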