Apache - Disable SSL 2.0, SSL 3.0 and opt fore a modern safe SSL config
Last updated on 27 May 2024, 11:22:25.
Category: All about SSL certificates | SSL configuration
This article shows you how to disable the SSL 2.0, SSL 3.0 and older TLS version protocols on your Apache web server, in order to be prepared for a more modern and safer configuration.
Why disable SSL v2, SSL v3 and other TLS versions?
SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol, which offers a higher degree of security.
In addition, a SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to completely circumvent SSL security. Your Apache web server shouldn't be serving those protocols for better security.
As time moved on, the TLS v1 and TLS v1.1 protocols also became obsolete and deprecated, therefore it is wise to also disable those in your configuration.
If you want to go the extra mile you can always remove TLS v1.2 as well but at the time of writing we might conclude that disabling TLS v1.2 may introduce some problems for older browsers. Therefor we do not recommend it.
Step 1: Find all SSL sites on Apache
Unless you only need to modify one site, in which case you can just open the virtual hosts file you need, try to find all SSL websites with the following command, executed in the root directory of your Apache installation. This will also avoid you *think* you disabled the SSL protocols but they might still have been enabled somewhere in the apache config. Keep ni mind that if not explicitly disabled, if one host is skipped, the older protocols will load!
Go to the installation directory of your Apache distribution and fFind all the configs that contain SSL information:
grep -r SSLEngine *
This will list all SSL VirtualHost blocks you need to modify.
Note that your Apache installation directory may differ according to you distribution. The most common locations are:
- /etc/httpd for Red Hat, CentOs, Fedora and many other distributions
- /etc/apache2 for Debian and Ubuntu distributions
Step 2: Modify the virtual hosts
Using vi or your favourite text editor, add or modify the following line in each VirtualHost block that needs updating:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Step 3: Restart Apache
Restart Apache with one of the following commands:
/etc/init.d/httpd restartservice httpd restartapachectl -k restart
Additional info
If you would like to have a ready cut'n'paste config for Apache we strongly recommend the Mozzila.org SSL Configuration Generator which will allow you to pick the Apache version, OpenSSL version and help you choose an Old (e.g. pretty outdated), Intermediate (more current implementation) or Modern (cutting edge) SSL config for your server.
More info: https://ssl-config.mozilla.org/