by InMotion Hosting Contributor
2 Minutes, 46 Seconds to Read
TLS versions 1.0 and 1.1 are now considered insecure with TLS 1.2 being the current standard and TLS 1.3 being the newest version available today. However, many web server environments leave the older TLS versions enabled to ensure compatibility for new users. This is a quick, but valuable way to harden your Linux server to protect your data and website visitors.
To test what TLS versions your Linux web server uses, you can use third party tools such as the Qualys SSL Labs online tool, included in the Mozilla Observatory Header Scanner.
Below we cover how to disable older TLS versions and enable TLS 1.3 on:
- cPanel VPS/Dedicated Servers
- Nginx Servers
- Apache Servers
Disable TLS 1.0 and TLS 1.1 in cPanel
- Log into WebHost Manager (WHM) as root.
- On the left, select Apache Configuration.
- Select Global Configuration.
- Beside SSL/TLS Protocols. you’ll likely see text similar to the following:
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1. Select the radio button beside “TLSv1.2default.” If you wish to support the latest TLS version, TLS 1.3, select the radio button beside the text field and type the following:TLSv1.2 +TLSv1.3
- At the bottom, select Save.
- Select Rebuild Configuration and Restart Apache.
- If your cPanel server runs Nginx, follow the Nginx section below. If not, test your TLS settings.
Enjoy high-performance, lightning-fast servers with increased security and maximum up-time with our Secure VPS Hosting!
Linux VPS cPanel or Control Web Panel Scalable Website Migration Assistance
Disable Older TLS Versions on Nginx Servers
If your cPanel server runs Nginx, including users with the cPanel Cache Manager, you’ll need to do some advanced Nginx configuration:
Steps may differ if not managing an InMotion Hosting server.
- Log into SSH or WHM Terminal as root.
- Edit your default Nginx configuration file:
nano /opt/ngxconf/templates/default_server.j2
- Look for the
ssl_protocolsline at the bottom of the file. RemoveTLSv1.1. - Save changes.
- Rebuild your Nginx configuration:
ngxconf -Rrd --force
- Purge your Nginx cache:
ngxutil -Z
- Test your TLS settings.
Disable Older TLS Versions on Apache Servers
Follow these steps to harden unmanged Linux servers.
- SSH into your server as root.
- Edit your Apache configuration file. You can use the find command if it’s not below:
CentOS:
nano /etc/httpd/conf.d
Debian/Ubuntu:nano /etc/apache2/mods-enabled/ssl.conf
find / -iname ssl.conf
- Edit the
SSLProtocolline. Ensure it states the following:SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- Save changes.
- Restart Apache:
systemctl restart apache2
- Test your TLS settings.
If you don’t need cPanel, don't pay for it. Only pay for what you need with our scalable Cloud VPS Hosting.
CentOS, Debian, or Ubuntu No Bloatware SSH and Root Access
Test your SSL/TLS Settings
After you finish configuring your TLS settings, there are two easy methods to check your TLS changes.
The easiest option is to use the Qualys SSL Labs test. Make sure to check the box stating “Do not show the results on the boards” for some anonymity.
- At the top, you should not see “This server supports TLS 1.0 and TLS 1.1.”
- If you enabled TLS 1.3, you should see “This server supports TLS 1.3” in green.
- View the related cPanel forum threads for more information on how to support Forward Secrecy.
- If you have a CAA DNS record, you’ll also see “DNS Certification Authority Authorization (CAA) Policy found for this domain.”
For terminal users with Nmap installed, you can use it or the Zenmap graphical application to check for insecure TLS ciphers.
nmap --script ssl-enum-ciphers -p 443 YourDomain.com
Be sure to bookmark our guide onVPS Security to learn more ways to protect your server. Have any questions about disabling older TLS protocols or SSL certificates? Let us know in our Community Forum.
