How to Disable TLS 1.0 and TLS 1.1 on Your Apache Server?

12Jun 2023 by Ernest Haberli Jr. No Comments

TLS (Transport Layer Security) is an important technology used to protect data and communications over the Internet. It helps provide authentication, integrity, confidentiality, and secure communication between two or more parties by encryption techniques. TLS enables secure connections between servers and clients, allowing for a wide range of information to be exchanged securely.

TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their previous versions. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity because of its efficiency and speed. As a server administrator, you should enable TLS 1.2 and TLS 1.3 on your Apache Server to enhance the security of your application, but wait, that’s not enough. You should also disable TLS 1.0 and TLS 1.1 on your Apache Server, as they are deprecated for their weak security.

Before learning how to disable TLS 1.0 and TLS 1.1 on your Apache Server, let’s learn about TLS 1.0 and TLS 1.1 and why you should disable TLS 1.0 and TLS 1.1 on your Apache Server.

A Short Note About TLS 1.0 and TLS 1.1:

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over the internet. TLS 1.0 and TLS 1.1 are older versions of the TLS protocol. TLS 1.0 was first defined in 1999 and became widely used on the internet, but it has since been superseded by newer versions due to known vulnerabilities. TLS 1.1 was released in 2006 and addressed some of the vulnerabilities found in TLS 1.0, but it, too, has been superseded by newer versions. Both TLS 1.0 and TLS 1.1 are considered to be relatively weak and susceptible to attacks, and it is recommended to use a newer version of TLS, such as TLS 1.2 or TLS 1.3.

Why You Should Disable TLS 1.0 and TLS 1.1 on Your Apache Server?

Apache is a popular web server used by many businesses today and can be configured to support different versions of TLS depending on the needs of the organization. It is highly recommended that organizations disable TLS 1.0 and TLS 1.1 on their Apache server in order to ensure the highest level of security and protect the data that is being sent over their network.

There are a few reasons why you should disable TLS 1.0 and TLS 1.1 on your Apache Server:

  1. TLS 1.0 and TLS 1.1 are no longer considered secure due to the fact that they are vulnerable to various attacks, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can allow an attacker to intercept and decrypt sensitive information transmitted over the internet.
  2. Another reason to disable TLS 1.0 and TLS 1.1 is that newer versions of TLS, such as TLS 1.2 and TLS 1.3, offer improved security and performance over the older versions. By using the newer versions, you can take advantage of the latest security features and protocols to protect your server and your users.
  3. Some government agencies, such as the US National Security Agency (NSA), have recommended that TLS 1.0 and TLS 1.1 be disabled.

 

See Also How To Fix CVE-2022-30190- A Zero-Click RCE Vulnerability In MSDT

Attacks TLS 1.0 and TLS 1.1 are Vulnerable To:

There are a number of known vulnerabilities in TLS 1.0 and TLS 1.1 that can be exploited by attackers. These include:

  1. POODLE (Padding Oracle On Downgraded Legacy Encryption)
  2. BEAST (Browser Exploit Against SSL/TLS)
  3. CRIME (Compression Ratio Info-leak Made Easy)
  4. FREAK (Factoring Attack on RSA-EXPORT Keys)
  5. LOGJAM (Diffie-Hellman Key Exchange Weakness)

These vulnerabilities allow attackers to perform man-in-the-middle attacks, decrypt sensitive information, and hijack user sessions. By disabling TLS 1.0 and TLS 1.1 on your Apache server, you can protect yourself from these attacks.

What is the Alternate to TLS 1.0 and TLS 1.1?

The current version of the TLS protocol is TLS 1.3. TLS 1.3 was first defined in 2018, and it includes a number of security improvements over previous versions of the TLS protocol. We suggest you enable TLS 1.2 and TLS 1.3 on your Apache Server instead of TLS 1.0 and TLS 1.1.

TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.

TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.

TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet services providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers.

Please visit these posts to learn more about TLS 1.2 and TLS 1.3:

  1. What Is SSL/TLS? How SSL, TLS 1.2, And TLS 1.3 Differ From Each Other?
  2. Decoding TLS v1.2 protocol Handshake with Wireshark
  3. Decoding TLS 1.3 Protocol Handshake With Wireshark
  4. How to Enable TLS 1.3 on Popular Web Servers?
  5. How to Enable TLS 1.2 and TLS 1.3 on Windows Server
  6. How to Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?

How to Disable TLS 1.0 and TLS 1.1 on Apache Server?

Disabling TLS 1.0 and TLS 1.1 on your Apache server is an important security step, as these older encryption protocols are considered insecure and have several known vulnerabilities. By disabling them, you can help protect your server from malicious actors seeking to exploit these weaknesses.

To disable TLS 1.0 and TLS 1.1 on your Apache server, you will need to edit the Apache configuration file. The location of this file may vary depending on your setup. If you don’t have separate virtual host multiple site configuration on your Apache, then the configuration file would be typically located at /etc/apache2/mods-available/ssl.conf or /etc/apache2/mods-enabled/ssl.conf.

 

On our server, we configured multiple server blocks, one for each site underneath /etc/Apache2/sites-available/<domain_name>.  If you want to set the default configuration on Apache, configure the /etc/Apache2/sites-available/000-default.conf

Time needed: 15 minutes.

How to Disable TLS 1.0 and TLS 1.1 on Nginx Server?

  1. Step 1: Check the SSL/TLS versions enabled on your applicationWell, you can check the SSL/TLS versions using any online or offline tools. Visit this TLS Checker online tool to check the SSL/TLS versions of your public site. If you want to check it offline, we recommend Nmap to use. Run this Nmap command to check the SSL/TLS versions of both public and internal applications. However, make sure you have Nmap and internet connection if you want to use Nmap to verify the public site.

    $ nmap –script ssl-enum-ciphers -p <PORT> <DOMAIN NAME>


    Check the SSL_TLS versions enabled on your application
  2. Open the SSL configuration file in a text editorThe configuration file would be in a different location depending on how the Apache is configured to work. If you don’t have separate virtual host multiple site configuration on your Apache, then the configuration file would be typically located at /etc/apache2/mods-available/ssl.conf or /etc/apache2/mods-enabled/ssl.conf.

    On our server we haven’t configured multiple server blocks in our setup. We configured the SSLProtocol directive to TLSv1.3 in /etc/apache2/mods-available/ssl.conf and /etc/apache2/sites-available/000-default.conf files to work with a higher version of TLS protocol that is TLSv1.3. This configuration forces the server to negotiate the TLS protocol from the higher to the lower version. (The TLS version would negotiate with the client depending on the client’s configuration. As a result, you may see TLSv1.2 in most cases)

    $ sudo nano /etc/apache2/mods-available/ssl.conf
    $ sudo nano /etc/apache2/sites-available/000-default.conf


    Open the ssl.conf file in a text editor
  3. Open the 000-default.conf file in a text editoropen the 000-default.conf file in a text editor
  4. Disable TLS 1.0 and TLS 1.1 on Apache ServerTo do this, locate the ‘SSLProtocol‘ directive in the below two configuration files and set the protocol to TLSV1.3 version as shown in the previous step, and save the file. That’s it.

    /etc/apache2/mods-available/ssl.conf
    /etc/apache2/sites-available/000-default.conf

    Upon configuring the SSLProtocol directive to TLSv1.3 in /etc/apache2/mods-available/ssl.conf and /etc/apache2/sites-available/000-default.conf files. This configuration force the server to negotiate the TLS protocol from the higher to the lower version. (The TLS version would negotiate with the client depending on the client’s configuration. As a result, you may see TLSv1.2 in most cases)
  5. Restart the Apache serverRestart the Nginx service using this domain.

    $ sudo systemctl restart apache2


    Restart the Apache server

Leave a Reply

Your email address will not be published. Required fields are marked *