litespeed:wiki:disable_tls1 [2015/04/30 15:37] Serge Espitia
====== How to disable TLS 1.0 while enabling TLS 1.1 and TLS 1.2 ======
SSL 3.0 is considered insecure because it is vulnerable to the POODLE attack, which affects all block ciphers in SSL. TLS 1.0 includes a mechanism by which a TLS implementation can downgrade the connection to SSL 3.0, which weakens security.

To disable TLS 1.0 while keeping TLS 1.1 and TLS 1.2 enabled in a cPanel environment, place the following in the /usr/local/apache/conf/includes/pre_main_global.conf file:

<code>
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1.1 +TLSv1.2
</code>

The test below shows a handshake error for TLS 1.0, which means TLS 1.0 has been successfully disabled on port 443, while TLS 1.1 and TLS 1.2 connections still succeed.

<code>
openssl s_client -connect example.com:443 -tls1
openssl s_client -connect example.com:443 -tls1_1
openssl s_client -connect example.com:443 -tls1_2
</code>
Example output:
<code>
#openssl s_client -connect 127.0.0.1:443 -tls1
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
...
this means TLS 1.0 is not supported
#openssl s_client -connect 127.0.0.1:443 -tls1_1
...
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
...
this means TLS 1.1 is supported
</code>
If you run the same test against other ports, you may find that TLS 1.0 still connects fine on them:

<code>
openssl s_client -connect example.com:465 -tls1
openssl s_client -connect example.com:993 -tls1
openssl s_client -connect example.com:995 -tls1
openssl s_client -connect example.com:2078 -tls1
openssl s_client -connect example.com:2083 -tls1
openssl s_client -connect example.com:2087 -tls1
openssl s_client -connect example.com:2096 -tls1
</code>

This is because those ports are owned by different processes (mail and cPanel services) and are not managed by the web server, so the SSLProtocol setting above does not apply to them. You will have to configure each corresponding service separately to disable TLS 1.0 on those ports.
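The manual checks above are easy to get wrong when repeated across eight ports and three protocol versions, so here is an added example (not from the wiki page) that automates them: it runs the same openssl s_client probes and classifies each result by the same rule the example output illustrates, a refused version leaving "Cipher : 0000" or no SSL-Session block at all, an accepted one naming a real cipher. It assumes an openssl binary on PATH, reads the host from an environment variable TLS_AUDIT_HOST (a name chosen here for the example), and ships with constructed s_client excerpts so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: probe a host for TLS 1.0/1.1/1.2 on the HTTPS and cPanel
# service ports listed on the page and classify each openssl s_client result.
# Assumes openssl on PATH; host comes from TLS_AUDIT_HOST (hypothetical name).

# Classify captured s_client output. A refused protocol version leaves the
# SSL-Session block with "Cipher : 0000" (or, with newer OpenSSL, prints only
# an alert and no SSL-Session block); an accepted version names a real cipher.
classify_tls_output() {
    printf '%s\n' "$1" | awk '
        /Cipher *:/ { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000") print "not supported"
            else print "supported"
        }'
}

# One probe: host, port and protocol flag (tls1, tls1_1, tls1_2).
# -servername sends SNI so name-based virtual hosts answer correctly;
# stdin is closed so s_client exits right after the handshake.
probe_tls() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$flag" </dev/null 2>&1)
    classify_tls_output "$out"
}

# Walk port 443 and the cPanel service ports from the page. Once every
# service has been reconfigured, tls1 should read "not supported" on all of them.
audit_host() {
    host=$1
    for port in 443 465 993 995 2078 2083 2087 2096; do
        for flag in tls1 tls1_1 tls1_2; do
            printf '%s:%s %-7s %s\n' "$host" "$port" "$flag" "$(probe_tls "$host" "$port" "$flag")"
        done
    done
}

# Constructed s_client excerpts (not real captures), mirroring the page's
# example output, so the classifier can be checked without a live server.
SAMPLE_TLS1_REFUSED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_TLS11_ACCEPTED='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA'
SAMPLE_ALERT_ONLY='CONNECTED(00000003)
... tlsv1 alert protocol version ...
no peer certificate available'

demo_classify() {
    printf 'tls1 refused    -> %s\n' "$(classify_tls_output "$SAMPLE_TLS1_REFUSED")"
    printf 'tls1_1 accepted -> %s\n' "$(classify_tls_output "$SAMPLE_TLS11_ACCEPTED")"
    printf 'alert only      -> %s\n' "$(classify_tls_output "$SAMPLE_ALERT_ONLY")"
}

# With TLS_AUDIT_HOST set, audit that host; otherwise run the offline demo.
if [ -n "${TLS_AUDIT_HOST:-}" ]; then
    audit_host "$TLS_AUDIT_HOST"
else
    demo_classify
fi
```

Run it as `TLS_AUDIT_HOST=example.com sh tls_audit.sh` after changing a service's configuration, and re-run until every port reports TLS 1.0 as not supported. Note that the cipher in the page's TLS 1.1 example, ECDHE-RSA-RC4-SHA, uses RC4, so in practice the protocol restriction is paired with an SSLCipherSuite directive that excludes RC4 as well.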