How to disable TLS 1.0 while enabling TLS 1.1 and TLS 1.2

SSL 3.0 is considered insecure because it is vulnerable to the POODLE attack, which affects all block ciphers in SSL. TLS 1.0 also includes a mechanism by which a TLS implementation can downgrade the connection to SSL 3.0, which weakens security.

To disable TLS 1.0 while keeping TLS 1.1 and TLS 1.2 enabled in a cPanel environment, place the following in the /usr/local/apache/conf/includes/pre_main_global.conf file:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1.1 +TLSv1.2

The following tests show a handshake error for TLS 1.0, which means TLS 1.0 has been successfully disabled on port 443, while TLS 1.1 and TLS 1.2 still connect successfully:

openssl s_client -connect example.com:443 -tls1
openssl s_client -connect example.com:443 -tls1_1
openssl s_client -connect example.com:443 -tls1_2

Example output:

#openssl s_client -connect 127.0.0.1:443 -tls1
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
...
This means TLS 1.0 is not supported.
#openssl s_client -connect 127.0.0.1:443 -tls1_1
...
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
...
This means TLS 1.1 is supported.

If you run further tests on other ports, TLS 1.0 may still appear to work on them:

openssl s_client -connect example.com:465 -tls1
openssl s_client -connect example.com:993 -tls1
openssl s_client -connect example.com:995 -tls1
openssl s_client -connect example.com:2078 -tls1
openssl s_client -connect example.com:2083 -tls1
openssl s_client -connect example.com:2087 -tls1
openssl s_client -connect example.com:2096 -tls1

This is because those ports are owned by different processes and are not managed by the web server; you will have to configure each corresponding service separately to disable TLS 1.0 on those ports.
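The checks above can be scripted so that every port is probed with every protocol version and the result is read off the "Cipher" line of the s_client transcript, as the wiki does by hand. The script below is an added example and is not part of the LiteSpeed wiki or of cPanel; it assumes openssl(1) is installed, and the two sample transcripts embedded in it are constructed to mirror the wiki's example output. The function names (tls_status_from_output, tls_probe, tls_audit) are this example's own.

```shell
#!/bin/sh
# Added example (not from the LiteSpeed wiki): classify an openssl s_client
# transcript as "supported" or "unsupported" for the protocol that was forced,
# then audit a list of ports for TLS 1.0 / 1.1 / 1.2.
# Assumes openssl(1) is on PATH for the live probe.

# Decide from an s_client transcript whether the forced protocol was accepted.
# OpenSSL prints "Cipher : 0000" (older builds) or "Cipher : (NONE)" (newer
# builds) when the handshake failed, and a real cipher-suite name on success.
tls_status_from_output() {
    cipher=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' \
        | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo "unsupported" ;;
        *)                echo "supported" ;;
    esac
}

# Live probe: connect to host:port with one protocol version forced.
# Usage: tls_probe example.com 443 -tls1
tls_probe() {
    host=$1; port=$2; flag=$3
    # printf '' closes stdin so s_client returns right after the handshake.
    out=$(printf '' | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null)
    tls_status_from_output "$out"
}

# Probe every listed port with every version. "supported" under -tls1 on a
# port other than 443 means that service, not Apache, still needs its own
# TLS configuration, as the wiki notes.
tls_audit() {
    host=$1; shift
    for port in "$@"; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            printf '%s:%s %-8s %s\n' "$host" "$port" "$flag" \
                "$(tls_probe "$host" "$port" "$flag")"
        done
    done
}

# Constructed sample transcripts (abridged), mirroring the wiki's example.
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA'

# Uncomment to run against a real host (the cPanel ports the wiki lists):
# tls_audit example.com 443 465 993 995 2078 2083 2087 2096
```

One caveat when reading the results: recent OpenSSL releases refuse to negotiate TLS 1.0 and 1.1 on the client side at their default security level, so an "unsupported" verdict for -tls1 may reflect the client rather than the server. Run the audit from a host whose openssl still allows those versions, or lower the client security level explicitly, before concluding that a service has been hardened.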

litespeed_wiki/config/disable-tls1.txt · Last modified: 2015/07/24 15:13 by Michael Alegre