~~REDIRECT>litespeed_wiki:cpanel:tls13~~

====== How to Disable TLS 1.0 While Enabling TLS 1.1 and TLS 1.2 ======

SSL 3.0 is considered insecure because it is vulnerable to the POODLE attack, which affects all block ciphers in SSL. TLS 1.0 includes a means by which a TLS implementation could downgrade the connection to SSL 3.0, thus weakening security.

To disable TLS 1.0 while enabling TLS 1.1 and TLS 1.2 in a cPanel environment, place the following in the /usr/local/apache/conf/includes/pre_main_global.conf file:

  SSLHonorCipherOrder On
  SSLProtocol -All +TLSv1.1 +TLSv1.2

The test shows a handshake error for TLS 1.0, which means TLS 1.0 has been successfully disabled on port 443, while TLS 1.1 and TLS 1.2 were enabled successfully:

  openssl s_client -connect example.com:443 -tls1
  openssl s_client -connect example.com:443 -tls1_1
  openssl s_client -connect example.com:443 -tls1_2

Example output:

  #openssl s_client -connect 127.0.0.1:443 -tls1
  ...
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : 0000
  ...

This means TLS 1.0 is not supported.

  #openssl s_client -connect 127.0.0.1:443 -tls1_1
  ...
  SSL-Session:
      Protocol  : TLSv1.1
      Cipher    : ECDHE-RSA-RC4-SHA
  ...

This means TLS 1.1 is supported.

If you run further tests on other ports, TLS 1.0 may still appear to work on them:

  openssl s_client -connect example.com:465 -tls1
  openssl s_client -connect example.com:993 -tls1
  openssl s_client -connect example.com:995 -tls1
  openssl s_client -connect example.com:2078 -tls1
  openssl s_client -connect example.com:2083 -tls1
  openssl s_client -connect example.com:2087 -tls1
  openssl s_client -connect example.com:2096 -tls1

Those ports are owned by different processes and are not managed by the web server. You will have to configure the corresponding service to disable TLS 1.0 on each of those ports.
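The manual checks above can be scripted. The following is an added example, not part of the original wiki page: it reads the ''Cipher'' line of the ''SSL-Session'' block exactly as the example output is read by eye (''0000'' means no cipher was negotiated) and compares the result with the ''SSLProtocol -All +TLSv1.1 +TLSv1.2'' policy. The function names ''classify_handshake'', ''policy_verdict'' and ''scan_host'' are hypothetical, and the two sample outputs are constructed from the example output shown on this page.

```shell
#!/bin/sh
# Added example: verify the TLS policy from `openssl s_client` output.

# classify_handshake: s_client output on stdin -> "refused" or "accepted <cipher>".
# Only the Cipher line inside the SSL-Session block is considered.
classify_handshake() {
    cipher=$(awk '
        /SSL-Session:/ { in_sess = 1 }
        in_sess && /^[ \t]*Cipher[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")   # drop the "Cipher :" label
            gsub(/[ \t\r]+$/, "")      # drop trailing whitespace / CR
            print; exit
        }')
    case "$cipher" in
        ""|0000|"(NONE)") echo "refused" ;;   # no cipher negotiated
        *)                echo "accepted $cipher" ;;
    esac
}

# policy_verdict FLAG RESULT: PASS if RESULT matches the policy
# "SSLProtocol -All +TLSv1.1 +TLSv1.2" (TLS 1.0 off, TLS 1.1/1.2 on).
policy_verdict() {
    case "$1:$2" in
        tls1:refused|tls1_1:accepted*|tls1_2:accepted*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# scan_host HOST [PORT...]: run the three checks per port (default 443).
scan_host() {
    host=$1; shift
    [ "$#" -gt 0 ] || set -- 443
    for port in "$@"; do
        for flag in tls1 tls1_1 tls1_2; do
            result=$(openssl s_client -connect "$host:$port" "-$flag" \
                     </dev/null 2>/dev/null | classify_handshake)
            echo "$host:$port -$flag: $result [$(policy_verdict "$flag" "$result")]"
        done
    done
}

# Constructed samples, modelled on the example output above.
SAMPLE_TLS10='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_TLS11='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA'

# Only touch the network when a host is given, e.g.: sh check.sh example.com 443 465
if [ "$#" -ge 1 ]; then scan_host "$@"; fi
```

A "refused" result only reflects the server if the local OpenSSL build still permits that protocol version itself; newer builds may reject TLS 1.0 and TLS 1.1 on the client side before the server is asked.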