litespeed_wiki:config:disable-tls1 [2015/07/24 15:13] (current)
Michael Alegre created
====== How to disable TLS 1.0 while keeping TLS 1.1 and TLS 1.2 enabled ======
SSL 3.0 is considered insecure because it is vulnerable to the POODLE attack (CVE-2014-3566), which affects every CBC-mode block cipher in SSL 3.0. TLS 1.0 also includes a means by which an implementation can downgrade a connection to SSL 3.0, which weakens security. Note that RFC 8996 has since deprecated TLS 1.1 as well as TLS 1.0; where your clients allow it, leave only TLS 1.2 (and TLS 1.3, if your server version supports it) enabled.

To disable TLS 1.0 while keeping TLS 1.1 and TLS 1.2 enabled in a cPanel environment, place the following in the /usr/local/apache/conf/includes/pre_main_global.conf file and restart the web server so that the new configuration is loaded:

<code>
# Use the server's cipher preference order rather than the client's
SSLHonorCipherOrder On
# Remove every protocol version, then add back only TLS 1.1 and TLS 1.2
# (SSLv3 and TLS 1.0 stay disabled)
SSLProtocol -All +TLSv1.1 +TLSv1.2
</code>

Testing with openssl s_client then shows a handshake error for TLS 1.0, which means TLS 1.0 has been disabled on port 443, while TLS 1.1 and TLS 1.2 still negotiate successfully:

<code>
openssl s_client -connect example.com:443 -tls1     # expected to fail
openssl s_client -connect example.com:443 -tls1_1   # expected to succeed
openssl s_client -connect example.com:443 -tls1_2   # expected to succeed
</code>
Example output (a Cipher of 0000 means no cipher was negotiated, i.e. the handshake failed):
<code>
#openssl s_client -connect 127.0.0.1:443 -tls1
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
...
this means TLS 1.0 is not supported
#openssl s_client -connect 127.0.0.1:443 -tls1_1
...
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
...
this means TLS 1.1 is supported
</code>
Note that the cipher negotiated in this example, ECDHE-RSA-RC4-SHA, uses RC4, which RFC 7465 prohibits for TLS. Tightening the protocol list is not enough on its own; review the SSLCipherSuite setting as well so that RC4 (and 3DES) suites are no longer offered.
If you run the same test against the other TLS-enabled ports on the server, you will find that TLS 1.0 is still accepted there:

<code>
openssl s_client -connect example.com:465 -tls1    # SMTP over TLS (mail server)
openssl s_client -connect example.com:993 -tls1    # IMAPS (mail server)
openssl s_client -connect example.com:995 -tls1    # POP3S (mail server)
openssl s_client -connect example.com:2078 -tls1   # cPanel Web Disk over SSL
openssl s_client -connect example.com:2083 -tls1   # cPanel over SSL
openssl s_client -connect example.com:2087 -tls1   # WHM over SSL
openssl s_client -connect example.com:2096 -tls1   # cPanel Webmail over SSL
</code>

Those ports belong to other processes (the mail services and the cPanel/WHM daemons), not to the web server, so the SSLProtocol setting above has no effect on them. Each of those services has to be configured separately to disable TLS 1.0 on its own ports.
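The manual openssl checks above can be automated. The following Python script is an added example written for this page; it is not LiteSpeed's or cPanel's code and does not ship with either product. It does what openssl s_client -tls1 / -tls1_1 / -tls1_2 does underneath: it sends a ClientHello that offers exactly one protocol version and classifies the first record that comes back (a ServerHello means the version is accepted; a fatal alert or a closed connection means it is refused), then repeats that for every port listed above. The target host example.com, the port list and the cipher-suite offer list are assumptions for illustration, and the ServerHello and alert records used to exercise the parser are constructed rather than captured from a real server.

```python
"""Per-version TLS probe: what openssl s_client -tls1/-tls1_1/-tls1_2 does underneath.

Added example for this page, not LiteSpeed's or cPanel's code. The target host,
the port list and the cipher-suite offer list are illustrative assumptions.
"""
import os
import socket
import struct
import sys

# Handshake protocol versions. TLS 1.3 is negotiated through the supported_versions
# extension, which this probe does not send, so it reports TLS 1.2 at most.
VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# Assumed offer list (OpenSSL names). Weak suites are included on purpose so that a
# server which prefers RC4 or 3DES shows up in the report instead of being hidden.
CIPHER_SUITES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA",
    0xC011: "ECDHE-RSA-RC4-SHA",
    0x0005: "RC4-SHA",
}

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

# Implicit-TLS ports from the page: HTTPS, SMTPS, IMAPS, POP3S, cPanel/WHM/webmail SSL.
DEFAULT_PORTS = (443, 465, 993, 995, 2078, 2083, 2087, 2096)


def build_client_hello(version_name, server_name):
    """Return one TLS record carrying a ClientHello that offers exactly one version."""
    host = server_name.encode("ascii")
    # server_name extension (RFC 6066, type 0): list length, name type 0, name length, name
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0, len(sni)) + sni
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", VERSIONS[version_name])  # client_version: the only version offered
        + os.urandom(32)                           # client random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    # The record-layer version stays 0x0301 for compatibility; the offer is in the body.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to a single-version ClientHello.

    Returns (verdict, version, detail):
      ("supported", "TLS1.1", "<cipher>")        a ServerHello arrived
      ("rejected", None, "<reason>")             an alert, or the peer simply closed
      ("unknown", None, "<first bytes as hex>")  anything else
    """
    if not data:
        return ("rejected", None, "connection closed without a response")
    if len(data) < 5:
        return ("unknown", None, data.hex())
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == 0x15 and len(payload) >= 2:  # alert record: level, description
        level = "fatal" if payload[0] == 2 else "warning"
        desc = ALERT_DESCRIPTIONS.get(payload[1], "alert %d" % payload[1])
        return ("rejected", None, "%s alert: %s" % (level, desc))
    if content_type == 0x16 and len(payload) >= 39 and payload[0] == 0x02:  # ServerHello
        server_version = struct.unpack("!H", payload[4:6])[0]
        sid_len = payload[38]  # after the 4-byte handshake header, version and 32-byte random
        if len(payload) < 41 + sid_len:
            return ("unknown", None, "truncated ServerHello")
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return ("supported", VERSION_NAMES.get(server_version, "0x%04x" % server_version),
                CIPHER_SUITES.get(suite, "0x%04x" % suite))
    return ("unknown", None, data[:5].hex())


def probe(host, port, version_name, timeout=5.0):
    """Connect, send the single-version ClientHello and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version_name, host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical host
    for port in DEFAULT_PORTS:
        for name in VERSIONS:
            try:
                verdict, version, detail = probe(target, port, name)
            except OSError as exc:
                verdict, version, detail = "error", None, str(exc)
            print(port, name, verdict, version or "", detail)
```

Run it as python3 tlsprobe.py your.host after the configuration change; every port should report "rejected" for TLS1.0 once the corresponding service has been fixed, not just port 443. The probe only covers implicit-TLS ports: ports that use STARTTLS (SMTP submission on 587, for example) need the STARTTLS exchange before the ClientHello, and the offer list deliberately omits the supported_versions extension, so a server that supports TLS 1.3 will still be reported as TLS 1.2 at most.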
  