How to enable only TLS 1.2 & disable previous versions?


#1

Hello Team,

Due to security vulnerabilities, we need to enable only TLS 1.2 and disable the TLS 1.0 and 1.1 versions.

Could you please help me understand how to check:

  1. Which protocols are currently enabled?
  2. How can we enable only TLS 1.2?

Let me know if my question is not clear. I can elaborate.


#2

@Motu

You can disable whatever protocols you want by configuring ssl.conf, httpd.conf or the virtual host.

Have a look at the steps below to disable the SSLv2 and SSLv3 protocols.

#vim /etc/httpd/conf.d/ssl.conf

 SSLProtocol all -SSLv2 -SSLv3
 # (allows all protocols except SSLv2 and SSLv3)

Disabling them by configuring httpd.conf:

#vim /etc/httpd/conf/httpd.conf

 <VirtualHost *:443>
 # (opening VirtualHost tag reconstructed; the address:port is assumed)
       ServerName labs.example.com
       DocumentRoot /var/www/xxxx
       SSLEngine on
       SSLCertificateFile /etc/httpd/ssl/xxxx.crt
       SSLCertificateKeyFile /etc/httpd/ssl/xxxx.key
       SSLCertificateChainFile /etc/httpd/ssl/xxxx.crt
       SSLProtocol All -SSLv2 -SSLv3
       <Directory /var/www/xxxx>
       # (Directory tags reconstructed around the two options below)
           Options FollowSymLinks
           AllowOverride None
       </Directory>
 </VirtualHost>

After making these changes, restart the httpd service. You can check the disabled protocols with the command below.

 openssl s_client -connect labs.example.com:443 -ssl3

which should produce something like

CONNECTED(00000003)
140214333110088:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
140214333110088:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

You can see the handshake failure in the output above, which means SSLv3 is disabled on that particular host.
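As an added example (not part of the reply above), the script below automates that check for every protocol version: it runs one `openssl s_client` handshake per version, classifies the transcript as enabled or disabled, and lists the active `SSLProtocol` directives under a configuration tree, which answers the first question about what is currently configured. One caveat worth stating plainly: `SSLProtocol all -SSLv2 -SSLv3` removes only SSLv2 and SSLv3, so TLS 1.0 and 1.1 stay enabled. To allow TLS 1.2 alone, as the question asks, use `SSLProtocol -all +TLSv1.2` (add `+TLSv1.3` where the httpd and OpenSSL builds support it). The host name and the /etc/httpd path below are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: probe which SSL/TLS versions a server
# accepts, and list the active SSLProtocol directives in an httpd config tree.
# Assumes an OpenSSL whose s_client accepts -tls1/-tls1_1/-tls1_2 (and, where
# that build supports them, -ssl3 and -tls1_3). Host names are placeholders.

# classify_probe: read an `openssl s_client` transcript on stdin and print
#   disabled  - the server refused this version with a TLS alert
#   enabled   - a session was negotiated with this version
#   unknown   - no verdict (client lacks the version, connection problem, ...)
# The alert patterns are tested first because a failed handshake still prints
# "New, (NONE), Cipher is (NONE)", which must not be read as success.
classify_probe() {
    transcript=$(cat)
    case "$transcript" in
        *"alert handshake failure"*|*"alert protocol version"*)
            echo disabled ;;
        *"Cipher is (NONE)"*|*"no protocols available"*|*"nknown option"*|*"connect:errno"*|*"Connection refused"*)
            echo unknown ;;
        *"New, "*", Cipher is "*)
            echo enabled ;;
        *)  echo unknown ;;
    esac
}

# probe_protocol HOST PORT FLAG: one handshake with the version selected by FLAG.
# </dev/null makes s_client exit once the handshake is done; -servername sends
# SNI so a name-based virtual host answers with its own certificate.
probe_protocol() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1 | classify_probe
}

# scan_host HOST [PORT]: one line per version, e.g. "-tls1_1  disabled".
scan_host() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_protocol "$1" "${2:-443}" "$flag")"
    done
}

# list_ssl_protocol_directives CONFDIR: every uncommented SSLProtocol line under
# the httpd configuration tree (e.g. /etc/httpd or /etc/apache2), with file
# name and line number, so you can see what is configured before probing.
list_ssl_protocol_directives() {
    grep -rIn '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null || true
}

# Usage: sh tls-probe.sh labs.example.com [443]
if [ $# -gt 0 ]; then
    list_ssl_protocol_directives /etc/httpd
    scan_host "$@"
fi
```

After restricting the server to TLS 1.2, the expected scan shows `-tls1_2  enabled` and `disabled` for `-tls1` and `-tls1_1`; an `unknown` for `-ssl3` or `-tls1_3` usually means the local OpenSSL build does not have that version at all, not that the server accepted it. Run `apachectl configtest` (or `httpd -t`) before restarting so a typo in the directive does not take the site down.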


#3

Hey Raghu,

Thanks for the information. But on my server I don't see the ssl.conf and httpd.conf files; under /etc I don't see an httpd folder either.

Can you please suggest what can I do now?

Can I create one? If I create it, will there be any impact on other applications running on this server?


#4

What did you configure your web host on? Is it Apache Tomcat or something else?

If it is Apache Tomcat, then you have to go to your Tomcat installation directory and configure conf/server.xml.
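As an added example (not from the reply above), this is what the TLS 1.2-only setting looks like in Tomcat's conf/server.xml. The HTTPS connector for Tomcat 8.5 and 9 carries the protocol list on `SSLHostConfig`; the older Tomcat 7 / 8.0 connector used the `sslEnabledProtocols` attribute instead, shown in the comment. Port, keystore path and password are placeholders.

```xml
<!-- Added example, not from the thread: Tomcat 8.5/9 HTTPS connector that
     negotiates TLS 1.2 only. Port, keystore file and password are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
    <!-- protocols lists the versions the server will accept; anything not
         named here (SSLv3, TLSv1, TLSv1.1) is refused during the handshake -->
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Tomcat 7 / 8.0 equivalent, as attributes on the Connector itself:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
-->
```

After restarting Tomcat, the same `openssl s_client -connect host:8443 -tls1` and `-tls1_1` probes from the earlier reply should end in a handshake failure or protocol version alert, while `-tls1_2` should complete. Check `logs/catalina.out` on startup: an unsupported protocol name in `protocols` is reported there and the connector fails to start.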