
Allow only TLS 1.2 in mod_ssl

Question asked by Janus 384 on Oct 4, 2014
Latest reply on Aug 11, 2016 by Rob Moss

For most of my sites, I have SSL 2.0 and 3.0 successfully disabled using: "SSLProtocol all -SSLv2 -SSLv3". I can confirm this using the ssllabs scanner.

For some sites, I know only company-owned systems will connect. I know that per internal policy, only the latest browsers are installed. So I can safely only allow in TLS 1.2, thereby eliminating any possible step-down attacks. When I configure Apache with "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1", it does not work as expected. Both my own testing with older browsers and ssllabs report that TLS 1.0 and 1.1 are still enabled. Any ideas how to configure mod_ssl to only allow TLS 1.2?
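One way to check which protocols each SSLProtocol line in a configuration resolves to, and to list every line that still enables more than TLS 1.2 (an added example, not part of the original question and not mod_ssl's own code). It assumes tokens are applied left to right (`+` adds, `-` removes, a bare name replaces), that `all` expands to the five names listed in `KNOWN`, and it does not model how Apache merges settings between contexts; `effective_protocols`, `audit` and the sample configuration are hypothetical names and constructed data.

```python
import re

# Assumption: protocol names known to the mod_ssl build; "all" expands to every one.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BY_LOWER = {name.lower(): name for name in KNOWN}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        chosen = set(KNOWN) if name == "all" else {BY_LOWER[name]}  # KeyError: unknown token
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def audit(conf_text, allowed=frozenset({"TLSv1.2"})):
    """List (line number, context, extra protocols) for each too-permissive SSLProtocol line."""
    findings, context = [], "server config"
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if (m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)):
            context = m.group(1).strip()
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            context = "server config"
        elif re.match(r"SSLProtocol\s", line, re.I):
            extra = effective_protocols(line.split(None, 1)[1]) - allowed
            if extra:
                findings.append((number, context, sorted(extra)))
    return findings

# Constructed sample configuration, not taken from the question.
SAMPLE = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for number, context, extra in audit(SAMPLE):
        print(f"line {number} [{context}] also enables: {', '.join(extra)}")
```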
