Disabling Let's Encrypt TLSv1.0 & TLSv1.1 on Nginx & Apache
Following some maintenance work, which included moving some web sites around between various hosts, I visited https://www.ssllabs.com/ to sanity check a few things. I was surprised to find that all my sites were rated B because they still supported TLSv1.0 and TLSv1.1.
TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer); both are cryptographic protocols used to authenticate and encrypt data on the Internet.
I'm no professional web guy, but knowing that SSLv1, SSLv2 and SSLv3, along with TLSv1.0 and TLSv1.1, all had various vulnerabilities, I took care to disable them on each of the virtual hosts as I moved them. So I was surprised that they appeared in the SSL Labs report. A short while later, after a bit of looking through the Apache and Nginx config files, I found the culprit was the included Let's Encrypt config file.
In order to get an A rating on the https://www.ssllabs.com/ checker I needed to disable them. Fortunately this was simple enough once I knew where to look: amend the appropriate file, then restart the appropriate service.
For Apache2:
root@Apache2-Host: vi /etc/letsencrypt/options-ssl-apache.conf
Edit the file, find the relevant line, comment it out, and make the changes below:
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -ALL +TLSv1.2
Followed by a simple restart:
root@Apache2-Host: systemctl restart apache2
For Nginx:
root@NginX-Host: vi /etc/letsencrypt/options-ssl-nginx.conf
Similar to Apache2, find the relevant line, comment it out, and make the changes below:
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
Then just restart the Nginx server:
root@NginX-Host: systemctl restart nginx
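Before restarting, it is worth confirming what the directive you just wrote actually enables. The script below is an added example (mine, not from this post, Let's Encrypt, Apache or nginx) that applies mod_ssl's +/-/all arithmetic and nginx's plain-list rule to a config snippet and flags any legacy versions left on; the set of versions that Apache's "all" expands to is an assumption for an OpenSSL 1.1.1+ build.

```python
"""Audit the effective TLS protocol set behind an Apache 'SSLProtocol' or
nginx 'ssl_protocols' directive and flag legacy versions (added example)."""
import re

# What Apache's 'all' expands to (assumption: OpenSSL 1.1.1+ build with SSLv3
# still compiled in; trim the tuple to match your own build).
APACHE_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Apache keywords are case-insensitive ('-ALL' works), so normalise names.
CANON = {p.lower(): p for p in APACHE_ALL + ("SSLv2",)}

def _canon(name):
    if name.lower() not in CANON:
        raise ValueError("unknown protocol keyword: " + name)
    return CANON[name.lower()]

def apache_protocols(value):
    """mod_ssl rules: '+X' adds, '-X' removes, 'all' is every version, and a
    bare keyword REPLACES the set built so far (mod_ssl logs a warning when
    that discards earlier tokens, e.g. 'TLSv1.2 TLSv1.3' -> only TLSv1.3)."""
    enabled = set()
    for tok in value.split():
        op = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        targets = set(APACHE_ALL) if name.lower() == "all" else {_canon(name)}
        if op == "-":
            enabled -= targets
        elif op == "+":
            enabled |= targets
        else:
            enabled = targets
    return enabled

def nginx_protocols(value):
    """nginx 'ssl_protocols' is a plain list: exactly what is named is enabled."""
    return {_canon(tok) for tok in value.rstrip(";").split()}

DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.*?)\s*;?\s*$", re.I)

def audit(config_text):
    """Return (effective, legacy) for the last active directive in config_text;
    commented-out lines are skipped, so the post's '#SSLProtocol ...' is inert."""
    last = None
    for line in config_text.splitlines():
        if not line.lstrip().startswith("#"):
            last = DIRECTIVE.match(line) or last
    if last is None:
        raise ValueError("no active SSLProtocol / ssl_protocols directive")
    name, value = last.groups()
    is_apache = name.lower() == "sslprotocol"
    enabled = apache_protocols(value) if is_apache else nginx_protocols(value)
    return enabled, enabled & LEGACY
```

Running `audit("SSLProtocol all -SSLv2 -SSLv3")` shows why the shipped line scores a B: TLSv1 and TLSv1.1 are still in the effective set, whereas the edited `-ALL +TLSv1.2` line leaves nothing legacy on.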
Heading back to https://www.ssllabs.com/ and re-running the check gave me the positive result I was after.
I did find it slightly ironic that it was a Let's Encrypt config file that had these legacy protocols enabled. I am full of admiration for https://letsencrypt.org; I think they have done a world of good in increasing the security of the Internet.