Why Disable TLSv1.0 and TLSv1.1?
An attacker might be able to use the known cryptographic flaws in these protocols to eavesdrop on the connection between clients and the service and gain access to sensitive data transferred within the secured connection. Furthermore, newly uncovered vulnerabilities in these protocols will no longer receive security updates. If you encounter these errors, you may need to disable TLSv1.0 and TLSv1.1.
How Do I Disable TLSv1.0 and TLSv1.1?
It is recommended to disable the deprecated TLSv1.0 and/or TLSv1.1 protocols in favor of TLSv1.2 and later. Please see the references for more information.
To disable the TLSv1.0 and TLSv1.1 protocols on CentOS, you typically need to make a few configuration changes. Here are the general steps:
Step 1. Configure SSL/TLS Libraries
- Edit the OpenSSL configuration file:
Open the OpenSSL configuration file, usually located at /etc/ssl/openssl.cnf or /etc/pki/tls/openssl.cnf, depending on your system version and installation.
- Locate the SSL/TLS configuration section:
Find or add the following section in the configuration file (if it doesn't exist):
[system_default_sect]
MinProtocol = TLSv1.2
Here, MinProtocol specifies the minimum allowed protocol version; setting it to TLSv1.2 allows only TLSv1.2 and above.
- Restart services:
If your applications use the OpenSSL library, restart the relevant services (e.g., Apache or Nginx) to apply the configuration changes.
Step 2. Configure Web Servers
If you configure SSL/TLS protocols through a web server such as Apache or Nginx, follow these steps:
1. Apache
- Edit the Apache configuration file (usually /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/ssl.conf).
- Locate the SSL protocol configuration section:
Ensure your configuration includes the following directive:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Here, -TLSv1 and -TLSv1.1 disable TLSv1.0 and TLSv1.1, respectively.
- Restart the Apache service:
Restart Apache using systemctl restart httpd to apply the configuration changes.
2. Nginx
- Edit the Nginx configuration file (usually /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf).
- Locate the SSL protocol configuration section:
Ensure your SSL configuration includes a directive similar to:
ssl_protocols TLSv1.2;
Here, TLSv1.2 specifies that only TLSv1.2 is allowed (list TLSv1.3 as well if your Nginx and OpenSSL build support it).
- Restart the Nginx service:
Restart Nginx using systemctl restart nginx to apply the configuration changes.
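As an added check (example code written for this page, not from the page's author or from any CentOS package), the following Python evaluates which protocol versions an SSLProtocol, ssl_protocols or MinProtocol line actually leaves enabled, applying Apache's all/+/- expansion, Nginx's plain allow-list and OpenSSL's minimum-version rule, and reports any deprecated version that survives. The sample directive lines are constructed, and the helper assumes a build that supports SSLv3 through TLSv1.3.

```python
import re

# Protocol names as Apache, Nginx and the OpenSSL config file spell them,
# oldest first. SSLv2 is left out: current OpenSSL builds no longer support it.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

def apache_ssl_protocol(args: str) -> set:
    """Expand Apache 'SSLProtocol' arguments: 'all' selects every version,
    a '-' prefix removes, a '+' prefix or bare name adds (httpd's semantics,
    assumed here for a build that supports every version in VERSIONS)."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(VERSIONS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def nginx_ssl_protocols(args: str) -> set:
    """Nginx 'ssl_protocols' is a plain allow-list: enabled == listed."""
    return set(args.rstrip(";").split())

def openssl_min_protocol(value: str) -> set:
    """OpenSSL 'MinProtocol = X' enables X and every newer version."""
    return set(VERSIONS[VERSIONS.index(value.strip()):])

def audit(line: str) -> list:
    """Return the deprecated versions one directive line still enables,
    oldest first; an empty list means the line is acceptable."""
    m = re.match(r"\s*(SSLProtocol|ssl_protocols|MinProtocol)\s*=?\s*(.+)", line)
    if not m:
        raise ValueError(f"not a recognised TLS protocol directive: {line!r}")
    handler = {"SSLProtocol": apache_ssl_protocol,
               "ssl_protocols": nginx_ssl_protocols,
               "MinProtocol": openssl_min_protocol}[m.group(1)]
    return sorted(handler(m.group(2).strip()) & DEPRECATED, key=VERSIONS.index)

if __name__ == "__main__":
    # Constructed sample lines: each weak setting next to its hardened form.
    for sample in ["SSLProtocol all -SSLv3",
                   "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1",
                   "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
                   "ssl_protocols TLSv1.2 TLSv1.3;",
                   "MinProtocol = TLSv1",
                   "MinProtocol = TLSv1.2"]:
        print(f"{sample:42} still enables: {audit(sample) or 'nothing weak'}")
```

Run it over the lines you are about to commit to httpd.conf, nginx.conf or openssl.cnf; a line such as "SSLProtocol all -SSLv3" is reported as still enabling TLSv1 and TLSv1.1, which is exactly the case the -TLSv1 -TLSv1.1 flags above fix.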
Step 3. Verification
After making these configuration changes, verify that TLSv1.0 and TLSv1.1 are disabled:
- Use the openssl s_client command to connect to your server with the -tls1 and -tls1_1 options; both attempts should result in connection failures, while a connection with -tls1_2 should succeed.
Conclusion
By following these steps, you should be able to disable the TLSv1.0 and TLSv1.1 protocols on CentOS.