Introduction
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide communication security over a network, for example between a browser and a web server. A "handshake" is performed at the start of every TLS or SSL connection. During this handshake the client and server negotiate the protocol version and the cipher suite (key exchange, encryption and hash algorithms) that both sides support. This is also where the server presents its digital certificate to the connecting client.
TLS is the successor to SSL. Over the years vulnerabilities have been, and continue to be, discovered in the older protocol versions, and SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all deprecated. For this reason you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS 1.2 and TLS 1.3 enabled. Note that a client only gets the protection of the new setting once the handshake can no longer fall back to the old versions, so the check after each change below is to confirm that a connection attempt with a disabled version is refused.
Disabling SSLv2, SSLv3, TLSv1, and TLSv1.1
Depending on your configuration, SSLProtocol may need to be changed in more than one place: a directive inside a <VirtualHost> block overrides the server-wide one, so check every virtual host that has SSLEngine on.
The default Apache configuration file can be found:
On Debian / Ubuntu based systems: /etc/apache2/apache2.conf (the mod_ssl defaults, including SSLProtocol, live in /etc/apache2/mods-enabled/ssl.conf)
On Red Hat / CentOS based systems: /etc/httpd/conf/httpd.conf (the mod_ssl defaults live in /etc/httpd/conf.d/ssl.conf)
If it is configured in a virtual host, the configuration files will generally be:
On Debian / Ubuntu based systems: /etc/apache2/sites-enabled/
On Red Hat / CentOS based systems: /etc/httpd/conf.d/
In your configuration file(s), find the entry "SSLProtocol" and modify it to look like:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
This tells Apache to start from every protocol version its OpenSSL build supports ("all", which in Apache 2.4 never includes SSLv2) and then remove SSLv2, SSLv3, TLS 1.0 and TLS 1.1, leaving TLS 1.2 and, on builds against OpenSSL 1.1.1 or newer, TLS 1.3. The last step is to check the syntax with apachectl configtest and then restart the Apache service:
service apache2 restart   (Debian / Ubuntu)
service httpd restart     (Red Hat / CentOS)
NGINX
NGINX may also be configured in multiple places. The global NGINX configuration file is located in:
It may also be in individual server block configurations in:
In your configuration file(s), find the entry for "ssl_protocols" and modify it to match the following (a setting inside a server block overrides the one in the http block, so check each server block that has ssl enabled):
This tells NGINX to enable only the TLS 1.2 protocol; add TLSv1.3 to the list if your NGINX and OpenSSL builds support it. Check the configuration with nginx -t, then restart NGINX to complete the changes:
service nginx restart
TOMCAT
The configuration file for Tomcat should be in:
Tomcat 5 & 6 (prior to 6.0.38)
Within server.xml, find the sslProtocols attribute on the HTTPS <Connector> and make sure only the TLS 1.2 protocol is specified:
sslProtocols="TLSv1.2"
Tomcat 6 & 7 (6.0.38 and newer)
Within server.xml, find the sslEnabledProtocols attribute on the HTTPS <Connector> and make sure only the TLS 1.2 protocol is specified:
sslEnabledProtocols="TLSv1.2"
TLS 1.3 can be added to this list once Tomcat runs on a Java version that supports it (Java 11 or later). Tomcat 8.5 and later configure the enabled versions with the protocols attribute of the <SSLHostConfig> element instead, although sslEnabledProtocols on the <Connector> is still accepted for backwards compatibility. Restart the Tomcat service to complete the changes.
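The three directives above express the same policy in three syntaxes, and the Apache one is easy to misread because "all" is expanded first and then narrowed by the "-" tokens. The following script is an added example, not code from the original article or from any of the three projects: it evaluates an SSLProtocol, ssl_protocols or sslEnabledProtocols value into the set of versions it actually leaves enabled and reports the deprecated ones, so a configuration can be audited before the service is restarted. It assumes Apache 2.4 mod_ssl on OpenSSL 1.1.1 or newer (so "all" expands to SSLv3 through TLSv1.3 and never SSLv2), that the NGINX and Tomcat values are explicit lists with no "all" alias, and it does not model virtual-host or server-block scoping: it simply takes the last matching directive in the text it is given. The configuration snippets are constructed for the example.

```python
"""Audit SSL/TLS protocol directives for Apache, NGINX and Tomcat.

Added example, not part of the original article. Evaluates what a protocol
directive really leaves enabled and flags the deprecated versions.
Assumptions: Apache 2.4 mod_ssl on OpenSSL 1.1.1+ ("all" = SSLv3..TLSv1.3,
never SSLv2); NGINX/Tomcat values are explicit lists; no scope handling.
"""
import re

# What an Apache 2.4 "all" expands to (assumption: OpenSSL 1.1.1+ with SSLv3
# compiled in, the conservative reading for an audit).
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def apache_effective(value):
    """Evaluate an SSLProtocol value such as 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'.

    Tokens are applied left to right: 'all' and '+X' add, '-X' removes, and a
    bare name 'X' adds (mod_ssl treats it like '+X').
    """
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else [name]
        if op == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled

def listed_effective(value):
    """NGINX ssl_protocols and Tomcat sslEnabledProtocols name the versions
    explicitly; split on whitespace or commas (assumption: no 'all' alias)."""
    return set(re.split(r"[\s,]+", value.strip()))

# Regexes that pull the directive value out of a configuration fragment.
DIRECTIVES = {
    "apache": re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.M | re.I),
    "nginx": re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.M),
    "tomcat": re.compile(r'sslEnabledProtocols\s*=\s*"([^"]*)"'),
}

def audit(server, config_text):
    """Return (effective, weak) for the last matching directive in config_text,
    or (None, None) when the directive is absent and the server default applies."""
    matches = DIRECTIVES[server].findall(config_text)
    if not matches:
        return None, None
    value = matches[-1]  # last occurrence wins; scoping is not modelled
    effective = apache_effective(value) if server == "apache" else listed_effective(value)
    return effective, effective & DEPRECATED

# Constructed before/after snippets for each server (not real deployments).
SAMPLES = {
    "apache": ("SSLProtocol all -SSLv2\n",  # common legacy setting
               "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"),
    "nginx": ("ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n",
              "ssl_protocols TLSv1.2 TLSv1.3;\n"),
    "tomcat": ('<Connector port="8443" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />\n',
               '<Connector port="8443" sslEnabledProtocols="TLSv1.2" />\n'),
}

if __name__ == "__main__":
    for server, (before, after) in SAMPLES.items():
        for label, cfg in (("before", before), ("after", after)):
            effective, weak = audit(server, cfg)
            print(f"{server:7} {label:6} enabled={sorted(effective)} weak={sorted(weak)}")
```

Run it against a real file with audit("apache", open("/etc/apache2/mods-enabled/ssl.conf").read()); an empty "weak" set for every file and virtual host is the condition to reach before restarting. Because the script only sees the text it is handed, it must be run over every file that can carry the directive, not just the global one.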
Enabling TLS versions
TLS 1.1 and TLS 1.2 are supported on Android starting at API level 16 (Android Jelly Bean), but they are only enabled by default from API level 20 onwards; on API levels 16 to 19 they have to be enabled explicitly on the SSLSocket: