How to enable or disable SSL and TLS versions

Introduction

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing communication security over a network; for example a client connecting to a web server. A "handshake" is done at the start of a TLS or SSL connection. During this handshake the client and server will work out what mutual ciphers and hash algorithms are supported. This is also where a server will provide its digital certificate to a connecting client.

TLS is the continuation of SSL. Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. For this reason, you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS protocols 1.2 and 1.3 enabled.

Disabling SSLv2, SSLv3, TLSv1, and TLSv1.1

APACHE
Depending on your configuration, this may need to be changed in multiple locations.

The default Apache configuration file can be found:

On Debian / Ubuntu based systems: /etc/apache2/apache2.conf
On Red Hat / CentOS based systems: /etc/httpd/conf/httpd.conf


If it is configured in a virtual host, the configuration files will generally be:
On Debian / Ubuntu based systems: /etc/apache2/sites-enabled/
On Red Hat / CentOS based systems: /etc/httpd/sites-enabled/

In your configuration file(s), find the entry "SSLProtocol" and modify it to look like:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

This tells Apache to enable all protocols, but disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1. The last step is to restart the Apache service:

service apache2 restart
or
service httpd restart

 

NGINX

NGINX may also be configured in multiple places. The global NGINX configuration file is located in:
/etc/nginx/nginx.conf

It may also be in individual server block configurations in:
/etc/nginx/sites-enabled/

In your configuration file(s), find the entry for "ssl_protocols" and modify it to match the following:
ssl_protocols TLSv1.2;

This tells NGINX to only enable the TLS 1.2 protocol. Restart NGINX to complete the changes:
service nginx restart

 

TOMCAT

The configuration file for Tomcat should be in:
TOMCAT_HOME/conf/server.xml

Tomcat 5 & 6 (Prior to 6.0.38)
Within the server.xml, find the sslProtocols entry and make sure only TLS 1.2 protocol is specified:

sslProtocols = "TLSv1.2"

Tomcat 6 & 7 (6.0.3.8 and newer)
Within the server.xml file, find the sslEnabledProtocols entry and make sure only TLS 1.2 protocol is specified:

sslEnabledProtocols = "TLSv1.2"

Restart the Tomcat service to complete the changes.

Enabling TLS versions

ANDROID

TLS 1.1 and TLS 1.2 are supported within Android starting API level 16+ (Android Jelly Bean):
https://developer.android.com/reference/javax/net/ssl/SSLSocket?hl=zh-cn

APPLE

Enabling TLS or SSL in Apple: https://developer.apple.com/library/content/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html

References

1. TLS Protocol Compatibility
2. It's time to Disable TLS 1.0 (and All SSL Versions) If You Haven't Already

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.