This is my first experience with Amazon Lightsail, WordPress Multisite, Bitnami and even with Let's Encrypt; now it seems everything just works, except for the SSL directives in my virtual host file.
Because it seems that the major browsers – namely Chrome, Safari/WebKit, Mozilla Firefox and IE/Edge – are going to remove support for TLS 1.0 and TLS 1.1 as soon as the beginning of the new year – precisely between January and March – I would like to know how to disable them for my new WordPress Multisite instance in Lightsail.
After I obtained a Let's Encrypt SSL certificate and successfully deployed it, I tested it and verified that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2. Now it seems that my Apache version 2.4.39 also supports TLS 1.3, and I am trying to enable it as well and disable the two older versions. Reading online, I found that I must edit the httpd.conf file and insert this directive:
SSLProtocol -all +TLSv1.2
So, inside the httpd.conf file I found this block, which seems to be the right place:
# Default SSL Virtual Host configuration.
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"
<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>
# Error Documents
ErrorDocument 503 /503.html
# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
I tried to simply update httpd.conf and httpd-ssl.conf, but nothing happens: TLS 1.3 does not work, and TLS 1.0 and TLS 1.1 are still enabled.
I also read this question:
Disabling TLS 1.0 in Apache 2.4
After my additions, these are my SSL directives in the httpd-ssl.conf file:
# SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3
But nothing changed, and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1. Of course, after every change I restarted Apache.
I was also having this problem and put together the following solution:
Listen 443
#SSLProtocol -SSLv2 -SSLv3
SSLProtocol TLSv1.2
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
Now remove the hashtag from the following lines so they read as:
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
#SSLProtocol all -SSLv3
SSLProtocol -TLSv1.2 -TLSv1.3 -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProxyProtocol -TLSv1.2 -TLSv1.3 -SSLv3
Reboot Apache with: sudo /opt/bitnami/ctlscript.sh restart apache
Check your site at both:
https://www.whynopadlock.com
https://www.ssllabs.com/ssltest
You should now receive an A score, and no TLS 1.0 and TLS 1.1 protocols being supported.
Probably it is not yet possible to enable TLSv1.3. According to this Bitnami community thread:
[ https://community.bitnami.com/t/tlsv1-3-support-for-new-lamp-stack-installers/67672 ]
TLSv1.3 is only supported with Apache version 2.4.36 and OpenSSL 1.1.1...our stacks include OpenSSL 1.0.2 so it's not currently possible to enable that protocol. Sorry for the inco…
Waiting for updates...
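The SSLProtocol lines quoted in the question and in the answers above can be checked offline before restarting Apache. The following Python is an added example, not code from the question, any answer, or the Bitnami project: it evaluates a directive the way mod_ssl's documented grammar does ('all', '+name', '-name', and a bare keyword that replaces what came before) against constructed keyword lists for an OpenSSL 1.0.2 build, which has no TLS 1.3 as the Bitnami reply notes, and an OpenSSL 1.1.1 build; the error wording is modelled on mod_ssl's log messages and is an approximation.

```python
# Keywords a build accepts (constructed to match the thread): the Bitnami stack
# ships OpenSSL 1.0.2, which has no TLS 1.3; OpenSSL 1.1.1 adds it.
OPENSSL_1_0_2 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
OPENSSL_1_1_1 = OPENSSL_1_0_2 + ("TLSv1.3",)

def parse_ssl_protocol(directive, available=OPENSSL_1_0_2):
    """Protocols an SSLProtocol/SSLProxyProtocol line enables, per mod_ssl's grammar:
    'all' = every protocol the build knows, '+name' adds, '-name' removes, a bare
    name replaces the set built so far; unknown keyword or empty result is an error."""
    words = directive.split()
    if len(words) < 2 or words[0] not in ("SSLProtocol", "SSLProxyProtocol"):
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        if name == "SSLv2":            # removed from OpenSSL; only '-SSLv2' is tolerated
            if action != "-":
                raise ValueError("SSLv2 not supported by this version of OpenSSL")
            continue
        if name == "all":
            chosen = set(available)
        elif name in available:
            chosen = {name}
        else:                          # e.g. TLSv1.3 on an OpenSSL 1.0.2 build
            raise ValueError("%s: Illegal protocol '%s'" % (words[0], name))
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    if not enabled:                    # Apache refuses to start in this case
        raise ValueError("No SSL protocols available [hint: SSLProtocol]")
    return frozenset(enabled)

def check_directive(directive, available=OPENSSL_1_0_2):
    """(protocols, None) on success, else (None, message) as Apache would report it."""
    try:
        return parse_ssl_protocol(directive, available), None
    except ValueError as exc:
        return None, str(exc)

if __name__ == "__main__":
    # Lines quoted in the thread (a vhost-level SSLProtocol replaces the server-level one).
    for line in ("SSLProtocol all -SSLv2 -SSLv3",          # stock line: TLS 1.0/1.1 stay on
                 "SSLProtocol -all +TLSv1.2",              # TLS 1.2 only
                 "SSLProtocol +TLSv1.2 +TLSv1.3",          # rejected on OpenSSL 1.0.2
                 "SSLProtocol -TLSv1.2 -TLSv1.3 -SSLv3"):  # nothing left enabled
        for label, build in (("1.0.2", OPENSSL_1_0_2), ("1.1.1", OPENSSL_1_1_1)):
            print("%-40s OpenSSL %s -> %s" % (line, label, check_directive(line, build)))
```

Run it with `python3 sslprotocol_check.py` to see each line's result under both builds; the stock `all -SSLv2 -SSLv3` line is the one that keeps TLS 1.0 and 1.1 on.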
If your site is behind Cloudflare or a similar service, then you will need to make the TLS changes on Cloudflare itself, regardless of whether you have set up the SSLProtocol correctly in bitnami.conf.