
How to disable TLS 1.0 and 1.1 and enable only TLS 1.2 and TLS 1.3 in Apache for a WordPress Bitnami Amazon Lightsail instance?

This is my first experience with Amazon Lightsail, WordPress Multisite, Bitnami and even with Let's Encrypt; now it seems everything just works, except for the SSL directives in my virtual host file.

Because it seems that the major browsers – i.e. Chrome, Safari/WebKit, Mozilla Firefox and IE/Edge – are going to remove support for TLS 1.0 and TLS 1.1 as soon as the beginning of the new year – precisely between January and March – I would like to know how to disable them for my new WordPress Multisite instance in Lightsail.

After I obtained a Let's Encrypt SSL certificate and successfully deployed it, I tested it and verified that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2. Now it seems that my Apache version 2.4.39 also supports TLS 1.3, and I am trying to enable it and disable the two older versions. Reading on the net I found that I must change the httpd.conf file to insert this directive:

SSLProtocol -all +TLSv1.2

so, inside the httpd.conf file I found this block, which seems the right place:

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"

<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>

# Error Documents
ErrorDocument 503 /503.html

# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I tried to simply update httpd.conf and httpd-ssl.conf, but nothing happens: TLS 1.3 does not work and TLS 1.0 and TLS 1.1 are still enabled.

I have also read this question:

Disabling TLS 1.0 in Apache 2.4

After my additions, these are my SSL directives in the httpd-ssl.conf file:

# SSLProtocol all -SSLv3
SSLProtocol  +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3

But nothing changed, and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1. Of course, after every change I restarted Apache.

I was also having this problem and put together the following solution:

  1. Open an instance of SSH from your Lightsail dashboard
  2. Navigate to: /opt/bitnami/apache2/conf/bitnami/
  3. Add the following line to the bitnami.conf file under where it says:

Listen 443
.#SSLProtocol -SSLv2 -SSLv3

SSLProtocol TLSv1.2

  4. Navigate to: /opt/bitnami/apache2/conf/extra
  5. In the httpd-ssl.conf file, add the hashtag to the following lines (without the . ):

.#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
.#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Now remove the hashtag from the following lines so they read as:

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

  6. Now under #SSL Protocol Support, change the settings to look like this:

.#SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3 -SSLv3
.#SSLProxyProtocol all -SSLv3
SSLProxyProtocol +TLSv1.2 +TLSv1.3 -SSLv3

Restart Apache with: sudo /opt/bitnami/ctlscript.sh restart apache

Check your site at both:
https://www.whynopadlock.com
https://www.ssllabs.com/ssltest

You should now receive an A score, with no TLS 1.0 and TLS 1.1 protocols being supported.
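As an added illustration (not code from the question or either answer), the following Python script reproduces how mod_ssl evaluates an SSLProtocol argument list and why the last directive read at server scope wins, which explains why an edit in httpd-ssl.conf can appear to do nothing while the line in bitnami.conf takes effect. It assumes Apache 2.4 built against OpenSSL 1.1.1 (so TLSv1.3 is a known protocol name) and does not model per-VirtualHost overrides.

```python
# Added illustration of mod_ssl's SSLProtocol evaluation (not Apache's own code).
# Assumes Apache 2.4 + OpenSSL 1.1.1; per-<VirtualHost> overrides are not modelled.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")   # the versions the question wants gone
_BY_LOWER = {p.lower(): p for p in ALL}  # mod_ssl matches names case-insensitively


def parse_ssl_protocol(arg: str) -> set:
    """Evaluate one SSLProtocol argument list: start empty, '+name' adds,
    '-name' removes, and a bare 'name' replaces everything accumulated so far
    (so 'SSLProtocol TLSv1.2 TLSv1.3' ends up with only TLSv1.3)."""
    enabled = set()
    for word in arg.split():
        action = word[0] if word[0] in "+-" else ""
        name = word.lstrip("+-").lower()
        if name == "all":
            names = set(ALL)
        elif name == "sslv2":
            if action == "-":  # '-SSLv2' is tolerated for old configs
                continue
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        elif name in _BY_LOWER:
            names = {_BY_LOWER[name]}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def effective_protocols(directives) -> set:
    """Apply SSLProtocol directives in the order httpd reads them (httpd.conf
    and each Include, top to bottom).  At server scope the last one wins, so a
    correct line in httpd-ssl.conf is undone if bitnami.conf is read afterwards.
    With no directive at all, the 2.4 default 'all -SSLv3' applies."""
    enabled = set(ALL) - {"SSLv3"}
    for arg in directives:
        enabled = parse_ssl_protocol(arg)
    if not enabled:  # httpd refuses to start in this case
        raise ValueError("No SSL protocols available [hint: SSLProtocol]")
    return enabled


def legacy_enabled(enabled: set) -> list:
    """Which of SSLv3 / TLSv1 / TLSv1.1 a client could still negotiate."""
    return [p for p in LEGACY if p in enabled]
```

Feeding it the directives from each file in include order shows which line actually governs the listener, and a result containing TLSv1 or TLSv1.1 means the SSL Labs test will still report those protocols.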

Probably it is not yet possible to enable TLSv1.3. According to this Bitnami community thread:

[ https://community.bitnami.com/t/tlsv1-3-support-for-new-lamp-stack-installers/67672 ]

TLSv1.3 is only supported with Apache version 2.4.36 and OpenSSL 1.1.1...our stacks include OpenSSL 1.0.2 so it's not currently possible to enable that protocol. Sorry for the inco…

Waiting for updates...

If your site is behind Cloudflare or a similar service, then you will need to make the TLS changes on Cloudflare itself, regardless of whether you have set up SSLProtocol correctly in bitnami.conf.
