
Apache using TLS1.0 even if configured with TLS1.2

I have issues making my Apache server use TLS1.2. I respect all the recommended configuration (ssl.conf, virtuals, ciphers...) but Apache is using TLS1.0 all the time. I suspect the version of OpenSSL to be the root cause.

Environment: RHEL 7
OpenSSL version: OpenSSL 1.0.1e-fips
Apache version: Apache/2.4.6

I have this message in the browser dev tools even though the configuration seems to be OK:

The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

Can you help with this, please?

Make sure you have restarted Apache.

And, make sure this line is added, and make sure all other SSLProtocol lines are commented out using # at the start of the line, or removed:

SSLProtocol -all +TLSv1.2 +TLSv1.3

Or, if your version of OpenSSL doesn't support TLSv1.3:

SSLProtocol -all +TLSv1.2

I absolutely recommend that you update to the latest version of Apache (2.4.46 at the time of this post), and OpenSSL 1.1.1.

You can use SSL Labs to test your website's SSL conf.

Next:

AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

For the above, you can test your site on SSL Labs, and see the ciphers that are green and orange, and you can implement them by using https://testssl.sh/openssl-iana.mapping.html for help.
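The advice above to leave no other active SSLProtocol line can be checked mechanically. The following is an added example, not part of the original answer: it evaluates every uncommented `SSLProtocol` directive left to right and reports which ones still enable anything older than TLSv1.2. The file names and sample configuration are constructed, and the set that `all` expands to is an assumption, since it depends on the Apache and OpenSSL build.

```python
import re

# Assumption: the widest set "all" can stand for; the real set depends on the build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
KNOWN = ALL | {"SSLv2"}          # SSLv2 is recognised only so "-SSLv2" parses
MODERN = {"TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right and return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        group = ALL if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not group:
            raise ValueError(f"unknown protocol token {token!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:                    # a bare name replaces whatever was set before it
            enabled = set(group)
    return enabled

def audit(files):
    """Return (file, line_no, directive, legacy_protocols) per active directive."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)    # lines starting with '#' do not match
            if m:
                legacy = sorted(effective_protocols(m.group(1)) - MODERN)
                findings.append((path, no, line.strip(), legacy))
    return findings

# Constructed sample configuration, not taken from the question.
SAMPLE = {
    "conf.d/ssl.conf": "Listen 443 https\nSSLProtocol all -SSLv2\n",
    "conf.d/site.conf": "<VirtualHost *:443>\n  #SSLProtocol all\n"
                        "  SSLProtocol -all +TLSv1.2\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for path, no, directive, legacy in audit(SAMPLE):
        status = "still enables " + ", ".join(legacy) if legacy else "OK"
        print(f"{path}:{no}: {directive} -> {status}")
```

Any directive reported with legacy protocols is a candidate for commenting out or replacing before restarting Apache and re-testing.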
