LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 08-20-2015, 04:57 AM   #1
r3b0ot
LQ Newbie
 
Registered: May 2011
Posts: 16

Rep: Reputation: Disabled
Trying to enable TLS 1.2 on Apache webserver


Hi guys,

I am trying to enable TLS v1.2 on my apache webserver.
Ubuntu 14.04
Apache 2.4.7
openssl 1.0.1f


I have the following set in my vhost config:

Code:
SSLProtocol -All -SSLv3 +TLSv1 +TLSv1.2

But when scanning the website with https://www.ssllabs.com/ssltest/, it still shows TLS 1.2 is not enabled.


Any ideas?

Last edited by r3b0ot; 08-20-2015 at 05:01 AM.
 
Old 08-20-2015, 10:37 PM   #2
AlexSlack
Member
 
Registered: Jul 2012
Location: El Salvador
Distribution: Slackware-current
Posts: 53

Rep: Reputation: 42
Hi!

To enable TLS 1.2 you have to enable the ciphers.
This is from the Apache HTTP documentation:

Code:
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
#  Older ciphers should be disallowed as soon as possible, while the
#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
#  non-browser tooling) from successfully connecting.  
#
#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
#  those protocols which do not support forward secrecy, replace
#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
#  the following two directives, as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
The following lines tell the server to use the HIGH and MEDIUM security ciphers needed for TLS 1.2.

Code:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
Then you enable the protocols:

Code:
#   SSL Protocol support:
#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
#   protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLv3 should not be used anymore, and in Apache 2.4 SSLv2 ciphers are no longer supported.

Hope this helps.
 
Old 08-21-2015, 02:46 AM   #3
r3b0ot
LQ Newbie
 
Registered: May 2011
Posts: 16

Original Poster
Rep: Reputation: Disabled
Hi Alex,

Thanks for the reply!
Unfortunately, I still can't get it to work.

My vhost config:

Code:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder On
I also checked my ssl.conf and that looks good as well.


I'm really puzzled...
 
Old 08-21-2015, 02:55 AM   #4
r3b0ot
LQ Newbie
 
Registered: May 2011
Posts: 16

Original Poster
Rep: Reputation: Disabled
I just found out that the issue is probably on my reverse proxy server. When browsing directly to the backend server, TLS 1.2 is used.
When browsing via the reverse proxy server, TLS 1.0 is used.

The configs I pasted above are from my proxy server btw.
 
Old 08-21-2015, 07:18 AM   #5
r3b0ot
LQ Newbie
 
Registered: May 2011
Posts: 16

Original Poster
Rep: Reputation: Disabled
Got this to work, jeez. It was due to Apache selecting the SSL settings from the first vhost config file in sites-enabled and not the one from the site itself.
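An added example, not code from the thread, that reproduces the diagnosis in post #5: Apache reads sites-enabled/*.conf in sorted order, and the first *:443 vhost is the default for that address:port, so its SSLProtocol governs the initial handshake regardless of what the real site's vhost says. The script builds two constructed vhost files (file names and ServerNames are made up), reports the effective SSLProtocol, and exits non-zero when another vhost's setting would be silently ignored. It assumes one VirtualHost per file with directives on their own lines.

```shell
#!/bin/sh
# Check sites-enabled for SSLProtocol settings that Apache will not honour.
# Apache includes sites-enabled/*.conf alphabetically; the first <VirtualHost *:443>
# becomes the default vhost for that port, and its SSLProtocol is used for the
# handshake before SNI selects the site the browser asked for.
SITES="${SITES:-$(mktemp -d)}"

# Constructed sample files mirroring the thread: the default vhost only allows
# TLSv1, the real site allows everything except SSLv3.
make_samples() {
  cat > "$SITES/000-default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName default.example
    SSLEngine on
    SSLProtocol -all +TLSv1
</VirtualHost>
EOF
  cat > "$SITES/mysite-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.net
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
</VirtualHost>
EOF
}

# Print "file<TAB>SSLProtocol value" for every *.conf in Apache's include order.
ssl_protocol_per_vhost() {
  for f in "$1"/*.conf; do
    awk -v f="$(basename "$f")" '
      tolower($1) == "sslprotocol" { $1 = ""; sub(/^ +/, ""); print f "\t" $0 }' "$f"
  done
}

# The first vhost's SSLProtocol is the one the handshake actually uses.
effective_protocol() {
  ssl_protocol_per_vhost "$1" | head -n 1 | cut -f2
}

# Exit 1 (and name the offenders) if any vhost's SSLProtocol differs from it.
check_consistency() {
  eff=$(effective_protocol "$1")
  ssl_protocol_per_vhost "$1" | awk -F'\t' -v eff="$eff" '
    $2 != eff { printf "%s: SSLProtocol \"%s\" is ignored; handshake uses \"%s\"\n", $1, $2, eff; bad = 1 }
    END { exit bad }'
}

# Demo: run with "demo" as the argument to build the samples and check them.
if [ "${1:-}" = "demo" ]; then
  make_samples
  check_consistency "$SITES" || echo "fix the first vhost in sites-enabled, not just the site's own"
fi
```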
 