Friday, 30 March 2018

How to Disabling all SSL/TLS Protocols except TLSv1.2 in CentOS7/RHEL7



Secure Socket Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing encrypted and secure communication between servers, clients, machines and applications operating over a network.


The default Apache configuration files:

/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf

Find the entry ‘SSLProtocol’ in above mentioned files and modify as below:

[root@linuxcnf ~]# vi /etc/httpd/conf.d/ssl.conf
SSLProtocol -ALL +TLSV1.2

In the above changes the apache service will disable all protocols, but enable TLSV1.2

Verify the configuration changes:

[root@linuxcnf ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol -ALL +TLSV1.2
[root@linuxcnf ~]#

Restart the Apache service to complete the changes:

[root@linuxcnf ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@linuxcnf ~]# 

To verify the TSLv1.2 is enabled on the server:

[root@ linuxcnf ~]# openssl s_client -connect 192.168.43.105:443 -tls1_2|grep -i supported
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = linuxcnf, emailAddress = root@ linuxcnf
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = linuxcnf, emailAddress = root@ linuxcnf
verify error:num=21:unable to verify the first certificate
verify return:1
Secure Renegotiation IS supported
^c
[root@ linuxcnf ~]#

We can see the Secure Renegotiation IS supported.


No comments:

Post a comment