
I want to enable TLS 1.2 in Ubuntu server 18.

I have edited the /etc/apache2/mods-available/ssl.conf, adding

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

but Apache is still using TLS 1.0. Is it possible to activate TLS 1.2?

The Apache version is Apache/2.4.29 (Ubuntu).

Lorik H

1 Answer

To enable TLS 1.2 in Apache, you will need to change/add the SSLProtocol directive.

Note: To do any of this, mod_ssl should be enabled, if not, use the command sudo a2enmod ssl.

The below configuration line will disable all TLS versions except TLSv1.2.

# This makes Apache support only TLSv1.2 (Apache does not allow a comment on the same line as a directive)
SSLProtocol -all +TLSv1.2

You can also support TLSv1.3 if you have OpenSSL 1.1.1 or newer. You can check the OpenSSL version by running the command: openssl version in the terminal, etc. You will also need Apache version 2.4.36 or more to use the TLSv1.3 provided by OpenSSL. You can also support TLSv1.3 together with TLSv1.2 using SSLProtocol -all +TLSv1.2 +TLSv1.3.

Example person
  • I ran the command apachectl -M -> ssl_module (shared), http_module (static); these are the modules I believe are linked with the command you said to run. Also, when I ran the command openssl version: OpenSSL 1.1.1. But when I changed the ssl.conf and added TLS 1.3, Apache didn't start. – Lorik H Jan 16 '20 at 11:40
  • Run journalctl -xe – Example person Jan 16 '20 at 12:01
  • See the output of that command. And see why Apache didn't start. – Example person Jan 16 '20 at 12:02
  • Thanks for the reply, here is the output of the command: AH00526: Syntax error on line 77 of /etc/apache2/mods-enabled/ssl.conf: SSLProtocol: Illegal protocol 'TLSv1.3' Action 'start' failed. The Apache error log may have more information. apache2.service: Control process exited, code=exited status=1 apache2.service: Failed with result 'exit-code'. Failed to start The Apache HTTP Server. – Lorik H Jan 16 '20 at 14:30
  • Oh, sorry. Your Apache version doesn't support it. You will need Apache version 2.4.36 or higher. – Example person Jan 16 '20 at 14:56
  • Can I use TLS 1.2 instead? – Lorik H Jan 16 '20 at 15:08
  • Yes you can do that. – Example person Jan 16 '20 at 15:23
  • Can you please help me with this, activating TLS 1.2? – Lorik H Jan 20 '20 at 19:04
  • Use the code in my answer, replace what you have used with that. – Example person Jan 22 '20 at 05:06
  • To enable TLS 1.2 in Apache, you will need to change/add the SSLProtocol directive. Use what I've given. – Example person Jan 22 '20 at 05:07
  • Change `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` to `SSLProtocol -all +TLSv1.2` – Example person Jan 22 '20 at 05:09
  • How do I do this in the Apache installed on Windows? Do we need to change the config/server.xml? – Sajeev Oct 12 '21 at 20:03
  • @Sajeev are you using XAMPP? – Example person Oct 13 '21 at 14:08
  • @Exampleperson, No, standalone Apache for Java – Sajeev Oct 26 '21 at 05:43
  • @Sajeev, Is [Apache JackRabbit](https://jackrabbit.apache.org/jcr/standalone-server.html) the server you are talking about? – Example person Oct 26 '21 at 08:09
  • @Exampleperson, No, I am running Adempiere (a Java-based application) on the Apache server, and it is installed on a Windows server machine. – Sajeev Oct 26 '21 at 08:41
  • @Sajeev please let me know if there is a file called httpd.conf in the httpd/apache2/apache folder (or inside [nameofapache]/conf) – Example person Oct 26 '21 at 08:42
  • @Exampleperson There is no such file. I checked that. We have conf/server.xml; is that the file where we change the TLS version? – Sajeev Oct 26 '21 at 08:47
  • @Exampleperson The following is the code: – Sajeev Oct 26 '21 at 08:48
  • @Sajeev, I am pretty sure you are using Apache Tomcat. I cannot help you with that since I do not have any experience with it. I am sorry. – Example person Oct 26 '21 at 08:50
  • Hint: TLSv1.3 is not an Apache property, but a property of the OpenSSL version linked to Apache. The simplest way to check it is to add TLSv1.3 to the config and try a full restart of Apache. If it works, leave this config in place. If not, revert the config and restart Apache again. – Znik May 22 '23 at 05:55
  • @Znik, I might've misunderstood what you said, but anyway, when modifying OpenSSL configuration files, caution and attention are crucial. Creating backups of those files is essential to avoid disrupting the operating system due to improper changes. Editing Apache's configuration files poses lower risks. Thus, it's recommended to start with Apache when making configuration adjustments in such cases. – Example person May 22 '23 at 09:09
  • Changing the Apache config file has no chance of disrupting the OS. Of course, backing up everything we modify is very good practice. About Apache: unfortunately not all versions have an implementation for TLS 1.3. I have this problem in Debian. For now it is not a big problem, because TLS 1.2 is still good. The same problem exists on all other services based on the SSL layer. – Znik Jun 29 '23 at 05:50
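As an added example (not code from the original answer or the comments), a POSIX shell helper that applies the answer's rule, offering TLSv1.3 only when both OpenSSL 1.1.1+ and Apache 2.4.36+ are present, and that swaps the SSLProtocol line in a config file while keeping a backup; it is meant to avoid the "Illegal protocol 'TLSv1.3'" startup failure seen in the comment thread. The function names and the sample version strings are my own.

```shell
# Added example: choose the SSLProtocol line for this host. TLSv1.3 needs
# OpenSSL >= 1.1.1 AND Apache >= 2.4.36, otherwise Apache refuses to start.

# True (exit 0) when dotted version $1 >= $2, compared component by component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# "OpenSSL 1.1.1f  31 Mar 2020" -> 1.1.1 (letter suffix is only a patch level)
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# "Server version: Apache/2.4.29 (Ubuntu)" -> 2.4.29
apache_version_of() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Print the SSLProtocol directive for the given `openssl version` and
# `apache2 -v` output. Unparseable input yields the conservative TLSv1.2 line.
recommend_sslprotocol() {
    ossl=$(openssl_version_of "$1")
    httpd=$(apache_version_of "$2")
    if version_ge "$ossl" 1.1.1 && version_ge "$httpd" 2.4.36; then
        echo "SSLProtocol -all +TLSv1.2 +TLSv1.3"
    else
        echo "SSLProtocol -all +TLSv1.2"
    fi
}

# Replace the existing SSLProtocol line in file $1 with $2 (or append one),
# keeping a .bak copy so the change can be reverted if configtest fails.
apply_sslprotocol() {
    cp "$1" "$1.bak"
    if grep -q '^[[:space:]]*SSLProtocol' "$1"; then
        sed "s|^[[:space:]]*SSLProtocol.*|$2|" "$1.bak" > "$1"
    else
        printf '%s\n' "$2" >> "$1"
    fi
}
```

On the host itself you would run `apply_sslprotocol /etc/apache2/mods-available/ssl.conf "$(recommend_sslprotocol "$(openssl version)" "$(apache2 -v | head -n1)")"` followed by `apachectl configtest` before restarting Apache; for the asker's Apache 2.4.29 with OpenSSL 1.1.1 this yields the TLSv1.2-only line.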