The internet thrives on the secure transmission of data, and it’s protocols like Transport Layer Security (TLS) that make this possible. TLS is the successor to Secure Sockets Layer (SSL) and plays a crucial role in securing web traffic. In this article, we’ll be focusing on TLS 1.3 and 1.2 versions, which offer improved performance and security over their predecessors.
Apache is one of the web servers that make extensive use of these protocols, but restricting it to TLS 1.3/1.2 requires some explicit configuration. This guide walks you through configuring your Apache server to accept only TLS 1.3/1.2 connections. Before you begin, you will need:
- Apache HTTP Server (version 2.4.37 or later, for full TLS 1.3 support).
- OpenSSL (version 1.1.1 or later, for full TLS 1.3 support).
- Root or sudo access to the server.
Enable TLS 1.2 only in Apache
First, edit the virtual host section for your domain in the Apache SSL configuration file on your server and set SSLProtocol as follows. This disables every older protocol on your Apache server and enables TLSv1.2 only (because "-all" also removes TLSv1.3, this setting does not allow TLS 1.3 clients).
SSLProtocol -all +TLSv1.2
The minimal Apache virtual host with SSL looks like this:

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
Enable Both TLS 1.3 and 1.2 in Apache
Apache version 2.4.38 or higher supports TLS v1.3. Upgrade the Apache packages before enabling TLS 1.3 in the SSL settings, then set SSLProtocol as follows.
SSLProtocol -all +TLSv1.2 +TLSv1.3
The simplest Apache VirtualHost with SSL looks like this:

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
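Both SSLProtocol lines above rely on mod_ssl's token semantics: "-all" empties the set, and each "+" token adds one version back. The following added example (not code from the article or from the Apache project) models those semantics so you can check what a VirtualHost block will actually negotiate before reloading the server. It assumes mod_ssl 2.4's documented behaviour (a bare token replaces the current set, "+" adds, "-" removes, "all" expands to SSLv3 through TLSv1.3 on Apache 2.4.36+ with OpenSSL 1.1.1+) and that the compiled-in default is "all -SSLv3"; the names KNOWN_PROTOCOLS, audit() and the sample VirtualHost strings are this example's own constructions.

```python
"""Model the token semantics of Apache mod_ssl's SSLProtocol directive.

Added example; it is not code from the article or from the Apache project.
It assumes mod_ssl 2.4's documented handling: a bare token replaces the current
set, a '+' prefix adds to it, a '-' prefix removes from it, and 'all' expands
to every protocol the build supports (SSLv3 through TLSv1.3 on Apache 2.4.36+
with OpenSSL 1.1.1+). KNOWN_PROTOCOLS and audit() are this example's own names.
"""
from __future__ import annotations

import re

# Protocols a current Apache 2.4 / OpenSSL 1.1.1+ build can negotiate (SSLv2 is long gone).
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Anything below TLS 1.2 is flagged by this checker.
WEAK_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
# Compiled-in default that applies when a VirtualHost has no SSLProtocol line.
DEFAULT_DIRECTIVE = "all -SSLv3"

# Matches an uncommented SSLProtocol line; directive names are case-insensitive in Apache.
_DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_sslprotocol(arg: str) -> frozenset[str]:
    """Fold one SSLProtocol argument string into the set of enabled protocols."""
    enabled: set[str] = set()
    for token in arg.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[1:] if action else token
        if name.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names  # a bare token discards whatever came before it
    return frozenset(enabled)


def effective_protocols(vhost_config: str) -> frozenset[str]:
    """Apply the last SSLProtocol line in a block (later lines win), or the default."""
    found = _DIRECTIVE_RE.findall(vhost_config)
    return parse_sslprotocol(found[-1] if found else DEFAULT_DIRECTIVE)


def audit(vhost_config: str) -> dict:
    """Report what the block negotiates and whether anything below TLS 1.2 slipped through."""
    enabled = effective_protocols(vhost_config)
    weak = sorted(enabled & WEAK_PROTOCOLS)
    return {"enabled": sorted(enabled), "weak": weak, "ok": bool(enabled) and not weak}


# Constructed samples: the article's strict VirtualHost, and one that silently
# relies on the default because its SSLProtocol line is commented out.
STRICT_VHOST = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""
DEFAULT_VHOST = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("strict", STRICT_VHOST), ("default", DEFAULT_VHOST)):
        print(label, audit(cfg))
```

The second sample is the case worth remembering: with no effective SSLProtocol line, a 2.4 build still offers TLS 1.0 and 1.1, so the audit reports them as weak. Note that a bare token such as "SSLProtocol TLSv1.2" replaces the set rather than adding to it, which is why the article's form starts with "-all".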
You can test your server’s TLS configuration using an online service like Qualys SSL Labs’ SSL Server Test. This will show you a comprehensive breakdown of your server’s SSL/TLS configuration, including enabled protocols.
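For a server that is not reachable from the internet, or when you want the check scripted, the same verification can be done locally by attempting one handshake per TLS version. The following added example (not code from the article) drives the openssl command-line tool's s_client with its -tls1, -tls1_1, -tls1_2 and -tls1_3 flags and reads the negotiated version from the SSL-Session block it prints. It assumes an openssl binary (1.1.1 or newer) on PATH and that Apache has been reloaded with the new directive; the run parameter, the canned_run helper and its canned output are this example's own constructions so the parsing can be exercised offline.

```python
"""Probe which TLS versions a live server will negotiate, one handshake per version.

Added example; it is not code from the article. It shells out to the `openssl`
command-line tool (1.1.1 or newer must be on PATH) and pins each attempt with
s_client's -tls1 / -tls1_1 / -tls1_2 / -tls1_3 flags. The `run` parameter is an
injection point so the parsing can be exercised offline against constructed output.
"""
from __future__ import annotations

import re
import subprocess
from typing import Callable

# s_client flag that forces the handshake to exactly one protocol version.
VERSION_FLAGS = {
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}
# On success s_client prints an SSL-Session block containing "Protocol  : TLSv1.x".
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)


def _run_openssl(args: list[str]) -> subprocess.CompletedProcess:
    # Empty stdin makes s_client close the connection right after the handshake.
    return subprocess.run(args, input=b"", capture_output=True, timeout=20)


def negotiated_version(result) -> str | None:
    """Extract the negotiated protocol from an s_client run, or None if it failed."""
    if result.returncode != 0:
        return None
    match = _PROTO_RE.search(result.stdout.decode(errors="replace"))
    return match.group(1) if match else None


def probe(host: str, port: int = 443, run: Callable = _run_openssl) -> dict[str, bool]:
    """Return {version: accepted} for every version in VERSION_FLAGS."""
    accepted = {}
    for version, flag in VERSION_FLAGS.items():
        # -servername sends SNI so a name-based VirtualHost answers with its own settings.
        args = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, flag]
        accepted[version] = negotiated_version(run(args)) == version
    return accepted


def only_modern(accepted: dict[str, bool]) -> bool:
    """True when at least one of TLS 1.2/1.3 works and nothing older does."""
    modern = accepted.get("TLSv1.2", False) or accepted.get("TLSv1.3", False)
    legacy = accepted.get("TLSv1", False) or accepted.get("TLSv1.1", False)
    return modern and not legacy


# Constructed stand-in for a server running "SSLProtocol -all +TLSv1.2 +TLSv1.3":
# canned s_client results keyed by version flag, used only for the offline run.
class _Canned:
    def __init__(self, returncode: int, stdout: bytes, stderr: bytes = b""):
        self.returncode, self.stdout, self.stderr = returncode, stdout, stderr


def canned_run(args: list[str]) -> _Canned:
    flag = args[-1]
    if flag in ("-tls1_2", "-tls1_3"):
        version = "TLSv1.2" if flag == "-tls1_2" else "TLSv1.3"
        body = f"CONNECTED(00000003)\n---\nSSL-Session:\n    Protocol  : {version}\n---\n"
        return _Canned(0, body.encode())
    return _Canned(1, b"CONNECTED(00000003)\n", b"SSL routines: tlsv1 alert protocol version\n")


if __name__ == "__main__":
    # Replace run=canned_run with the default to probe a real host after reloading Apache.
    result = probe("www.example.com", run=canned_run)
    print(result, "modern-only:", only_modern(result))
```

One caveat when reading the TLS 1.0/1.1 rows: OpenSSL 3.x refuses those versions on the client side at its default security level, so a failed handshake there may be the probing client rather than the server. To attribute it correctly, rerun those two attempts with s_client's -cipher 'DEFAULT:@SECLEVEL=0' option; only if the server still declines is the SSLProtocol setting doing the work.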
And there you have it. Your Apache server should now only be accepting connections using TLS 1.3/1.2. By ensuring your server uses the latest versions of TLS, you are taking steps to protect your users’ data, maintain trust, and potentially improve your site’s performance.