All SSL and TLS versions older than 1.2 have many known vulnerabilities, such as POODLE (CVE-2014-3566). That’s why the latest browsers have removed support for these vulnerable protocols. We also recommend moving your server to TLS, specifically to TLS 1.2. This tutorial will help you enable TLS 1.2 and TLS 1.3 with mod_ssl on Apache servers.
To enable TLS 1.3 you must have Apache version 2.4.38 or higher on your system. Also locate the SSL virtual host configuration file on your system.
Generally, Debian-based systems keep these files under the /etc/apache2/sites-enabled directory.
Red Hat (RPM) based systems keep their configuration in the /etc/httpd/conf/httpd.conf file or in a separate file under the /etc/httpd/conf.d directory.
Enable TLS 1.2 only in Apache
First, edit the virtual host section for your domain in the Apache SSL configuration file on your server and set SSLProtocol as follows. This disables all older protocols on your Apache server and enables TLSv1.2 only.
SSLProtocol -all +TLSv1.2
The minimal Apache virtual host with SSL looks like:
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
Enable Both TLS 1.3 & 1.2 in Apache
Apache version 2.4.38 and higher support TLS v1.3. You must upgrade your Apache packages before enabling TLS 1.3 in the SSL settings.
SSLProtocol -all +TLSv1.2 +TLSv1.3
The simplest Apache VirtualHost with SSL looks like below:
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
After making changes in your configuration file, restart the Apache service to apply new settings.
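A check that can be run on the configuration text before the restart, as an added example that is not part of the original tutorial: it evaluates every SSLProtocol line the way the +/- syntax above is read and reports any protocol older than TLS 1.2 that stays enabled. The function names, the sample configuration and the expansion of "all" to the five listed names are assumptions made for this example.

```python
import re

# Assumption: "all" expands to this whole list; the real expansion depends on the build.
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}  # everything older than TLS 1.2

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right and return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        selected = set(KNOWN) if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not selected:
            raise ValueError(f"unknown protocol in SSLProtocol: {token!r}")
        if sign == "+":
            enabled |= selected
        elif sign == "-":
            enabled -= selected
        else:
            enabled = selected  # a bare name replaces whatever was set before it
    return enabled

def audit(config_text):
    """Return (line number, arguments, weak protocols left enabled) per SSLProtocol line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out directives start with '#' and do not match
            weak = sorted(effective_protocols(m.group(1)) & WEAK)
            findings.append((number, m.group(1), weak))
    return findings

# Constructed sample configuration; legacy.example.com is a made-up second host.
SAMPLE = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.com
    # SSLProtocol -all +TLSv1.2
    SSLProtocol all -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for number, args, weak in audit(SAMPLE):
        print(f"line {number}: SSLProtocol {args} ->", "weak: " + ", ".join(weak) if weak else "OK")
```

To audit a real file, pass its contents to audit() in place of SAMPLE; an empty weak list on every line means only TLS 1.2 and newer remain enabled.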