The internet depends on the secure transmission of data, and protocols like Transport Layer Security (TLS) make this possible. TLS is the successor to Secure Sockets Layer (SSL) and secures most web traffic. This article covers TLS 1.2 and TLS 1.3. The older versions, SSLv3, TLS 1.0 and TLS 1.1, have known weaknesses and are formally deprecated (RFC 7568 and RFC 8996); TLS 1.3 additionally drops the legacy cipher suites and completes its handshake in one round trip, which is where its performance gain comes from.
Apache HTTP Server is one of the most widely deployed servers using these protocols, but a default mod_ssl configuration still offers TLS 1.0 and 1.1; restricting it to TLS 1.2/1.3 takes an explicit SSLProtocol setting. This guide walks through configuring Apache so that it accepts only TLS 1.2 and TLS 1.3 connections.
Requirements
- Apache HTTP Server 2.4.37 or later for TLS 1.3 (support was introduced in 2.4.36; older distribution packages such as CentOS 7's 2.4.6 do not recognise the TLSv1.3 keyword). TLS 1.2 alone needs only Apache 2.2.23 or any 2.4 release.
- OpenSSL 1.1.1 or later, which mod_ssl must be linked against, for TLS 1.3 (OpenSSL 1.0.1 or later for TLS 1.2).
- Root or sudo access to the server.
Enable TLS 1.2 only in Apache
First, open the SSL virtual host for your domain and set SSLProtocol as shown below. The file is typically /etc/apache2/sites-available/default-ssl.conf (or your site's own file) on Debian and Ubuntu, /etc/httpd/conf.d/ssl.conf on RHEL and CentOS, and conf/extra/httpd-ssl.conf under the install directory on a self-built or Windows installation. The directive is evaluated left to right: -all removes every protocol version and +TLSv1.2 adds back only TLS 1.2, so SSLv3, TLS 1.0 and TLS 1.1 (and TLS 1.3, if your build supports it) are refused.
SSLProtocol -all +TLSv1.2
The minimal Apache virtual host with SSL then looks like this. Note that Let's Encrypt's cert.pem contains only the leaf certificate; since Apache 2.4.8 SSLCertificateFile may point at fullchain.pem, which also carries the intermediate certificate that clients need to validate the chain.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
Enable TLS 1.3 & 1.2 Both in Apache
TLS 1.3 requires Apache 2.4.37 or later (support arrived in 2.4.36) built against OpenSSL 1.1.1 or later, so upgrade the Apache and OpenSSL packages before adding the keyword. On an older build the TLSv1.3 keyword is not merely ignored: mod_ssl reports "SSLProtocol: Illegal protocol 'TLSv1.3'" and Apache refuses to start. Keep +TLSv1.2 alongside +TLSv1.3; a TLS 1.3-only server locks out every client that has not yet implemented TLS 1.3.
SSLProtocol -all +TLSv1.2 +TLSv1.3
The simplest Apache virtual host with SSL then looks like this (again using fullchain.pem so the intermediate certificate is served):
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
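To make the add/remove semantics of SSLProtocol concrete, here is a small Python model of how mod_ssl evaluates the directive, written for this article and not taken from Apache's source. It reproduces the rules that a bare keyword replaces the set, + adds, - removes, all expands to every version the build knows, and an unknown keyword is a fatal "Illegal protocol" error (which is why +TLSv1.3 on an older build, or +TLSv1.2 on a build linked against OpenSSL older than 1.0.1, stops Apache from starting). The per-build keyword sets in BUILD_SUPPORT are assumptions chosen for the demo.

```python
"""Model of how Apache mod_ssl evaluates an SSLProtocol directive.

Added example for this article (not Apache's own code). The per-build
keyword sets in BUILD_SUPPORT are assumptions for the demo; the real set
depends on the OpenSSL version mod_ssl was compiled against.
"""
from __future__ import annotations

import re

# Keywords mod_ssl 2.4 can accept, oldest first (SSLv2 is gone in 2.4).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Versions that must not be offered: SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

# httpd 2.4 default when SSLProtocol is not set at all.
DEFAULT_DIRECTIVE = "SSLProtocol all -SSLv3"

# Assumed keyword sets for representative builds (constructed for the demo).
BUILD_SUPPORT = {
    "httpd-2.4.x/openssl-1.0.0": {"SSLv3", "TLSv1"},                        # no TLS 1.1/1.2 keywords
    "httpd-2.4.6/openssl-1.0.2": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},   # no TLS 1.3 keyword
    "httpd-2.4.37/openssl-1.1.1": set(ALL_PROTOCOLS),
}


def parse_sslprotocol(directive: str, supported: set[str]) -> set[str]:
    """Return the versions enabled by one SSLProtocol line for a given build.

    mod_ssl rules: a bare keyword replaces the current set, '+' adds to it,
    '-' removes from it, 'all' expands to every version the build knows, and
    an unknown keyword is a fatal error ("SSLProtocol: Illegal protocol ...").
    """
    match = re.match(r"^\s*SSLProtocol\s+(.+?)\s*$", directive, re.IGNORECASE)
    if not match:
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    known = {p.lower(): p for p in supported}   # keywords are case-insensitive
    enabled: set[str] = set()
    for token in match.group(1).split():
        action, word = "=", token
        if token[0] in "+-":
            action, word = token[0], token[1:]
        if word.lower() == "all":
            versions = set(supported)
        elif word.lower() in known:
            versions = {known[word.lower()]}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = versions
    return enabled


def audit(enabled: set[str]) -> list[str]:
    """Findings for an enabled set: deprecated versions still on, or nothing modern left."""
    findings = [f"{p} is enabled but deprecated" for p in ALL_PROTOCOLS
                if p in enabled and p in DEPRECATED]
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no modern TLS version enabled; clients will not be able to connect")
    return findings


def check(directive: str, build: str) -> str:
    """Human-readable verdict for a directive on a named build."""
    try:
        enabled = parse_sslprotocol(directive, BUILD_SUPPORT[build])
    except ValueError as exc:
        return f"{build}: Apache would refuse to start: {exc}"
    problems = audit(enabled)
    verdict = "; ".join(problems) if problems else "OK"
    return f"{build}: enabled={sorted(enabled)} -> {verdict}"


if __name__ == "__main__":
    for line in (DEFAULT_DIRECTIVE,
                 "SSLProtocol -all +TLSv1.2",
                 "SSLProtocol -all +TLSv1.2 +TLSv1.3",
                 "SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"):
        print(line)
        for build in BUILD_SUPPORT:
            print("   ", check(line, build))
```

Running the script shows that the default directive still enables TLS 1.0 and 1.1, that the two directives from this article are clean on a current build, and that the "subtract the old versions" form some people try (-SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2) yields the same result as -all +TLSv1.2 but fails on a build that has no TLSv1.1 keyword. Before reloading Apache after changing SSLProtocol, run apachectl configtest (httpd -t on a self-built or Windows install): the "Illegal protocol" message it can print means your mod_ssl build does not know that keyword, not that the line is mistyped.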
You can test the result with an online scanner such as Qualys SSL Labs' SSL Server Test, which reports the enabled protocol versions, cipher suites and certificate chain for any publicly reachable host. For internal hosts, or to confirm the change before exposing it, probe the server yourself by attempting one handshake per protocol version with the OpenSSL command-line client or a short script: every version except TLS 1.2 and 1.3 should now be refused.
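A scripted version of that local check, added for this article rather than taken from the page or from Apache: it pins one handshake to each TLS version using Python's ssl module, the same thing openssl s_client -tls1, -tls1_1, -tls1_2 and -tls1_3 do one at a time. Host and port are caller-supplied, and the www.example.com default in the usage block is a placeholder.

```python
"""Probe which TLS versions a server accepts, one handshake per version.

Added example for this article (not from the page or from Apache). It is
the scripted equivalent of running "openssl s_client -tls1_2 -connect
host:443" once per version, using Python's ssl module. Host and port are
caller-supplied; nothing here is specific to any real server.
"""
import socket
import ssl

# Versions to try, oldest first. The ssl module has no SSLv3 setting, so an
# SSLv3-enabled server is only detectable with openssl s_client -ssl3.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 3.0):
    """Try one handshake pinned to `version`.

    Returns (True, "<version> <cipher>") if the server completed the handshake,
    or (False, "<reason>") if it refused the version, closed the connection, or
    the local OpenSSL cannot speak that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we test the protocol policy, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:         # version compiled out of the client's OpenSSL
        return False, f"client cannot offer this version: {exc}"
    # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level; lower it
    # so a failure reflects the server's policy rather than the client's.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def probe_all(host: str, port: int = 443) -> dict:
    """Map each version name to the (accepted, detail) result for host:port."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def is_hardened(results: dict) -> bool:
    """True when at least one version was accepted and all of them are TLS 1.2/1.3."""
    accepted = {name for name, (ok, _) in results.items() if ok}
    return bool(accepted) and accepted <= {"TLSv1.2", "TLSv1.3"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"   # placeholder host
    results = probe_all(target)
    for name, (ok, detail) in results.items():
        print(f"{name:8} {'accepted' if ok else 'refused '} {detail}")
    print("hardened:", is_hardened(results))
```

Run it as python3 probe.py your.host.example after reloading Apache: with the -all +TLSv1.2 +TLSv1.3 setting, TLSv1 and TLSv1.1 report refused (typically an SSLError mentioning "protocol version" or "handshake failure") while TLSv1.2 and TLSv1.3 report accepted with the negotiated cipher, and the final line reads hardened: True. A refused TLS 1.3 on a server that should offer it means the TLSv1.3 keyword was never loaded, which goes back to the Apache/OpenSSL version requirement above.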
And there you have it. Your Apache server should now accept only TLS 1.2 and TLS 1.3 connections, which protects your users' data, keeps browsers from flagging the site, and, thanks to the shorter TLS 1.3 handshake, can improve page load times. Keep in mind that SSLProtocol governs only the protocol version; the cipher suites offered within TLS 1.2 are controlled separately by SSLCipherSuite, so review that directive as part of the same hardening.
17 Comments
Hi RAHUL K,
I want to enable TLS 1.2 or TLS 1.3 on CentOS Linux release 7.9.2009 (Core).
I am looking for the command; I don't know much about Linux.
Thanks
Lokesh
Hi,
How do I enable SSL/TLS cipher protocols on a web server? Please suggest.
Thanks
prasad
Tried to enable TLS 1.2 in /conf/extra/httpd-ssl.conf in Apache 2.4.10 with the combinations below.
SSLProtocol -all +TLSv1.2
After restarting the httpd service, I get the error 'Illegal protocol TLSv1.2' as below.
AH00526: Syntax error on line 260 of /opt/NSAx/apache2.4-npservers/conf/extra/httpd-ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.2'
Then I updated SSLProtocol in the httpd-ssl.conf file.
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
After restarting the httpd service, I get the error 'Illegal protocol TLSv1.1' as below.
AH00526: Syntax error on line 260 of /opt/NSAx/apache2.4-npservers/conf/extra/httpd-ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
Set SSLHonorCipherOrder in the httpd-ssl.conf file both on and off; still the same error.
SSLHonorCipherOrder off
Also tried different sets of SSLCipherSuite from https://ssl-config.mozilla.org/#server=apache&version=2.4.10&config=intermediate&openssl=1.0.2k-fips&guideline=5.6
Ran the command 'nmap --script ssl-enum-ciphers -p 443 hostname' in Linux and it returned SSLv3 and TLSv1.0 enabled.
I hope the mentioned versions of OpenSSL, Apache and Linux OS will support TLS 1.2.
Please help me: why does this configuration cause the 'Illegal protocol' error, and how can I enable TLS 1.2 only with this setup?
I would really appreciate any help.
Sorry, here is the error I got; note that I'm using Windows Server 2012.
E:\Programs\ApacheEV02_SSL\bin>httpd -t
Warning: DocumentRoot [E:/home/www-data] does not exist
Syntax error on line 29 of E:/Programs/ApacheEV02_SSL/conf/extra/httpd-ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.2'
Hi,
I'm trying to install Apache 2.2.25 using TLS 1.2, but I got the error below. I added this configuration in httpd-ssl.conf:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Will the handshake work if the SSLProtocol line is set to just:
SSLProtocol -all +TLSv1.3
I can’t get it to work like that.
I can get it to work if it is set like this: (SSLProtocol -all +TLSv1.2 +TLSv1.3)
How do I enable TLS 1.3 on CentOS 7 with Apache/2.4.6?
Apache 2.4.6 doesn’t support TLS 1.3.
“First, edit the VirtualHost section for your domain in the Apache SSL configuration file”
and where is that file?
"First get inside the car", but I won't tell you where the key is.
Thanks, unknown reader. Added some tips to the tutorial on finding the SSL virtual host file.
If you can’t find the key, then maybe you shouldn’t be driving
1.1 version
Does Java 1.8 support TLS 1.2? I have a Tomcat 8.5 server with JDK 8u144 and I just want to check whether TLS 1.2 is enabled or not. Can you please help me out?
Hi,
What should the cipher suite be for TLS 1.2? I allowed only TLS 1.2 as you said, but I am getting an ssh handshaking exception in SoapUI saying the server still supports TLSv1, which is not enabled in the SoapUI app. Please help.
I set an SSL certificate on my website, but in old browsers the site does not show and gives the error "your connection is not private". My website is https://www10020.travel, but my friend's website (https://ghasedak24.com) shows without error. Please help me.
Apache version requirement for TLS 1.2
To use TLS 1.2 you must have Apache 2.2.23 or higher and OpenSSL 1.0.1 or higher