
    How To Enable TLS 1.3/1.2 in Apache

    By Rahul | August 11, 2022 | 2 Mins Read

    All SSL and TLS versions older than 1.2 have many known vulnerabilities, such as POODLE (CVE-2014-3566), which is why the latest browsers have removed support for these vulnerable protocols. We also recommend moving your server to TLS, and specifically to TLS 1.2. This tutorial will help you enable TLS 1.2 and TLS 1.3 in Apache servers with mod_ssl.


    Prerequisites

    To enable TLS 1.3 you must have Apache version 2.4.38 or higher on your system. Also locate the SSL virtual host configuration file on your system.

    Debian-based systems generally keep these files under the /etc/apache2/sites-enabled directory.

    Red Hat (RPM) based systems keep their configuration in the /etc/httpd/conf/httpd.conf file or in a separate file under the /etc/httpd/conf.d directory.

    Enable TLS 1.2 only in Apache

    First, edit the virtual host section for your domain in the Apache SSL configuration file on your server and set SSLProtocol as follows. This disables all older protocols on your Apache server and enables TLSv1.2 only.

     SSLProtocol -all +TLSv1.2
    

    The minimal Apache virtual host with SSL looks like this:

    <VirtualHost *:443>
        ServerName www.example.com
        DocumentRoot /var/www/html
    
        SSLEngine on
        SSLProtocol -all +TLSv1.2
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
    

    Enable TLS 1.3 & 1.2 Both in Apache

    Apache version 2.4.38 and higher support TLS v1.3. You must upgrade your Apache packages before enabling TLS 1.3 in the SSL settings.

     SSLProtocol -all +TLSv1.2 +TLSv1.3
    

    The simplest Apache virtual host with SSL looks like this:

    <VirtualHost *:443>
        ServerName www.example.com
        DocumentRoot /var/www/html
    
        SSLEngine on
        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
    

    After making changes in your configuration file, restart the Apache service to apply new settings.
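
As an added example (not part of the original article), the shell functions below work out which protocols an `SSLProtocol` line leaves enabled and flag any directive that still allows something older than TLS 1.2. The function names, the sample configuration and the expansion of `all` are assumptions of this example, as is the left-to-right handling of `+`, `-` and unsigned tokens, which is written to mirror mod_ssl's behaviour.

```shell
# Added example, not from the article: evaluate SSLProtocol lines, flag legacy protocols.
# Assumption: "all" expands to this list; the real set depends on the OpenSSL build.
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_protocols TOKEN... prints the protocols left enabled.
# Tokens apply left to right: +X adds, -X removes, a bare X replaces the set.
effective_protocols() (
  enabled=""
  for tok in "$@"; do
    case "$tok" in
      +*) sign=+ name=${tok#+} ;;
      -*) sign=- name=${tok#-} ;;
      *)  sign="" name=$tok ;;
    esac
    case "$name" in
      all) group=$ALL_PROTOS ;;
      SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) group=$name ;;
      *) echo "Illegal protocol '$name'" >&2; exit 2 ;;
    esac
    new=""
    for p in $ALL_PROTOS; do
      case " $enabled " in *" $p "*) on=1 ;; *) on=0 ;; esac
      case " $group " in *" $p "*) hit=1 ;; *) hit=0 ;; esac
      case "$sign$hit" in +1) on=1 ;; -1) on=0 ;; 0|1) on=$hit ;; esac
      if [ "$on" = 1 ]; then new="$new $p"; fi
    done
    enabled=${new# }
  done
  printf '%s\n' "$enabled"
)

# audit_config reads an Apache config on stdin and prints "LINE VERDICT PROTOCOLS"
# per SSLProtocol directive; LEGACY means something older than TLSv1.2 is enabled.
audit_config() (
  grep -n -i -E '^[[:space:]]*SSLProtocol[[:space:]]' |
  while IFS=: read -r lineno rest; do
    set -- $rest; shift   # drop the directive name, keep its tokens
    eff=$(effective_protocols "$@") || { echo "$lineno ERROR"; continue; }
    verdict=OK
    for p in $eff; do
      case "$p" in SSLv3|TLSv1|TLSv1.1) verdict=LEGACY ;; esac
    done
    echo "$lineno $verdict $eff"
  done
)
# Constructed sample input (not a real server's configuration).
sample_config() { printf '%s\n' '<VirtualHost *:443>' '    SSLProtocol -all +TLSv1.2 +TLSv1.3' \
  '</VirtualHost>' '<VirtualHost *:8443>' '    SSLProtocol all -SSLv3' '</VirtualHost>'; }
sample_config | audit_config
```

Run `audit_config < FILE` against each SSL virtual host file before restarting Apache. It does not follow `Include` directives or model inheritance between server and virtual host scope.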


    17 Comments

    1. lokesh on May 17, 2021 8:09 am

      Hi RAHUL K,

      I want to enable TLS1.2 or TLS1.3 on CentOS, CentOS Linux release 7.9.2009 (Core).

      I am looking for the command; not aware much of Linux.

      Thanks

      Lokesh

      Reply
    2. prasad on April 27, 2021 11:40 am

      Hi,

      How to enable SSL/TLS ciphers protocols on a web server? Please suggest.

      Thanks
      prasad

      Reply
    3. Lakshmi on August 27, 2020 1:16 pm

      Tried to enable TLS 1.2 in /conf/extra/httpd-ssl.conf in Apache 2.4.10 with the combinations below.

      SSLProtocol -all +TLSv1.2

      After restarting httpd service, getting error ‘illegal Protocol TLSv1.2’ as below.
      AH00526: Syntax error on line 260 of /opt/NSAx/apache2.4-npservers/conf/extra/httpd-ssl.conf:
      SSLProtocol: Illegal protocol ‘TLSv1.2’

      Then updated SSLProtocol in http-ssl.conf file.
      SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

      After restarting httpd service, getting error ‘illegal Protocol TLSv1.1’ as below.
      AH00526: Syntax error on line 260 of /opt/NSAx/apache2.4-npservers/conf/extra/httpd-ssl.conf:
      SSLProtocol: Illegal protocol ‘TLSv1.1’

      Set this SSLHonorCipherOrder in the httpd-ssl.conf file both on / off. Still the same error.
      SSLHonorCipherOrder off

      Also tried a different set of SSLCipherSuite from https://ssl-config.mozilla.org/#server=apache&version=2.4.10&config=intermediate&openssl=1.0.2k-fips&guideline=5.6

      Ran the command ‘nmap --script ssl-enum-ciphers -p 443 hostname’ on Linux and it returned SSLv3, TLSv1.0 enabled.

      Hope the mentioned versions of OpenSSL, Apache & Linux OS will support TLS 1.2.
      Please help me: why does this configuration cause the ‘illegal protocol’ error and how can I enable TLS 1.2 only with this setup?

      Really appreciate any help.

      Reply
    4. leonard on August 9, 2020 2:20 pm

      Sorry here is the error I got, note that I’m using Windows server 2012

      E:\Programs\ApacheEV02_SSL\bin>httpd -t
      Warning: DocumentRoot [E:/home/www-data] does not exist
      Syntax error on line 29 of E:/Programs/ApacheEV02_SSL/conf/extra/httpd-ssl.conf:
      SSLProtocol: Illegal protocol ‘TLSv1.2’

      Reply
    5. leonard on August 9, 2020 2:15 pm

      Hi,

      I’m trying to install Apache 2.2.25, using TLS 1.2 but I got an error below. I added this configuration on httpd-ssl.conf

      SSLProtocol -all +TLSv1.2 +TLSv1.3

      Reply
    6. Kyle on July 8, 2020 3:13 pm

      Will the handshake work if the SSLProtocol line is set to just:
      SSLProtocol -all +TLSv1.3

      I can’t get it to work like that.
      I can get it to work if it is set like this: (SSLProtocol -all +TLSv1.2 +TLSv1.3)

      Reply
    7. Anu on May 13, 2020 6:27 am

      How to enable TLS 1.3 on CentOS 7 Apache/2.4.6?

      Reply
      • Rahul on May 13, 2020 11:19 am

        Apache 2.4.6 doesn’t support TLS 1.3.

        Reply
    8. noName on April 26, 2020 7:04 pm

      “First, edit the VirtualHost section for your domain in the Apache SSL configuration file”

      and where is that file?

      “first get inside the car” but I won’t tell you where is the key

      Reply
      • Rahul on April 27, 2020 6:41 am

      Thanks, unknown reader. Added some tips in the tutorial to find the SSL virtual host file.

        Reply
      • Anon on November 27, 2020 10:58 am

        If you can’t find the key, then maybe you shouldn’t be driving

        Reply
    9. Mohammad on January 16, 2020 12:37 pm

      1.1 version

      Reply
    10. Anil on July 6, 2018 11:28 am

      Does Java 1.8 support TLS1.2? I have a Tomcat 8.5 server with jdk8u144. I just wanted to check whether TLS1.2 is enabled or not. Can you please help me out…

      Reply
    11. Musfr on June 26, 2018 2:07 pm

      Hi,

      What should be the cipher suite corresponding to TLS1.2? I allowed only TLS 1.2 as you said, but I am getting an ssh handshaking exception on SOAPUI saying the server still supports TLSv1, which is not enabled in the SoapUI app. Please help.

      Reply
    12. David on June 19, 2018 10:27 am

      I set an SSL certificate on my website, but in old browsers the site does not show and shows an error (your connection is not private). My website is https://www10020.travel but my friend's website (https://ghasedak24.com) shows without error. Please help me.

      Reply
    13. pratap on April 25, 2018 10:18 am

      Apache version requirement for TLS 1.2

      Reply
      • Rahul K. on April 25, 2018 11:51 am

        To use TLS 1.2 you must have Apache 2.2.23 or higher and OpenSSL 1.0.1 or higher

        Reply
