I am looking to disable TLS 1.0 on a Linux box running RHEL 6.7.
TLS 1.0 is end of life on June 30, 2018. To disable TLS 1.0 on Apache webserver installations, edit the “SSLProtocol” directive in your ssl.conf (typically /etc/httpd/conf.d/ssl.conf), where the protocols are listed, and remove TLSv1. After updating the SSLProtocol directive and restarting httpd, TLS 1.0 will be disabled.
Here are the steps to disable TLS 1.0 on an Apache server. The default configuration in /etc/httpd/conf.d/ssl.conf looks like this:

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # List the protocol versions which clients are allowed to connect with.
    # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
    # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
    # protocol or later should remain in use.
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3

You will see a directive for “SSLProtocol”, which has all protocols listed except for SSLv3. This means that TLS 1.0, 1.1 and 1.2 are enabled.

    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3

Edit it and change it to:

    SSLProtocol TLSv1.1 TLSv1.2

Or, if you just need TLS 1.2, edit and change it to:

    SSLProtocol TLSv1.2

Then restart the httpd server. You are done!

You can also confirm this with nmap or the sslscan utility to make sure TLS 1.0 is disabled. [ https://www.cloudibee.com/ssl-cert-tools/ ]

Before disabling:

You can see that the host serves TLS 1.0, TLS 1.1 and TLS 1.2. You can use the nmap --script ssl-enum-ciphers command to scan the port and verify.

    [root@fedora-dev conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
    |   TLSv1.0:
    |   TLSv1.1:
    |   TLSv1.2:
    [root@fedora-dev conf.d]#

After disabling:

You can see that the TLS 1.0 cipher suites are no longer served by the host.

    [root@fedora-dev conf.d]# grep SSLProtocol ssl.conf
    SSLProtocol TLSv1.2
    [root@fedora-dev conf.d]# /bin/systemctl restart httpd.service
    [root@fedora-dev conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
    |   TLSv1.2:
    [root@fedora-dev conf.d]#
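The SSLProtocol edit is easy to get wrong (`all -SSLv3`, the RHEL default, still admits TLSv1), so here is an added audit script that evaluates the directive offline before you restart httpd; it is not part of the original answer. It assumes the mod_ssl `all` set of RHEL 6/7 httpd (SSLv3, TLSv1, TLSv1.1, TLSv1.2; no TLSv1.3 there), and the two sample config lines at the end are constructed.

```shell
#!/bin/sh
# Audit Apache SSLProtocol / SSLProxyProtocol values and report whether TLS 1.0
# would still be accepted, using mod_ssl's own semantics for the directive:
#   "all" = every protocol the build supports; "-X" removes X; "+X"/"X" adds X.
# Assumption: the "all" set of mod_ssl on RHEL 6/7 httpd (no TLSv1.3 there).
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# in_set "<space-delimited set>" "<name>" -> true when name is present
in_set() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# effective_protocols "<directive value>" -> prints the enabled set, in order
effective_protocols() {
    ep_set=""
    for ep_tok in $1; do
        case "$ep_tok" in
            all|+all) ep_set="$ALL_PROTOS" ;;
            -all)     ep_set="" ;;
            -*)       ep_name=${ep_tok#-}; ep_new=""
                      for ep_p in $ep_set; do
                          [ "$ep_p" = "$ep_name" ] || ep_new="$ep_new $ep_p"
                      done
                      ep_set=$ep_new ;;
            *)        ep_name=${ep_tok#+}
                      in_set "$ep_set" "$ep_name" || ep_set="$ep_set $ep_name" ;;
        esac
    done
    ep_out=""
    for ep_p in $ALL_PROTOS; do
        if in_set "$ep_set" "$ep_p"; then ep_out="$ep_out $ep_p"; fi
    done
    printf '%s\n' "${ep_out# }"
}

# tls10_enabled "<directive value>" -> true when TLSv1 (1.0) is still accepted
tls10_enabled() { in_set "$(effective_protocols "$1")" TLSv1; }

# audit_conf <ssl.conf> -> one WEAK/OK verdict line per (Proxy)Protocol directive
audit_conf() {
    grep -iE '^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]' "$1" |
    while read -r ac_directive ac_value; do
        if tls10_enabled "$ac_value"; then ac_verdict=WEAK; else ac_verdict=OK; fi
        printf '%-4s %s %s -> %s\n' "$ac_verdict" "$ac_directive" "$ac_value" \
            "$(effective_protocols "$ac_value")"
    done
}

# Constructed sample: the RHEL default line next to a hardened one
ac_sample=$(mktemp)
printf '%s\n' 'SSLProtocol all -SSLv3' 'SSLProxyProtocol TLSv1.2' > "$ac_sample"
audit_conf "$ac_sample"; rm -f "$ac_sample"
```

Run it as `audit_conf /etc/httpd/conf.d/ssl.conf` on the real file; any WEAK line means TLS 1.0 is still negotiable on that listener after restart.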
OpenSSL. I am trying to dig more into the server to find more
That version of Red Hat has an openssl that can do more than TLS 1.0, namely TLS 1.2. I have yet to see something that implements TLS 1.1 and not 1.2. The best practice is to only leave TLS 1.2 enabled.
Once you sort out what on your system is going to use openssl, namely anything providing a secure connection, most likely a web server. If you don't have apache, then I'd be looking for nginx. In any case, the output of this command should reveal who is listening on port 80:

    $ netstat -ani | grep :443

to find the https port and process id. Then ps <pid> to identify the command being run. Httpd is the apache server. nginx is another likely answer.

    [root@test2-centos7 ~]# netstat -anp | grep :443
    tcp6       0      0 :::443                  :::*                    LISTEN      1363/httpd
    [root@test2-centos7 ~]# ps 1363
      PID TTY      STAT   TIME COMMAND
     1363 ?        Ss     0:45 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
My go to resource for proper configuration on Linux: https://wiki.mozilla.org/Security/Server_Side_TLS