
Hi All, 

I am looking to disable TLS 1.0 on a Linux box running RHEL 6.7.


6 Replies

timmyspiller (Anaheim)

TLS 1.0 is end of life on June 30, 2018. To disable TLS 1.0 on Apache webserver installations, edit the “SSLProtocol” directive in your ssl.conf (typically /etc/httpd/conf.d/ssl.conf), where the allowed protocols are listed, and remove TLSv1. After updating the SSLProtocol directive and restarting httpd, TLS 1.0 will be disabled.

Here are the steps to disable TLS 1.0 on an Apache server. The default configuration in /etc/httpd/conf.d/ssl.conf looks like this:

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

You will see a directive for “SSLProtocol”, which has all protocols listed except for SSLv3. This means that TLS 1.0, 1.1 and 1.2 are enabled.

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

Edit it and change to:

SSLProtocol TLSv1.1 TLSv1.2

or if you just need TLS 1.2, edit and change it to

SSLProtocol TLSv1.2

And restart the httpd server. You are done!

You can also confirm this with nmap or the sslscan utility to make sure TLS 1.0 is disabled. [ https://www.cloudibee.com/ssl-cert-tools/ ]

Before disabling:

You can see that the host serves TLS 1.0, TLS 1.1 and TLS 1.2. You can use the nmap --script ssl-enum-ciphers command to scan the port and verify.

[root@fedora-dev conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
[root@fedora-dev conf.d]#

After disabling:

You can see that TLS 1.0 cipher is no longer served by the host.

[root@fedora-dev conf.d]# grep SSLProtocol ssl.conf
SSLProtocol TLSv1.2
[root@fedora-dev conf.d]# /bin/systemctl restart httpd.service
[root@fedora-dev conf.d]# nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv
|   TLSv1.2:
[root@fedora-dev conf.d]#
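As an added example (not code from the reply above or from Apache), here is a small shell audit that reads an ssl.conf and reports which active SSLProtocol / SSLProxyProtocol lines would still let a client negotiate TLS 1.0, following mod_ssl's "all" / "+X" / "-X" syntax so that "all -SSLv3" is correctly flagged while "TLSv1.2" is not. The sample config and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit Apache mod_ssl SSLProtocol values for TLS 1.0 exposure
# before restarting httpd. The sample config below is constructed; the version
# list mirrors mod_ssl's "all" / "+X" / "-X" syntax (TLS 1.0 is named "TLSv1").

# Print the protocol versions a given SSLProtocol value leaves enabled.
# "all" selects every version, "-X" removes one, "+X" or a bare name adds one.
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            [aA][lL][lL]) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -*) keep=""
                for p in $enabled; do [ "$p" = "${tok#-}" ] || keep="$keep $p"; done
                enabled=$keep ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    echo $enabled   # unquoted on purpose: collapses the extra spaces
}

# Exit 0 when TLS 1.0 (mod_ssl name "TLSv1") is still negotiable.
tls10_allowed() {
    case " $(effective_protocols "$1") " in
        *" TLSv1 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report every active (uncommented) SSLProtocol / SSLProxyProtocol line in a
# config file and print how many of them still allow TLS 1.0.
audit_ssl_conf() {
    bad=0; matches=$(mktemp)
    grep -E '^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]' "$1" > "$matches" || true
    while read -r line; do
        value=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]+//')
        if tls10_allowed "$value"; then
            bad=$((bad + 1)); echo "ALLOWS TLS 1.0 : $line"
        else
            echo "ok             : $line"
        fi
    done < "$matches"
    rm -f "$matches"
    echo "lines still allowing TLS 1.0: $bad"
}

# Constructed stand-in for /etc/httpd/conf.d/ssl.conf (the commented line is ignored).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
SSLEngine on
#SSLProtocol TLSv1.2
SSLProtocol all -SSLv3
SSLProxyProtocol TLSv1.1 TLSv1.2
EOF
audit_ssl_conf "$sample_conf"
```

Point it at the real file with audit_ssl_conf /etc/httpd/conf.d/ssl.conf; a count of 0 is the state to reach before the nmap check above, and remember that virtual hosts may carry their own SSLProtocol lines in other files.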
joelarkin3 (Pimiento)

If httpd is not used where else would it be located?

Bryan Doe (Mace)

What's in use then?

joelarkin3 (Pimiento)

OpenSSL. I am trying to dig more into the server to find more.

Jim Peters (Thai Pepper)

That version of Red Hat has an openssl that can do more than TLS 1.0, namely TLS 1.2. I have yet to see something that implements TLS 1.1 and not 1.2. The best practice is to only leave TLS 1.2 enabled.

Once you sort out what on your system is going to use openssl (namely anything providing a secure connection, most likely a web server): if you don't have apache, then I'd be looking for nginx. In any case, the output of this command should reveal who is listening on port 80:

$ netstat -ani | grep :443 to find the https port and process id. Then ps <pid> to identify the command being run. Httpd is the apache server. nginx is another likely answer.

[root@test2-centos7 ~]# netstat -anp | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      1363/httpd
[root@test2-centos7 ~]# ps 1363
  PID TTY      STAT   TIME COMMAND
 1363 ?        Ss     0:45 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND

My go to resource for proper configuration on Linux:  https://wiki.mozilla.org/Security/Server_Side_TLS

joelarkin3 (Pimiento)

Awesome, thanks guys. I was able to figure it out. It was a change that needed to be done via jruyi.
