How can I disable TLS 1.0 and 1.1 in apache?

Solution 1:

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI), it is allowed syntax to have an SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts, in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS.

So check your main httpd.conf (and all included snippets from for instance conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

Your syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

by simply using:

 SSLProtocol TLSv1.2

Solution 2:

that you have specified is enough; it shouldn't show any other protocols. Remember SSLLABS caches recent tests. Although, knowing that there are no other protocols, defining it like you did is kind of convoluted on purpose.

In any case you can use that or simply:

SSLProtocol TLSv1.2

Solution 3:

Disable TLS1.0 version in Apache.

If you have multiple virtual hosts then you have to update all configuration files; otherwise, ssl.conf is enough.

To check the supported TLS versions:

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Modify the Apache configuration file (vi /etc/httpd/conf.d/web.conf), remove all TLS versions and allow only TLS1.2.

SSLProtocol TLSv1.2

Validate after the modification.

# grep SSLProtocol /etc/httpd/conf.d/web.conf
SSLProtocol TLSv1.2

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.2:
# service httpd restart
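
To put the two checks together (every SSLProtocol occurrence across the include tree, as Solution 1 says to look for, and validating what the directive actually leaves enabled, as Solution 3 does), here is an added shell example that is not part of any of the answers above. It assumes mod_ssl's parsing rules as I understand them: a bare name replaces the set, +/- adjust it, and all expands to SSLv3 through TLSv1.2 (TLSv1.3 too on httpd 2.4.37+ with OpenSSL 1.1.1); the config tree it scans is constructed for the demo.

```bash
# Added example: audit every SSLProtocol directive in an Apache config tree.
# Assumed parsing rules (modelled on mod_ssl): a bare name replaces the set,
# "+name" adds, "-name" removes, and "all" is SSLv3 TLSv1 TLSv1.1 TLSv1.2
# (plus TLSv1.3 on httpd 2.4.37+ built against OpenSSL 1.1.1).

# Print the protocol versions a directive value leaves enabled, oldest first.
effective_protocols() {
    printf '%s\n' "$1" | awk '
    function setall(v,   i, n) { n = split(NAMES, a, " "); for (i = 1; i <= n; i++) on[tolower(a[i])] = v }
    BEGIN { NAMES = "SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" }
    {
        setall(0)
        for (i = 1; i <= NF; i++) {
            tok = $i; act = substr(tok, 1, 1)
            if (act == "+" || act == "-") tok = substr(tok, 2); else act = "="
            tok = tolower(tok)
            if (act == "=") setall(0)          # a bare name starts a fresh set
            v = (act == "-") ? 0 : 1
            if (tok == "all") setall(v); else on[tok] = v
        }
        n = split(NAMES, a, " "); out = ""
        for (i = 1; i <= n; i++) if (on[tolower(a[i])]) out = out (out == "" ? "" : " ") a[i]
        print out
    }'
}

# List every SSLProtocol directive under a directory (httpd.conf plus included
# snippets); WEAK marks any that still allow SSLv3, TLSv1 or TLSv1.1.
# Output format: "<status> <file>:<line> [<enabled protocols>]".
audit_sslprotocol() {
    grep -rHni '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | while IFS= read -r hit; do
        loc=$(printf '%s\n' "$hit" | cut -d: -f1,2)
        val=$(printf '%s\n' "$hit" | cut -d: -f3- | awk '{ $1 = ""; sub(/^ /, ""); print }')
        eff=$(effective_protocols "$val")
        case " $eff " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) status=WEAK ;;
            *) status=ok ;;
        esac
        printf '%s %s [%s]\n' "$status" "$loc" "$eff"
    done
}

# Demo on a constructed config tree (not a real server): ssl.conf is the
# first occurrence and still allows TLSv1/TLSv1.1, whatever the vhost says.
demo=$(mktemp -d)
mkdir -p "$demo/conf.d"
printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$demo/ssl.conf"
printf '<VirtualHost *:443>\n    SSLProtocol TLSv1.2\n</VirtualHost>\n' > "$demo/conf.d/web.conf"
audit_sslprotocol "$demo"
rm -rf "$demo"
```

Run it against /etc/httpd (or /etc/apache2) and any line marked WEAK that comes before your vhost is the one still serving the old protocols.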

Solution 4:

I was struggling with this issue as well, modifying configs with the SSLProtocol directive wasn't working. I ended up adding the following to my virtual host configuration:

SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"

Which worked perfectly. You can read more about the SSLOpenSSLConfCmd directive here.