Turn off TLS1.0 on Apache for PCI compliance
PCI DSS compliance stated that by June 2016 TLSv1.0 must be disabled. My cursory search taught me that a -TLSv1 in the SSLProtocol portion of the Apache config would take care of it (right next to the -SSLv3). I have tried each of the following lines in my /etc/apache2/conf_available/https.conf, but to no avail. I cannot figure out why changing these protocols makes no difference on my server (Apache/2.4.25 on Ubuntu 16.04):

SSLProtocol -all -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.1 +TLSv1.2
SSLProtocol -TLSv1 +TLSv1.1 +TLSv1.2

Every time I test with https://www.ssllabs.com/ssltest/index.html, I get the same result: TLSv1 is never turned off. What am I missing here? Are the TLS versions dependent on each other?

Promising links that did not work for me:
http://utdream.org/post.cfm/how-to-disable-tlsv1-0-for-pci-compliance-in-apache-2-2
https://ubuntuforums.org/showthread.php?t=2288000

ssl apache-2.4 ubuntu-16.04 pci-dss
Do you have another dir called /etc/apache2/conf_enabled/? – Aaron Jun 22 '17 at 21:37
Yes, there is a symlink for httpd.conf in /etc/apache2/conf-enabled – wruckie Jun 22 '17 at 21:40
You probably then also need a symlink for https.conf in conf-enabled. – Aaron Jun 22 '17 at 21:43
It is already there – wruckie Jun 22 '17 at 21:44
Do you have the default ssl.conf also enabled, which has SSLProtocol all in it, and which would follow and likely override your https.conf? – Colt Jun 23 '17 at 1:07
asked Jun 22 '17 at 21:36 by wruckie
1 Answer
That just means the file you are configuring is not being loaded. Try defining SSLProtocol TLSv1.2 in the main config file "apache2.conf" or however it is called.

When you use one of these "multifile" configuration schemes from a distro you need to have great control of what's happening behind the scenes. And Apache could not care less about files, it just cares about "context". So, define the above in server config context, and use "mod_info" if you need to be sure the directive is being loaded correctly.
answered Jun 23 '17 at 9:32 by ezra-s
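The answer's point about context, and Colt's comment about an enabled default ssl.conf, describe the same failure mode: an SSLProtocol inside a later VirtualHost block overrides the server-level directive for that vhost, so the question's https.conf can be loaded and still have no effect on port 443. The following script is an added example, not code from this thread or from Apache; it walks a config tree the way httpd reads it (Include/IncludeOptional in order, globs sorted, VirtualHost blocks tracked) and reports the effective SSLProtocol per context. It assumes the ServerRoot is passed in, handles only those directives, and builds a constructed config tree in demo() that mirrors the question.

```python
import glob
import re
import tempfile
from pathlib import Path

LINE = re.compile(r"^\s*(IncludeOptional|Include|SSLProtocol)\s+(.+?)\s*$", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+(.+?)\s*>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)

def walk(path, server_root, context="server", found=None):
    """Read a config file in httpd order, following Include/IncludeOptional depth-first
    (globs expanded, sorted); returns [(file, line_no, context, value)] per SSLProtocol."""
    found = [] if found is None else found
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].rstrip()  # drop comments
            if VHOST_OPEN.match(line):
                context = "VirtualHost " + VHOST_OPEN.match(line).group(1)
            elif VHOST_CLOSE.match(line):
                context = "server"
            elif LINE.match(line):
                name, arg = LINE.match(line).groups()
                if name.lower() == "sslprotocol":
                    found.append((str(path), no, context, arg))
                else:  # Include/IncludeOptional: relative paths resolve against ServerRoot
                    pattern = arg if Path(arg).is_absolute() else str(Path(server_root, arg))
                    for inc in sorted(p for p in glob.glob(pattern) if Path(p).is_file()):
                        walk(inc, server_root, context, found)
    return found

def effective(found):
    """Last SSLProtocol per context wins; a VirtualHost value overrides the server default."""
    return {context: value for _, _, context, value in found}

def demo():
    """Constructed tree mirroring the question: conf-enabled/https.conf restricts protocols,
    sites-enabled/default-ssl.conf re-enables them all inside the :443 VirtualHost."""
    root = tempfile.mkdtemp()
    tree = {
        "apache2.conf": "IncludeOptional conf-enabled/*.conf\nIncludeOptional sites-enabled/*.conf\n",
        "conf-enabled/https.conf": "SSLProtocol -all +TLSv1.1 +TLSv1.2\n",
        "sites-enabled/default-ssl.conf": "<VirtualHost _default_:443>\n  SSLProtocol all\n</VirtualHost>\n",
    }
    for rel, body in tree.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return effective(walk(Path(root, "apache2.conf"), root))
```

On a real Ubuntu box, call walk("/etc/apache2/apache2.conf", "/etc/apache2") and compare the per-context result with what mod_info (as the answer suggests) or apachectl -S reports; a "VirtualHost ...:443" entry that still says "all" is the directive that needs changing.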