History
- SSL 1.0 (never launched)
- SSL 2.0 1995 obsolete
- SSL 3.0 1996 obsolete
- TLS 1.0 1999 obsolete
- TLS 1.1 2006 obsolete
- TLS 1.2 2008
- TLS 1.3 2018
From 30 June 2018, PCI DSS no longer allows SSL or "early TLS" (TLS 1.0) to be used to protect cardholder data, so site owners in scope should stop accepting TLS 1.0.
SSL 2.0/3.0 and TLS 1.0/1.1 are obsolete and do not provide adequate protection for data in transit.
In particular, SSL 3.0 is broken by POODLE, TLS 1.0 is exposed to BEAST when CBC cipher suites are used, and both TLS 1.0 and TLS 1.1 rely on MD5/SHA-1 in their PRF and have been formally deprecated (RFC 8996).
These protocol versions must be disabled in environments that require a high level of security.
How-to: Apache
Almost all modern browsers support TLS 1.2.
Below, we will consider how to disable versions of TLS 1.0/1.1 and SSL 2.0/3.0 in Apache.
- Edit ssl.conf (on Debian/Ubuntu usually /etc/apache2/mods-available/ssl.conf; on RHEL-family systems /etc/httpd/conf.d/ssl.conf):
sudo nano /etc/apache2/mods-available/ssl.conf
- Look for the SSL Protocol Support section:
SSLProtocol all
- Change to
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
- Locate:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
- Change to
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
- Uncomment (or add):
SSLHonorCipherOrder on
- Save and restart Apache:
sudo service apache2 restart
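After the restart (and likewise after the nginx reload in the next section), verify the change from the outside instead of trusting the config file: force one protocol version per handshake and see which ones the server actually negotiates. The script below is an added example, not code from the original paste. It drives the real openssl s_client binary (OpenSSL 1.1.1 or 3.x assumed on PATH) with the -ssl3/-tls1/-tls1_1/-tls1_2/-tls1_3 flags and -servername for SNI; the target host and port are whatever you pass on the command line, and the three sample s_client outputs embedded in it are constructed for illustration, trimmed to the lines that matter.

```python
"""Probe which SSL/TLS versions a live server negotiates, by driving openssl s_client.

Added example, not part of the original paste. Assumes the openssl(1) command-line
tool (1.1.1 or 3.x) is on PATH; the sample outputs below are constructed.
"""
import re
import subprocess
import sys

# s_client flags that force exactly one protocol version. -ssl3 only exists when
# OpenSSL was built with SSLv3 support, which most distributions no longer do.
VERSION_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}
OBSOLETE = ("SSLv3", "TLSv1", "TLSv1.1")

# s_client prints this summary after every attempt; on failure the cipher is "(NONE)".
# Do not key on the "Protocol  :" line under SSL-Session: it echoes the version we
# asked for even when the server refused it.
SUMMARY_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>.+)$", re.MULTILINE)


def classify(output):
    """Interpret the combined stdout+stderr of one s_client run.

    'accepted'   the server negotiated the requested version
    'refused'    the server rejected it (typically a protocol_version alert)
    'untestable' our own OpenSSL would not even offer it (compiled out, or the
                 MinProtocol/seclevel in openssl.cnf forbids it), so the result
                 says nothing about the server
    """
    lowered = output.lower()
    if "no protocols available" in lowered or "unknown option" in lowered:
        return "untestable"
    match = SUMMARY_RE.search(output)
    if match and match.group("cipher").strip() != "(NONE)":
        return "accepted"
    return "refused"


def probe(host, port, version, timeout=10.0):
    """Run one forced-version handshake against host:port and classify it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, VERSION_FLAGS[version]]
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout, check=False)
    except FileNotFoundError:
        return "untestable"          # no openssl binary on this machine
    except subprocess.TimeoutExpired:
        return "refused"             # server dropped the ClientHello without an alert
    return classify(proc.stdout.decode("utf-8", "replace"))


def assess(results):
    """Turn {version: verdict} into findings; an empty list means the server passes."""
    findings = [f"FAIL: server still accepts {v}" for v in OBSOLETE if results.get(v) == "accepted"]
    if results.get("TLSv1.2") != "accepted" and results.get("TLSv1.3") != "accepted":
        findings.append("FAIL: neither TLSv1.2 nor TLSv1.3 negotiated")
    findings += [f"WARN: {v} could not be tested from this client"
                 for v, verdict in results.items() if verdict == "untestable"]
    return findings


# Constructed samples in the shape of OpenSSL 3.x output, trimmed to the relevant lines.
SAMPLE_ACCEPTED = """CONNECTED(00000003)
---
SSL handshake has read 4312 bytes and written 389 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_REFUSED = """CONNECTED(00000003)
40F7A0A1C27F0000:error:0A00042E:SSL routines::tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""
SAMPLE_UNTESTABLE = """CONNECTED(00000003)
40F7A0A1C27F0000:error:0A0000BF:SSL routines::no protocols available:ssl/statem/statem_lib.c:104:
---
New, (NONE), Cipher is (NONE)
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {v: probe(host, port, v) for v in VERSION_FLAGS}
    for v, verdict in results.items():
        print(f"{v:8} {verdict}")
    print("\n".join(assess(results)) or "PASS: only TLSv1.2/TLSv1.3 accepted")
```

Run it as `python3 probe_tls.py www.example.org 443` (hypothetical host) once before and once after the change; a passing server refuses SSLv3, TLSv1 and TLSv1.1 and accepts TLSv1.2 and/or TLSv1.3. On distributions whose system openssl.cnf already sets MinProtocol = TLSv1.2 (recent Debian and Ubuntu do), the old-version probes come back "untestable" rather than "refused", because the client never sent the ClientHello; run those from another host or with OPENSSL_CONF pointed at a config file without that restriction. "untestable" is deliberately not counted as a pass.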
How-to: Nginx
- Edit the NGINX configuration (the Debian/Ubuntu default site is shown):
sudo nano /etc/nginx/sites-available/default
- In the HTTPS server block, set:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp384r1;
The cipher list originally also named ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512; no such cipher suites exist (the AES-GCM suites end in SHA256 and SHA384), and OpenSSL silently drops unknown names from a cipher string, so they were dead entries and have been removed. ssl_ciphers only governs TLS 1.2 and earlier; the TLS 1.3 suites are fixed by the OpenSSL build. Note that pinning ssl_ecdh_curve to secp384r1 alone also disables X25519 and P-256 for key exchange, which are the curves most clients prefer; keep it only if that is intended.
I tested my NGINX config, loaded it and restarted NGINX:
nginx -t                     # check the configuration syntax before touching the running server
nginx -s reload              # tell the running master process to reload the configuration
/etc/init.d/nginx restart    # alternatively, through the init script: full restart
/etc/init.d/nginx reload     # or reload
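Both the Apache SSLProtocol line above and nginx's ssl_protocols are easy to misread. Apache evaluates its tokens left to right ("all" or "+name" enables, "-name" disables), so the common half-fix "SSLProtocol all -SSLv3" still leaves TLS 1.0 and 1.1 on, and two bare names without a +/- prefix replace each other rather than add up, which mod_ssl only reports as a warning in the error log. nginx, by contrast, treats ssl_protocols as a plain allow-list. The checker below is an added example, not code from the original paste; its parsing rules follow my reading of mod_ssl (httpd 2.4) and ngx_http_ssl_module, and the set of versions a build can offer is an assumption declared in DEFAULT_SUPPORTED.

```python
"""Evaluate Apache SSLProtocol and nginx ssl_protocols directives statically.

Added example, not part of the original paste. The parsing rules are modelled on
mod_ssl (httpd 2.4) and ngx_http_ssl_module; the list of versions a build can
offer is an assumption declared in DEFAULT_SUPPORTED.
"""

VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: Apache 2.4 on OpenSSL 1.1.1+. SSLv2 is gone entirely (mod_ssl ignores
# "-SSLv2" and rejects "+SSLv2"); SSLv3 is kept here so the deny list can be seen
# removing it, although most distribution builds compile it out as well.
DEFAULT_SUPPORTED = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

_CANON = {v.lower(): v for v in VERSION_ORDER}   # both servers match names case-insensitively


def apache_effective(directive, supported=DEFAULT_SUPPORTED):
    """Return (enabled set, warnings) for one SSLProtocol line.

    mod_ssl walks the tokens left to right: "all" or "+name" adds, "-name" removes,
    and a bare name REPLACES whatever was set so far (logging a warning), which is
    why "SSLProtocol TLSv1.2 TLSv1.3" leaves only TLSv1.3 enabled.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    enabled, warnings = set(), []
    for word in words:
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        if name.lower() == "all":
            this = set(supported)
        else:
            canon = _CANON.get(name.lower())
            if canon is None:
                raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
            if canon not in supported:
                if action == "-":
                    continue          # removing an unsupported version is harmless
                raise ValueError(f"{canon} not supported by this build")
            this = {canon}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            if enabled:
                warnings.append(f"Protocol '{name}' overrides already set parameter(s). "
                                "Check if a +/- prefix is missing.")
            enabled = this
    return enabled, warnings


def nginx_effective(directive):
    """nginx's ssl_protocols is a plain allow-list: only the named versions are on."""
    words = directive.strip().rstrip(";").split()
    if words and words[0].lower() == "ssl_protocols":
        words = words[1:]
    enabled = set()
    for word in words:
        canon = _CANON.get(word.lower())
        if canon is None:
            raise ValueError(f'invalid value "{word}" in "ssl_protocols" directive')
        enabled.add(canon)
    return enabled


def audit(enabled):
    """List the problems with an effective protocol set; an empty list is a pass."""
    findings = [f"obsolete {v} still enabled" for v in VERSION_ORDER
                if v in enabled and v in OBSOLETE]
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("neither TLSv1.2 nor TLSv1.3 is enabled")
    return findings


if __name__ == "__main__":
    apache_lines = [
        "SSLProtocol all",                                  # the stock line
        "SSLProtocol all -SSLv3",                           # the common half-fix
        "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",    # this page's fix
        "SSLProtocol -all +TLSv1.2 +TLSv1.3",               # equivalent allow-list form
        "SSLProtocol TLSv1.2 TLSv1.3",                      # missing-prefix gotcha
    ]
    for line in apache_lines:
        enabled, warnings = apache_effective(line)
        print(f"{line!r}\n  enabled: {sorted(enabled, key=VERSION_ORDER.index)}")
        for w in warnings + audit(enabled):
            print(f"  ! {w}")
    for line in ["ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"]:
        enabled = nginx_effective(line)
        print(f"{line!r}\n  enabled: {sorted(enabled, key=VERSION_ORDER.index)}")
        for w in audit(enabled):
            print(f"  ! {w}")
```

The allow-list form "SSLProtocol -all +TLSv1.2 +TLSv1.3" evaluates to the same set as the deny-list form used above but does not depend on what "all" happens to include in a given build, which is why it is the safer way to write the directive.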