Turn off TLS1.0 on Apache for PCI compliance



PCI DSS compliance stated that by June 2016 TLSv1.0 must be disabled. My cursory search taught me that a -TLSv1 in the SSLProtocol portion of the Apache config would care for it (right next to the -SSLv3). I have tried each of the following lines in my /etc/apache2/conf_available/https.conf, but to no avail. I cannot figure out why changing these protocols makes no difference on my server (Apache/2.4.25 on Ubuntu 16.04).




SSLProtocol -all -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2

SSLProtocol -all +TLSv1.2

SSLProtocol +TLSv1.1 +TLSv1.2

SSLProtocol -TLSv1 +TLSv1.1 +TLSv1.2




Every time I test with https://www.ssllabs.com/ssltest/index.html, I get the same result - TLSv1 is never turned off. What am I missing here? Are the TLS versions dependent on each other?



Promising Links that did not work for me
http://utdream.org/post.cfm/how-to-disable-tlsv1-0-for-pci-compliance-in-apache-2-2
https://ubuntuforums.org/showthread.php?t=2288000










ssl apache-2.4 ubuntu-16.04 pci-dss






asked Jun 22 '17 at 21:36









wruckie

  • Do you have another dir called /etc/apache2/conf_enabled/ ?
    – Aaron, Jun 22 '17 at 21:37

  • Yes, there is a symlink for httpd.conf in /etc/apache2/conf-enabled
    – wruckie, Jun 22 '17 at 21:40

  • You probably then also need a symlink for https.conf in conf-enabled.
    – Aaron, Jun 22 '17 at 21:43

  • It is already there
    – wruckie, Jun 22 '17 at 21:44

  • Do you have the default ssl.conf also enabled, which has SSLProtocol all in it, and which would follow and likely override your https.conf?
    – Colt, Jun 23 '17 at 1:07





























1 Answer














That just means the file you are configuring is not being loaded.



Try defining SSLProtocol TLSv1.2 in the main config file "apache2.conf" or however it is called.



When you use one of these "multifile" configuration schemes from a distro you need to have great control of what's happening behind the scenes. And Apache could not care less about files, it just cares about "context". So, define the above in server config context, use "mod_info" if you need to be sure the directive is being loaded correctly.






answered Jun 23 '17 at 9:32

ezra-s
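
Added example (not part of the original answer, and not Apache's own tooling): a shell function that walks the configuration from the root file through Include / IncludeOptional and prints every SSLProtocol line in load order with its context, which is the check the answer and Colt's comment both point at. The function names `list_sslprotocol` and `make_sample_tree` are hypothetical, and the sample tree is constructed, not the asker's server.

```shell
#!/bin/sh
# List every SSLProtocol directive reachable from an Apache root config,
# in load order, following Include / IncludeOptional (wildcards expanded
# in sorted order). Usage: list_sslprotocol ROOT_CONF SERVER_ROOT
# Limits: Include of a bare directory and line continuations are not handled.
list_sslprotocol() {
  local conf="$1" root="$2" ctx="${3:-server config}" n=0 key arg rest f
  [ -f "$conf" ] || return 0
  while read -r key arg rest || [ -n "$key" ]; do
    n=$((n + 1))
    arg=${arg#\"}; arg=${arg%\"}                  # drop optional quotes
    case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in  # directives are case-insensitive
      '<virtualhost')   ctx="vhost ${arg%>}" ;;
      '</virtualhost>') ctx="server config" ;;
      include|includeoptional)
        case $arg in /*) ;; *) arg="$root/$arg" ;; esac  # relative to ServerRoot
        for f in $arg; do                         # unquoted on purpose: expand globs
          if [ -f "$f" ]; then list_sslprotocol "$f" "$root" "$ctx"; fi
        done ;;
      sslprotocol)                                # commented-out lines never match
        printf '%s:%d: [%s] %s\n' "$conf" "$n" "$ctx" "$arg${rest:+ $rest}" ;;
    esac
  done < "$conf"
  return 0
}

# Constructed sample tree in a Debian-style layout; prints its directory.
make_sample_tree() {
  local d; d=$(mktemp -d)
  mkdir "$d/mods-enabled" "$d/conf-enabled" "$d/sites-enabled"
  printf 'IncludeOptional %s/*.conf\n' mods-enabled conf-enabled sites-enabled \
    > "$d/apache2.conf"
  printf '<IfModule mod_ssl.c>\n  SSLProtocol all -SSLv3\n</IfModule>\n' \
    > "$d/mods-enabled/ssl.conf"
  printf '# SSLProtocol all\nSSLProtocol -all +TLSv1.2\n' \
    > "$d/conf-enabled/https.conf"
  printf '<VirtualHost *:443>\n  SSLEngine on\n  sslprotocol all\n</VirtualHost>\n' \
    > "$d/sites-enabled/shop.conf"
  printf '%s\n' "$d"
}

# Against a real Ubuntu server:
#   list_sslprotocol /etc/apache2/apache2.conf /etc/apache2
```

In the constructed tree the restrictive line in https.conf is loaded, yet a virtual host further down still carries its own `SSLProtocol all`; a file that never appears in the output is not being included at all.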
