How can I disable TLS 1.0 and 1.1 in apache?

Better Stack Team
Updated on November 9, 2023

To disable TLS 1.0 and 1.1 in Apache, you need to modify the SSL/TLS configuration settings. This typically involves editing the Apache configuration file, such as ssl.conf or httpd.conf. Make sure you have root or superuser privileges to modify these files. Here's the general process:

  1. Open the Apache SSL configuration file:

    Using a text editor or a command-line editor like nano or vim, open the SSL/TLS configuration file. The location and name of this file may vary based on your system and Apache configuration. Common locations include /etc/httpd/conf.d/ssl.conf, /etc/apache2/sites-available/default-ssl.conf, etc.

  2. Locate the SSL/TLS configuration section:

    Look for the SSL/TLS configuration section, which includes directives related to the SSL protocol and ciphers.

  3. Disable TLS 1.0 and 1.1:

    Within the SSL/TLS configuration section, you'll typically find a line similar to this:

    SSLProtocol all -SSLv3

    Modify this line to explicitly exclude TLS 1.0 and 1.1, like this:

    SSLProtocol -SSLv3 -TLSv1 -TLSv1.1

    This configuration disables TLS 1.0 and 1.1 while allowing TLS 1.2 and higher.

  4. Save the changes and restart Apache:

    After making the necessary changes, save the configuration file and restart Apache to apply the new settings:

    sudo systemctl restart apache2   # For Ubuntu/Debian


    sudo systemctl restart httpd     # For CentOS/RHEL
  5. Verify the changes:

    Use an online SSL testing tool or a command-line utility like openssl to verify that TLS 1.0 and 1.1 are disabled:

    openssl s_client -connect -tls1

Replace with the domain hosted on the Apache server. This command attempts to connect using TLS 1.0. You should receive an error or a handshake failure if TLS 1.0 and 1.1 are disabled correctly.

Remember, before making changes to your SSL/TLS configuration, it's crucial to ensure that your users and clients support the newer TLS versions to avoid service disruptions. Additionally, always make a backup of the configuration file before making changes.

Make your mark

Join the writer's program

Are you a developer and love writing and sharing your knowledge with the world? Join our guest writing program and get paid for writing amazing technical guides. We'll get them to the right readers that will appreciate them.

Write for us
Writer of the month
Marin Bezhanov
Marin is a software engineer and architect with a broad range of experience working...
Build on top of Better Stack

Write a script, app or project on top of Better Stack and share it with the world. Make a public repository and share it with us at our email.

or submit a pull request and help us build better products for everyone.

See the full list of amazing projects on github