With the arrival of TLS 1.3, the most secure version of the protocol so far, it has become important to disable TLS 1.0 and other less secure protocols on your website. In other words, your website must not accept requests made over TLS 1.0, so that attackers and bots cannot exploit its weaknesses. In this article, we will look at how to disable TLS 1.0 in Apache server.
How to Disable TLS 1.0 in Apache
Here are the steps to disable TLS 1.0 in Apache.
1. Open Apache Configuration File
Open a terminal and run the following command to open the Apache configuration file.
$ sudo vi /etc/apache2/httpd.conf
Depending on your system and installation type, the path to your Apache configuration file may be any of the following.
2. Disable TLS 1.0
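Add the following SSLProtocol directive, or modify the existing one to match it. It enables every protocol version the server supports except SSL v3, TLS 1.0 and TLS 1.1, so TLS 1.2 stays enabled, along with TLS 1.3 where your Apache and OpenSSL versions support it.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1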
Save and close the file. This will disable TLS 1.0 and other less secure protocols like SSL v3 across all domains and websites hosted on this server.
If you want to disable TLS 1.0 or SSL v3 for a specific website and not for all domains, then open the virtual host configuration file for that domain in /etc/apache2/sites-available and make the changes mentioned in this step.
3. Restart Apache Server
Restart Apache server to apply changes.
$ sudo service apache2 restart
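To check which protocols the SSLProtocol lines from step 2 actually leave enabled, including per-virtual-host overrides, the following Python sketch evaluates each directive token by token, left to right. It is an added example, not part of the original article; the function names and the sample configuration are constructed, and it assumes that "all" covers SSL v3 through TLS 1.3 on the audited build.

```python
import re

# Canonical spellings of the protocol names SSLProtocol accepts (matched case-insensitively).
NAMES = {n.lower(): n for n in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: "all" spans SSLv3..TLSv1.3 (worst case; builds without SSLv3 enable less).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name != "all" and name not in NAMES:
            raise ValueError(f"unknown protocol {token!r}")
        chosen = set(ALL) if name == "all" else {NAMES[name]}
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def audit(config_text):
    """Return (line_no, directive, legacy protocols still enabled) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and do not match
            legacy = sorted(effective_protocols(m.group(1)) & LEGACY)
            findings.append((no, m.group(1), legacy))
    return findings

# Constructed sample: a server-wide setting plus one virtual host override.
SAMPLE = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLProtocol all -SSLv3
</VirtualHost>
# SSLProtocol all
"""

if __name__ == "__main__":
    for no, directive, legacy in audit(SAMPLE):
        print(f"line {no}: {directive} -> legacy enabled: {legacy or 'none'}")
```

To audit a real server, pass the contents of the main configuration file and of each file in /etc/apache2/sites-available to audit() and review every line that reports a non-empty list.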
TLS 1.3 is the most secure protocol and it is important to upgrade your website to support TLS 1.2 and TLS 1.3. Once you have made the switch, it is also necessary to explicitly disable TLS 1.0 and other protocols, so that your website does not continue to serve requests over these protocols.