Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

I’ve tried preventing TLSv1.0 and TLS1.1 in Apache, but the protocols are still active

by |Published

I have a web site (one of a few) on a server. I’m trying to up the score of my domain in https://www.ssllabs.com/ssltest – but it doesn’t seem to be working.

Contents of:
/etc/apache2/sites-available/<my-doamin>-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName <my-doamin>

        DocumentRoot /var/www/<my-doamin>

        SSLEngine on
        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLHonorCipherOrder on
        SSLCipherSuite HIGH:!aNULL:!MD5:!RSA:!DES:!DSS:!RC4:!3DES:!ECDH:!ECDSA
        ServerAdmin webadmin@<my-doamin>

        SSLCertificateFile /etc/letsencrypt/live/<my-doamin>/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<my-doamin>/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

And here’s the score in the SSL Test
Screenshot:
enter image description here

Also having run this command from an external source:
openssl s_client -connect <my-domain>:443 -tls1

I get this:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = <my-domain>
verify return:1
405765AEA07F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:../ssl/statem/statem_clnt.c:2254:
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = <my-domain>
   i:C = US, O = Let's Encrypt, CN = E1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 29 03:26:59 2024 GMT; NotAfter: Apr 28 03:26:58 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhzCCAw6gAwIBAgISBKR91GClJ2JyCdcF4wDKc+DMMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
MTAeFw0yNDAxMjkwMzI2NTlaFw0yNDA0MjgwMzI2NThaMBcxFTATBgNVBAMTDGJs
dWUtdGVhbS5jYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL/AThKeow/xORC6
o0q7YkIwiTULx+qAvFi1C9SO+qc5wAtE58fo+1n8kACySqKU5J5/slVDa60Eck/J
ii4knaWjggIdMIICGTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGrmg7iCgUtO6awO
Z4XpaJp/RQoDMB8GA1UdIwQYMBaAFFrz7Sv8NsI3eblSMOpUb89Vyy6sMFUGCCsG
AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2UxLm8ubGVuY3Iub3JnMCIG
CCsGAQUFBzAChhZodHRwOi8vZTEuaS5sZW5jci5vcmcvMCcGA1UdEQQgMB6CDiou
Ymx1ZS10ZWFtLmNhggxibHVeLXRlYW0uY2EwEwYDVR0gBAwwCjAIBgZngQwBAgEw
ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQBIsONr2qZHNA/lagL6nTDrHFIBy1bd
LIHZu7+rOdiEcwAAAY1TeHawAAAEAwBGMEQCIBz+Z+XIW0FFXQ2xI5kqzT9V8iPU
IyNo5t896Z4Q4u33AiBvfinhTQhte4V/rNkw7lJg3j7Hdw0WiRi3nqc9ZWQFvQB2
ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h+tQXAAABjVN4dq8AAAQDAEcw
RQIgMcN+qbAoU9TL7CaNb2tdVaJTxlNaKIZe8oR3vF10OT4CIQDKk/L35P/N8fp4
/r77fD/MyHKbdkubxeTkgUSXwHAmjzAKBggqhkjOPQQDAwNnADBkAjBPHSAIZKq5
VjaMkh4v6dp3GhEmodkVkJEV27Y5xA/JElNnDk7hI1HSvWCN9MEU+pcCMF/keTxj
H99ZByK8kWn9QWEm8JHXtCvgqDe74LLWF0GGDHuTaTa85y6nJ7N7EFsdJA==
-----END CERTIFICATE-----
subject=CN = <my-domain>
issuer=C = US, O = Let's Encrypt, CN = E1
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4340 bytes and written 132 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1711398075
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

You may also like