Greg Dougherty Greg Dougherty - 3 months ago 29
Apache Configuration Question

How do I specify "TLSv1.2 protocol or later" for Apache httpd

The extra/httpd-ssl.conf file shipped with Apache httpd 2.4.20 says

By the end of 2016, only the TLSv1.2 protocol or later should remain
in use

But unlike with SSLCipherSuite, they do not give an example of how to do this. I could do

SSLProtocol -all +TLSv1.2

but that would not appear to meet the "or later" part. Does

SSLProtocol all -SSLv3 -TLSv1
SSLProxyProtocol all -SSLv3 -TLSv1

cover it? Are there others that should be disabled, too?


TLS 1.3 is not yet released, so, for now:

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

is all that you need.

If you want to support "later" in a more flexible way, just do:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

For Apache 2.4, these are the only protocols supported.