Greg Dougherty - 2 months ago
Apache Configuration Question

How do I specify "TLSv1.2 protocol or later" for Apache httpd

The extra/httpd-ssl.conf file shipped with Apache httpd 2.4.20 says


By the end of 2016, only the TLSv1.2 protocol or later should remain
in use


But unlike with SSLCipherSuite, they do not give an example of how to do this. I could do

SSLProtocol -all +TLSv1.2


but that would not appear to meet the "or later" part. Does

SSLProtocol all -SSLv3 -TLSv1
SSLProxyProtocol all -SSLv3 -TLSv1


cover it? Are there others that should be disabled, too?

Answer

TLS 1.3 is not yet released, so, for now:

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

is all that you need.

If you want to support "later" in a more flexible way, just do:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

For Apache 2.4, these are the only protocols supported.
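
The difference between the directive forms above, as an added example that is not part of the original question or answer: a simplified Python model of how SSLProtocol arguments combine, run against two protocol sets. It assumes tokens apply left to right and that `all` expands to whatever the build supports; `LATER_BUILD` (with TLSv1.3 as the stand-in for a later protocol) is constructed, and the function names are hypothetical.

```python
# Added example: simplified model of SSLProtocol evaluation, not mod_ssl's own code.
# Assumption: tokens apply left to right; "+X" adds, "-X" removes, a bare
# token replaces the current set, and "all" means everything the build supports.

ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest
APACHE_24 = ORDER[:4]   # the protocols the answer lists for Apache 2.4
LATER_BUILD = ORDER     # constructed: a later build whose "all" also covers TLSv1.3


def effective_protocols(directive_args, supported):
    """Return the enabled protocols (oldest first) for one SSLProtocol argument string."""
    enabled = set()
    for token in directive_args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        if name.lower() == "all":
            group = set(supported)
        elif name in supported:
            group = {name}
        else:
            # A name the build does not know is a configuration error.
            raise ValueError(f"illegal protocol {name!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)
    return [p for p in ORDER if p in enabled]


def below_floor(protocols, floor="TLSv1.2"):
    """Return the protocols in the list that are older than the required minimum."""
    return [p for p in protocols if ORDER.index(p) < ORDER.index(floor)]


if __name__ == "__main__":
    candidates = ("-all +TLSv1.2", "all -SSLv3 -TLSv1", "all -SSLv3 -TLSv1 -TLSv1.1")
    for args in candidates:
        for label, build in (("2.4 set", APACHE_24), ("later set", LATER_BUILD)):
            on = effective_protocols(args, build)
            print(f"{args!r:32} {label:9} -> {on}  below TLSv1.2: {below_floor(on)}")
```
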