How to Disable TLSv1.0 and TLSv1.1 [Complete Guide]

Why Disable TLSv1.0 and TLSv1.1?

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection. Furthermore newly uncovered vulnerabilities in this protocols won’t receive security updates anymore. If you meet these errors, you may need to disable TLSv1.0 and TLSv1.1.

How Do I Disable TLSv1.0 and TLSv1.1?

It is recommended to disable the deprecated TLSv1.0 and/or TLSv1.1 protocols in favor of the TLSv1.2+ protocols. Please see the references for more information.

To disable TLSv1.0 and TLSv1.1 protocols on CentOS, you typically need to make some configuration changes. Here are the general steps:

Step 1. Configure SSL/TLS Libraries

1. Edit OpenSSL Configuration File:
   Open the OpenSSL configuration file, usually located at /etc/ssl/openssl.cnf or /etc/pki/tls/openssl.cnf, depending on your system version and installation.
2. Locate the SSL/TLS Configuration Section:
   Find or add the following section in the configuration file (if it doesn’t exist):

   [system_default_sect]
   MinProtocol = TLSv1.2

Here, MinProtocol specifies the minimum allowed protocol version, set to TLSv1.2 to allow only TLSv1.2 and above.

3. Restart Services:
   If your applications use the OpenSSL library, restart the relevant services (e.g., Apache or Nginx) to apply the configuration changes.

Step 2. Configure Web Servers

If you configure SSL/TLS protocols through a web server like Apache or Nginx, follow these steps:

1. Apache

1. Edit Apache Configuration File (usually /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/ssl.conf).
2. Locate the SSL Protocol Configuration Section:
   Ensure your configuration includes the following directive:

   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Here, -TLSv1 and -TLSv1.1 disable TLSv1.0 and TLSv1.1, respectively.

3. Restart Apache Service:
   Restart Apache using systemctl restart httpd to apply the configuration changes.

2. Nginx

1. Edit Nginx Configuration File (usually /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf).
2. Locate the SSL Protocol Configuration Section:
   Ensure your SSL configuration includes a directive similar to:

   ssl_protocols TLSv1.2;

Here, TLSv1.2 specifies allowing only TLSv1.2.

3. Restart Nginx Service:
   Restart Nginx using systemctl restart nginx to apply the configuration changes.

Step 3. Verification

After making these configuration changes, you can verify whether TLSv1.0 and TLSv1.1 are successfully disabled:

• Use the openssl s_client command to test connecting to your server and specify -tls1 and -tls1_1 options to attempt connections, which should result in connection failures.

Conclusion

By following these steps, you should be able to successfully disable TLSv1.0 and TLSv1.1 protocols on CentOS.