在Apache 2.4中禁用TLS 1.0 [英] Disabling TLS 1.0 in Apache 2.4
问题描述
我是非技术性但可以阅读手册的网站所有者.我在Debian 9.0服务器上运行Apache 2.4.10.我想禁用TLS 1.0.我已阅读有关SSLProtocol指令的Apache文档./p>
在我的虚拟主机文件中,我使用了以下指令:
SSLProtocol all -TLSv1 -SSLv3
即使重新加载然后重新启动Apache之后,该操作也无法正常工作.然后,我还要向ssl.conf文件中添加相同的指令,以确保即使重新加载并重新启动后也没有运气.我还使用以下指令尝试了相同的操作:
SSLProtocol +TLSv1.1 +TLSv1.2
仍然没有运气.我进行了以下搜索,只是为了查看是否在配置文件中的其他地方使用了SSLProtocol指令,但是再次失败了:
grep -R 'SSLProtocol' .
我还检查了网站的.htaccess文件,以确保没有覆盖任何内容(尽管我不知道您可以在.htaccess文件中更改此设置).有任何想法吗?谢谢您的帮助!
在很多情况下,对于此错误",事实表明,如果在服务器上安装了letencrypt,则配置文件会设置取代ssl的协议.conf或虚拟主机的设置:
/etc/letsencrypt/options-ssl-apache.conf
I'm a non-technical-but-able-to-read-the-manual website owner. I am running Apache 2.4.10 on a Debian 9.0 server. I would like to disable TLS 1.0. I have read the Apache documentation for the SSLProtocol directive.
In my virtual host file, I used the following directive:
SSLProtocol all -TLSv1 -SSLv3
That didn't work, even after reloading and then restarting Apache. I then added the same directive to the ssl.conf file as well, just to be sure, and still no luck, even after reloading and restarting. I also tried the same things with the following directive:
SSLProtocol +TLSv1.1 +TLSv1.2
Still no luck. I did the following search just to see if I had used the SSLProtocol directive somewhere else in my configuration files, but again, no luck:
grep -R 'SSLProtocol' .
I also checked the .htaccess file for the website to make sure I hadn't overridden anything (though I don't know that you could change this setting in an .htaccess file). Any ideas? Thank you for your help!
In a large amount of cases for this "bug" it turns out that if you have letsencrypt installed on your server, it's configuration file sets protocols which are superseding ssl.conf or vhosts' settings:
/etc/letsencrypt/options-ssl-apache.conf
Bug 60739 - SSLProtocol settings seem to have no effect
这篇关于在Apache 2.4中禁用TLS 1.0的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
