Ubuntu – How force that all connections to the Apache use TLSv1.1 or TLSv1.2

Apache2mod-sslopensslssltls

I tested on Ubuntu 12.04 (apache 2.2.22-1ubuntu1.4 and openssl 1.0.1-4ubuntu5.10) and Ubuntu 13.04 (apache 2.2.22-6ubuntu5.1 and openssl 1.0.1c-4ubuntu8.1).

here explain how to do so, but I have the following problems:

When try to use:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

I got the following error:

[error] No SSL protocols available [hint: SSLProtocol]

when try to use:

SSLProtocol TLSv1.1 TLSv1.2

I got the following error:

[error] No SSL protocols available [hint: SSLProtocol]

Th funny thing is that when I use:

SSLProtocol all -SSLv2 -TLSv1

apache don't complain and this test reported that my server not support SSLv2 and TLSv1.0, but yes SSLv3, TLSv1.1 and TLSv1.2.

Any explanation to that odd behavior? maybe the test tool is broken?

How can I enable just TLSv1.1 and TLSv1.2?

Best Answer

Setting SSLCipherSuite with just ciphers that are just supported in TLSv1.2 bypass the Apache 2.2 limitation of parse TLSv1.1 string to limited TLS to version over 1.0.

Related Question