How To: Disable TLS 1.0, TLS 1.1, and RC4
=========================================

PCI scans may flag TLS 1.0, TLS 1.1, and RC4, so it may be required to disable one or more of them. This task must be completed by server administrators at the CLI.

.. contents::

How to Disable TLS 1.0 and 1.1
------------------------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal.

#. At the CLI, using a text editor, open ``/etc/httpd/conf.d/ssl.conf``. The following example uses the Vim text editor:

   .. code-block::

      vim /etc/httpd/conf.d/ssl.conf

#. Locate the ``SSLProtocol`` setting. It will look like this by default:

   .. code-block::

      SSLProtocol all -SSLv2 -SSLv3

#. Append ``-TLSv1 -TLSv1.1`` to the ``SSLProtocol`` line:

   .. code-block::

      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#. Save and exit the file.

#. Restart Apache:

   .. code-block::

      systemctl restart httpd

How to Disable RC4
------------------

#. Log in to the server at the CLI as root, either via SSH or from the terminal.

#. At the CLI, using a text editor, open ``/etc/httpd/conf.d/ssl.conf``. The following example uses the Vim text editor:

   .. code-block::

      vim /etc/httpd/conf.d/ssl.conf

#. Locate the ``SSLCipherSuite`` setting. It will look like this by default:

   .. code-block::

      SSLCipherSuite HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

#. Edit the ``SSLCipherSuite`` line to add ``!RC4`` at the beginning:

   .. code-block::

      SSLCipherSuite !RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW:!EXP

#. Save and exit the file.

#. Restart Apache:

   .. code-block::

      systemctl restart httpd
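
The script below is an added example, not part of the original how-to: it audits an ``ssl.conf`` for both edits by evaluating each active ``SSLProtocol`` line left to right and checking each active ``SSLCipherSuite`` line for a ``!RC4`` token. The function names, the reading of ``all`` as SSLv3 through TLSv1.3, and the embedded sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit ssl.conf for the edits above.

# Evaluate one SSLProtocol argument list left to right; print what stays on.
# Assumption: "all" is taken to mean SSLv3 through TLSv1.3.
effective_protocols() (
    all="sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3"; on=""
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        name="${tok#[+-]}"
        [ "$name" = "all" ] && grp="$all" || grp="$name"
        case "$tok" in
            -*) keep=""
                for p in $on; do case " $grp " in *" $p "*) ;; *) keep="$keep $p" ;; esac; done
                on="$keep" ;;
            +*) on="$on $grp" ;;
            *)  on="$grp" ;;    # no prefix: replaces everything before it
        esac
    done
    echo $on
)

# Per-line checks: TLSv1/TLSv1.1 must end up off; !RC4 must be a cipher token.
protocol_line_ok() { case " $(effective_protocols "$1") " in *" tlsv1 "*|*" tlsv1.1 "*) return 1 ;; esac; }
cipher_line_ok() { case ":$(printf '%s' "$1" | tr -d ' "'):" in *':!RC4:'*) return 0 ;; esac; return 1; }

# Exit 0 only if every active (uncommented) SSLProtocol and SSLCipherSuite
# line in file $1 passes and both directives are present.
audit_ssl_conf() (
    rc=0; have_proto=""; have_cipher=""
    lines=$(awk '{ k = tolower($1) } k == "sslprotocol" || k == "sslciphersuite" { $1 = k; print }' "$1")
    while read -r name args; do
        case "$name" in
            sslprotocol)    have_proto=1;  protocol_line_ok "$args" || { echo "FAIL: $name $args"; rc=1; } ;;
            sslciphersuite) have_cipher=1; cipher_line_ok "$args"   || { echo "FAIL: $name $args"; rc=1; } ;;
        esac
    done <<EOF
$lines
EOF
    [ -n "$have_proto" ] && [ -n "$have_cipher" ] || { echo "FAIL: SSLProtocol or SSLCipherSuite missing"; rc=1; }
    exit $rc
)

# Constructed sample holding the page's edited lines; pass a real path instead.
sample=$(mktemp)
printf '%s\n' '#SSLProtocol all' 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' \
    'SSLCipherSuite !RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW:!EXP' > "$sample"
audit_ssl_conf "$sample" && echo "OK: TLS 1.0/1.1 off and RC4 excluded"
rm -f "$sample"
```

The audit reads the configuration file only; it does not test what the running server negotiates after the restart.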