How To: Disable TLS 1.0, TLS 1.1, and RC4
PCI compliance scans may flag TLS 1.0, TLS 1.1, and/or RC4, in which case they may need to be disabled. Server administrators must complete this task at the CLI.
How to Disable TLS 1.0 and 1.1
Log in to the server at the CLI as root, either via SSH or from the terminal.
At the CLI, using a text editor, open /etc/httpd/conf.d/ssl.conf. The following example uses the Vim text editor:
vim /etc/httpd/conf.d/ssl.conf
Locate the SSLProtocol setting. It will look like this by default:
SSLProtocol all -SSLv2 -SSLv3
Append -TLSv1 -TLSv1.1 to the SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Save and exit the file.
Restart Apache:
systemctl restart httpd
How to Disable RC4
Log in to the server at the CLI as root, either via SSH or from the terminal.
At the CLI, using a text editor, open /etc/httpd/conf.d/ssl.conf. The following example uses the Vim text editor:
vim /etc/httpd/conf.d/ssl.conf
Locate the SSLCipherSuite setting. It will look like this by default:
SSLCipherSuite HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW
Edit the SSLCipherSuite line to add !RC4 at the beginning:
SSLCipherSuite !RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW:!EXP
Save and exit the file.
Restart Apache:
systemctl restart httpd
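
A check that both edits above are actually in effect in the file, as an added example that is not part of the original page: it reads the active SSLProtocol and SSLCipherSuite lines and reports any that still allow TLS 1.0, TLS 1.1, or lack !RC4. The function names `proto_enabled` and `audit_ssl_conf` are hypothetical, the left-to-right token model is this example's assumption, and the two sample files are constructed from the lines shown on this page.

```sh
# Added example, not the page's own code: offline audit of ssl.conf edits.
# proto_enabled PROTO TOKENS... : succeeds if PROTO is still enabled.
# Assumed model: tokens apply left to right; "-x" removes, "+x" adds,
# and a bare token replaces the whole set.
proto_enabled() {
    want=$1; on=0; shift
    for tok in "$@"; do
        case ${tok#[+-]} in "$want"|all) hit=1 ;; *) hit=0 ;; esac
        case $tok in
            -*) [ "$hit" = 0 ] || on=0 ;;
            +*) [ "$hit" = 0 ] || on=1 ;;
            *)  on=$hit ;;
        esac
    done
    [ "$on" = 1 ]
}

# audit_ssl_conf FILE : prints one FAIL line per finding, returns 0 if none.
# Reads active (uncommented) lines; assumes single-argument SSLCipherSuite.
audit_ssl_conf() {
    conf=$1; rc=0
    protos=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" |
        tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*sslprotocol//')
    suites=$(grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" |
        tr -d '"' | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
    while read -r toks; do   # $toks is left unquoted below to split it
        for p in tlsv1 tlsv1.1; do
            if proto_enabled "$p" $toks; then echo "FAIL: $p enabled: $toks"; rc=1; fi
        done
    done <<EOF
$protos
EOF
    while read -r suite; do
        case ":$suite:" in
            ::|*':!RC4:'*) ;;
            *) echo "FAIL: no !RC4 in: $suite"; rc=1 ;;
        esac
    done <<EOF
$suites
EOF
    return $rc
}

# Constructed samples: the page's default lines and its edited lines.
before=$(mktemp); after=$(mktemp)
printf 'SSLProtocol %s\nSSLCipherSuite %s\n' 'all -SSLv2 -SSLv3' \
    'HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW' >"$before"
printf 'SSLProtocol %s\nSSLCipherSuite %s\n' 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' \
    '!RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW:!EXP' >"$after"
audit_ssl_conf "$before"; audit_ssl_conf "$after" && echo "after: clean"
```

On a server, call `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` before restarting Apache; any other configuration file that sets these directives needs the same check.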