How To: Disable TLS 1.0, TLS 1.1, and RC4

PCI tests may flag TLS 1.0, TLS 1.1, and/or RC4, in which case they may need to be disabled. This task must be completed by server administrators at the CLI.

How to Disable TLS 1.0 and 1.1

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, using a text editor, open /etc/httpd/conf.d/ssl.conf. The following example uses the Vim text editor:

    vim /etc/httpd/conf.d/ssl.conf
    
  3. Locate the SSLProtocol setting. It will look like this by default:

    SSLProtocol all -SSLv2 -SSLv3
    
  4. Edit the SSLProtocol line, appending -TLSv1 -TLSv1.1 to the end:

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    
  5. Save and exit the file

  6. Restart Apache

    systemctl restart httpd
    

How to Disable RC4

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, using a text editor, open /etc/httpd/conf.d/ssl.conf. The following example uses the Vim text editor:

    vim /etc/httpd/conf.d/ssl.conf
    
  3. Locate the SSLCipherSuite setting. It will look like this by default:

    SSLCipherSuite HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW
    
  4. Edit the SSLCipherSuite line to add !RC4 at the beginning:

    SSLCipherSuite !RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW:!EXP
    
  5. Save and exit the file

  6. Restart Apache

    systemctl restart httpd
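
A check that covers both procedures above, as an added example that is not part of the original page: the hypothetical shell function audit_ssl_conf reads a config file and reports any SSLProtocol line that still enables TLSv1 or TLSv1.1 and any SSLCipherSuite line without !RC4. It assumes one directive per line and a cipher string that contains no spaces.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit_ssl_conf FILE
# Prints one finding per offending directive; returns 0 only if none.
audit_ssl_conf() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
    tolower($1) == "sslprotocol" {          # directive names are case-insensitive
        seen_proto = 1; tls10 = 0; tls11 = 0
        # Walk tokens left to right: "all" enables everything, "-X" removes X.
        # "+X" and bare "X" are both treated as enabling X (conservative).
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all" || t == "+all")  { tls10 = 1; tls11 = 1 }
            else if (t == "-all")           { tls10 = 0; tls11 = 0 }
            else if (t == "-tlsv1")           tls10 = 0
            else if (t == "-tlsv1.1")         tls11 = 0
            else if (t ~ /^\+?tlsv1$/)        tls10 = 1
            else if (t ~ /^\+?tlsv1\.1$/)     tls11 = 1
        }
        if (tls10) { printf "%s:%d: TLSv1 still enabled\n", FILENAME, FNR; bad = 1 }
        if (tls11) { printf "%s:%d: TLSv1.1 still enabled\n", FILENAME, FNR; bad = 1 }
    }
    tolower($1) == "sslciphersuite" {
        seen_cipher = 1; excluded = 0
        spec = $NF; gsub(/"/, "", spec)     # assumes the cipher string has no spaces
        n = split(spec, tok, ":")
        for (i = 1; i <= n; i++) if (toupper(tok[i]) == "!RC4") excluded = 1
        if (!excluded) { printf "%s:%d: no !RC4 in cipher string\n", FILENAME, FNR; bad = 1 }
    }
    END {
        if (!seen_proto)  { print "no SSLProtocol directive found";    bad = 1 }
        if (!seen_cipher) { print "no SSLCipherSuite directive found"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}
# Usage: audit_ssl_conf /etc/httpd/conf.d/ssl.conf
```

Run it against /etc/httpd/conf.d/ssl.conf before restarting Apache; any other file that sets these directives needs the same check.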