TLS 1.1+ settings

We want to reject TLS 1.0 connections. I can’t find a place where this is set for HTTPD24/nginx. Where can we set the SSLProtocol?

If you are running OnDemand 1.5, check

/opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf

There’s a section in that file

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

I think you could add a “-TLSv1”, etc. to that list. See

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

under SSLProtocol Directive for more info.

I think the file location is the same in older versions, but I don’t remember for sure,
Ric

@gwylym, that seems to be the correct answer. Did it work for you? If so, can you mark his answer as the solution?

If I may ask, is it just a security concern for you to disable v1? Are there serious vulnerabilities we should be on the lookout for?

Yes, it is a security concern. There are a number of different TLS versions and ciphers that are no longer considered secure, and best practice in the industry indicates to disable them.

For Apache we do the following which includes setting a medium cipher suite:

SSLProtocol -ALL +TLSv1.1 +TLSv1.2

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA

Rather than editing an RPM-controlled file (…/conf.d/ssl.conf), I wound up adding
/opt/rh/httpd24/root/etc/httpd/conf.d/sslnessus.conf
although any file name that collates after ssl.conf should work. My add-on file contains:

# This is not in ssl.conf, we don't have to alter RPM owned file
# (e.g., ../conf/httpd.conf or ./ssl.conf).
#
TraceEnable Off
FileETag None

SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
#
#-end of sslnessus.conf
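To make the +/- semantics of the three SSLProtocol values quoted in this thread concrete, here is an added Python example; it is not code from the thread or from the OnDemand project. It resolves an SSLProtocol value into the set of versions it enables using the left-to-right rule described in the mod_ssl documentation linked above (a bare name replaces the set, +name adds, -name removes), reports any legacy version a directive still leaves on, and uses the OpenSSL linked into the local Python (via the ssl module) to expand an SSLCipherSuite selector string such as the !3DES one in the last reply into the concrete suite names it selects. What the all keyword expands to depends on the httpd and OpenSSL build (a build configured with no-ssl3 drops SSLv3 from it), so the ALL_PROTOCOLS set, the LEGACY_PROTOCOLS policy and the refusal to enable SSLv2 are assumptions in this example, to be adjusted to match your server.

```python
"""Resolve Apache mod_ssl SSLProtocol directives and expand SSLCipherSuite
strings, so a change can be sanity-checked before httpd is restarted.

Parsing rule (from the mod_ssl SSLProtocol documentation): tokens are processed
left to right; "+name" adds a version, "-name" removes it, a bare "name"
replaces the whole set, and "all" is a shortcut for every supported version.
"""
import ssl

# Assumption: what "all" expands to on a current httpd 2.4 / OpenSSL 1.1 build.
# Adjust to your build (e.g. drop SSLv3 for an OpenSSL built with no-ssl3).
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})

# Canonical spellings keyed by lower-case, since mod_ssl matches case-insensitively.
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# Assumed policy: versions that must not be offered.
LEGACY_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})


def resolve_ssl_protocol(directive: str) -> frozenset:
    """Return the set of protocol versions enabled by an SSLProtocol value."""
    enabled = set()
    for token in directive.split():
        action = "="                       # bare token: replace the set
        if token[0] in "+-":
            action, token = token[0], token[1:]
        key = token.lower()
        if key == "all":
            versions = set(ALL_PROTOCOLS)
        elif key == "sslv2":
            if action != "-":
                # Assumption: a current httpd build refuses to enable SSLv2 at all,
                # so "-SSLv2" is accepted as a no-op but "+SSLv2"/"SSLv2" is an error.
                raise ValueError("SSLv2 cannot be enabled on a current httpd build")
            versions = set()
        elif key in _CANONICAL:
            versions = {_CANONICAL[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = versions
    return frozenset(enabled)


def legacy_protocols_enabled(directive: str) -> frozenset:
    """Return the legacy versions a directive still leaves enabled (empty is good)."""
    return resolve_ssl_protocol(directive) & LEGACY_PROTOCOLS


def expand_cipher_suite(cipher_string: str) -> list:
    """Expand an OpenSSL cipher selector string (the SSLCipherSuite syntax) into
    the suite names it selects, using the OpenSSL linked into this Python.
    The result reflects the local library, not necessarily the server's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)         # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # The three directive values quoted in the thread.
    for value in ("all -SSLv2",
                  "-ALL +TLSv1.1 +TLSv1.2",
                  "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"):
        left = sorted(legacy_protocols_enabled(value))
        print(f"{value!r:40} enables {sorted(resolve_ssl_protocol(value))}"
              f"  legacy still on: {left or 'none'}")
    # The selector string from the sslnessus.conf reply, expanded locally.
    names = expand_cipher_suite("ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM")
    print(len(names), "suites selected, e.g.", names[:4])
```

Running it shows that "all -SSLv2" (the stock ssl.conf line) still enables SSLv3, TLSv1 and TLSv1.1, that the "-ALL +TLSv1.1 +TLSv1.2" line still offers TLS 1.1, and that only the "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" line leaves no legacy version on. After the restart, the authoritative check is against the running server, for example `openssl s_client -tls1 -connect host:443` should now fail to complete a handshake while `-tls1_2` succeeds.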