We want to reject TLS 1.0 connections. I can’t find a place where this is set for HTTPD24/nginx. Where can we set the SSLProtocol?
If you are running OnDemand 1.5, check
/opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
There’s a section in that file:

```
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
```
I think you could add a “-TLSv1”, etc. to that list. See
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
under SSLProtocol Directive for more info.
I think the file location is the same in older versions, but I don’t remember for sure.
Ric
@gwylym, that seems to be the correct answer. Did it work for you? If so, can you mark his answer as the solution.
If I may ask, is it just a security concern for you to disable v1? Are there serious vulnerabilities we should be on the lookout for?
Yes, it is a security concern. There are a number of TLS versions and ciphers that are no longer considered secure, and industry best practice is to disable them.
For Apache we do the following, which includes setting a medium cipher suite:

```
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA
```
Rather than editing an RPM-controlled file (…/conf.d/ssl.conf), I wound up adding
/opt/rh/httpd24/root/etc/httpd/conf.d/sslnessus.conf
although any file name that collates after ssl.conf should work. My add-on file contains:
```
# This is not in ssl.conf, so we don't have to alter an RPM-owned file
# (e.g., ../conf/httpd.conf or ./ssl.conf).
#
TraceEnable Off
FileETag None
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
#
#-end of sslnessus.conf
```
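A checker for the directives discussed in this thread, added here as an example (it is not code from the thread, from Apache or from OnDemand). It evaluates an SSLProtocol argument with mod_ssl's left-to-right rules, where `+` adds, `-` removes and a token with no prefix replaces everything chosen so far, and it expands an SSLCipherSuite string with the local libssl, which is what mod_ssl hands the string to. That lets the stock `all -SSLv2`, the two posted alternatives, and a fused-name typo of the kind a missing `:` produces in a long cipher list be compared before httpd is restarted. Assumptions: httpd 2.4 built against OpenSSL 1.1.1 or later, so `all` means SSLv3 through TLSv1.3 and SSLv2 is refused outright; the FUSED/FIXED fragments are constructed; `lint`, `weak_ciphers` and the WEAK_MARKERS heuristic are my names, not mod_ssl's.

```python
"""Lint an Apache mod_ssl SSLProtocol / SSLCipherSuite pair before deploying it.

Added example, not from the thread. Assumes httpd 2.4 on OpenSSL 1.1.1+, so
'all' expands to SSLv3..TLSv1.3; the cipher list is expanded by the libssl
Python links against, which may differ from the one httpd uses.
"""
import ssl

VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL_EXPANSION = frozenset(VERSIONS)                # what 'all' means on the assumed build
LEGACY = frozenset(("SSLv3", "TLSv1", "TLSv1.1"))  # the versions the thread wants off
LOOKUP = {v.lower(): v for v in VERSIONS}


def parse_ssl_protocol(arg):
    """Evaluate an SSLProtocol argument with mod_ssl's rules: '+' adds, '-'
    removes, and a bare token REPLACES what was chosen so far (httpd logs a
    warning for that). Returns (set_of_enabled_versions, list_of_warnings)."""
    enabled, warnings = set(), []
    for word in arg.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "sslv2":
            if action == "-":            # '-SSLv2' is accepted as a harmless no-op
                continue
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        if key == "all":
            chosen = set(ALL_EXPANSION)
        elif key in LOOKUP:
            chosen = {LOOKUP[key]}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            if enabled:
                warnings.append(f"'{word}' overrides already set parameter(s); "
                                "check if a +/- prefix is missing")
            enabled = chosen
    return enabled, warnings


def expand_cipher_suite(cipher_string):
    """Expand an OpenSSL cipher-list string with the local libssl and return
    the TLS<=1.2 cipher names that would be offered, in preference order
    (TLS 1.3 suites are configured separately and are left out). OpenSSL
    silently ignores tokens that match nothing, so a fused name from a
    missing ':' simply disappears; set_ciphers raises only if nothing is left."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


# Heuristic markers for constructions the thread is retiring (RC4, single and
# triple DES, export grades, anonymous key exchange, MD5, ...).
WEAK_MARKERS = ("RC4", "DES", "RC2", "SEED", "NULL", "EXP", "ADH", "AECDH", "MD5")


def weak_ciphers(names):
    """Return the cipher names that still carry one of the WEAK_MARKERS."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def lint(protocol_arg, cipher_string):
    """Summarise a protocol/cipher pair the way a reviewer would want it."""
    enabled, warnings = parse_ssl_protocol(protocol_arg)
    ciphers = expand_cipher_suite(cipher_string)
    return {
        "protocols": [v for v in VERSIONS if v in enabled],
        "legacy_protocols": [v for v in VERSIONS if v in enabled & LEGACY],
        "warnings": warnings,
        "cipher_count": len(ciphers),
        "weak_ciphers": weak_ciphers(ciphers),
    }


# Directives quoted from the thread above.
STOCK_SSL_CONF = "all -SSLv2"                        # httpd24 ssl.conf default
TLS11_AND_UP = "-ALL +TLSv1.1 +TLSv1.2"
TLS12_AND_UP = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"   # sslnessus.conf
NESSUS_CIPHERS = "ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM"
# Constructed fragment in the style of the long posted list: a missing ':'
# fuses two names into one token that matches nothing, so both suites vanish.
FUSED = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256AES256-GCM-SHA384:AES128-SHA"
FIXED = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA"

if __name__ == "__main__":
    for proto in (STOCK_SSL_CONF, TLS11_AND_UP, TLS12_AND_UP):
        print(f"SSLProtocol {proto!r:40} -> {lint(proto, NESSUS_CIPHERS)}")
    print("fused:", expand_cipher_suite(FUSED))
    print("fixed:", expand_cipher_suite(FIXED))
```

Run it with `python3` on the web host itself, since the cipher expansion reflects whichever libssl Python is linked against; `openssl ciphers -v '<string>'` on the same host gives the same expansion from the command line. Note that with the stock `all -SSLv2` the checker reports SSLv3, TLSv1 and TLSv1.1 as still enabled, and that `ALL:!ADH:...` leaves anonymous ECDH suites alone on builds that still ship them, because OpenSSL's `ADH` alias does not cover `AECDH`.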