How to disable TLS 1.0 and 1.1 and enable only TLS 1.2 and TLS 1.3 in Apache for a WordPress Bitnami Amazon Lightsail instance?

Catch29 · Dec 19, 2019 · Viewed 7.1k times

This is my first experience with Amazon Lightsail, WordPress Multisite, Bitnami and even with Let's Encrypt; now it seems everything just works, except for the SSL directives in my virtual host file.

Because it seems that the major browsers (Chrome, Safari/WebKit, Mozilla Firefox and IE/Edge) are going to remove support for TLS 1.0 and TLS 1.1 as soon as the beginning of the new year, precisely between January and March, I would like to know how to disable them for my new WordPress Multisite instance in Lightsail.

After I obtained a Let's Encrypt SSL certificate and successfully deployed it, I tested it, which showed that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2. Now it seems that my Apache version 2.4.39 also supports TLS 1.3, and I am trying to enable it and disable the two older versions. Reading on the net, I found that I must change the httpd.conf file to insert this directive:

SSLProtocol -all +TLSv1.2

so, inside the httpd.conf file I found this block, which seems the right place:

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"

<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>

# Error Documents
ErrorDocument 503 /503.html

# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I tried simply updating the httpd.conf and the httpd-ssl.conf, but nothing happens: TLS 1.3 does not work and TLS 1.0 and TLS 1.1 are still enabled.

I also read this question:

Disabling TLS 1.0 in Apache 2.4

After my additions, these are my SSL directives in the httpd-ssl.conf file:

# SSLProtocol all -SSLv3
SSLProtocol  +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3

But nothing changed, and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1. Of course, after every change I restarted Apache.

Answer

user12937135 · Feb 21, 2020

I was also having this problem and put together the following solution:

  1. Open an instance of SSH from your Lightsail dashboard
  2. Navigate to: /opt/bitnami/apache2/conf/bitnami/
  3. Add the following line to the bitnami.conf file under where it says:

Listen 443
.#SSLProtocol -SSLv2 -SSLv3

SSLProtocol TLSv1.2

  4. Navigate to: /opt/bitnami/apache2/conf/extra
  5. In the httpd-ssl.conf file, add the hashtag to the following lines (without the . ):

.#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
.#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Now remove the hashtag from the following lines so they read as:

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

  6. Now under #SSL Protocol Support, change the settings to look like this:

.#SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3 -SSLv3
.#SSLProxyProtocol all -SSLv3
SSLProxyProtocol +TLSv1.2 +TLSv1.3 -SSLv3

Reboot Apache with: sudo /opt/bitnami/ctlscript.sh restart apache

Check your site at both:
https://www.whynopadlock.com
https://www.ssllabs.com/ssltest

You should now receive an A score, with no TLS 1.0 and TLS 1.1 protocols being supported.
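Both the question and the answer hinge on how mod_ssl reads an SSLProtocol argument list: a bare name replaces whatever was set before it, +name adds, -name removes, all is shorthand for every protocol the build supports, and a list made only of - entries leaves nothing enabled. On top of that, SSLProtocol is a per-server directive, so when it appears more than once in the same context (bitnami.conf, httpd.conf and httpd-ssl.conf are all pulled into one configuration) the last one Apache reads wins, which is why editing one file can appear to do nothing. The Python script below is an added example, not code from the question, the answer or Bitnami; it models those parsing rules so you can check a config excerpt before restarting Apache. It assumes Apache 2.4 built against OpenSSL 1.1.1 (so all expands to SSLv3 through TLSv1.3), does not model scoping between <VirtualHost> blocks, and the sample configuration text in it is constructed.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives the way mod_ssl parses them.

Added example (not from the question or answer). Assumes Apache 2.4 built
against OpenSSL 1.1.1, so "all" expands to SSLv3 through TLSv1.3.
"""
import re

# Protocols mod_ssl 2.4 + OpenSSL 1.1.1 can negotiate; "all" means this set.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_ssl_protocol(args):
    """Return the set of protocols enabled by one SSLProtocol argument list.

    Rules (as in mod_ssl): a bare name REPLACES the set so far, "+name" adds,
    "-name" removes, "all" is shorthand for every protocol in ALL_PROTOCOLS.
    Names are matched case-insensitively; an unknown name is a config error.
    """
    enabled = set()
    for word in args.split():
        if word[0] in "+-":
            action, name = word[0], word[1:]
        else:
            action, name = "=", word
        key = name.lower()
        if key == "all":
            names = set(ALL_PROTOCOLS)
        elif key == "sslv2":
            # mod_ssl 2.4 no longer supports SSLv2: "-SSLv2" is tolerated as a
            # no-op, while asking to enable it is a configuration error.
            if action == "-":
                continue
            raise ValueError("SSLv2 is not supported by this build")
        elif key in _CANONICAL:
            names = {_CANONICAL[key]}
        else:
            raise ValueError("unknown protocol %r in SSLProtocol" % name)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names  # bare word overrides everything set before it
    return enabled


_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(config_text):
    """Return the protocols left enabled after the last SSLProtocol line in
    config_text (comment lines are skipped), or None if there is no such line.
    Within one server context the last directive wins; scoping between
    <VirtualHost> blocks is not modelled here."""
    result = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            result = parse_ssl_protocol(m.group(1))
    return result


def is_modern_only(config_text):
    """True when at least one protocol is enabled and all of them are TLS 1.2+.
    An empty set is a misconfiguration: mod_ssl logs "No SSL protocols
    available [hint: SSLProtocol]" and refuses to start."""
    enabled = effective_protocols(config_text)
    return bool(enabled) and enabled <= {"TLSv1.2", "TLSv1.3"}


# Constructed excerpt in the style of the Bitnami files quoted above: a
# server-wide default followed later by an override of the same directive.
SAMPLE_CONFIG = """\
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for args in ("all -SSLv2 -SSLv3", "-all +TLSv1.2", "TLSv1.2",
                 "-TLSv1.2 -TLSv1.3 -SSLv3"):
        enabled = sorted(parse_ssl_protocol(args))
        print("SSLProtocol %-26s -> %s" % (args, enabled or "NOTHING enabled"))
    print("effective in sample config:", sorted(effective_protocols(SAMPLE_CONFIG)))
    print("TLS 1.2/1.3 only:", is_modern_only(SAMPLE_CONFIG))
```

To use it against your own instance, concatenate the files in the order Apache includes them (httpd.conf, then whatever it pulls in from conf/bitnami and conf/extra) and feed the text to effective_protocols; if it returns anything other than a subset of TLSv1.2/TLSv1.3, a later directive is still re-enabling the old versions.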