Disabling SSLv3, TLS 1.0 and TLS 1.1 in Ubuntu 18.04 (Bionic) Apache

By | 21st December 2018


It’s best practice to configure Apache to use a suitable TLS configuration. Ubuntu uses “available” and “enabled” directories to switch functionality on and off for this and other settings, located under “/etc/apache2”.

The SSL directives are contained in “ssl.conf”, located in /etc/apache2/mods-available.

Fortunately by default the symlink needed to enable the mod file exists. But you can double check as follows:

# cd /etc/apache2/mods-enabled ; ln -s ../mods-available/ssl.conf ssl.conf

If the file exists, the mod is enabled (good). Next, edit the mod file to review the SSL configuration settings:

# pico -$ /etc/apache2/mods-enabled/ssl.conf

By default the Ubuntu configuration omits SSLv2, and disables only SSLv3. In other words there is no functionality for SSLv2 in Apache on Bionic, and by default SSLv3 is not active. This is fairly good, but you might have a preference for a more stringent configuration.

You can, depending on your preference and client browsers, further improve this by disabling TLSv1 and TLSv1.1 by updating the line as follows:

SSLProtocol -ALL TLSv1.2 -TLSv1 -TLSv1.1 -SSLv3

It’s recommended to disable TLSv1 in all circumstances, and I’d recommend using TLSv1.2 without TLSv1.1. This is also consistent with recent PCI regulatory guidance.