How to disable TLS 1.0 on Apache or nginx
If your webserver accepts Transport Layer Security (TLS) version 1.0 on port 443, Cloud Cultivator will detect it. TLS 1.0 has several flaws. An attacker can cause connection failures that force a downgrade to TLS 1.0 and then exploit vulnerabilities such as BEAST (Browser Exploit Against SSL/TLS). In this way, attackers can perform man-in-the-middle attacks and observe the encrypted traffic between the website and its visitors: an attacker who has set up a ‘man-in-the-middle’ server could theoretically recover data that would normally be protected by encryption. The most likely target would be the session cookies or other session data carried over the encrypted connection.
To disable TLS 1.0 and below on an Apache server, apply the following configuration:
Apache/HTTPD
Find the line in the configuration file (usually /etc/httpd/conf/ssl.conf or /etc/httpd/conf/httpd.conf) that starts with SSLProtocol and make sure it reads:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
This enables all protocols except SSL versions 2 and 3 and TLS version 1.0.
To check that the configuration is correct, run the following command:
sudo httpd -t
Then restart the service with one of the following commands, depending on your Linux distribution:
sudo service httpd restart
sudo systemctl restart httpd
sudo service apache2 restart
sudo systemctl restart apache2
To disable TLS 1.0 and below on an nginx server, apply the following configuration:
Nginx
Edit the line starting with ssl_protocols in the nginx configuration (usually /etc/nginx/nginx.conf) so that it reads:
ssl_protocols TLSv1.1 TLSv1.2;
Check the configuration:
sudo nginx -t
Then restart the service with one of the following commands, depending on your Linux distribution:
sudo service nginx restart
sudo systemctl restart nginx
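As an added example (not part of the original article), the following Python script evaluates the SSLProtocol and ssl_protocols directives described above and reports any line that still enables TLS 1.0 or an SSL version, so a configuration can be checked before the service is restarted. It is a static check of the config text, not a live handshake test; the directive semantics and the sample config snippets are assumptions made for this example.

```python
import re

# Protocols this check treats as legacy: TLS 1.0 and the SSL versions below it.
# Extend the set (e.g. with "TLSv1.1") if your policy is stricter than the article's.
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}
# What Apache's "ALL" expands to here (assumed set; current mod_ssl has no SSLv2).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def apache_enabled_protocols(directive: str) -> set:
    """Evaluate an Apache 'SSLProtocol' directive left to right.
    Tokens: 'ALL'/'+ALL' enable everything, '-ALL' disables everything,
    'NAME'/'+NAME' enables one protocol and '-NAME' disables it."""
    enabled = set()
    for tok in directive.split()[1:]:  # skip the 'SSLProtocol' keyword itself
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        targets = set(APACHE_ALL) if name.lower() == "all" else {name}
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled

def nginx_enabled_protocols(directive: str) -> set:
    """nginx's 'ssl_protocols' is simply the list of enabled protocols."""
    return set(directive.strip().rstrip(";").split()[1:])

def find_legacy_protocols(config_text: str, server: str) -> dict:
    """Return {line_number: legacy protocols still enabled} for every
    SSLProtocol (server="apache") or ssl_protocols (server="nginx") directive."""
    keyword, evaluate = {
        "apache": ("SSLProtocol", apache_enabled_protocols),
        "nginx": ("ssl_protocols", nginx_enabled_protocols),
    }[server]
    findings = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if re.match(rf"{keyword}\b", stripped, re.IGNORECASE):
            legacy = evaluate(stripped) & LEGACY
            if legacy:
                findings[lineno] = legacy
    return findings

# Constructed sample snippets (not real server files): a weak and a fixed one each.
APACHE_WEAK = "SSLEngine on\nSSLProtocol ALL -SSLv2 -SSLv3\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol ALL -SSLv2 -SSLv3 -TLSv1\n"
NGINX_WEAK = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    ssl_protocols TLSv1.1 TLSv1.2;\n}\n"

if __name__ == "__main__":
    for text, server in [(APACHE_WEAK, "apache"), (APACHE_FIXED, "apache"),
                         (NGINX_WEAK, "nginx"), (NGINX_FIXED, "nginx")]:
        print(server, find_legacy_protocols(text, server) or "no legacy protocols")
```

Run it against the real file with `find_legacy_protocols(open("/etc/nginx/nginx.conf").read(), "nginx")`; an empty result means no directive still enables TLS 1.0 or older.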