How To Disable Tls 1 0 And 1 1 On Linux Server – Secure Linux Server By Disabling TLS

Disabling TLS 1.0 and 1.1 on a Linux server improves security by removing obsolete protocol versions. If you’re wondering how to disable TLS 1.0 and 1.1 on a Linux server, you’re in the right place. This guide walks you through every step, from checking current settings to applying changes across popular services like Apache, Nginx, and OpenSSL. The old versions are exposed to attacks such as BEAST, and the CBC padding-oracle technique behind POODLE has also hit TLS 1.0 and 1.1 implementations, so disabling them is a smart move for any production system.

Let’s get started with a clear plan. You’ll learn the exact commands and configuration tweaks needed. No fluff, just practical steps.

Why Disable Tls 1.0 And 1.1 On Linux Server

TLS 1.0 (1999) and 1.1 (2006) are obsolete; the IETF formally deprecated both in RFC 8996 (2021). They cannot negotiate modern AEAD cipher suites, and their CBC modes have a long history of padding-oracle flaws. Every mainstream browser has supported TLS 1.2 for years, and Chrome, Firefox, Safari and Edge removed 1.0 and 1.1 in 2020. By disabling older versions, you reduce attack surface and meet compliance standards like PCI DSS, which has required migrating off TLS 1.0 since June 2018.

Leaving them enabled is like leaving a back door open. A client that retries with an older version after a failed handshake (insecure fallback) can be pushed onto the weak version by an active attacker, and that only works because the server still accepts it. Disabling the old versions is a straightforward way to harden your server.

Security Risks Of Old Tls Versions

Here are the main risks:

  • BEAST (CVE-2011-3389): chosen-plaintext attack on TLS 1.0’s chained, predictable CBC initialisation vectors; TLS 1.1 fixed this with per-record IVs
  • POODLE (CVE-2014-3566): padding-oracle attack on SSL 3.0 CBC; the same technique later hit TLS 1.0/1.1 stacks that did not check padding bytes
  • Weak cipher suites: besides AES-CBC, RC4 and 3DES (Sweet32, CVE-2016-2183) are all that TLS 1.0/1.1 can offer
  • No support for modern AEAD ciphers (AES-GCM, ChaCha20-Poly1305), which exist only from TLS 1.2 onwards

These vulnerabilities can lead to data theft or man-in-the-middle attacks. Disabling the old versions removes the protocol-level flaws; the weak cipher suites still have to be removed from your cipher list separately, because TLS 1.2 can negotiate RC4 and 3DES too.

How To Disable Tls 1 0 And 1 1 On Linux Server

Now let’s dive into the actual steps. The process varies depending on what services you run. We’ll cover the most common ones: Apache, Nginx, OpenSSL, and system-wide settings.

Check Current Tls Configuration

Before making changes, check what’s currently enabled. Use OpenSSL to test each version explicitly (add -servername when the site is selected by SNI):

  1. Open a terminal on your Linux server.
  2. Run: openssl s_client -connect localhost:443 -servername yourhost -tls1 (for TLS 1.0)
  3. Run: openssl s_client -connect localhost:443 -servername yourhost -tls1_1 (for TLS 1.1)

If the handshake completes (a real cipher name appears after “Cipher is” and the certificate is printed), the version is enabled. If it fails with an error like “SSL routines:ssl3_read_bytes:tlsv1 alert protocol version,” the server rejected it. One caveat: on OpenSSL 3.x the client itself refuses to offer TLS 1.0 or 1.1 at the default security level and reports “no protocols available” without ever contacting the server, so a failure of that kind proves nothing about the server. For a reliable answer, use a scanner that does not depend on the system OpenSSL, such as nmap --script ssl-enum-ciphers -p 443 localhost, sslscan, or testssl.sh; each lists every version the server accepts.

Disable Tls 1.0 And 1.1 In Apache

Apache uses the SSLProtocol directive. Edit your SSL configuration file, typically /etc/httpd/conf.d/ssl.conf (RHEL/CentOS/Fedora) or /etc/apache2/mods-available/ssl.conf (Debian/Ubuntu). The directive is evaluated left to right: all enables every version, a leading minus removes one, and a leading plus (or no sign) adds one.

  1. Open the file with sudo: sudo nano /etc/apache2/mods-available/ssl.conf
  2. Find the line starting with SSLProtocol. The stock value is SSLProtocol all -SSLv3, which still leaves TLS 1.0 and 1.1 enabled.
  3. Change it to: SSLProtocol -all +TLSv1.2 +TLSv1.3 (drop +TLSv1.3 on Apache older than 2.4.37 or OpenSSL older than 1.1.1; those versions reject the keyword with “Illegal protocol”)
  4. Save and exit.
  5. Test configuration: sudo apachectl configtest
  6. Reload Apache, which applies the change without dropping open connections: sudo systemctl reload apache2 (httpd on RHEL/CentOS)

If you use virtual hosts, you can set the protocol per site inside the <VirtualHost> block:

SSLProtocol -all +TLSv1.2 +TLSv1.3

Older Apache releases applied only the default (first) virtual host’s SSLProtocol to the handshake, so put the same value in the default vhost for each address:port, or simply keep it in the global ssl.conf. Verify with OpenSSL or a scanner again. You should see failures for TLS 1.0 and 1.1.

Disable Tls 1.0 And 1.1 In Nginx

Nginx uses the ssl_protocols directive in the server block. Edit your Nginx config file, usually /etc/nginx/nginx.conf or a site-specific file in /etc/nginx/sites-available/.

  1. Open the config: sudo nano /etc/nginx/sites-available/default
  2. Inside the server block, find or add: ssl_protocols TLSv1.2 TLSv1.3;
  3. Remove any references to TLSv1 or TLSv1.1.
  4. Save and exit.
  5. Test config: sudo nginx -t
  6. Reload Nginx: sudo systemctl reload nginx

If you have multiple server blocks, the simplest option is to set ssl_protocols once in the http block so every server inherits it. A server block that sets its own value overrides the inherited one, so grep the whole tree (grep -rn ssl_protocols /etc/nginx) to make sure no site re-enables TLSv1 or TLSv1.1. Nginx 1.23.4 and later default to TLSv1.2 and TLSv1.3 when the directive is absent; older releases default to a list that includes TLSv1 and TLSv1.1, so always set it explicitly.
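Before trusting an edit it helps to evaluate what a directive actually permits, because Apache’s SSLProtocol is order-sensitive and a stray “all” later on the line re-enables everything. The audit script below is an added example, not part of the original article or of the Apache or Nginx projects. It applies mod_ssl’s evaluation rules (words processed left to right; all and -all set or clear every version; +X or bare X adds; -X removes) to each SSLProtocol line, treats ssl_protocols as the plain list it is, and flags any directive that still admits SSLv3, TLSv1 or TLSv1.1. The version list assumes Apache 2.4 with OpenSSL 1.1.1 or later, where all includes TLSv1.3; the sample configuration it writes is constructed for the demonstration and not taken from any real server.

```sh
#!/bin/sh
# Added example (not from the original article): audit Apache "SSLProtocol" and
# Nginx "ssl_protocols" directives and report any that still admit SSLv3, TLSv1
# or TLSv1.1. Apache evaluation follows mod_ssl: words are processed left to
# right, "all"/"+all" sets every version, "-all" clears them, "+X" or bare "X"
# adds X, "-X" removes it. Assumes Apache 2.4 with OpenSSL 1.1.1+, where "all"
# includes TLSv1.3.

ALL_VERSIONS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# apache_protocols "VALUE" : print the set of versions an SSLProtocol value enables
apache_protocols() {
  enabled=""
  for w in $1; do                       # unquoted on purpose: split into words
    case $w in
      all|+all) enabled=$ALL_VERSIONS ;;
      -all)     enabled="" ;;
      -*)       v=${w#-}
                enabled=$(printf '%s\n' $enabled | grep -vx -- "$v" | tr '\n' ' ') ;;
      *)        v=${w#+}
                case " $enabled " in
                  *" $v "*) ;;                         # already present
                  *)        enabled="$enabled $v" ;;
                esac ;;
    esac
  done
  echo $enabled                         # unquoted: collapses the whitespace
}

# nginx_protocols "VALUE" : ssl_protocols is a plain list; drop the ';' and echo it
nginx_protocols() {
  v=${1%;}
  echo $v
}

# weak_versions_present "SET" : succeeds if SSLv3, TLSv1 or TLSv1.1 is in SET
weak_versions_present() {
  case " $1 " in
    *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 0 ;;
  esac
  return 1
}

# audit_file FILE : one OK/WEAK line per active protocol directive (commented-out
# lines are skipped); returns the number of WEAK directives, 0 when clean
audit_file() {
  weak=0
  hits=$(mktemp)
  grep -nE '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' "$1" > "$hits" || true
  while IFS= read -r hit; do
    num=${hit%%:*}
    rest=$(printf '%s' "${hit#*:}" | tr '\t' ' ')
    rest=${rest#"${rest%%[! ]*}"}       # trim leading spaces
    directive=${rest%% *}
    value=${rest#* }
    value=$(echo ${value%%#*})          # drop a trailing comment, normalise spaces
    case $directive in
      SSLProtocol)   found=$(apache_protocols "$value") ;;
      ssl_protocols) found=$(nginx_protocols "$value") ;;
    esac
    if weak_versions_present "$found"; then
      echo "$1:$num: WEAK $directive -> $found"
      weak=$((weak + 1))
    else
      echo "$1:$num: OK   $directive -> $found"
    fi
  done < "$hits"
  rm -f "$hits"
  return $weak
}

# write_sample FILE : constructed config mixing an Apache vhost and an Nginx server
# block (not taken from any real server); the Apache line is the stock default
write_sample() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    # SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
server {
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

# With file arguments audit those; with none, audit the embedded sample
if [ $# -eq 0 ]; then
  sample=$(mktemp)
  write_sample "$sample"
  audit_file "$sample" || echo "weak directives: $?"
  rm -f "$sample"
else
  for f in "$@"; do audit_file "$f" || echo "weak directives in $f: $?"; done
fi
```

Point it at real files with sh audit-tls.sh /etc/apache2/sites-enabled/* /etc/nginx/nginx.conf /etc/nginx/sites-enabled/*; with no arguments it audits the embedded sample, which contains one weak Apache line (the stock all -SSLv3, evaluating to TLSv1 TLSv1.1 TLSv1.2 TLSv1.3) and one clean Nginx line. audit_file returns the count of weak directives, so it slots into a configuration-management or CI check.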

Disable Tls 1.0 And 1.1 In OpenSSL

OpenSSL itself can be configured system-wide. The system default affects every application that uses the system libssl without setting its own minimum version (Python, PHP, curl, custom scripts); a server that sets SSLProtocol or ssl_protocols explicitly overrides it, so this is a safety net, not a replacement for the steps above. Edit the OpenSSL config file, usually /etc/ssl/openssl.cnf (Debian/Ubuntu) or /etc/pki/tls/openssl.cnf (RHEL).

  1. Backup the file: sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
  2. Open the file: sudo nano /etc/ssl/openssl.cnf
  3. Add or modify the [system_default_sect] section. If it doesn’t exist, create it:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
  4. Check that the section is actually reachable. OpenSSL only reads it through a chain of references: an openssl_conf = ... line at the top of the file (before any section header) names an init section, that section’s ssl_conf = ... line names an SSL section, and that section’s system_default = system_default_sect line points here. Debian and Ubuntu ship this chain already; if your file lacks it, an unreferenced [system_default_sect] is silently ignored.
  5. Save and exit.
  6. Restart any services that use OpenSSL (like Apache or Nginx).

This makes TLS 1.2 the minimum for every OpenSSL connection that does not override it; SECLEVEL=2 additionally rejects RSA keys shorter than 2048 bits and ciphers offering less than 112 bits of security. On RHEL 8+, Fedora and their derivatives, do not edit openssl.cnf by hand: the system-wide setting comes from crypto-policies, and update-crypto-policies --show tells you which profile is active (DEFAULT already excludes TLS 1.0 and 1.1; LEGACY allows them). Note that some older applications might break if they don’t support TLS 1.2.
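Because an unreferenced section is ignored without any warning, it is worth checking what an openssl.cnf actually enforces rather than what it appears to contain. The script below is an added example, not part of the original article or of OpenSSL; it follows the openssl_conf, ssl_conf and system_default references with a small awk INI lookup and prints the MinProtocol that is reached, or “none” when a link is missing. The two sample files it writes are constructed for the demonstration (wired.cnf mirrors the Debian/Ubuntu layout, unwired.cnf is what a bare echo >> openssl.cnf leaves behind); .include directives are not followed.

```sh
#!/bin/sh
# Added example (not from the original article): work out which MinProtocol an
# openssl.cnf really enforces by following the reference chain OpenSSL uses:
#   openssl_conf = <init>          (top of file, before any [section])
#   [<init>]   ssl_conf = <ssl>
#   [<ssl>]    system_default = <sect>
#   [<sect>]   MinProtocol = ...
# A [system_default_sect] that nothing points at is silently ignored, which is
# the failure this check exposes. ".include" directives are not followed.

# ini_get FILE SECTION KEY : print KEY's value inside [SECTION]; SECTION "" means
# the unnamed default section before the first header
ini_get() {
  awk -v sect="$2" -v key="$3" '
    BEGIN { in_s = (sect == "") }
    /^[ \t]*\[/ {
      in_s = ($0 ~ ("^[ \t]*\\[[ \t]*" sect "[ \t]*\\][ \t]*$")); next
    }
    in_s && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "")
      print; exit
    }' "$1"
}

# effective_min_protocol FILE : print the MinProtocol reached through the chain,
# or "none" (exit status 1) if any link is missing
effective_min_protocol() {
  f=$1
  init=$(ini_get "$f" "" openssl_conf);        [ -n "$init" ] || { echo none; return 1; }
  ssl=$(ini_get "$f" "$init" ssl_conf);        [ -n "$ssl" ]  || { echo none; return 1; }
  sect=$(ini_get "$f" "$ssl" system_default);  [ -n "$sect" ] || { echo none; return 1; }
  minp=$(ini_get "$f" "$sect" MinProtocol);    [ -n "$minp" ] || { echo none; return 1; }
  echo "$minp"
}

# write_samples DIR : two constructed files (not copied from any distribution).
# wired.cnf has the complete chain in the layout Debian/Ubuntu ship; unwired.cnf
# is what a bare `echo "[system_default_sect]" >> openssl.cnf` leaves behind
write_samples() {
  printf '%s\n' 'openssl_conf = default_conf' '' '[default_conf]' 'ssl_conf = ssl_sect' '' \
    '[ ssl_sect ]' 'system_default = system_default_sect' '' '[system_default_sect]' \
    'MinProtocol = TLSv1.2' 'CipherString = DEFAULT@SECLEVEL=2' > "$1/wired.cnf"
  printf '%s\n' '[ req ]' 'distinguished_name = req_dn' '' '[system_default_sect]' \
    'MinProtocol = TLSv1.2' > "$1/unwired.cnf"
}

# Demo: check the two samples, then the real system file where one exists
d=$(mktemp -d)
write_samples "$d"
for f in "$d/wired.cnf" "$d/unwired.cnf" /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf; do
  [ -r "$f" ] && printf '%-40s MinProtocol=%s\n' "$f" "$(effective_min_protocol "$f")"
done
rm -rf "$d"
```

Run as sh check-openssl-cnf.sh: the wired sample resolves to TLSv1.2, the unwired one to none, and the line for the live /etc/ssl/openssl.cnf tells you whether your distribution’s file really pins a minimum (a stock Debian or Ubuntu file has the chain but no MinProtocol line, so it reports none until you add one).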

Disable Tls 1.0 And 1.1 In Postfix Or Dovecot

Email servers also use TLS. For Postfix, edit /etc/postfix/main.cf. The *_tls_protocols settings govern opportunistic TLS and the *_tls_mandatory_protocols settings govern connections where TLS is required, so set all four:

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Postfix 3.6 and later also accept the shorter form >=TLSv1.2. Then restart Postfix: sudo systemctl restart postfix.

Bear in mind that server-to-server SMTP is opportunistic: a remote mail server that can only do TLS 1.0 does not fail, it falls back to delivering in cleartext. Check your mail logs for such senders before you tighten this, and weigh an old-TLS session against a plaintext one.

For Dovecot 2.3 and later, edit /etc/dovecot/conf.d/10-ssl.conf:

ssl_min_protocol = TLSv1.2

(Dovecot 2.2 uses ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 instead.) Restart Dovecot: sudo systemctl restart dovecot.

Disable Tls 1.0 And 1.1 In Lighttpd

Recent Lighttpd 1.4.x releases pass protocol settings straight to OpenSSL through ssl.openssl.ssl-conf-cmd; the older ssl.use-sslv3 switch only covers SSL 3.0 and there is no per-version switch for TLS. Edit your config file (e.g., /etc/lighttpd/lighttpd.conf) and add to the SSL server block:

ssl.use-sslv3 = "disable"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

Lighttpd 1.4.56 and later already default to a TLS 1.2 minimum, so on those versions this only makes the setting explicit. Then restart Lighttpd: sudo systemctl restart lighttpd.

Verify The Changes

After applying changes, always verify, ideally from a machine outside the server against its public name. Use online tools like SSL Labs (https://www.ssllabs.com/ssltest/) or local commands (add -servername for SNI hosts):

  • openssl s_client -connect localhost:443 -tls1 should fail.
  • openssl s_client -connect localhost:443 -tls1_1 should fail.
  • openssl s_client -connect localhost:443 -tls1_2 should succeed.
  • openssl s_client -connect localhost:443 -tls1_3 should succeed if you enabled TLS 1.3.

Remember the OpenSSL 3 caveat from the check step: a client-side “no protocols available” error is not proof that the server rejects the version, so confirm with nmap’s ssl-enum-ciphers script or testssl.sh. You can also use curl, pinning both the minimum and the maximum version (since curl 7.54, --tlsv1.0 on its own only sets the minimum, so it would happily negotiate TLS 1.2 and “succeed”):

  • curl -k --tlsv1.0 --tls-max 1.0 https://localhost should fail.
  • curl -k --tlsv1.1 --tls-max 1.1 https://localhost should fail.
  • curl -k --tlsv1.2 https://localhost should work.

(-k skips certificate checks, which is fine for a protocol test against localhost; drop it when testing the real hostname.)
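The checks in this section and under Check Current TLS Configuration both hinge on reading s_client’s output correctly, and a modern client can fail for reasons that have nothing to do with the server. The script below is an added example, not part of the original article or of OpenSSL; it wraps the s_client probe in a function and classifies its output into four verdicts using OpenSSL 1.1.1/3.x reason strings. The host names are placeholders and the sample outputs are constructed and abridged from the real s_client format for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): probe one TLS version with
# openssl s_client and say what the result means. A non-zero exit from s_client
# hides three different situations, so the classifier reads the output instead:
#   ENABLED         the handshake completed at that version
#   DISABLED        the server refused it (protocol-version or handshake-failure
#                   alert, "unsupported protocol", "wrong version number")
#   CLIENT_REFUSED  the local OpenSSL would not offer the version at all
#                   ("no protocols available", typical of OpenSSL 3 at its default
#                   security level); the result says nothing about the server
#   UNREACHABLE     TCP connect failed: firewall, wrong port or service down
# Matched fragments are OpenSSL 1.1.1/3.x reason strings; the sample outputs
# below are constructed and abridged from that format.

# classify_probe : read s_client output on stdin, print one verdict
classify_probe() {
  out=$(cat)
  case $out in
    *"no protocols available"*)                     echo CLIENT_REFUSED ;;
    *"connect:errno"*|*"Connection refused"*)       echo UNREACHABLE ;;
    *"alert protocol version"*|*"handshake failure"*|*"unsupported protocol"*|\
    *"wrong version number"*|*"Cipher is (NONE)"*)  echo DISABLED ;;
    *"Cipher is "*)                                 echo ENABLED ;;
    *)                                              echo UNKNOWN ;;
  esac
}

# probe HOST PORT VERSION : VERSION is tls1, tls1_1, tls1_2 or tls1_3 (s_client
# flag names); -servername makes SNI-selected sites answer with their own settings
probe() {
  openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1 | classify_probe
}

# probe_all HOST [PORT] : one verdict per version. A clean server shows tls1 and
# tls1_1 DISABLED (CLIENT_REFUSED means: re-check with nmap or testssl.sh) and
# tls1_2 / tls1_3 ENABLED
probe_all() {
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    printf '%-7s %s\n' "$v" "$(probe "$1" "${2:-443}" "$v")"
  done
}

# Constructed, abridged sample outputs for the four cases
SAMPLE_ENABLED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'
SAMPLE_DISABLED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)'
SAMPLE_CLIENT='SSL routines::no protocols available'
SAMPLE_DOWN='connect: Connection refused
connect:errno=111'

# Demo against the samples (no network needed); for a live host: probe_all www.example.com
for name in ENABLED DISABLED CLIENT DOWN; do
  eval "sample=\$SAMPLE_$name"
  printf 'sample %-9s -> %s\n' "$name" "$(printf '%s\n' "$sample" | classify_probe)"
done
```

The failure patterns are tested before the success pattern on purpose: s_client prints an SSL-Session block with a Protocol line even after a failed handshake, so “Protocol : TLSv1” in the output does not mean TLS 1.0 was negotiated; only a real cipher name after “Cipher is” does.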

Automating With Ansible Or Scripts

If you manage multiple servers, automate the process. Here’s a simple Bash script:

#!/bin/bash
# Disable TLS 1.0 and 1.1 on Apache, Nginx and system-wide OpenSSL (Debian/Ubuntu paths;
# on RHEL use /etc/httpd/conf.d/ssl.conf and update-crypto-policies instead of openssl.cnf).
set -euo pipefail
APACHE_SSL=/etc/apache2/mods-available/ssl.conf
NGINX_CONF=/etc/nginx/nginx.conf
OPENSSL_CNF=/etc/ssl/openssl.cnf
for f in "$APACHE_SSL" "$NGINX_CONF" "$OPENSSL_CNF"; do cp -a "$f" "$f.bak.$(date +%F)"; done

# Apache: rewrite only active (uncommented) SSLProtocol lines; configtest aborts the script on error
sed -i -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*/\1SSLProtocol -all +TLSv1.2 +TLSv1.3/' "$APACHE_SSL"
apachectl configtest
systemctl reload apache2

# Nginx: same for ssl_protocols; nginx -t guards the reload
sed -i -E 's/^([[:space:]]*)ssl_protocols[[:space:]].*/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$NGINX_CONF"
nginx -t
systemctl reload nginx

# OpenSSL: set MinProtocol inside the existing [system_default_sect]; appending a second
# copy of the section does nothing, because OpenSSL only reads the one the config chain points to
grep -q '^\[system_default_sect\]' "$OPENSSL_CNF" || { echo "no [system_default_sect] in $OPENSSL_CNF; wire one up by hand" >&2; exit 1; }
grep -q '^MinProtocol' "$OPENSSL_CNF" && sed -i 's/^MinProtocol.*/MinProtocol = TLSv1.2/' "$OPENSSL_CNF" \
  || sed -i '/^\[system_default_sect\]/a MinProtocol = TLSv1.2' "$OPENSSL_CNF"

Run it with sudo, on a staging host first. Adjust paths for your distribution. The sed lines rewrite every active SSLProtocol or ssl_protocols line in the named file only; directives in sites-enabled, conf.d or other included files need the same treatment (grep -rn for them), and a config test before each reload is what keeps a typo from taking the service down.

Common Issues And Troubleshooting

Some older clients might break. Internet Explorer 8 to 10 on Windows 7 ship with TLS 1.1 and 1.2 switched off (users can enable them under Internet Options), Internet Explorer on Windows XP has nothing newer than TLS 1.0, Android 4.4 and older has TLS 1.2 off by default in its HTTP stack, and Java 7 clients also default to TLS 1.0. If you need backward compatibility for such clients, consider a phased rollout.

If you see errors like “no shared cipher,” your server might not have strong ciphers enabled, or your certificate does not fit the cipher list (an ECDSA certificate with an RSA-only list, for example). Ensure you have modern cipher suites configured; a minimal baseline is:

  • Apache: SSLCipherSuite HIGH:!aNULL:!MD5
  • Nginx: ssl_ciphers HIGH:!aNULL:!MD5;

HIGH still admits RSA key exchange without forward secrecy and CBC suites; for a vetted list matched to your server and OpenSSL versions, use the Mozilla SSL Configuration Generator (https://ssl-config.mozilla.org/).

Also check firewall rules. Sometimes TLS handshake failures are due to blocked ports, not protocol version.

Testing With Different Tools

Use testssl.sh for a comprehensive scan. Clone it from its GitHub repository (it needs only bash and ships its own OpenSSL binaries, so it is not limited by the system OpenSSL 3 restriction on old protocols) and run the protocol check:

./testssl.sh -p localhost:443

The -p (--protocols) option lists which versions are supported; run it with no option for the full set of checks, including cipher order and known vulnerabilities. Another tool is nmap with the ssl-enum-ciphers script.

Best Practices After Disabling

Once you disable TLS 1.0 and 1.1, monitor logs for connection errors. Handshake failures are logged at info level, so raise the log level temporarily (Apache: LogLevel warn ssl:info; Nginx: error_log /var/log/nginx/error.log info) and then check /var/log/apache2/error.log or /var/log/nginx/error.log for OpenSSL errors such as “unsupported protocol” or “version too low”; each one is a client that can no longer connect.

Consider enabling HSTS to force secure connections. Also, keep your OpenSSL version updated. Older versions might have bugs, and only 1.1.1 and later give you TLS 1.3.

Document the change in your change management system. If something breaks, you’ll know what was changed.

Frequently Asked Questions

Will Disabling TLS 1.0 And 1.1 Break My Website?

It can if you have visitors using very old clients: Internet Explorer on Windows XP, Internet Explorer 8 to 10 on Windows 7 with default settings, Android 4.4 and older, or Java 7 applications with default settings. Everything released since roughly 2014 supports TLS 1.2. Server logs or analytics from your CDN or load balancer show which protocol versions real users negotiated; check them before and after the change.

How Do I Check If TLS 1.0 Is Still Enabled On My Server?

Use OpenSSL: openssl s_client -connect localhost:443 -tls1. If it connects, it’s enabled. If it fails with “no protocols available,” your own OpenSSL 3 refused to try and the result is inconclusive; use nmap --script ssl-enum-ciphers or testssl.sh instead. Online scanners like SSL Labs also list every version the server accepts.

Can I Disable TLS 1.0 And 1.1 Without Restarting Services?

Apache and Nginx both re-read their configuration on a reload (systemctl reload apache2 or nginx), starting new worker processes with the new settings while existing connections finish, so there is no downtime. Postfix and Dovecot also support reload. A full restart is only needed when the OpenSSL library itself was updated, because running processes keep the old library mapped.

What About TLS 1.3? Should I Enable It?

Yes, TLS 1.3 is the latest and most secure. Enable it if your OpenSSL version supports it (1.1.1 or later) and your server knows the keyword: Apache 2.4.37+ or Nginx 1.13.0+. Add +TLSv1.3 to the Apache protocol list, or TLSv1.3 to the Nginx ssl_protocols line; an older server rejects the keyword at config test time, so you will know immediately.

Does Disabling TLS 1.0 Affect Email Servers?

Yes, if you run Postfix or Dovecot, you need to update their configs separately. Follow the steps above for email services.

Final Thoughts

Disabling TLS 1.0 and 1.1 is a critical security step. It protects your server from known attacks and aligns with industry standards. The process is straightforward once you know where to edit config files.

Remember to test thoroughly after changes. Use multiple tools to verify. If you have a staging environment, test there first.

By following this guide on how to disable TLS 1.0 and 1.1 on a Linux server, you’ve made your server more secure. Keep your software updated and review security settings regularly.

Now go ahead and apply these changes. Your server will thank you.