In 2020, web browsers will start to remove TLS 1.0 and TLS 1.1 support. It is critically important that websites update their SSL/TLS configuration to take these changes into account and improve the security of their servers.

Timescale for browsers disabling TLS 1.0/1.1:

  • January 2020: Chrome
  • March 2020: Firefox, Safari, Webkit
  • Microsoft IE/Edge have not given a specific date but suggested the first half of 2020.

I’ve noted the process below on how to remove TLS 1.0 and 1.1 for simple setups. If you have a more complex setup this process may differ.

Apache

The default configuration in /etc/httpd/conf.d/ssl.conf looks like this:

SSLProtocol all -SSLv3

Only SSLv3 has been removed; all other protocol versions are still permitted. We need to change this so that only TLS 1.2 is allowed. To do this, find the line:

SSLProtocol all -SSLv3

And change it to:

SSLProtocol TLSv1.2

Restart Apache using the sudo apache2ctl restart command or similar.

NGINX

The default configuration files to edit are located:

  • /etc/nginx/nginx.conf
  • /etc/nginx/sites-available/example.com (or /default)
  • If Certbot / Let’s Encrypt is used, note the configuration for SSL options: /etc/letsencrypt/options-ssl-nginx.conf

Locate the line:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Remove TLSv1 and TLSv1.1 so the line reads:

ssl_protocols TLSv1.2 TLSv1.3;

Check that the config file is valid with nginx -t and then reload Nginx: sudo service nginx reload

IIS

IIS controls these settings via registry keys, so you just need to make the following changes:

Disable TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Disable TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Confirming TLS Changes

Make sure the service has been restarted; then you can use nmap to determine whether the change has worked:

nmap --script ssl-enum-ciphers -p 443 192.168.200.102 | grep TLSv

The only response should be TLSv1.2:

| TLSv1.2

If you see TLSv1.0, 1.1 and 1.2 then those versions are still being offered and the change has not taken effect:

| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
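As an added example (not part of the original post), here is a small POSIX shell script that parses the output of the nmap ssl-enum-ciphers scan shown above and fails when a legacy version is still offered, which is easier to drop into a post-change check than eyeballing the grep output. The two scan samples embedded in it are constructed, not real scans.

```shell
#!/bin/sh
# Added example (not from the original post): audit the output of
#   nmap --script ssl-enum-ciphers -p 443 <host>
# and fail when the server still offers SSLv3, TLS 1.0 or TLS 1.1.

# Print each protocol version nmap reports (lines such as "|   TLSv1.0:"),
# one per line, in the order found. Reads nmap output on stdin.
offered_protocols() {
  awk '/^\|[ _]+(SSLv[23]|TLSv1(\.[0-3])?):[[:space:]]*$/ { sub(/:$/, "", $2); print $2 }'
}

# Return 0 when only TLS 1.2/1.3 are offered, 1 when a legacy version is
# present, 2 when no protocol lines were found (port closed, script not run).
audit_protocols() {
  offered="$(offered_protocols)"
  [ -n "$offered" ] || { echo "no protocol versions found in input"; return 2; }
  status=0
  for proto in $offered; do
    case "$proto" in
      TLSv1.2|TLSv1.3) echo "ok      $proto" ;;
      *)               echo "LEGACY  $proto"; status=1 ;;
    esac
  done
  return $status
}

# Constructed, abridged nmap output (not a real scan) before the change ...
SAMPLE_BEFORE='443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.1:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A'
# ... and after it, when only TLS 1.2 is left.
SAMPLE_AFTER='443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A'

# Demo on the constructed samples; for a live scan, pipe nmap output into audit_protocols instead.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if printf '%s\n' "$sample" | audit_protocols; then echo "PASS"; else echo "FAIL (exit $?)"; fi
done
```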

If you do need any assistance, why not contact us about our support and advisory programme or our pen-test remediation support services.