I have been asked to disable TLS1.0 (on SSLv3) for Apache running on Solaris. I am new to infrastructure stuff. I did some googling and most results talk about something like SSLProtocol all -TLSv1 in the ssl.conf file. But when I go to the /etc/apache2/ssl.conf file there is no setting defined for SSLProtocol. Is it that, since there is no setting defined for SSLProtocol, all TLS versions are being allowed? Also, where should I add the SSLProtocol setting in the ssl.conf file? Many thanks for all replies.
Go to Apache's folder and just run:
grep -iRl "SSLProtocol" ./
Then, if you found a file containing it, change it to the following; if you didn't find anything, open ssl.conf and add this line after the lines starting with SSL:
SSLProtocol -all +TLSv1.2
If your OpenSSL version is above 1.1.1 (use openssl version to check) and your Apache version is above 2.4.36 (use httpd -v to check), then you can also use TLSv1.3. If you use it without the above-mentioned version requirements, you will get an error saying Illegal Protocol. So, if you meet the above requirements you can use:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Also, I am confused about the SSLv3 you mentioned. You must not use SSLv3 even if you want to. Check https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/.
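As an added example (not part of the original question or answer), the script below evaluates an SSLProtocol argument string the way mod_ssl does, so you can check what a directive actually leaves enabled before restarting httpd: "all" expands to every protocol the OpenSSL build knows, "-" removes and "+" adds, left to right. The list of protocols the build supports is a constructed assumption here (SSLv3 through TLSv1.3); it also shows why the form from the question, all -TLSv1, still leaves SSLv3 and TLSv1.1 on.

```shell
#!/bin/sh
# Added example: evaluate an Apache mod_ssl SSLProtocol argument string.
# Constructed assumption: the OpenSSL build knows these protocols (SSLv2 excluded).
KNOWN="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the space-separated list $1 without the entry named in $2.
without() {
    for p in $1; do [ "$p" = "$2" ] || printf '%s ' "$p"; done
}

# $1: argument string of an SSLProtocol directive, e.g. "-all +TLSv1.2".
# Prints the enabled protocols in KNOWN order; returns 1 on an unknown name
# (mod_ssl itself rejects the directive in that case, e.g. TLSv1.3 on an old build).
ssl_protocols_for() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            -*) op=del; name=${tok#-} ;;
            +*) op=add; name=${tok#+} ;;
            *)  op=add; name=$tok ;;
        esac
        if [ "$name" = all ]; then names=$KNOWN; else names=$name; fi
        for n in $names; do
            case " $KNOWN " in
                *" $n "*) ;;
                *) echo "SSLProtocol: unknown protocol '$n'" >&2; return 1 ;;
            esac
            enabled=$(without "$enabled" "$n")      # drop any earlier mention
            if [ "$op" = add ]; then enabled="$enabled $n"; fi
        done
    done
    out=""
    for k in $KNOWN; do
        case " $enabled " in *" $k "*) out="$out $k" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Print the protocols that a directive would still offer but that should be off.
weak_protocols_in() {
    weak=""
    for p in $(ssl_protocols_for "$1"); do
        case "$p" in SSLv3|TLSv1|TLSv1.1) weak="$weak $p" ;; esac
    done
    printf '%s\n' "${weak# }"
}

# Usage: pass the argument part of the directive found by grep, or the one you plan to add.
ssl_protocols_for "-all +TLSv1.2"   # prints: TLSv1.2
weak_protocols_in "all -TLSv1"      # prints: SSLv3 TLSv1.1
```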