GlobalSign Support
Jul 1, 2020
Introduction
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing communication security over a network; for example, a client connecting to a web server. A "handshake" is done at the start of a TLS or SSL connection. During this handshake the client and server work out which ciphers and hash algorithms they mutually support. This is also where a server provides its digital certificate to the connecting client. TLS is the continuation of SSL. Over the years, vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. For this reason, you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS protocols 1.2 and 1.3 enabled.
Disabling SSLv2, SSLv3, TLSv1, and TLSv1.1
APACHE
The default Apache configuration file can be found at:
- On Debian / Ubuntu based systems: /etc/apache2/apache2.conf
- On Red Hat / CentOS based systems: /etc/httpd/conf/httpd.conf
If SSL is configured in a virtual host, the configuration files will generally be under:
- On Debian / Ubuntu based systems: /etc/apache2/sites-enabled/
- On Red Hat / CentOS based systems: /etc/httpd/sites-enabled/
Depending on your configuration, this may need to be changed in multiple locations.
In your configuration file(s), find the entry "SSLProtocol" and modify it to look like:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
This tells Apache to enable all protocols, but disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1. The last step is to restart the Apache service:
service apache2 restart
or
service httpd restart
NGINX
NGINX may also be configured in multiple places. The global NGINX configuration file is located at:
/etc/nginx/nginx.conf
It may also be in individual server block configurations in:
/etc/nginx/sites-enabled/
In your configuration file(s), find the entry for "ssl_protocols" and modify it to match the following:
ssl_protocols TLSv1.2;
This tells NGINX to only enable the TLS 1.2 protocol. Restart NGINX to complete the changes:
service nginx restart
TOMCAT
The configuration file for Tomcat should be in:
TOMCAT_HOME/conf/server.xml
Tomcat 5 & 6 (prior to 6.0.38): within the server.xml, find the sslProtocols entry and make sure only the TLS 1.2 protocol is specified:
sslProtocols = "TLSv1.2"
Tomcat 6 & 7 (6.0.38 and newer): within the server.xml file, find the sslEnabledProtocols entry and make sure only the TLS 1.2 protocol is specified:
sslEnabledProtocols = "TLSv1.2"
Restart the Tomcat service to complete the changes.
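A quick way to verify that the edited directives really leave only TLS 1.2 (and 1.3) enabled is to lint the configuration lines before restarting. The following Python check is an added example, not code from the GlobalSign article: it parses one Apache SSLProtocol, NGINX ssl_protocols, or Tomcat sslProtocols/sslEnabledProtocols line into the set of enabled versions and reports any deprecated version still allowed. The sample configuration lines are constructed, and expanding Apache's "all" to the fixed ALL_PROTOCOLS list is a simplification assumed here.

```python
import re

# Protocol tokens as Apache's mod_ssl spells them; NGINX and Tomcat use the same names.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def apache_enabled(value):
    """Resolve an Apache SSLProtocol value into the set of enabled versions:
    'all' selects every token in ALL_PROTOCOLS, '-X' removes X, '+X' or bare 'X' adds X."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def enabled_protocols(config_line):
    """Return (server, enabled_set) for an Apache, NGINX or Tomcat protocol directive, else None."""
    line = config_line.strip()
    m = re.match(r"SSLProtocol\s+(.+)$", line)          # Apache: SSLProtocol all -SSLv2 ...
    if m:
        return "apache", apache_enabled(m.group(1))
    m = re.match(r"ssl_protocols\s+(.+?)\s*;", line)    # NGINX: ssl_protocols TLSv1.2;
    if m:
        return "nginx", set(m.group(1).split())
    # Tomcat server.xml: sslProtocols (pre-6.0.38) or sslEnabledProtocols, comma separated
    m = re.search(r'(?:sslEnabledProtocols|sslProtocols)\s*=\s*"([^"]*)"', line)
    if m:
        return "tomcat", {p.strip() for p in m.group(1).split(",") if p.strip()}
    return None

def weak_protocols(config_line):
    """Deprecated versions the line still leaves enabled; an empty set means compliant."""
    parsed = enabled_protocols(config_line)
    return parsed[1] & DEPRECATED if parsed else set()

# Constructed sample lines: the page's Apache and Tomcat values plus a weak NGINX line.
SAMPLE_CONFIG = [
    "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
    '<Connector port="8443" sslEnabledProtocols="TLSv1.2" />',
]

if __name__ == "__main__":
    for line in SAMPLE_CONFIG:
        weak = sorted(weak_protocols(line))
        print("WEAK" if weak else "OK  ", line, weak)
```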
Enabling TLS versions
ANDROID
TLS 1.1 and TLS 1.2 are supported within Android starting at API level 16 (Android Jelly Bean):
https://developer.android.com/reference/javax/net/ssl/SSLSocket?hl=zh-cn
APPLE
Enabling TLS or SSL in Apple: https://developer.apple.com/library/content/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html
References
1. TLS Protocol Compatibility
2. It's time to Disable TLS 1.0 (and All SSL Versions) If You Haven't Already
As a cybersecurity expert with extensive experience in cryptographic protocols, SSL/TLS, and web server security, I'll delve into the concepts mentioned in the article "How to enable or disable SSL and TLS versions." My expertise is demonstrated by a comprehensive understanding of the intricacies involved in securing communication over networks and configuring popular web servers like Apache, NGINX, and Tomcat.
The article primarily focuses on SSL (Secure Socket Layer) and its successor, TLS (Transport Layer Security), cryptographic protocols that ensure secure communication over a network, particularly between clients and web servers. The "handshake" mentioned in the article refers to the initial negotiation between the client and server to establish mutually supported ciphers and hash algorithms.
The key concepts covered in the article include:
- SSL and TLS Protocols:
  - SSL and TLS are cryptographic protocols used for securing communication over a network.
  - TLS is the successor to SSL, addressing vulnerabilities identified in earlier SSL versions.
- Disabling Insecure Protocols:
  - Due to identified vulnerabilities, it is recommended to disable older and less secure protocols such as SSLv2, SSLv3, TLS 1.0, and TLS 1.1.
  - This is crucial for enhancing the overall security of the communication channel.
- Configuring Apache:
  - The article provides instructions for configuring the Apache web server to disable insecure protocols.
  - The SSLProtocol directive in Apache's configuration file is modified to enable TLS protocols (1.2 and 1.3) and disable older versions.
- Configuring NGINX:
  - NGINX, another popular web server, also requires configuration to disable insecure protocols.
  - The ssl_protocols directive in NGINX's configuration file is adjusted to enable only TLS 1.2.
- Configuring Tomcat:
  - Tomcat, a widely used application server, is addressed in the article for TLS configuration.
  - Depending on the Tomcat version, the sslProtocols or sslEnabledProtocols entry in the server.xml file is modified to support only TLS 1.2.
- Enabling TLS Versions:
  - The article briefly touches on enabling TLS versions in Android and Apple environments.
  - Android supports TLS 1.1 and TLS 1.2 starting from API level 16+, while Apple provides documentation on enabling TLS or SSL.
- References:
  - The article cites external references on TLS protocol compatibility and the urgency of disabling TLS 1.0 and older SSL versions.
In conclusion, my expertise in cryptographic protocols and web server security affirms the importance of implementing strong security measures, such as enabling the latest TLS versions and disabling deprecated protocols, to safeguard communication channels on the internet.