Overview
TLS 1.0 support ended on July 30, 2018. This page summarizes how to configure the Apache web server so that it no longer uses TLS 1.0.
/etc/httpd/conf.d/ssl.conf
Before
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # List the protocol versions which clients are allowed to connect with.
    # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
    # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
    # protocol or later should remain in use.
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3

    $ nmap --script ssl-enum-ciphers -p 443 localhost | grep TLSv
    |   TLSv1.0:
    |   TLSv1.1:
    |   TLSv1.2:
After
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # List the protocol versions which clients are allowed to connect with.
    # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
    # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
    # protocol or later should remain in use.
    SSLProtocol TLSv1.2
    SSLProxyProtocol TLSv1.2

    $ nmap --script ssl-enum-ciphers -p 443 localhost | grep TLSv
    |   TLSv1.2:
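
The before and after settings above can also be checked offline, before reloading Apache. The following is an added example, not part of the original page: a small auditor that evaluates `SSLProtocol` and `SSLProxyProtocol` the way mod_ssl processes its `+`/`-`/bare tokens and reports which legacy protocols remain enabled. It assumes `all` expands to SSLv3 through TLSv1.2 (OpenSSL 1.0.1+ built with SSLv3) and treats the file as a single scope; the function names and sample strings are constructed for illustration.

```python
# Assumption: expansion of "all" on an OpenSSL 1.0.1+ build that includes SSLv3.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in ALL + ("TLSv1.3",)}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVES = {"sslprotocol": "SSLProtocol", "sslproxyprotocol": "SSLProxyProtocol"}


def resolve(tokens):
    """Evaluate one directive's arguments left to right and return the enabled set."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            chosen = set(ALL)
        elif name.lower() in KNOWN:
            chosen = {KNOWN[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {tok!r}")
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare token replaces whatever was set so far
    return enabled


def audit(conf_text):
    """Return {directive: sorted legacy protocols still enabled}; last occurrence wins."""
    result = {}
    for line in conf_text.splitlines():
        parts = line.split()
        # Comment lines start with '#', so their first token never matches a directive.
        if parts and parts[0].lower() in DIRECTIVES:
            name = DIRECTIVES[parts[0].lower()]
            result[name] = sorted(resolve(parts[1:]) & LEGACY)
    return result


# Constructed samples mirroring the two ssl.conf variants shown on this page.
BEFORE = "SSLEngine on\nSSLProtocol all -SSLv3\nSSLProxyProtocol all -SSLv3\n"
AFTER = "SSLEngine on\nSSLProtocol TLSv1.2\nSSLProxyProtocol TLSv1.2\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```

An empty list for both directives matches the nmap result in which only TLSv1.2 is offered; the live scan is still needed to confirm what the running server negotiates.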