Comment 6 for bug 1665151

Revision history for this message
In , David Favor (davidfavor) wrote :

Changes in SSLProtocol seem to be ignored.

This can be observed in all SSL testers I've used.

The testssl script provides an easy way to check this, without having to wait for minutes (like SSLLabs) for output.

Problem can be shown via...

testssl --protocols

Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.

My goal == disable TLS 1.0 for some of my hosting clients who have PCI requirements for this level of TLS to be disabled.

None of these permutations work. In fact, I can't find any SSLProtocol setting which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS versions are enabled.

Settings tried, that fail to disable TLSv1...

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SLProtocol -All +TLSv1.1 +TLSv1.2

SSLProtocol all -SSLv2 -SSLv3 -TLSv1