Disable TLS 1.1 & 1.2: Security Boost

G5 Cyber Security

1 month ago

TL;DR

Disabling older versions of TLS (Transport Layer Security) like 1.1 and 1.2 improves your website’s security by removing support for protocols with known vulnerabilities. This forces visitors to use more secure options, protecting them and your data.

Why Disable TLS 1.1 & 1.2?

TLS is the technology that encrypts communication between a user’s browser and your web server (HTTPS). Older versions have weaknesses attackers can exploit:

TLS 1.1: Officially deprecated for years, it has known vulnerabilities making it easier to intercept data.
TLS 1.2: While better than TLS 1.1, it’s also nearing end-of-life and has some weaknesses compared to newer versions.

By disabling these older protocols, you:

Reduce the attack surface of your website.
Comply with modern security standards (like PCI DSS).
Improve trust and confidence for your users.

How to Disable TLS 1.1 & 1.2

The process varies depending on your web server. Here’s how to do it on common servers:

1. Apache

Edit the SSL Configuration File: Open your Apache SSL configuration file (usually located in /etc/apache2/mods-enabled/ssl.conf or similar).
Find and Modify TLS Protocols: Locate the section defining TLS protocols. It might look like this:
```
SSLProtocol all -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
```
Remove TLS 1.1 and 1.2: Change the line to only include TLS 1.3 (and optionally, TLS 1.0 if you absolutely need it for very old clients):
```
SSLProtocol all -SSLv3 +TLSv1.3
```
Restart Apache: Apply the changes by restarting your Apache server:
```
sudo systemctl restart apache2
```

2. Nginx

Edit the Server Block Configuration File: Open your Nginx server block configuration file (usually located in /etc/nginx/sites-available/your_site.conf).
Find and Modify SSL Protocols: Locate the section defining SSL protocols. It might look like this:
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
```
Remove TLS 1.1 and 1.2: Change the line to only include TLS 1.3:
```
ssl_protocols TLSv1.3;
```
Restart Nginx: Apply the changes by restarting your Nginx server:
```
sudo systemctl restart nginx
```

3. Microsoft IIS

Open Server Manager: Launch Server Manager on your Windows server.
Navigate to TLS/SSL Settings: Go to Internet Options > Content tab > SSL settings.
Uncheck TLS 1.1 and TLS 1.2: Deselect the checkboxes for “TLS 1.1” and “TLS 1.2”.
Apply Changes & Restart IIS: Click Apply, then restart your IIS server using Server Manager or PowerShell:
```
iisreset
```

Testing the Configuration

After making changes, verify that TLS 1.1 and 1.2 are disabled:

Use an Online SSL Checker: Tools like SSL Labs can scan your website and report the supported TLS versions.
OpenSSL Command (Advanced): You can use OpenSSL to connect to your server and check the negotiated protocol:
```
openssl s_client -connect yourdomain.com:443 -tls1_2
```
If TLS 1.2 is disabled, you should see an error message.