How to Disable Older TLS Versions in Apache and Nginx

TLS versions 1.0 and 1.1 are now considered insecure with TLS 1.2 being the current standard and TLS 1.3 being the newest version available today. However, many web server environments leave the older TLS versions enabled to ensure compatibility for new users. This is a quick, but valuable way to harden your Linux server to protect your data and website visitors.

To test what TLS versions your Linux web server uses, you can use third party tools such as the Qualys SSL Labs online tool, included in the Mozilla Observatory Header Scanner.

Below we cover how to disable older TLS versions and enable TLS 1.3 on:

• cPanel VPS/Dedicated Servers
• Nginx Servers
• Apache Servers

Disable TLS 1.0 and TLS 1.1 in cPanel

1. Log into WebHost Manager (WHM) as root.
2. On the left, select Apache Configuration.
3. Select Global Configuration.
4. Beside SSL/TLS Protocols. you’ll likely see text similar to the following: SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1. Select the radio button beside “TLSv1.2default.” If you wish to support the latest TLS version, TLS 1.3, select the radio button beside the text field and type the following:

   TLSv1.2 +TLSv1.3 

   
5. At the bottom, select Save.
6. Select Rebuild Configuration and Restart Apache.
7. If your cPanel server runs Nginx, follow the Nginx section below. If not, test your TLS settings.

Disable Older TLS Versions on Nginx Servers

If your cPanel server runs Nginx, including users with the cPanel Cache Manager, you’ll need to do some advanced Nginx configuration:

Steps may differ if not managing an InMotion Hosting server.

1. Log into SSH or WHM Terminal as root.
2. Edit your default Nginx configuration file:

   nano /opt/ngxconf/templates/default_server.j2

3. Look for the ssl_protocols line at the bottom of the file. Remove TLSv1.1.
4. Save changes.
5. Rebuild your Nginx configuration:

   ngxconf -Rrd --force

6. Purge your Nginx cache:

   ngxutil -Z

7. Test your TLS settings.

Disable Older TLS Versions on Apache Servers

Follow these steps to harden unmanged Linux servers.

1. SSH into your server as root.
2. Edit your Apache configuration file. You can use the find command if it’s not below:
   
   CentOS:

   nano /etc/httpd/conf.d

   Debian/Ubuntu:

   nano /etc/apache2/mods-enabled/ssl.conf

   
   

   find / -iname ssl.conf

3. Edit the SSLProtocol line. Ensure it states the following:

   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

4. Save changes.
5. Restart Apache:

   systemctl restart apache2

6. Test your TLS settings.

Test your SSL/TLS Settings

After you finish configuring your TLS settings, there are two easy methods to check your TLS changes.

The easiest option is to use the Qualys SSL Labs test. Make sure to check the box stating “Do not show the results on the boards” for some anonymity.

• At the top, you should not see “This server supports TLS 1.0 and TLS 1.1.”
• If you enabled TLS 1.3, you should see “This server supports TLS 1.3” in green.
• View the related cPanel forum threads for more information on how to support Forward Secrecy.
• If you have a CAA DNS record, you’ll also see “DNS Certification Authority Authorization (CAA) Policy found for this domain.”

For terminal users with Nmap installed, you can use it or the Zenmap graphical application to check for insecure TLS ciphers.

nmap --script ssl-enum-ciphers -p 443 YourDomain.com

Be sure to bookmark our guide on VPS Security to learn more ways to protect your server. Have any questions about disabling older TLS protocols or SSL certificates? Let us know in our Community Forum.