TLS versions 1.0 and 1.1 are now considered insecure; TLS 1.2 is the current standard and TLS 1.3 is the newest version available today. However, many web server environments leave the older TLS versions enabled to preserve compatibility for visitors with outdated clients. Disabling them is a quick but valuable way to harden your Linux server and protect your data and website visitors.
To test which TLS versions your Linux web server accepts, you can use third-party tools such as the Qualys SSL Labs online tool, which is included in the Mozilla Observatory Header Scanner.
Below we cover how to disable older TLS versions and enable TLS 1.3 on cPanel, Nginx, and Apache servers.
Disable TLS 1.0 and TLS 1.1 in cPanel
Follow these steps to harden cPanel-managed servers.
- Log into WebHost Manager (WHM) as root.
- On the left, select Apache Configuration.
- Select Global Configuration.
- Beside SSL/TLS Protocols, you’ll likely see text similar to the following:
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
Select the radio button beside “TLSv1.2 default.” If you wish to support the latest TLS version, TLS 1.3, select the radio button beside the text field and type the following:
TLSv1.2 +TLSv1.3
- At the bottom, select Save.
- Select Rebuild Configuration and Restart Apache.
- If your cPanel server runs Nginx, follow the Nginx section below. If not, test your TLS settings.
Disable Older TLS Versions on Nginx Servers
If your cPanel server runs Nginx, including users with the cPanel Cache Manager, you’ll need to do some advanced Nginx configuration:
Steps may differ if you are not managing an InMotion Hosting server.
- Log into SSH or WHM Terminal as root.
- Edit your default Nginx configuration file:
nano /opt/ngxconf/templates/default_server.j2
- Look for the ssl_protocols line at the bottom of the file. Remove TLSv1.1.
- Save changes.
- Rebuild your Nginx configuration:
ngxconf -Rrd --force
- Purge your Nginx cache:
ngxutil -Z
- Test your TLS settings.
Disable Older TLS Versions on Apache Servers
Follow these steps to harden unmanaged Linux servers.
- SSH into your server as root.
- Edit your Apache SSL configuration file. Use the find command if it is not at one of the paths below:
CentOS: nano /etc/httpd/conf.d/ssl.conf
Debian/Ubuntu: nano /etc/apache2/mods-enabled/ssl.conf
find / -iname ssl.conf
- Edit the SSLProtocol line. Ensure it states the following:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- Save changes.
- Restart Apache (on CentOS the service is named httpd, so use systemctl restart httpd instead):
systemctl restart apache2
- Test your TLS settings.
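Before restarting Apache or Nginx, it is worth confirming that the edited line really removes every obsolete version. The following is an added example (not part of the original article or of cPanel's tooling) that resolves Apache SSLProtocol and Nginx ssl_protocols directives to the set of enabled versions and reports any SSLv3, TLS 1.0 or TLS 1.1 left over; the sample config text is constructed for the demonstration.

```python
"""Audit Apache 'SSLProtocol' and Nginx 'ssl_protocols' lines for obsolete versions."""
import re

ALL_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
OBSOLETE = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions the article disables
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*;?\s*$")

def apache_enabled(value):
    """Resolve an Apache SSLProtocol value such as 'all -SSLv3 -TLSv1 -TLSv1.1'.
    mod_ssl semantics: 'all' selects every version, '+NAME' adds one, '-NAME'
    removes one, and a bare NAME replaces the selection made so far (Apache logs
    a warning), so 'TLSv1.2 TLSv1.3' leaves only TLS 1.3 enabled."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = set(ALL_VERSIONS)
        elif name in ALL_VERSIONS:
            names = {name}
        else:
            raise ValueError(f"unknown SSLProtocol token: {tok}")
        enabled = enabled | names if op == "+" else enabled - names if op == "-" else names
    return enabled

def nginx_enabled(value):
    """Resolve an Nginx ssl_protocols value such as 'TLSv1.2 TLSv1.3' (a plain list)."""
    names = set(value.rstrip(";").split())
    unknown = names - set(ALL_VERSIONS) - {"SSLv2"}
    if unknown:
        raise ValueError(f"unknown ssl_protocols token(s): {sorted(unknown)}")
    return names

def audit(config_text):
    """Return [(line_no, directive, obsolete versions still enabled)] per directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])  # ignore commented-out lines
        if m:
            directive, value = m.groups()
            enabled = apache_enabled(value) if directive == "SSLProtocol" else nginx_enabled(value)
            findings.append((no, directive, sorted(enabled & OBSOLETE)))
    return findings

# Constructed sample config: a hardened Apache line and a legacy Nginx line.
SAMPLE = "# SSLProtocol all -SSLv3\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n"
if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive} -> " + ("OK" if not bad else "still enabled: " + ", ".join(bad)))
```

Run it against your own file with `audit(open("/etc/httpd/conf.d/ssl.conf").read())`; an empty list for the directive means only TLS 1.2 and 1.3 remain.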
Test your SSL/TLS Settings
After you finish configuring your TLS settings, there are two easy methods to check your TLS changes.
The easiest option is to use the Qualys SSL Labs test. Make sure to check the box stating “Do not show the results on the boards” for some anonymity.
- At the top, you should not see “This server supports TLS 1.0 and TLS 1.1.”
- If you enabled TLS 1.3, you should see “This server supports TLS 1.3” in green.
- View the related cPanel forum threads for more information on how to support Forward Secrecy.
- If you have a CAA DNS record, you’ll also see “DNS Certification Authority Authorization (CAA) Policy found for this domain.”
If you have Nmap installed, you can use it from the terminal (or the Zenmap graphical front end) to check which TLS versions and ciphers the server still offers:
nmap --script ssl-enum-ciphers -p 443 YourDomain.com
Have any questions about disabling older TLS protocols or SSL certificates? Let us know in our Community Forum.
How do VPS users who do not have access to WHM protect our tools and disable obsolete and unsafe TLS versions?
If you’re on a cPanel VPS, someone has access to WHM. Otherwise, you can always contact Live Support for assistance (with the article to save time).