How can I disable TLS 1.0 and 1.1 in apache?

Does anyone know why i can't disable tls 1.0 and tls1.1 by updating the config to this.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

After doing this, i reload apache I do an ssl scan using ssllabs or comodo ssl tool, and it still says tls 1.1 and 1.0 are supported. I would like to remove these?

Solution 1:

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI) it is an allowed syntax to have a SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS¹.

So check your main httpd.conf (and all included snippets from for instance conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

You syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

by simply using:

 SSLProtocol TLSv1.2

Solution 2:

that you have specified is enough, it shouldn't show any other protocols. Remember SSLLABS caches recent tests. Although knowing that there are no other protocols defining it like you did is kind of convoluted on purpose.

In any case you can use that or simply:

SSLProtocol TLSv1.2