Enabling TLSv1 and TLSv1.1

[Jeet]

Hello,

I recently moved my site to a new server after 4 years. Both old and new servers are running on Centos7 / WHMv88. However, it seems that the new server currently only supports TLSv1.2 and TLSv1.3. I have a legacy Windows app which needs to be connected to the site which has TLSv1 hardcoded in the connection settings.

I know this may be less desirable, but I really want my site to support TLSv1 and TLSv1.1 until the windows application is updated. I have added the following to the SSL/TLS protocols in WHM.

All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1

However, SSLlabs still shows as the site doesn't support TLSv1 or TLSv1.1.
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

This is the same setting I have in my old server which supports TLSv1 and TLSv1.1

Any help to enable TLSv1 and TLSv1.1 on the new server would be highly appreciated.

Thanks,

 

[cPAdminsMichael]

Replacing with +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3 should work

 

[Jeet]

Hi Michael, thanks for the reply. However, it still doesn't work. Ssllabs still shows the following and the app is not able to connect.

TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

 

[cPAdminsMichael]

Hmm - and this is a basic cPanel setup with Apache? Or do you use NGINX, LiteSpeed or have anything (proxy, Cloudflare, etc.) in front?

 

[Jeet]

Apache only. Only differences between the old and new servers are one is running Centos 7.7/PHP 5.6 whereas the other one Centos 7.8/PHP 7.3. Strangely, TLSv1 and TLSv1.1 works in the old server.

 

[cPAdminsMichael]

Ah... yes of course. You'd need to change also the SSL Ciphers. Sorry, haven't done TLS1 for a long time
You can read more here:

How to Adjust Cipher Protocols | cPanel & WHM Documentation

This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL's protocols and cipher stacks for those services.

docs.cpanel.net

 

[Jeet]

Thanks a lot! That did the trick.

 

[cPAdminsMichael]

Great!
... and I probably don't have to mention that this also downgrades the cipher for the other TLS protocols, right? ;-)
(As you can probably see in SSLLabs.com)
I'd recommend migrating the old/legacy app off to an isolated server.

 

[Jeet]

Indeed. Was happy to see a "B" instead of "A".
Yes, we need to work on migrating the app. Though didn't realize it before moving the site. So this was required as a temp solution. Thanks again for your help.

 

[cPanelLauren]

Glad to see you were able to get this resolved and I am even happier to see that this is just going to be a temp fix.


Thanks!

 

[Prakash00070]

Ah... yes of course. You'd need to change also the SSL Ciphers. Sorry, haven't done TLS1 for a long time
You can read more here:

How to Adjust Cipher Protocols | cPanel & WHM Documentation

This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL's protocols and cipher stacks for those services.

docs.cpanel.net

your link not working please give new link for that ?

 

[cPAdminsMichael]

Yeah - I can see that it's not working anylonger... hmm..
Maybe you can use this link as guidance which cipher suite to have with your setup:

Security/Server Side TLS - MozillaWiki

wiki.mozilla.org

 

[cPRex]

We combined that page into a more general page here: How to Update Ciphers and TLS Protocols | cPanel & WHM Documentation