lcdservices

Member
Aug 7, 2014
11
0
51
cPanel Access Level
Reseller Owner
There are some other threads regarding this issue but they've not helped solve the problem, and most reference older versions of WHM.

I'm trying to disable TLS v1 and v1.1 on my WHM/cPanel server, running WHM v90.0.18. I've navigated to Home > Service Configuration > Apache Configuration > Global Configuration and changed the SSL/TLS Protocols to TLSv1.2, and also confirmed that the change was made to /etc/apache2/conf/httpd.conf -- but after restarting the server and running the domain through SSLLabs and other SSL-checking sites, it still comes back with those two protocols enabled.

What am I missing?
 

kodeslogic

Well-Known Member
Apr 26, 2020
293
103
118
IN
cPanel Access Level
Root Administrator
Are you facing this issue for any particular domain or for all domains hosted on your server?
May I know if any CDN service such as Cloudflare you are using for websites?
 

vacancy

Well-Known Member
Sep 20, 2012
459
160
93
Turkey
cPanel Access Level
Root Administrator
In version 90, tls 1.0 and tls 1.1 should already be disabled. If it is still active even though you disable it via Apache configuration, make sure your site is not using cloudflare or a different cdn service. If your site uses cloudflare, cloudflare TLS rules will apply, as your traffic returns through cloudflare servers.

If you are using Cloudflare, edit the following setting from the cloudflare panel.

SSL/TLS > Edge Certificates > Minimum TLS Version > TLS 1.2
 

lcdservices

Member
Aug 7, 2014
11
0
51
cPanel Access Level
Reseller Owner
It's impacting all sites on the server. No -- we're not using Cloudflare. Yes -- I know they should be disabled, which is why this is so puzzling.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,044
773
313
cPanel Access Level
Root Administrator
Hey there! I just checked a site on my personal box that has been updated from version 38 to 92 and confirmed the behavior, but they also aren't specifically disabled.

If you change this:

"sslprotocol" : "all -SSLv2 -SSLv3",

to this

"sslprotocol" : "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

your grade will get bumped to an A on SSL Labs and you'll see it is completely off. Can you try that?
 

lcdservices

Member
Aug 7, 2014
11
0
51
cPanel Access Level
Reseller Owner
that's what it was originally set to. I've since changed it to: TLSv1.2
however -- SSLLabs still indicates v1 a v1.1 are enabled. it makes no sense.