skip to Main Content

This is my first experience with Amazon Lighsail, WordPress Multisite, Bitnami
and even with Let’s Encrypt; now it seems everything just works, except for SSL directives in my virtualhost file.

Because it seems that major browsers – aka Chrome, Safari/Webkit, Mozilla Firefox and IE/Edge – are going to remove support to TLS 1.0 and TLS 1.1, as soon as the beginning of the new year – precisely among January and March – I would want to know how to disable them for my new WordPress Multisite instance in Lightsail.

After I obtained a Let’s Encript SSL certificate and successfully deployed it I tested it to verify that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2.
Now it seems that my Apache version 2.4.39 supports also TLS 1.3 and I am trying to enable even it and disable the two older versions.
Reading on the net I found that I must change the httpd.conf file to insert this directive

SSLProtocol -all +TLSv1.2

so, inside the httpd.conf file I found this block, that seems the right place:

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"

<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>

# Error Documents
ErrorDocument 503 /503.html

# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I tryed to simply update the httpd.conf and the httpd-ssl.conf, but nothing appens: TLS 1.3 does not work and TLS 1.0 and TLS 1.1 are always anabled.

Now, and I read even this question

Disabling TLS 1.0 in Apache 2.4

after my adds, this is my ssl directives in httpd-ssl.conf file:

# SSLProtocol all -SSLv3
SSLProtocol  +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3

But nothing changed and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1.
Of course after every change I used to restart Apache.

3

Answers


  1. Chosen as BEST ANSWER

    Probably it is not yet possible to enable TLSv1.3. According to this bitnami's community thread:

    [ https://community.bitnami.com/t/tlsv1-3-support-for-new-lamp-stack-installers/67672 ]

    TLSv1.3 is only supported with Apache version 2.4.36 and OpenSSL 1.1.1...our stacks include OpenSSL 1.0.2 so it's not currently possible to enable that protocol. Sorry for the inco…

    Waiting for updates...


  2. I was also having this problem and put together the following solution:

    1. Open an instance of SSH from your Lightsail dashboard
    2. Navigate to: /opt/bitnami/apache2/conf/bitnami/
    3. Add the following line to the bitnami.conf file under where it says:

    Listen 443
    .#SSLProtocol -SSLv2 -SSLv3

    SSLProtocol TLSv1.2

    1. Navigate to: /opt/bitnami/apache2/conf/extra
    2. In the httpd-ssl.conf file, add the hashtag to the following lines (without the . ):

    .#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
    .#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

    Now remove the hastag from the following lines so they read as:

    SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
    SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

    1. Now under #SSL Protocol Support, change the settings to look like this:

    .#SSLProtocol all -SSLv3
    SSLProtocol -TLSv1.2 -TLSv1.3 -SSLv3
    .#SSLProxyProtocol all -SSLv3
    SSLProxyProtocol -TLSv1.2 -TLSv1.3 -SSLv3

    Reboot apache with: sudo /opt/bitnami/ctlscript.sh restart apache

    Check your site at both:
    https://www.whynopadlock.com
    https://www.ssllabs.com/ssltest

    You should now receive and A score and no TLS 1.0 amd TLS 1.1 protocols being supported.

    Login or Signup to reply.
  3. If your site is behind Cloudflare or a similar service, then you will need to make the TLS changes on Cloudflare itself, regardless of whether you have set up the SSLProtocol correctly in bitnami.conf.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search