This is my first experience with Amazon Lightsail, WordPress Multisite, Bitnami
and even with Let’s Encrypt; now it seems everything just works, except for the SSL directives in my virtual host file.
Because it seems that the major browsers – aka Chrome, Safari/WebKit, Mozilla Firefox and IE/Edge – are going to remove support for TLS 1.0 and TLS 1.1 as soon as the beginning of the new year – precisely between January and March – I would like to know how to disable them for my new WordPress Multisite instance in Lightsail.
After I obtained a Let’s Encrypt SSL certificate and successfully deployed it, I tested it and verified that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2.
Now it seems that my Apache version 2.4.39 also supports TLS 1.3, and I am trying to enable it and disable the two older versions.
Reading on the net I found that I must change the httpd.conf file to insert this directive:
SSLProtocol -all +TLSv1.2
So, inside the httpd.conf file I found this block, which seems the right place:
# Default SSL Virtual Host configuration.
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"
<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>
# Error Documents
ErrorDocument 503 /503.html
# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
I tried to simply update the httpd.conf and the httpd-ssl.conf, but nothing happens: TLS 1.3 does not work and TLS 1.0 and TLS 1.1 are still enabled.
Now, I also read this question
Disabling TLS 1.0 in Apache 2.4
and after my additions these are my SSL directives in the httpd-ssl.conf file:
# SSLProtocol all -SSLv3
SSLProtocol +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3
But nothing changed, and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1.
Of course, after every change I restarted Apache.
3 Answers
Probably it is not yet possible to enable TLSv1.3. According to this Bitnami community thread:
[ https://community.bitnami.com/t/tlsv1-3-support-for-new-lamp-stack-installers/67672 ]
Waiting for updates...
I was also having this problem and put together the following solution:
Listen 443
#SSLProtocol -SSLv2 -SSLv3
Now remove the hashtag from the following lines so they read as:
Reboot Apache with: sudo /opt/bitnami/ctlscript.sh restart apache
Check your site at both:
https://www.whynopadlock.com
https://www.ssllabs.com/ssltest
You should now receive an A score and no TLS 1.0 and TLS 1.1 protocols being supported.
If your site is behind Cloudflare or a similar service, then you will need to make the TLS changes on Cloudflare itself, regardless of whether you have set up the SSLProtocol correctly in bitnami.conf.
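The confusion in the question and the bitnami.conf remark in the answer above both come down to how mod_ssl evaluates an SSLProtocol line and which copy of it wins. The following added example (not code from the question, the answers or Bitnami) reproduces mod_ssl's word-by-word parsing so you can see what each directive on this page actually enables; it assumes an OpenSSL build where "all" still includes SSLv3, and it models the scope rule that a vhost-level SSLProtocol overrides the global one.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives the way mod_ssl parses them
and flag configurations that still offer TLS 1.0 / TLS 1.1 (added example)."""
import re
from typing import Optional

# Assumption: an OpenSSL 1.1.1-era build, so "all" expands to SSLv3 plus every
# TLS version (mod_ssl drops SSLv3 from "all" only on no-ssl3 builds).
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
KNOWN = ALL | {"SSLv2"}

def parse_sslprotocol(directive: str) -> frozenset:
    """Return the protocol set enabled by one SSLProtocol line.

    mod_ssl starts from an empty set and walks the words left to right:
    '+name' adds, '-name' removes, and a bare name replaces the whole set.
    """
    body = re.sub(r"^\s*SSLProtocol\s+", "", directive.strip(), flags=re.I)
    enabled = set()
    for word in body.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        if name.lower() == "all":
            members = set(ALL)
        else:
            match = next((k for k in KNOWN if k.lower() == name.lower()), None)
            if match is None:
                raise ValueError(f"unknown protocol keyword: {name}")
            members = {match}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members          # bare keyword: replace, not merge
    return frozenset(enabled)

def effective_protocols(global_line: str, vhost_line: Optional[str] = None) -> frozenset:
    """A vhost-level SSLProtocol (e.g. the one in bitnami.conf) overrides the
    global one, which is why editing only httpd.conf can appear to do nothing."""
    return parse_sslprotocol(vhost_line or global_line)

def legacy_tls_enabled(enabled: frozenset) -> list:
    """Protocols the browser deprecation discussed above would flag, in version order."""
    return [p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1") if p in enabled]

if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv2 -SSLv3",      # stock line from the question
                 "SSLProtocol +TLSv1.2 +TLSv1.3",      # the asker's edit
                 "SSLProtocol -all +TLSv1.2 +TLSv1.3"):
        p = parse_sslprotocol(line)
        print(f"{line:40s} -> {sorted(p)}  legacy={legacy_tls_enabled(p)}")
```

Run it and the stock `all -SSLv2 -SSLv3` line is shown to leave TLS 1.0 and 1.1 on, while the asker's `+TLSv1.2 +TLSv1.3` line is already correct on its own, so a second SSLProtocol in the vhost scope is the thing to look for.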