Stephen Hill's picture

When trying to remove support for TLS v1.0 and 1.1 in the WebMin interface:

I get this message when I restart the machine:

Any idea how to disable TLSv1 and 1.1?



Jeremy Davis's picture

Apologies that I've been a little slow to respond. I've had my head down working on our next upcoming major release, v16.0 (based on Debian 10/Buster).

Looking at the error message you've pasted, my guess is that you should try with the "SSLv2" option unticked and see if that helps. As noted in the error, Apache no longer supports SSLv2 regardless of what settings you give it. SSlv3 should also be disabled (i.e. untick that too).

Having said that, if you continue to have issues with it (even with SSLv2 unticked), please let me know. Either way, we possibly should consider logging a bug with the Webmin developers.

Worst case, you could manually adjust the relevant Apache config file. The one that you'll want to edit is /etc/apache2/mods-available/ssl.conf. And the specific config option that needs adjustment is the SSLProtocol line (should be line 73). By default, it should look like this:

	SSLProtocol all -SSLv3

To support only TLSv1.2 and higher, change it to this:

	SSLProtocol -SSLv3 -TLSv1 -TLSv1.1

Then restart Apache:

systemctl restart apache2

FWIW, here's a sed line that should edit it for you (you'll still need to restart Apache as per above):

sed -i.bak "s|\(SSLProtocol\).*|\1 -SSLv3 -TLSv1 -TLSv1.1|" /etc/apache2/mods-available/ssl.conf

I hope that helps. Please note that I haven't 100% tested all that, but I'm confident that the info should be good. Please let me know if you have any troubles applying it.

Also, it's possibly worth noting, that I don't think that our v15.x appliances support TLSv1.3 yet (TLSv1.2 should be fine though). It should be available from our next (upcoming, in progress) major release (v16.0) onwards. I've also opened an issue regarding disabling anything less than TLSv1.2 for v16.x.

Add new comment