How can I turn off TLS 1.0 or TLS 1.1 in my Lightsail instance?


I want to turn off TLS 1.0 or TLS 1.1 in my Amazon Lightsail instance.

Short description

All versions of the SSL/TLS protocol prior to TLS 1.2 are no longer updated and are considered insecure, yet most web servers still turn these TLS versions on by default. To turn them off, modify the SSLProtocol directive (or its NGINX equivalent, ssl_protocols) in the web server configuration files. The following resolution covers how to turn off these non-updated TLS versions in Lightsail instances that run Apache or NGINX web servers.

Note: If you use an Amazon Lightsail load balancer for your website, then you must also turn off TLS versions 1.0 and 1.1 on the load balancer. However, turning off TLS versions on a Lightsail load balancer isn't currently supported. To turn off these TLS versions and still use a load balancer, use an Amazon Application Load Balancer instead of a Lightsail load balancer.

Resolution

Note: The file paths mentioned in this article differ depending on which of the following applies:

  • The instance has a Bitnami stack and the Bitnami stack uses native Linux system packages (Approach A).
  • The instance has a Bitnami stack and it's a self-contained installation (Approach B).

If you use a Lightsail instance with a Bitnami stack, then run the following command to identify your Bitnami installation type:

Lightsail instances with a Bitnami stack

Apache web service

1.    Open the configuration file:

Bitnami stack under Approach A

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami-ssl.conf

Bitnami stack under Approach B

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

2.    In the configuration file, modify the SSLProtocol directive so that it lists only the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are allowed:

SSLProtocol +TLSv1.2 +TLSv1.3

Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version by running the command openssl version.

3.    Save the file. Press Esc, type :wq!, and then press Enter.

4.    Restart the Apache service:

sudo /opt/bitnami/ctlscript.sh restart apache

NGINX web service

1.    Open the configuration file:

sudo vi /opt/bitnami/nginx/conf/nginx.conf

2.    In the configuration file, modify the ssl_protocols directive so that it lists only the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are allowed:

ssl_protocols TLSv1.2 TLSv1.3;

Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.

3.    Save the file. Press Esc, type :wq!, and then press Enter.

4.    Restart the NGINX service:

sudo /opt/bitnami/ctlscript.sh restart nginx

Lightsail instances without a Bitnami stack

Apache web service

1.    Open the configuration file:

For Linux distributions such as Amazon Linux 2 and CentOS

sudo vi /etc/httpd/conf.d/ssl.conf

For Linux distributions such as Ubuntu and Debian

sudo vi /etc/apache2/mods-enabled/ssl.conf

2.    In the configuration file, modify the SSLProtocol directive so that it lists only the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are allowed:

SSLProtocol +TLSv1.2 +TLSv1.3

Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.

3.    Save the file. Press Esc, type :wq!, and then press Enter.

4.    Restart the Apache service:

For Linux distributions such as Amazon Linux 2 and CentOS

sudo systemctl restart httpd

For Linux distributions such as Ubuntu and Debian

sudo systemctl restart apache2

NGINX web service

1.    Open the configuration file:

sudo vi /etc/nginx/nginx.conf

2.    In the configuration file, modify the ssl_protocols directive so that it lists only the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are allowed:

ssl_protocols TLSv1.2 TLSv1.3;

Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.

3.    Save the file. Press Esc, type :wq!, and then press Enter.

4.    Restart the NGINX service:

sudo systemctl restart nginx
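Before restarting, it is worth confirming that the edited directive really excludes the legacy versions, because Apache's SSLProtocol syntax is easy to get wrong (for example, "all -SSLv3" still leaves TLS 1.0 and 1.1 on). The following checker is an added example, not part of the AWS article; it evaluates Apache SSLProtocol and NGINX ssl_protocols lines from a config file and reports any legacy protocol that remains enabled. The sample configs it runs against are constructed inline, and the set of protocol names is assumed to be the one Apache's "all" shortcut covers.

```python
import re

# Protocol names accepted by Apache's SSLProtocol and NGINX's ssl_protocols
# (assumption: Apache's "all" expands to exactly this list on OpenSSL 1.1.1+).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions the article says to turn off

def apache_enabled(tokens):
    """Evaluate SSLProtocol tokens left to right: 'all', '+name', '-name' or bare 'name'."""
    enabled = set()
    for tok in tokens:
        negate = tok.startswith("-")
        name = tok.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if negate else enabled | names
    return enabled

def audit_config(text):
    """Return (server, enabled, legacy_still_enabled) for each protocol directive found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"(?i)SSLProtocol\s+(.+)$", line)  # Apache directive (case-insensitive)
        if m:
            enabled = apache_enabled(m.group(1).split())
            findings.append(("apache", enabled, enabled & LEGACY))
            continue
        m = re.match(r"ssl_protocols\s+(.+?)\s*;$", line)  # NGINX directive, plain list
        if m:
            enabled = set(m.group(1).split())
            findings.append(("nginx", enabled, enabled & LEGACY))
    return findings

# Constructed sample configs: a weak and a hardened line for each server.
APACHE_WEAK = "SSLProtocol all -SSLv3   # common default, still allows TLS 1.0/1.1\n"
APACHE_FIXED = "SSLProtocol +TLSv1.2 +TLSv1.3\n"
NGINX_WEAK = "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_FIXED = "    ssl_protocols TLSv1.2 TLSv1.3;\n"

if __name__ == "__main__":
    for sample in (APACHE_WEAK, APACHE_FIXED, NGINX_WEAK, NGINX_FIXED):
        for server, enabled, legacy in audit_config(sample):
            verdict = "FAIL: legacy enabled " + str(sorted(legacy)) if legacy else "OK"
            print(f"{server}: enabled={sorted(enabled)} -> {verdict}")
```

Point audit_config at the real file (for example, the contents of /etc/nginx/nginx.conf) to check an instance. After the restart, an end-to-end confirmation is to run openssl s_client -connect host:443 -tls1_1 against the server and expect the handshake to fail.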
AWS OFFICIAL