I want to turn off TLS 1.0 or TLS 1.1 in my Amazon Lightsail instance.
Short description
All versions of the SSL/TLS protocol prior to TLS 1.2 are no longer maintained and are considered insecure. Most web servers still have these TLS versions turned on by default. To turn them off, modify the protocol directive in the web server configuration files (SSLProtocol for Apache, ssl_protocols for NGINX). The following resolution covers how to turn off these outdated TLS versions in Lightsail instances for Apache and NGINX web servers.
Note: If you use an Amazon Lightsail load balancer for your website, then you must also turn off TLS versions 1.0 and 1.1 in the load balancer. However, turning off TLS versions in a Lightsail load balancer isn't currently supported. To turn off these TLS versions and still use a load balancer, use an Amazon Application Load Balancer instead of a Lightsail load balancer.
Resolution
Note: The file paths mentioned in this article might change based on the following:
- The instance has a Bitnami stack and the Bitnami stack uses native Linux system packages (Approach A).
- The instance has a Bitnami stack and it's a self-contained installation (Approach B).
If you use a Lightsail instance with a Bitnami stack, then run the following command to identify your Bitnami installation type:
Lightsail instances with a Bitnami stack
Apache web service
1. Open the configuration file:
Bitnami stack under Approach A
sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami-ssl.conf
Bitnami stack under Approach B
sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf
2. In the configuration file, modify the SSLProtocol directive to reflect the TLS versions that you want to use. In the following example, the TLS versions are 1.2 and 1.3:
SSLProtocol +TLSv1.2 +TLSv1.3
Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version by running the command openssl version.
3. Save the file. Press esc, type :wq! and then press ENTER.
4. Restart the Apache service:
sudo /opt/bitnami/ctlscript.sh restart apache
NGINX web service
1. Open the configuration file:
sudo vi /opt/bitnami/nginx/conf/nginx.conf
2. In the configuration file, modify the ssl_protocols directive to reflect the TLS versions that you want to use. In the following example, the TLS versions are 1.2 and 1.3:
ssl_protocols TLSv1.2 TLSv1.3;
Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.
3. Save the file. Press esc, type :wq! and then press ENTER.
4. Restart the NGINX service:
sudo /opt/bitnami/ctlscript.sh restart nginx
Lightsail instances without a Bitnami stack
Apache web service
1. Open the configuration file:
For Linux distributions such as Amazon Linux 2 and CentOS
sudo vi /etc/httpd/conf.d/ssl.conf
For Linux distributions such as Ubuntu and Debian
sudo vi /etc/apache2/mods-enabled/ssl.conf
2. In the configuration file, modify the SSLProtocol directive to reflect the TLS versions that you want to use. In the following example, the TLS versions are 1.2 and 1.3:
SSLProtocol +TLSv1.2 +TLSv1.3
Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.
3. Save the file. Press esc, type :wq! and then press ENTER.
4. Restart the Apache service:
For Linux distributions such as Amazon Linux 2 and CentOS
sudo systemctl restart httpd
For Linux distributions such as Ubuntu and Debian
sudo systemctl restart apache2
NGINX web service
1. Open the configuration file:
sudo vi /etc/nginx/nginx.conf
2. In the configuration file, modify the ssl_protocols directive to reflect the TLS versions that you want to use. In the following example, the TLS versions are 1.2 and 1.3:
ssl_protocols TLSv1.2 TLSv1.3;
Note: Use TLSv1.3 only if you have OpenSSL version 1.1.1 on your server. Verify the version with the command openssl version.
3. Save the file. Press esc, type :wq! and then press ENTER.
4. Restart the NGINX service:
sudo systemctl restart nginx
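The steps above for Apache and NGINX (both the Bitnami and non-Bitnami sections) end with a restart but no check that TLS 1.0 and 1.1 are actually gone. The following shell script is an added example and is not part of this article or of any AWS tooling. It audits a configuration file for the SSLProtocol or ssl_protocols directive, applying Apache's "all" / "+" / "-" semantics and NGINX's explicit-list semantics, and includes an optional live handshake check with openssl s_client. The file paths in the usage comment are the ones from the article; the host name "example.test" in the live check is a placeholder.

```shell
#!/bin/sh
# Added example (not from the AWS article): audit a web server config for
# TLS 1.0/1.1 and, optionally, confirm against the running server.

# Print the arguments of every matching directive, one directive per line:
# comments stripped, keywords lower-cased (Apache and NGINX protocol names are
# case-insensitive), trailing ';' removed.  $1 = config file, $2 = directive.
directive_args() {
    sed 's/#.*//' "$1" \
      | tr 'A-Z' 'a-z' \
      | grep "^[[:space:]]*$2[[:space:]]" \
      | sed "s/^[[:space:]]*$2[[:space:]]*//; s/;.*//"
}

# Apache: "legacy" if TLS 1.0 or 1.1 can still be negotiated, "ok" if not,
# "none" if the file has no SSLProtocol directive.  A bare "all" (or "+all")
# enables every version unless it is removed with "-TLSv1" / "-TLSv1.1".
# Only the last directive in the file is used, matching how Apache treats a
# repeated global directive (per-VirtualHost scoping is out of scope here).
apache_legacy_tls() {
    args=$(directive_args "$1" sslprotocol | tail -n 1)
    [ -z "$args" ] && { echo none; return 0; }
    all=0; explicit=0; minus10=0; minus11=0
    for tok in $args; do
        case "$tok" in
            all|+all)                        all=1 ;;
            -all)                            all=0 ;;
            tlsv1|+tlsv1|tlsv1.1|+tlsv1.1)   explicit=1 ;;
            -tlsv1)                          minus10=1 ;;
            -tlsv1.1)                        minus11=1 ;;
        esac
    done
    legacy=$explicit
    if [ "$all" -eq 1 ] && { [ "$minus10" -eq 0 ] || [ "$minus11" -eq 0 ]; }; then
        legacy=1
    fi
    if [ "$legacy" -eq 1 ]; then echo legacy; else echo ok; fi
}

# NGINX: ssl_protocols is an explicit list, so TLS 1.0/1.1 are enabled only
# when named.  Every occurrence (http, server or mail context) is checked;
# "none" means the NGINX built-in default applies, which depends on version.
nginx_legacy_tls() {
    args=$(directive_args "$1" ssl_protocols)
    [ -z "$args" ] && { echo none; return 0; }
    for tok in $args; do
        case "$tok" in
            tlsv1|tlsv1.1) echo legacy; return 0 ;;
        esac
    done
    echo ok
}

# Live check (needs network access): try a handshake pinned to each legacy
# version.  openssl s_client exits 0 when the handshake succeeds, so after the
# change both attempts should fail.  SECLEVEL=0 is needed because newer
# OpenSSL clients refuse TLS 1.0/1.1 at the default security level, which
# would mask a server that still accepts them.
live_legacy_tls() {   # $1 = host name (placeholder: example.test), $2 = port
    host=$1; port=${2:-443}; status=ok
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:$port" -servername "$host" \
               -cipher 'DEFAULT:@SECLEVEL=0' "-$v" </dev/null >/dev/null 2>&1; then
            echo "server still accepts $v"; status=legacy
        fi
    done
    echo "$status"
}

# Usage: sh tls_audit.sh /etc/httpd/conf.d/ssl.conf /etc/nginx/nginx.conf
for f in "$@"; do
    case "$f" in
        *nginx*) printf '%s: %s\n' "$f" "$(nginx_legacy_tls "$f")" ;;
        *)       printf '%s: %s\n' "$f" "$(apache_legacy_tls "$f")" ;;
    esac
done
```

Run it against the files named in the steps above after the restart; a "legacy" result on an Apache file usually means the directive still contains "all" without both "-TLSv1" and "-TLSv1.1", and on an NGINX file that an older ssl_protocols line lower in the file (for example in a server block) still lists TLSv1 or TLSv1.1. The live check, run from another machine with live_legacy_tls your-host 443, confirms what the server negotiates rather than what the file says.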