How can I turn off TLS 1.0 or TLS 1.1 in my Lightsail instance?

Last updated: 2021-10-22

Short description

All versions of the SSL/TLS protocol prior to TLS 1.2 are deprecated and considered insecure. Most web servers still have these TLS versions enabled by default. You can turn these protocols off by modifying the protocol directive in the web server configuration files (SSLProtocol for Apache, ssl_protocols for NGINX). The following resolution covers turning off these deprecated TLS versions in Lightsail instances for Apache and NGINX web servers.

Note: If you're using an Amazon Lightsail load balancer for your website, then you must also turn off TLS 1.0 and 1.1 on the load balancer. However, Lightsail load balancers don't currently support turning off TLS versions. To turn off these TLS versions and still use a load balancer, use an Amazon Application Load Balancer instead of a Lightsail load balancer.

Resolution

Note: The file paths mentioned in this article depend on which of the following Bitnami installation types the instance uses:

  • The instance has a Bitnami stack and the Bitnami stack uses native Linux system packages (Approach A).
  • The instance has a Bitnami stack and it's a self-contained installation (Approach B).

If you're using a Lightsail instance with a Bitnami stack, run the following command to identify your Bitnami installation type:

test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

Lightsail instances with a Bitnami stack

Apache web service

1.    Open the configuration file:

Bitnami stack under Approach A

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami-ssl.conf

Bitnami stack under Approach B

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

2.    In the configuration file, modify the SSLProtocol directive to reflect the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are enabled.

SSLProtocol +TLSv1.2 +TLSv1.3

Note: Use TLSv1.3 only if OpenSSL version 1.1.1 is installed on your server. To check the version, run the command openssl version.

3.    Save the file: press Esc, type :wq!, and then press ENTER.

4.    Restart the Apache service:

sudo /opt/bitnami/ctlscript.sh restart apache

NGINX web service

1.    Open the configuration file:

sudo vi /opt/bitnami/nginx/conf/nginx.conf

2.    In the configuration file, modify the ssl_protocols directive to reflect the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are enabled.

ssl_protocols TLSv1.2 TLSv1.3;

Note: Use TLSv1.3 only if OpenSSL version 1.1.1 is installed on your server. To check the version, run the command openssl version.

3.    Save the file: press Esc, type :wq!, and then press ENTER.

4.    Restart the NGINX service:

sudo /opt/bitnami/ctlscript.sh restart nginx

Lightsail instances without a Bitnami stack

Apache web service

1.    Open the configuration file:

For Linux distributions such as Amazon Linux 2 and CentOS

sudo vi /etc/httpd/conf.d/ssl.conf

For Linux distributions such as Ubuntu and Debian

sudo vi /etc/apache2/mods-enabled/ssl.conf

2.    In the configuration file, modify the SSLProtocol directive to reflect the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are enabled.

SSLProtocol +TLSv1.2 +TLSv1.3

Note: Use TLSv1.3 only if OpenSSL version 1.1.1 is installed on your server. To check the version, run the command openssl version.

3.    Save the file: press Esc, type :wq!, and then press ENTER.

4.    Restart the Apache service:

For Linux distributions such as Amazon Linux 2 and CentOS

sudo systemctl restart httpd

For Linux distributions such as Ubuntu and Debian

sudo systemctl restart apache2

NGINX web service

1.    Open the configuration file:

sudo vi /etc/nginx/nginx.conf

2.    In the configuration file, modify the ssl_protocols directive to reflect the TLS versions that you want to allow. In the following example, only TLS 1.2 and 1.3 are enabled.

ssl_protocols TLSv1.2 TLSv1.3;

Note: Use TLSv1.3 only if OpenSSL version 1.1.1 is installed on your server. To check the version, run the command openssl version.

3.    Save the file: press Esc, type :wq!, and then press ENTER.

4.    Restart the NGINX service:

sudo systemctl restart nginx
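The directive values in the steps above are easy to get subtly wrong: an Apache line that keeps all and only removes SSLv3 still serves TLS 1.0 and 1.1. The shell script below is an added example, not part of the AWS article: apache_allows_legacy and nginx_allows_legacy evaluate a directive value using each server's own syntax rules, audit_file scans one of the configuration files listed above for any directive that still enables TLS 1.0/1.1, and probe_tls confirms the result against the running server with openssl s_client. The function names are my own, and probe_tls assumes that openssl s_client exits nonzero when the handshake fails.

```shell
# apache_allows_legacy "VALUE": true (exit 0) if an SSLProtocol value still enables TLS 1.0 or 1.1.
# Mirrors mod_ssl's left-to-right rules: "+" adds, "-" removes, a bare token replaces the whole set.
apache_allows_legacy() {
  v10=0; v11=0
  for tok in $1; do
    case "$tok" in
      all|+all)  v10=1; v11=1 ;;
      -all)      v10=0; v11=0 ;;
      TLSv1)     v10=1; v11=0 ;;
      +TLSv1)    v10=1 ;;
      -TLSv1)    v10=0 ;;
      TLSv1.1)   v10=0; v11=1 ;;
      +TLSv1.1)  v11=1 ;;
      -TLSv1.1)  v11=0 ;;
      [+-]*)     ;;              # +/-TLSv1.2, +/-TLSv1.3, +/-SSLv3: no effect on 1.0/1.1
      *)         v10=0; v11=0 ;; # bare TLSv1.2, TLSv1.3 or SSLv3 replaces the set
    esac
  done
  [ "$v10" = 1 ] || [ "$v11" = 1 ]
}

# nginx_allows_legacy "VALUE": ssl_protocols is a plain list with no +/- syntax.
nginx_allows_legacy() {
  for tok in $1; do
    case "${tok%;}" in TLSv1|TLSv1.1|SSLv3|SSLv2) return 0 ;; esac
  done
  return 1
}

# audit_file FILE apache|nginx: checks every uncommented protocol directive in FILE. A missing
# directive is reported too, because both servers' defaults enable TLS 1.0/1.1.
audit_file() {
  case "$2" in
    apache) d=SSLProtocol;   check=apache_allows_legacy ;;
    nginx)  d=ssl_protocols; check=nginx_allows_legacy ;;
    *)      return 2 ;;
  esac
  lines=$(grep -Ei "^[[:space:]]*$d[[:space:]]" "$1") ||
    { echo "$1: no $d directive; the server default enables TLS 1.0/1.1"; return 1; }
  bad=0
  while read -r kw value; do
    "$check" "$value" && { bad=1; echo "$1: legacy TLS enabled: $kw $value"; }
  done <<EOF
$lines
EOF
  [ "$bad" = 0 ]
}

# probe_tls HOST tls1|tls1_1|tls1_2|tls1_3: true if the live server completes a handshake at
# that version (assumption: openssl s_client exits nonzero when the handshake fails).
probe_tls() { openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null >/dev/null 2>&1; }
```

Run audit_file against the path from the step you followed, for example audit_file /etc/nginx/nginx.conf nginx. After the restart, probe_tls www.example.com tls1 and probe_tls www.example.com tls1_1 (hostname hypothetical) should fail while probe_tls www.example.com tls1_2 succeeds.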
