Skip to main content

How to disable TLS 1.0 and TLS 1.1 on Ubuntu

Example of website that only supports TLS v1.0, which is rejected by the client

Overivew

TLS v1.3 is the latest standard for secure communication over the internet. It is widely supported by desktops, servers and mobile phones. Recently Ubuntu 18.04 LTS received OpenSSL 1.1.1 update bringing the ability to potentially establish TLS v1.3 connections on the latest Ubuntu LTS release. Qualys SSL Labs Pulse report shows more than 15% adoption of TLS v1.3. It really is time to migrate from TLS v1.0 and TLS v1.1.

As announced on the 15th of October 2018 Apple, Google, and Microsoft will disable TLS v1.0 and TLS v1.1 support by default and thus require TLS v1.2 to be supported by all clients and servers. Similarly, Ubuntu 20.04 LTS will also require TLS v1.2 as the minimum TLS version as well.

To prepare for the move to TLS v1.2, it is a good idea to disable TLS v1.0 and TLS v1.1 on your local systems and start observing and reporting any websites, systems and applications that do not support TLS v1.2.

How to disable TLS v1.0 and TLS v1.1 in Google Chrome on Ubuntu

  1. Create policy directory
    sudo mkdir -p /etc/opt/chrome/policies/managed
  2. Create /etc/opt/chrome/policies/managed/mintlsver.json with
    {
        "SSLVersionMin" : "tls1.2"

How to disable TLS v1.0 and TLS v1.1 in Firefox on Ubuntu

  1. Navigate to about:config in the URL bar
  2. Search for security.tls.version.min setting
  3. Set it to 3, which stand for minimum TLS v1.2

How to disable TLS v1.0 and TLS v1.1 in OpenSSL

  1. Edit /etc/ssl/openssl.cnf
  2. After oid_section stanza add
    # System default
    openssl_conf = default_conf
  3. After oid_section stanza add
    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
  4.  Save the file

How to disable TLS v1.0 and TLS v1.1 in GnuTLS

  1. Create config directory
    sudo mkdir -p /etc/gnutls/
  2. Create /etc/gnutls/default-priorities with
    SYSTEM=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2 
After performing above tasks most common applications will use TLS v1.2+

I have set these defaults on my systems, and I occasionally hit websites that only support TLS v1.0 and I report them. Have you found any websites and systems you use that do not support TLS v1.2 yet?
Labels:

Comments

  1. gQuigs30 August 2019 at 21:17

    Been running with TLS1.0/1.1 disabled in Firefox for over a year. It's rare that I find a site without it these
    Dell has some old sites like https://search.dell.com/ (but AFAICT they are actively moving to a new search system)

    >Similarly, Ubuntu 20.04 LTS will also require TLS v1.2 as the minimum TLS version as well.
    Do we have a published plan like the other vendors? Will we be disabling support at compile time or just in default configs (for items we control like openssl, gnutls)?

    Would it be worth disabling TLS1.0/1.1 in 19.10 for more testing before the LTS? Back in the day I made a Firefox add-on to disable SSLv3.0 to make it easier for average users to disable - but AFAICT extensions can no longer make those kinds of changes.

    ReplyDelete
  2. Dimitri John Ledkov6 September 2019 at 11:25

    @gQuigs

    Doing the switch in 19.10 would be 6 months too early. Published plan - not as such, it was discussed on the 1.1.1 OpenSSL SRU bug and the mailing list threads related to it. I know, best place ever.

    So, I want it to be the compiled-in default, such that without any config files min requirement is 1.2, and code or configs can be used to bring the minimum back down (meaning that libraries API/ABI still supports 1.0/1.1, but needs to be toggled on). This is inline with other vendors.

    ReplyDelete
  3. Unknown9 May 2020 at 12:17

    Well, I have obvious problem old clients connecting to ejabberd on Ubuntu 20.04.
    How can I enable tls 1.1 for them until they will be upgraded?

    Thank you!

    ReplyDelete
  4. Unknown10 May 2020 at 15:03

    Well, it is in /etc/ssl/openssl.cnf , works for ejabberd too, looks like clients can't do 1.2..

    ReplyDelete
  5. Unknown7 August 2020 at 21:26

    Only loosely related to your post but I wanted to say thank you for this comment: https://bugs.launchpad.net/ubuntu/+source/pure-ftpd/+bug/1832998/comments/14

    It was the only solution that worked for me after a lot of searching. Much appreciated.

    ReplyDelete
  6. wendahackworth3 March 2022 at 13:08

    Slotyro Casino, Lomachenko – Mapyro
    Casino & Hotel 과천 출장안마 in Lomachenko, Russia. Hotel, Casino, 하남 출장안마 Hotel, 경상남도 출장마사지 Pool, Poker Room & Sports Book. View Map. 여주 출장안마 Hotel, Casino, Hotel, Pool, 여주 출장안마 Poker Room & Sports Book.

    ReplyDelete

Post a Comment

Popular posts from this blog

Ubuntu Livepatch service now supports over 60 different kernels

Linux kernel getting a livepatch whilst running a marathon. Generated with AI. Livepatch service eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. Originally the service launched in 2016 with just a single kernel flavour supported. Over the years, additional kernels were added: new LTS releases, ESM kernels, Public Cloud kernels, and most recently HWE kernels too. Recently livepatch support was expanded for FIPS compliant kernels, Public cloud FIPS compliant kernels, and as well IBM Z (mainframe) kernels. Bringing the total of kernel flavours support to over 60 distinct kernel flavours supported in parallel. The table of supported kernels in the documentation lists the supported kernel flavours ABIs, the duration of individual build's support window, supported architectures, and the Ubuntu release. This work was only possible thanks to the collaboration with the Ubuntu C...
Post a Comment
Read more

Ubuntu 23.10 significantly reduces the installed kernel footprint

Photo by Pixabay Ubuntu systems typically have up to 3 kernels installed, before they are auto-removed by apt on classic installs. Historically the installation was optimized for metered download size only. However, kernel size growth and usage no longer warrant such optimizations. During the 23.10 Mantic Minatour cycle, I led a coordinated effort across multiple teams to implement lots of optimizations that together achieved unprecedented install footprint improvements. Given a typical install of 3 generic kernel ABIs in the default configuration on a regular-sized VM (2 CPU cores 8GB of RAM) the following metrics are achieved in Ubuntu 23.10 versus Ubuntu 22.04 LTS: 2x less disk space used (1,417MB vs 2,940MB, including initrd) 3x less peak RAM usage for the initrd boot (68MB vs 204MB) 0.5x increase in download size (949MB vs 600MB) 2.5x faster initrd generation (4.5s vs 11.3s) approximately the same total time (103s vs 98s, hardware dependent) For minimal cloud images that do not in...
Read more