
How to update TLS 1.0 to TLS 1.2 on a Mac OS X server

I have the information to switch from Mac OS X Server TLS 1.0 to TLS 1.1. But I do not know what file to add.

"SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression Off
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH"

What files do I need to attach these settings to?

Mac mini, OS X Mavericks (10.9)

Posted on Apr 10, 2017 10:58 PM

Top-ranking reply, posted on Apr 20, 2017 10:25 AM in response to TTB Admin

Please have a complete backup of your environment before you proceed with the following.


The version of TLS available is generally part of the operating system, so upgrades usually mean either patches to the operating system (rarely) or upgrades to the version of macOS and Server.app. Which version of macOS and Server.app is in use? If you're really running macOS 10.9, that's unfortunately rather old and might not even have TLS 1.2 software. There've likely been some security patches and security updates since then.


As for your question, the settings you're referencing go into the httpd.conf file, or whatever the macOS equivalent for your version is. (Apple has moved this file around several times and has renamed it over various server releases, and I don't recall the setup on 10.9 off-hand.) The general sequence for macOS 10.12 but — you already have Apache installed, so the file paths listed in that article are for macOS client and are incorrect for macOS Server configurations. In most recent versions of Server.app, the equivalent of the httpd.conf Apache configuration file is named /library/server/web/config/apache2/httpd_server_app.conf — and in Sierra, the following block is present by default, and almost what you want. (IIRC, the settings for Mac OS X 10.9 with Server.app installed are also under /library/server/web, too, but it's been a while since I've looked at that release.)


# Secure (SSL/TLS) connections
<IfModule mod_ssl.c>
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLPassPhraseDialog exec:/Library/Server/Web/Config/apache2/getsslpassphrase
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert crt
AddType application/x-pkcs7-crl crl
</IfModule>


Switch that one line in the above to SSLProtocol -all +TLSv1.1 +TLSv1.2 to elide TLSv1 (your cited configuration file line didn't need to explicitly negate the SSLv2 and SSLv3 versions, given the use of -all in that same line), and then add your other changes into that block, and test. It's also possible to add these settings to the individual virtual host blocks as shown in the earlier example, and those settings are stored in the per-site configuration files located over in the /library/server/web/config/apache2/sites directory.


You're going to be using a command-line editor — vim, emacs or — if you're not familiar with command-line editors — nano — or the free TextWrangler editor, or GUI versions of vim or emacs. Many other GUI text editors cannot read and write these files correctly.


Here are the Mozilla recommendations for TLS on servers, and here is a handy generator for the settings, though these resources do expect some understanding of Apache configuration files and TLS security settings.


If the above is unclear or you need other assistance, ask away. Also from the above, you should have some more search strings available to rummage around the 'net for details, too.
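To see what an SSLProtocol line actually enables before and after the one-line edit described in the reply above, here is a small POSIX shell script. It is an added example, not code from this thread, from Apple or from Server.app. It writes the Sierra default block quoted above to a temporary file (a constructed sample), resolves each SSLProtocol directive with mod_ssl's left-to-right rules (all expands to every version, +X adds, -X removes, a bare X replaces the set), rewrites the directive to -all +TLSv1.1 +TLSv1.2 in a copy, and reports whether SSLv3 or TLSv1 is still enabled. The supported-version list (SSLv3 through TLSv1.2, no TLSv1.3 on a Sierra-era build) and the exact-case spelling SSLProtocol are assumptions; it does not interpret SSLCipherSuite strings.

```sh
#!/bin/sh
# Added example (not from the thread or from Apple): check what an Apache
# SSLProtocol directive really enables, rewrite it to the TLS 1.1/1.2-only
# form, and confirm no legacy version remains. Works on a copy, never in place.
set -u

# Constructed sample: the Sierra default block quoted in the reply.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Secure (SSL/TLS) connections
<IfModule mod_ssl.c>
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLSessionCacheTimeout 300
</IfModule>
EOF

# resolve_sslprotocol ARGS: print the versions an SSLProtocol argument string
# enables, space-separated, in version order. Mirrors mod_ssl's left-to-right
# handling: "all" expands to every version, "+X" adds, "-X" removes, and a bare
# "X" replaces the whole set. The version list is an assumption (no TLSv1.3).
resolve_sslprotocol() {
    printf '%s\n' "$1" | awk '
    BEGIN { nv = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", ver, " ") }
    function apply(op, name,   k) {
        for (k = 1; k <= nv; k++)
            if (tolower(name) == "all" || tolower(name) == tolower(ver[k]))
                on[ver[k]] = (op == "+") ? 1 : 0
    }
    {
        for (i = 1; i <= NF; i++) {
            op = substr($i, 1, 1); name = substr($i, 2)
            if (op != "+" && op != "-") {      # bare token: start from an empty set
                for (k = 1; k <= nv; k++) on[ver[k]] = 0
                op = "+"; name = $i
            }
            apply(op, name)
        }
        out = ""
        for (k = 1; k <= nv; k++)
            if (on[ver[k]]) out = out (out == "" ? "" : " ") ver[k]
        print out
    }'
}

# conf_enabled_protocols FILE: resolve every SSLProtocol directive in FILE,
# one output line per directive (directive spelling assumed as written here).
conf_enabled_protocols() {
    grep '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS= read -r line; do
        args=$(printf '%s\n' "$line" | awk '{ $1 = ""; sub(/^ /, ""); print }')
        resolve_sslprotocol "$args"
    done
}

# allows_legacy FILE: succeed (exit 0) if any directive in FILE still enables
# SSLv3 or TLSv1; the trailing "( |$)" keeps TLSv1.1 from matching as TLSv1.
allows_legacy() {
    conf_enabled_protocols "$1" | grep -Eq '(^| )(SSLv3|TLSv1)( |$)'
}

# harden_sslprotocol SRC DST: copy SRC to DST with every SSLProtocol directive
# rewritten to the form the reply recommends, keeping its indentation.
harden_sslprotocol() {
    sed -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*$/\1SSLProtocol -all +TLSv1.1 +TLSv1.2/' "$1" > "$2"
}

HARDENED_CONF=$(mktemp)
harden_sslprotocol "$SAMPLE_CONF" "$HARDENED_CONF"
printf 'before: %s\n' "$(conf_enabled_protocols "$SAMPLE_CONF")"
printf 'after:  %s\n' "$(conf_enabled_protocols "$HARDENED_CONF")"
if allows_legacy "$HARDENED_CONF"; then
    echo 'still enables SSLv3 or TLSv1'
else
    echo 'only TLSv1.1 and TLSv1.2 enabled'
fi
```

Point harden_sslprotocol at a copy of your httpd_server_app.conf (or a per-site file under the sites directory) rather than the live file, diff the result, and only then move it into place and restart the web service. After the restart, confirm from another machine that a TLS 1.0 handshake is now refused while TLS 1.2 still succeeds, for example with openssl s_client -connect host:443 -tls1 versus -tls1_2; the config check above only proves what the file says, not what the running server negotiates.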
