I have been asked to enable TLS 1.0 and 1.1 for a Rails app on an Apache 2.2 web server running on CentOS 6 to support older browsers. Currently I have the following:
/etc/httpd/conf.d/virt-00.conf:
<VirtualHost 127.0.0.1:443>
ServerName subdomain.domain.com
Include conf/ssl-bits.conf
...
</VirtualHost>
...
/etc/httpd/conf/ssl-bits.conf:
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!SSLv3:!RC4:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/conf.d/star_domain.crt
SSLCertificateKeyFile /etc/httpd/conf.d/domain.key
SSLCACertificateFile /etc/httpd/conf.d/DigiCertCA.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
As far as I can tell, the '+TLSv1 +TLSv1.1' should be all I need to turn on TLS 1.0 and 1.1, but when I try to access the page with MSIE with TLS 1.2 turned off and TLS 1.0 and 1.1 turned on it tells me:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://subdomain.domain.com again. If this error persists, it is possible that this site uses an unsupported protocol. Please contact the site administrator.
The Qualys SSL server test confirms that TLS 1.0 and 1.1 aren't turned on. The SSL request logs don't show anything. I can only think it's something to do with the SSLCipherSuite or the fact that it's on a subdomain. I have tried several different combinations for SSLProtocol like '+all -SSLv2 -SSLv3'.
