Disabling Insecure Protocols and Ciphers in Apache

You will find a lot of recommended Apache configurations to disable insecure ciphers in Apache, especially to try to make the Qualys SSL Labs test happy. It took me a while to figure out one that isn’t over-complicated:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!SHA1:!SHA256:!SHA384:!RSA

When searching, you will generally find SSLProtocol settings that disable all protocols and then explicitly enable TLS 1.2 and TLS 1.3. I prefer to explicitly disable so that as Apache upgrades make new TLS versions available, they will automatically become available. This is obviously a rare event, so it’s all about what works best for you. You could argue that you shouldn’t make new protocols available without consciously deciding to. I see good and bad to both methods.
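The trade-off between the two SSLProtocol styles can be seen by resolving each against an older and a newer build. The following is an added example, not code from the original post or from Apache: it is a simplified model of how the directive's arguments resolve, and the build profiles and the function names `effective_protocols` and `audit` are assumptions made for illustration.

```python
# Added example: simplified model of how an SSLProtocol argument list
# resolves against the protocols a given Apache/OpenSSL build offers.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed build profiles (assumptions for illustration).
OLD_BUILD = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
NEW_BUILD = OLD_BUILD + ["TLSv1.3"]


def effective_protocols(args, build):
    """Resolve SSLProtocol arguments left to right against `build`."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):]
        selected = set(build) if name.lower() == "all" else {name}
        if action == "-":
            enabled -= selected      # simplification: removing an absent protocol is a no-op
            continue
        missing = selected - set(build)
        if missing:
            raise ValueError(f"build does not offer {sorted(missing)}")
        if action == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare name replaces what came before
    return [p for p in build if p in enabled]


def audit(args, build):
    """Return (enabled protocols, legacy protocols still enabled)."""
    enabled = effective_protocols(args, build)
    return enabled, [p for p in enabled if p in LEGACY]


DENY_LIST = "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"  # the line from this page
ALLOW_LIST = "-all +TLSv1.2"                      # allow-list written before TLS 1.3 was available

if __name__ == "__main__":
    for label, build in (("old build", OLD_BUILD), ("new build", NEW_BUILD)):
        for style, args in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
            enabled, legacy = audit(args, build)
            print(f"{label:9} {style:10} enabled={enabled} legacy={legacy}")
```

On the newer build the deny-list line picks up TLSv1.3 without an edit, while the allow-list stays at TLSv1.2 until someone adds the new version by hand.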