Apache disable TLS_RSA_WITH_3DES_EDE_CBC_SHA after LetsEncrypt

written by Andrew Shay on 2017-05-09

This guide is for Apache, but the steps might be similar for other web servers.

If you've just installed Let's Encrypt certificates with Certbot on your web server and run the SSL Server Test, you might see a warning saying your server supports TLS_RSA_WITH_3DES_EDE_CBC_SHA.

To drop support for this cipher suite:

  • Open /etc/letsencrypt/options-ssl-apache.conf
  • Delete :DES-CBC3-SHA from the SSLCipherSuite line.
  • Restart Apache: sudo service apache2 restart
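
The edit from the steps above as a script (an added example, not part of the original post and not Certbot code; the function names are made up here). It takes the options file path as its argument, keeps a .bak copy, and leaves exclusions such as !DES-CBC3-SHA alone.

```shell
#!/bin/sh
# Added example: drop the DES-CBC3-SHA token from SSLCipherSuite lines.
# Function names are hypothetical; pass the options file path as $1.

# Succeeds if an SSLCipherSuite line still enables DES-CBC3-SHA.
# A "!DES-CBC3-SHA" exclusion or a longer name ending in it does not count.
has_3des() {
    grep -Eq '^[[:space:]]*SSLCipherSuite.*[[:space:]:]DES-CBC3-SHA(:|[[:space:]]*$)' "$1"
}

# Print the config with the token removed; the input file is not modified.
strip_3des() {
    sed -E '/^[[:space:]]*SSLCipherSuite[[:space:]]/{
        s/:DES-CBC3-SHA(:|[[:space:]]*$)/\1/g
        s/([[:space:]])DES-CBC3-SHA:/\1/
    }' "$1"
}

# Rewrite the file in place, keeping a backup next to it.
apply_strip_3des() {
    conf=$1
    tmp=$(mktemp) || return 1
    strip_3des "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        echo "no change needed: $conf"
        return 0
    fi
    # cat into the existing file so its owner and mode are preserved
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] && echo "updated $conf (backup: $conf.bak)"
    return "$status"
}

# Stand-alone use: sh strip-3des.sh /etc/letsencrypt/options-ssl-apache.conf
if [ "$#" -eq 1 ]; then
    apply_strip_3des "$1"
fi
```

Run it with sudo, then check the result with sudo apachectl configtest before restarting Apache.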

Also, here is the default conf file:
https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/options-ssl-apache.conf