A security audit of a Linux web server flags a high-risk vulnerability: the server supports connections using the obsolete TLS 1.0 and 1.1 protocols. A systems administrator is tasked with remediating this finding to adhere to current security standards. Which of the following is the most direct and effective action to resolve this specific vulnerability?
Implement a more restrictive firewall policy to limit the source IP addresses that can connect to port 443.
Run apt upgrade or dnf update to ensure all system packages, including the web server, are at the latest version.
Replace the existing TLS certificate with a new one that has a 4096-bit key and is signed with SHA-256.
Modify the web server's configuration file (e.g., ssl.conf for Apache or nginx.conf for Nginx) to explicitly disable TLS 1.0 and 1.1.
The correct action is to modify the web server's configuration file to disable the insecure protocols. The versions of the TLS protocol that a server will offer to clients are defined in the service's configuration, not by the TLS certificate itself. For example, in Apache, this is typically handled by the SSLProtocol directive, and in Nginx by the ssl_protocols directive. By explicitly removing TLS 1.0 and 1.1 from this configuration, the administrator directly resolves the vulnerability.
Replacing the TLS certificate with a stronger key does not control the protocol versions the server negotiates; this is a common misconception. While updating system packages is a critical security practice, it does not guarantee that an existing, customized configuration file will be altered to disable old protocols. Finally, a firewall restricts access based on network information like IP addresses and ports but does not inspect the TLS handshake to enforce protocol versions; therefore, the vulnerability would remain on the server.
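As an added illustration (not part of the original question or explanation), the following POSIX shell check reports which obsolete versions a single protocol directive still leaves enabled and prints a hardened replacement. The two directives it inspects are constructed samples; the Apache case shows the caveat that the common distro default "SSLProtocol all -SSLv3" still enables TLS 1.0 and 1.1, because Apache's "all" shortcut includes them.

```shell
#!/bin/sh
# Added example: audit an Nginx "ssl_protocols" or Apache "SSLProtocol"
# directive for TLS 1.0/1.1 and produce the TLS 1.2/1.3-only form.

# Constructed sample directives, as a scanner finding might point at them.
NGINX_WEAK='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
APACHE_WEAK='SSLProtocol all -SSLv3'   # "all" still includes TLSv1 and TLSv1.1

# Print the obsolete versions a directive leaves enabled ("TLSv1 TLSv1.1",
# "TLSv1", "TLSv1.1" or an empty line). Nginx lists enabled versions
# explicitly; Apache uses all/+X/-X toggles, handled in order of appearance.
obsolete_protocols() {
    tls10=0; tls11=0
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        case "$tok" in
            TLSv1|+TLSv1)     tls10=1 ;;            # enabled explicitly
            TLSv1.1|+TLSv1.1) tls11=1 ;;
            all|+all)         tls10=1; tls11=1 ;;   # Apache: every version
            -TLSv1)           tls10=0 ;;            # Apache: explicit removal
            -TLSv1.1)         tls11=0 ;;
            -all)             tls10=0; tls11=0 ;;
        esac
    done
    out=""
    if [ "$tls10" -eq 1 ]; then out="TLSv1"; fi
    if [ "$tls11" -eq 1 ]; then out="${out:+$out }TLSv1.1"; fi
    printf '%s\n' "$out"
}

# Print the hardened form of a directive: TLS 1.2 and 1.3 only.
harden_directive() {
    case "$1" in
        ssl_protocols*) printf 'ssl_protocols TLSv1.2 TLSv1.3;\n' ;;
        SSLProtocol*)   printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\n' ;;
        *)              printf '%s\n' "$1" ;;   # not a protocol directive
    esac
}

# Report both constructed samples: finding, then the corrected line.
for line in "$NGINX_WEAK" "$APACHE_WEAK"; do
    bad=$(obsolete_protocols "$line")
    if [ -n "$bad" ]; then
        printf 'WEAK : %s  (enables: %s)\n' "$line" "$bad"
        printf 'FIX  : %s\n' "$(harden_directive "$line")"
    else
        printf 'OK   : %s\n' "$line"
    fi
done
```

After editing the real file, reload the service and re-run the scanner; the configuration change, not the package update or certificate, is what clears the finding.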
CompTIA Linux+ XK0-006 (V8)
Troubleshooting