How can I disable TLS 1.0 and 1.1 in apache?

You can enable both TLS 1.2 and 1.3 this way and have everything deprecated disabled.

  SSLProtocol +TLSv1.2 +TLSv1.3
  SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES

There are a lot of fine answers here, but they did not work for me or were actually overkill. The following suggestions were tested on Ubuntu 16.04 Apache 2.

A key observation is that the first virtual host on that port dictates the setting... even if its configuration doesn't explicitly specify a SSLProtocol value.

To determine the first virtual host:

bash
source /etc/apache2/envvars
apache2 -t -D DUMP_VHOSTS
exit

On CentOS, only one line will probably be needed:

httpd -t -D DUMP_VHOSTS

When you do this you should see a list of the virtual hosts and it might include a 443 section something like

*:443                  is a NameVirtualHost
     default server example.com (/etc/apache2/sites-enabled/example.com-le-ssl.conf:2)
     port 443 namevhost sample.com (/etc/apache2/sites-enabled/sample.com-le-ssl.conf:2)
     port 443 namevhost another.org (/etc/apache2/sites-enabled/another.org-le-ssl.conf:2)
     port 443 namevhost lucky.com (/etc/apache2/sites-enabled/lucky.com-le-ssl.conf:2)
             alias test15a.zzzzpost.com

When you see this, you might find that it's sufficient to update the SSLProtocol config for just that "default server" virtual host.

Another complication that you might run in to with earlier suggestions is that if you grep for occurrences of SSLProtocol in your /etc/apache2/ or /etc/httpd/ tree, you will not find configuration in other parts of your file system. This can be important if your configuration has Include directives. For example, if you've used the Let's Encrypt installer, it often adds these:

<IfModule mod_ssl.c> 
<VirtualHost *:443>  
    ServerName mydomain.com
    ...
    Include /etc/letsencrypt/options-ssl-apache.conf 
    ...
</VirtualHost>  

So my suggestions are:

1. Determine the first virtual host on the given port.  See my example above 
   for details.
2. Inspect the configuration for that virtual host carefully.    
   a. If you find that config file explicitly sets SSLProtocol, make your change there.
   b. If not, but you find it includes a config file that is setting SSLProtocol, 
      consider setting it there.
   c. Otherwise, it's likely that setting it in your ssl.conf file would work.
   d. If not, consider creating your own config file with your SSLProtocol setting
      and including it in this first virtual host config, and possibly all virtual 
      host configs.

As mentioned by others, the configuration you want is

SSLProtocol             TLSv1.2

After you make your change, you can quickly confirm it via:

systemctl reload apache2    
# This ^^^ must be done before vvvv
nmap --script ssl-enum-ciphers -p 443 sample.com | grep TLSv

If you've been successful, this lists only TLSv1.2.

I faced this problem too. I couldn't disable TLSv1 or TLSv1.1 for just one VHost by configuring it within this Vhost.

We found two solution:

1 -

Since we run several IP addresses within one Instance I disabled TLSv1 and TLSv1.1 per IP address, and so for the defined Vhosts too.

2 -

When we only configure strong ciphers, then it seams that only TLSv1.2 is available

  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLHonorCipherOrder on

Apache 2.4.23, openssl 1.0.2.

Maybe someone can verify my observations.

You need to restart the Apache service using the following command to reflect the changes.

sudo service apache2 restart

Below code will work fine for me, you can check this article to get more details, https://karthikekblog.com/how-to-disable-enable-ssl-tls-protocols-in-ubentu-apache-linux-server/

<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLProtocol +TLSv1.2
SSLCertificateFile /etc/apache2/certificates/certificate.crt
SSLCertificateKeyFile /etc/apache2/certificates/certificate.key 
SSLCertificateChainFile /etc/apache2/certificates/intermediate.crt
</VirtualHost>

I was struggling with this issue as well, modifying configs with the SSLProtocol directive wasn't working. I ended up adding the following to my virtual host configuration:

SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"

Which worked perfectly. You can read more about the SSLOpenSSLConfCmd directive here.

Disable TLS1.0 version in Apache.

If you have multiple virtual hosting then you have to update all configurations file, otherwise,ssl.conf is enough.

To check TSL supporting version:

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

Modify the Apache configuration file vi /etc/httpd/conf.d/web.conf remove all TLS and allow only TLS1.2.

SSLProtocol TLSv1.2

Validate after the modification.

# grep SSLProtocol /etc/httpd/conf.d/web.conf
SSLProtocol TLSv1.2

# nmap --script ssl-enum-ciphers -p 443 192.168.11.10 | grep TLSv
|   TLSv1.2:
# service httpd restart

When you have multiple TLS VirtualHosts and use Server Name Indication (SNI) it is an allowed syntax to have a SSLProtocol directive for each VirtualHost, but unless you have IP VirtualHosts in practice the settings from the first occurrence of the SSLProtocol directive are used for the whole server and/or all name-based VirtualHosts supporting TLS¹.

So check your main httpd.conf (and all included snippets from for instance conf.d/*.conf and similar includes) for more occurrences of the SSLProtocol directive.

You syntax is correct, although I agree with ezra-s' answer that, when you expand the all shorthand, you can slightly improve upon:

 SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

by simply using:

 SSLProtocol TLSv1.2

that you have specified is enough, it shouldn't show any other protocols. Remember SSLLABS caches recent tests. Although knowing that there are no other protocols defining it like you did is kind of convoluted on purpose.

In any case you can use that or simply:

SSLProtocol TLSv1.2