This would likely be http, as a default SME 9 installation will support TLS 1.0, 1.1, and 1.2. Doyle appears to be facing a third-party requirement to disable TLS 1.0 by next June, most likely related to accepting credit cards (I presume this since that's what PCI deals with). It appears (based on my limited web searching) that vulnerabilities in TLS 1.0 can be mitigated, if not defeated, by ensuring use of RC4, but that then exposes you to potential vulnerabilities in RC4.
TLS 1.0 can be disabled in httpd.conf by setting SSLProtocol to "all -SSLv3 -TLSv1". I made that change on my production server, restarted httpd-e-smith, and ran the SSL test from ssllabs.com. The result was that TLS 1.0 was in fact disabled.
To do it the "e-smith way," you'd need to make a custom template fragment.
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
# nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
Make it look like this:
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all";
    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
}
Set your configuration properly, rebuild the httpd configuration file, and restart Apache:
# config setprop httpd-e-smith TLSv1 disabled
# config setprop httpd-e-smith TLSv1.1 enabled
# expand-template /etc/httpd/conf/httpd.conf
# service httpd-e-smith restart
Now, I'm fairly confident that this will disable TLS v1.0 on your server. If you want to disable TLS 1.1 as well, change the second command above to "TLSv1.1 disabled". I can't vouch for the wisdom of doing so, or address any other impacts it may have.
Note that disabling TLS 1.0 will break https for a bunch of older clients. Clients that support TLS 1.2 will use it anyway--having TLS 1.0 enabled does not force your clients to use that protocol.
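A check that can run between expand-template and the restart, added here as an example (it is not part of the original post or of SME Server): it reads every SSLProtocol directive in a config file and reports which protocols each one leaves enabled, so a second directive that quietly re-enables TLS 1.0 gets caught. The function names, the sample file, and the expansion of "all" to the five protocol names mentioned on this page are assumptions; token handling assumes a bare name replaces the set while +name and -name modify it.

```bash
# Assumption: "all" stands for the five protocol names that appear on this page.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# enabled_protocols "ARGS": print the protocols one SSLProtocol argument list leaves on.
# A bare name replaces the set, +name adds to it, -name removes from it.
enabled_protocols() {
    local enabled="" tok action name p e keep out=""
    for tok in $1; do
        case "$tok" in
            +*) action="+"; name=${tok#+} ;;
            -*) action="-"; name=${tok#-} ;;
            *)  action="="; name=$tok ;;
        esac
        if [ "$name" = "all" ]; then name=$ALL_PROTOCOLS; fi
        if [ "$action" = "=" ]; then enabled=""; fi
        for p in $name; do
            keep=""
            for e in $enabled; do if [ "$e" != "$p" ]; then keep="$keep $e"; fi; done
            enabled=$keep
            if [ "$action" != "-" ]; then enabled="$enabled $p"; fi
        done
    done
    # Emit in a fixed order so the result is easy to compare.
    for p in $ALL_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="${out:+$out }$p" ;; esac
    done
    echo "$out"
}

# check_conf FILE PROTO...: list each SSLProtocol directive; return 1 if any leaves a PROTO enabled.
check_conf() {
    local file=$1 rc=0 n=0 directive args left p
    shift
    while read -r directive args; do
        n=$((n + 1))
        if [ "$directive" != "SSLProtocol" ]; then continue; fi   # skips comments too
        left=$(enabled_protocols "$args")
        echo "line $n: SSLProtocol $args -> ${left:-none}"
        for p in "$@"; do
            case " $left " in *" $p "*) echo "  $p still enabled"; rc=1 ;; esac
        done
    done < "$file"
    return $rc
}

# Constructed sample: the fragment's output, a commented line, and a directive that keeps TLS 1.0.
sample=$(mktemp)
printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1' '# SSLProtocol all' '  SSLProtocol all -SSLv2 -SSLv3' > "$sample"
check_conf "$sample" SSLv2 SSLv3 TLSv1 || echo "TLS 1.0 policy not met"
rm -f "$sample"
```

On a live system the file argument would be /etc/httpd/conf/httpd.conf; a static check like this complements, but does not replace, an external handshake test such as the ssllabs.com one mentioned above.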