How to disable TLSv1 in snap based install on Ubuntu 16

I am trying a simple thing but can't get it done.
I would like to disable TLSv1 support on my snap based install on an Ubuntu server.

Can't find an ssl.conf that is writable to make the change.
Would like to add a line
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Should be so simple, wasted a few hours to get it done.


Usually, the Ubuntu/Debian structure is the same:

Usually, the ssl.conf is located in /etc/apache2/sites-enabled.
My installation has 2 files:
000-default.conf and 000-default-le-ssl.conf

vim or nano 000-default-le-ssl.conf
I am using a letsencrypt certificate. Here is a working example:

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        # HTTP2 protocol enabled
        Protocols h2 http/1.1
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # letsencrypt chain
        SSLCertificateFile /etc/letsencrypt/live/REDACTED/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/REDACTED/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        # OFC
        # Guarantee HTTPS for 6 Month including Sub Domains
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
# SSL CONF Paranoiac
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLHonorCipherOrder     on
# new ssl no compression method
# no compression due to testing 1.1.1pre8
# SSLCompression          on
SSLSessionTickets       off
SSLOptions +StrictRequire

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
   # EOF

This is not the case with a snap install. There is no /etc/apache2.
The ssl.conf is located at /snap/nextcloud/9868/conf/ssl.conf and it is not writable.
The whole directory is mounted read-only.
/var/lib/snapd/snaps/nextcloud_9868.snap on /snap/nextcloud/9868 type squashfs (ro,nodev,relatime,x-gdu.hide)
talks about a custom.conf at /var/snap/nextcloud/current/apache/conf/custom.conf which also does not exist.

After reading snaps seem to be read-only by design. seems to fix this by providing
sudo snap set nextcloud apache.oldtls=false but it doesn’t seem to be merged yet.
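
A read-only ssl.conf can still be audited. The following is an added example, not part of the original posts and not Nextcloud or Apache code: it evaluates `SSLProtocol` lines such as the two quoted in this thread and reports which legacy protocols remain enabled. It assumes that `all` expands to SSLv3 through TLSv1.3 on the build in question and that a token without `+` or `-` replaces the set built so far; the function names and the sample text are constructed for illustration.

```python
import re

# Assumption: what "all" expands to on this build (OpenSSL 1.1.1+, SSLv3 compiled in).
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
CANON = {p.lower(): p for p in ALL}  # protocol names are matched case-insensitively

def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive, left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "sslv2" and action == "-":
            continue                 # "-SSLv2" is tolerated and has no effect
        if name == "all":
            group = set(ALL)
        elif name in CANON:
            group = {CANON[name]}
        else:
            raise ValueError(f"unsupported protocol token {token!r}")
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = group          # assumption: a bare token replaces the set
    return enabled

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def audit(conf_text):
    """Return (line_no, enabled, legacy_still_enabled) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)    # commented-out directives do not match
        if m:
            enabled = effective_protocols(m.group(1))
            findings.append((no, sorted(enabled), sorted(enabled & LEGACY)))
    return findings

# Constructed sample: one weak line next to the two directives quoted in the thread.
SAMPLE = """\
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
"""
```

Passing the text of the snap's ssl.conf to `audit()` shows what the shipped directive actually leaves enabled; an empty third field means no SSLv3, TLSv1 or TLSv1.1.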