
Bug#815852: apache2: Obsolete IE configuration cruft should be removed from default-ssl.conf



Package: apache2
Version: 2.4.12-2ubuntu2
Severity: normal

The default-ssl.conf configuration for apache2 contains these lines:

> BrowserMatch "MSIE [2-6]" \
>   nokeepalive ssl-unclean-shutdown \
>   downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

They don't serve any purpose and should be removed.


For IE 2-6:

Upstream uses 

> BrowserMatch "MSIE [2-5]" \
>   nokeepalive ssl-unclean-shutdown \
>   downgrade-1.0 force-response-1.0

in httpd-ssl.conf.in, which excludes IE6.

IE5 and below are rare enough that it seems not worth including them
in the default configuration for a new secure web server today.
(I would argue the same is true for IE6.)


For IE 7 and up:

I used an IE7 VM from https://modern.ie/ to connect to a vhost
which didn't enable ssl-unclean-shutdown. 
IE7 had no problem with standard connection closes, and nothing
appeared in a debug-level SSL log.

This directive does not appear to be necessary for any more modern
versions of IE.


-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers wily-updates
  APT policy: (500, 'wily-updates'), (500, 'wily-security'), (500, 'wily')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-23-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.12-2ubuntu2
ii  apache2-data   2.4.12-2ubuntu2
ii  apache2-utils  2.4.12-2ubuntu2
ii  dpkg           1.18.2ubuntu5.1
ii  lsb-base       4.1+Debian11ubuntu8
ii  mime-support   3.58ubuntu1
ii  perl           5.20.2-6ubuntu0.1
ii  procps         1:3.3.9-1ubuntu8

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.37

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  ufw                                              0.34-2
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.21-0ubuntu4.1
ii  libldap-2.4-2            2.4.41+dfsg-1ubuntu2
ii  liblua5.1-0              5.1.5-8
ii  libpcre3                 2:8.35-7.1ubuntu1
ii  libssl1.0.0              1.0.2d-0ubuntu1.3
ii  libxml2                  2.9.2+zdfsg1-4ubuntu0.3
ii  perl                     5.20.2-6ubuntu0.1
ii  zlib1g                   1:1.2.8.dfsg-2ubuntu4

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.12-2ubuntu2
ii  apache2-bin  2.4.12-2ubuntu2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/conf-available/charset.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]

-- no debconf information
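As an added example, not code from the report or from the Debian apache2 package: a small Python check that walks an Apache config, joins backslash-continued lines the way Apache does, and flags BrowserMatch directives that target MSIE with the obsolete SSL workaround variables named in the report. The sample config is constructed here to mirror the quoted default-ssl.conf fragment.

```python
import re

# Constructed sample mirroring the default-ssl.conf lines quoted in the report.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    BrowserMatch "MSIE [2-6]" \\
      nokeepalive ssl-unclean-shutdown \\
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    BrowserMatch "Mozilla/2" nokeepalive
</VirtualHost>
"""

# Environment variables the report identifies as obsolete IE workarounds.
OBSOLETE_VARS = {"nokeepalive", "ssl-unclean-shutdown",
                 "downgrade-1.0", "force-response-1.0"}

# BrowserMatch[NoCase] <regex, quoted or bare> <env settings...>
BM_RE = re.compile(r'^BrowserMatch(?:NoCase)?\s+(?:"([^"]*)"|(\S+))\s+(.*)$')


def logical_lines(text):
    """Yield (first_line_no, joined_line), merging trailing-backslash
    continuations so a multi-line directive is seen as one directive."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended while still inside a continuation
        yield start, " ".join(buf).strip()


def find_obsolete_ie_directives(text):
    """Return [(line_no, pattern, [obsolete vars])] for every BrowserMatch
    whose regex mentions MSIE and which sets one of OBSOLETE_VARS."""
    hits = []
    for n, line in logical_lines(text):
        m = BM_RE.match(line)
        if not m:
            continue
        pattern = m.group(1) if m.group(1) is not None else m.group(2)
        if "MSIE" not in pattern:
            continue
        envs = [e.lstrip("!") for e in m.group(3).split()]  # "!var" unsets var
        obsolete = [e for e in envs if e in OBSOLETE_VARS]
        if obsolete:
            hits.append((n, pattern, obsolete))
    return hits
```

Run it over /etc/apache2/sites-available/default-ssl.conf to see which lines the report is asking to have dropped; each hit reports the line where the directive starts.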

