Bug#925061: apache2: Cannot disabled old TLS Versions (prior to TLS1.2)
Package: apache2
Version: 2.4.38-2
Severity: important
Dear Maintainer,
I wanted to get an A+ rating on ssllabs.com so I tried to disable all SSLProtocols except for TLS1.2
Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it states "SSLProtocol TLSv1.2", which should disable all SSLProtocols except for TLS1.2, but TLS1.0 und TLS1.1 are still active, as seen with nmap:
# nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
On Apache Bugtracker it appears that apache itself does not have that problem but it has something to do with the deb-Package for Debian and Ubuntu: https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
Tried with stretch-stable first, updated to testing because reportbug told me there is a newer version.
I would really appreciate it if someone else is able to reproduce this problem and figure out what is going on.
Best,
Thomas
-- Package-specific info:
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 4.9.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.38-2
ii apache2-data 2.4.38-2
ii apache2-utils 2.4.38-2
ii dpkg 1.18.25
ii lsb-base 10.2019031300
ii mime-support 3.62
ii perl 5.24.1-3+deb9u5
ii procps 2:3.3.12-3+deb9u1
Versions of packages apache2 recommends:
ii ssl-cert 1.0.39
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii w3m [www-browser] 0.5.3-34+deb9u1
Versions of packages apache2-bin depends on:
ii libapr1 1.6.5-1+b1
ii libaprutil1 1.6.1-3+b2
ii libaprutil1-dbd-sqlite3 1.6.1-3+b2
ii libaprutil1-ldap 1.6.1-3+b2
ii libbrotli1 1.0.7-2
ii libc6 2.28-8
ii libcurl4 7.64.0-1
ii libjansson4 2.12-1
ii libldap-2.4-2 2.4.47+dfsg-3
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.36.0-2
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1b-1
ii libxml2 2.9.4+dfsg1-2.2+deb9u2
ii perl 5.24.1-3+deb9u5
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii w3m [www-browser] 0.5.3-34+deb9u1
Versions of packages apache2 is related to:
ii apache2 2.4.38-2
ii apache2-bin 2.4.38-2
-- Configuration Files:
/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Disabled by default, the global Mutex directive consolidates by default
# this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol TLSv1.2
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
/etc/apache2/ports.conf changed:
Listen 80
<IfModule ssl_module>
Listen 443
Listen 5000
Listen 5001
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName itmns.at
ServerAdmin webmaster@itmns.at
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =itmns.at
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
-- no debconf information
Reply to: