[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#925061: apache2: Cannot disabled old TLS Versions (prior to TLS1.2)

Package: apache2
Version: 2.4.38-2
Severity: important

Dear Maintainer,

I wanted to get an A+ rating on ssllabs.com so I tried to disable all SSLProtocols except for TLS1.2

Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it states "SSLProtocol TLSv1.2", which should disable all SSLProtocols except for TLS1.2, but TLS1.0 und TLS1.1 are still active, as seen with nmap:

# nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:


On Apache Bugtracker it appears that apache itself does not have that problem but it has something to do with the deb-Package for Debian and Ubuntu: https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

Tried with stretch-stable first, updated to testing because reportbug told me there is a newer version.

I would really appreciate it if someone else is able to reproduce this problem and figure out what is going on.

Best,
Thomas

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-2
ii  apache2-data   2.4.38-2
ii  apache2-utils  2.4.38-2
ii  dpkg           1.18.25
ii  lsb-base       10.2019031300
ii  mime-support   3.62
ii  perl           5.24.1-3+deb9u5
ii  procps         2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-3+b2
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b2
ii  libaprutil1-ldap         1.6.1-3+b2
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-8
ii  libcurl4                 7.64.0-1
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1b-1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.38-2
ii  apache2-bin  2.4.38-2

-- Configuration Files:
/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
	# Pseudo Random Number Generator (PRNG):
	# Configure one or more sources to seed the PRNG of the SSL library.
	# The seed data should be of good random quality.
	# WARNING! On some platforms /dev/random blocks if not enough entropy
	# is available. This means you then cannot use the /dev/random device
	# because it would lead to very long connection times (as long as
	# it requires to make more entropy available). But usually those
	# platforms additionally provide a /dev/urandom device which doesn't
	# block. So, if available, use this one instead. Read the mod_ssl User
	# Manual for more details.
	#
	SSLRandomSeed startup builtin
	SSLRandomSeed startup file:/dev/urandom 512
	SSLRandomSeed connect builtin
	SSLRandomSeed connect file:/dev/urandom 512
	##
	##  SSL Global Context
	##
	##  All SSL configuration in this context applies both to
	##  the main server and all SSL-enabled virtual hosts.
	##
	#
	#   Some MIME-types for downloading Certificates and CRLs
	#
	AddType application/x-x509-ca-cert .crt
	AddType application/x-pkcs7-crl	.crl
	#   Pass Phrase Dialog:
	#   Configure the pass phrase gathering process.
	#   The filtering dialog program (`builtin' is a internal
	#   terminal dialog) has to provide the pass phrase on stdout.
	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
	#   Inter-Process Session Cache:
	#   Configure the SSL Session Cache: First the mechanism 
	#   to use and second the expiring timeout (in seconds).
	#   (The mechanism dbm has known memory leaks and should not be used).
	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
	SSLSessionCacheTimeout  300
	#   Semaphore:
	#   Configure the path to the mutual exclusion semaphore the
	#   SSL engine uses internally for inter-process synchronization. 
	#   (Disabled by default, the global Mutex directive consolidates by default
	#   this)
	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate. See the
	#   ciphers(1) man page from the openssl package for list of all available
	#   options.
	#   Enable only secure ciphers:
	SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
	# SSL server cipher order preference:
	# Use server priorities for cipher algorithm choice.
	# Clients may prefer lower grade encryption.  You should enable this
	# option if you want to enforce stronger encryption, and can afford
	# the CPU cost, and did not override SSLCipherSuite in a way that puts
	# insecure ciphers first.
	# Default: Off
	SSLHonorCipherOrder on
	#   The protocols to enable.
	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
	#   SSL v2  is no longer supported
	SSLProtocol TLSv1.2
	#   Allow insecure renegotiation with clients which do not yet support the
	#   secure renegotiation protocol. Default: Off
	#SSLInsecureRenegotiation on
	#   Whether to forbid non-SNI clients to access name based virtual hosts.
	#   Default: Off
	#SSLStrictSNIVHostCheck On
</IfModule>

/etc/apache2/ports.conf changed:
Listen 80
<IfModule ssl_module>
	Listen 443
	Listen 5000
	Listen 5001
</IfModule>
<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName itmns.at
	ServerAdmin webmaster@itmns.at
	DocumentRoot /var/www/html
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =itmns.at
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


-- no debconf information
Reply to: