[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#925061: apache2: Cannot disabled old TLS Versions (prior to TLS1.2)

Hi,


On Tue, Mar 19, 2019 at 05:18:49PM +0100, Thomas Knaller wrote:
> Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it
> states "SSLProtocol TLSv1.2", which should disable all SSLProtocols
> except for TLS1.2, but TLS1.0 und TLS1.1 are still active, as seen
> with nmap:
> 
> # nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
> |   TLSv1.0:
> |   TLSv1.1:
> |   TLSv1.2:
> 

I could not reproduce this, either with 2.4.25-3+deb9u7 on stretch nor
with 2.4.38-3 on buster. It's not very likely that this was fixed
between 2.4.38-2 and 2.4.38-3, so it's probably something in your
configuration.

Maybe you have another sslprotocol directive somewhere else in the
config? You can check with:

a2enmod info
apache2ctl -t -D DUMP_CONFIG|grep -i ssl
a2dismod info # if it hasn't been enabled before

> On Apache Bugtracker it appears that apache itself does not have that
> problem but it has something to do with the deb-Package for Debian and
> Ubuntu: https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

That report mentions some weird interaction with SSLCipherSuite. Maybe
you have that in another config file?

Cheers,
Stefan
Reply to: