Bug#925061: apache2: Cannot disabled old TLS Versions (prior to TLS1.2)
Hi,
On Tue, Mar 19, 2019 at 05:18:49PM +0100, Thomas Knaller wrote:
> Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it
> states "SSLProtocol TLSv1.2", which should disable all SSLProtocols
> except for TLS1.2, but TLS1.0 und TLS1.1 are still active, as seen
> with nmap:
>
> # nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
> | TLSv1.0:
> | TLSv1.1:
> | TLSv1.2:
>
I could not reproduce this, neither with 2.4.25-3+deb9u7 on stretch nor
with 2.4.38-3 on buster. It's not very likely that this was fixed
between 2.4.38-2 and 2.4.38-3, so it's probably something in your
configuration.
Maybe you have another sslprotocol directive somewhere else in the
config? You can check with:
a2enmod info
apache2ctl -t -D DUMP_CONFIG|grep -i ssl
a2dismod info # if it hasn't been enabled before
> On Apache Bugtracker it appears that apache itself does not have that
> problem but it has something to do with the deb-Package for Debian and
> Ubuntu: https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
That report mentions some weird interaction with SSLCipherSuite. Maybe
you have that in another config file?
Cheers,
Stefan
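An added example, not part of the bug report and not code from the apache2 package: a small POSIX shell/awk checker that takes the output of `apache2ctl -t -D DUMP_CONFIG` and reports every SSLProtocol directive it finds, together with the file, line and context (server-wide or inside a `<VirtualHost>`), and whether the directive would still accept SSLv3, TLSv1.0 or TLSv1.1. It goes slightly beyond the reply above by pointing at the virtual host that carries the overriding directive. It assumes the dump format `# In file: <path>` followed by `#  <line>: <directive> <args>` (my reading of mod_info output, treated as an assumption and fed with a constructed sample here), and models SSLProtocol arguments the way the directive is documented: an unprefixed name or `all` replaces the current set, `+name` adds to it and `-name` removes from it.

```shell
#!/bin/sh
# Added example (not from the bug report or the apache2 package): list every
# SSLProtocol directive in a DUMP_CONFIG-style dump and flag the ones that
# still allow SSLv3/TLSv1.0/TLSv1.1. A <VirtualHost> can carry its own
# SSLProtocol that overrides the one in ssl.conf, so "TLSv1.2" in
# mods-enabled/ssl.conf alone does not prove the old versions are off.

# Constructed sample in the assumed DUMP_CONFIG shape ("# In file:" headers,
# then "#  <line>: <directive>"); file names and line numbers are made up.
SAMPLE_DUMP='# In file: /etc/apache2/mods-enabled/ssl.conf
#   52: SSLProtocol TLSv1.2
# In file: /etc/apache2/sites-enabled/default-ssl.conf
#    2: <VirtualHost _default_:443>
#   17: SSLProtocol all -SSLv3
#   30: </VirtualHost>
# In file: /etc/apache2/sites-enabled/example.conf
#    1: <VirtualHost *:443>
#    9: SSLProtocol -all +TLSv1.2 +TLSv1.3
#   20: </VirtualHost>'

# Read a dump on stdin; print one line per SSLProtocol directive:
#   <file>:<line> <server|vhost(addr)> <OK|WEAK> <directive arguments>
# WEAK means the resulting protocol set still contains SSLv3, TLSv1 or TLSv1.1.
report_ssl_protocol() {
    awk '
    BEGIN {
        # Protocol names that "all" stands for in this simplified model.
        known["sslv3"] = 1; known["tlsv1"] = 1; known["tlsv1.1"] = 1
        known["tlsv1.2"] = 1; known["tlsv1.3"] = 1
        ctx = "server"
    }
    /^# In file: / { file = $4; ctx = "server"; next }
    $2 !~ /^[0-9]+:$/ { next }                 # not a "#  <line>: directive" record
    {
        d = tolower($3)
        if (d == "<virtualhost") { ctx = "vhost(" $4; sub(/>$/, "", ctx); ctx = ctx ")"; next }
        if (d == "</virtualhost>") { ctx = "server"; next }
        if (d != "sslprotocol") next
        ln = $2; sub(/:$/, "", ln)
        split("", allowed); value = ""
        for (i = 4; i <= NF; i++) {
            tok = tolower($i)
            value = (value == "" ? $i : value " " $i)
            pfx = substr(tok, 1, 1)
            name = ((pfx == "+" || pfx == "-") ? substr(tok, 2) : tok)
            # An unprefixed name replaces the whole set; +/- modify it.
            if (pfx != "+" && pfx != "-") split("", allowed)
            if (name == "all") {
                for (p in known) { if (pfx == "-") delete allowed[p]; else allowed[p] = 1 }
            } else if (pfx == "-") {
                delete allowed[name]
            } else {
                allowed[name] = 1
            }
        }
        weak = (("sslv3" in allowed) || ("tlsv1" in allowed) || ("tlsv1.1" in allowed))
        printf "%s:%s %s %s %s\n", file, ln, ctx, (weak ? "WEAK" : "OK"), value
    }'
}

# Print the number of WEAK directives found on stdin; exit status is non-zero
# when there is at least one, so the function can gate a config check.
count_weak_ssl_protocol() {
    n=$(report_ssl_protocol | grep -c ' WEAK ')
    echo "$n"
    [ "$n" -eq 0 ]
}

# Stand-alone run over the constructed sample. On a real host replace the
# sample with:  apache2ctl -t -D DUMP_CONFIG | report_ssl_protocol
printf '%s\n' "$SAMPLE_DUMP" | report_ssl_protocol
```

In the sample, the server-wide `TLSv1.2` in ssl.conf is reported OK, the `all -SSLv3` inside the default SSL virtual host is reported WEAK (it still leaves TLSv1 and TLSv1.1 enabled for that host), and the `-all +TLSv1.2 +TLSv1.3` form is OK. Running the checker over the real dump, as suggested in the reply, shows at a glance which file and virtual host reintroduce the old versions.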