Bug#928173: apache2: SSLCipherSuite is ignored

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#928173: apache2: SSLCipherSuite is ignored
From: Olaf Zaplinski <olaf@zaplinski.de>
Date: Mon, 29 Apr 2019 13:22:56 +0200
Message-id: <[🔎] 155653697638.3647.15423788789384539383.reportbug@binky.tuxfriends.net>
Reply-to: Olaf Zaplinski <olaf@zaplinski.de>, 928173@bugs.debian.org

Package: apache2
Version: 2.4.25-3+deb9u7
Severity: normal


Dear Maintainer,

I have set
SSLCipherSuite "-ALL ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384"
in mods-enabled/ssl.conf

SSLProtocol is not defined anywhere. SSLCipherSuite is only defined here.

According to Qualsys SSL labs test, non-defined ciphers are being used, e.g. ECDHE-RSA-AES128-GCM-SHA256

Expectation: only defined three ciphers are being used.


-- Package-specific info:

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u7
ii  apache2-data         2.4.25-3+deb9u7
ii  apache2-utils        2.4.25-3+deb9u7
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u2
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2r-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u7
ii  apache2-bin  2.4.25-3+deb9u7

-- Configuration Files:
/etc/apache2/conf-available/localized-error-pages.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/deflate.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information

Reply to:

Follow-Ups:
- Bug#928173: .
  - From: Olaf Zaplinski <olaf@zaplinski.de>
- Bug#928173: apache2: SSLCipherSuite is ignored
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: [bts-link] source package apr
Next by Date: Bug#928173: .
Previous by thread: [bts-link] source package apr
Next by thread: Bug#928173: .
Index(es):
- Date
- Thread