
Bug#928173: apache2: SSLCipherSuite is ignored



On Monday, 29 April 2019 13:22:56 CEST Olaf Zaplinski wrote:
> I have set
> SSLCipherSuite "-ALL ECDHE-ECDSA-CHACHA20-POLY1305
> ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384" in
> mods-enabled/ssl.conf
> 
> SSLProtocol is not defined anywhere. SSLCipherSuite is only defined here.
> 
> According to the Qualys SSL Labs test, non-defined ciphers are being used, e.g.
> ECDHE-RSA-AES128-GCM-SHA256
> 
> Expectation: only the three defined ciphers are being used.


apache2 in stretch still uses openssl 1.0 libs, while the command line utility 
is already 1.1. This makes it difficult to check with "openssl ciphers" what is 
actually happening.

openssl 1.0 does not support the chacha ciphers. But I don't know why apache 
does not complain about the unknown ciphers. Probably that's a bug.

In buster / Debian 10, this seems to work better, because there apache2 links 
against openssl 1.1.

But even there, things are weird. It does not seem possible to select a single 
cipher:

$ openssl ciphers ECDHE-RSA-AES256-GCM-SHA384
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384
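As an added example (not part of the bug report or the maintainer's reply), the check below performs the same experiment through Python's `ssl` module, which calls the same OpenSSL cipher-list code that Apache and `openssl ciphers` use. It applies the exact `SSLCipherSuite` string from the report and groups the ciphers OpenSSL actually enables by protocol. On OpenSSL 1.1.1 and later the TLS 1.3 suites (`TLS_AES_256_GCM_SHA384` and friends) live in a separate list that is configured with `SSL_CTX_set_ciphersuites` (`openssl ciphers -ciphersuites ...` on the command line) and are not touched by a `-ALL ...` cipher string, which is why a "single cipher" request still shows four entries above. The function names and the dictionary layout are this example's own choices, not anything from Apache or Debian.

```python
import ssl

# Cipher string copied verbatim from the bug report (TLS 1.2-style names).
REQUESTED = ("-ALL ECDHE-ECDSA-CHACHA20-POLY1305 "
             "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384")


def enabled_ciphers(cipher_string: str) -> dict:
    """Return the ciphers OpenSSL really enables for cipher_string, grouped by
    the protocol version each one belongs to (e.g. 'TLSv1.2', 'TLSv1.3')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same call path as Apache's SSLCipherSuite: SSL_CTX_set_cipher_list().
    ctx.set_ciphers(cipher_string)
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups


def tls12_outside_request(cipher_string: str) -> list:
    """Names enabled for TLS 1.2 and below that were NOT named in the request.
    A non-empty result means the cipher string did not restrict the list as
    intended; an empty result means only the requested ciphers survive."""
    wanted = {tok for tok in cipher_string.split() if not tok.startswith("-")}
    groups = enabled_ciphers(cipher_string)
    return sorted(
        name
        for proto, names in groups.items()
        if proto != "TLSv1.3"
        for name in names
        if name not in wanted
    )


def tls13_suites(cipher_string: str) -> list:
    """TLS 1.3 suites that remain enabled regardless of the cipher string."""
    return enabled_ciphers(cipher_string).get("TLSv1.3", [])


if __name__ == "__main__":
    for proto, names in enabled_ciphers(REQUESTED).items():
        print(proto, names)
    print("unexpected pre-1.3 ciphers:", tls12_outside_request(REQUESTED))
    print("TLS 1.3 suites still enabled:", tls13_suites(REQUESTED))
```

Run against a Python linked with OpenSSL 1.1.1 or newer, the pre-1.3 group contains only the three requested ciphers (fewer if the build lacks ChaCha20), while the TLS 1.3 group still lists the default suites. Checking `get_ciphers()` this way sidesteps the stretch problem described above, where the `openssl` binary (1.1) and the library Apache links against (1.0) are different versions.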

