[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default

Package: apache2
Version: 2.4.38-3


I was expecting TLS 1.0 and 1.1 to be disabled, since that's the
OpenSSL default. But it seems that apache2 always calls
SSL_CTX_set_min_proto_version, with the lowest version that's
enabled in the config file, even if the config file doesn't
doesn't actually set it.

Could you change the default to:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

It might not fix it for everybody. I have an
/etc/letsencrypt/options-ssl-apache.conf file that also has an
SSLProtocol line in it.


Reply to: