Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Package: apache2
Version: 2.4.38-3
Hi,
I was expecting TLS 1.0 and 1.1 to be disabled, since that's the
OpenSSL default. But it seems that apache2 always calls
SSL_CTX_set_min_proto_version, with the lowest version that's
enabled in the config file, even if the config file doesn't
actually set it.
Could you change the default to:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
It might not fix it for everybody. I have an
/etc/letsencrypt/options-ssl-apache.conf file that also has an
SSLProtocol line in it.
Kurt
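
The report's two points (the lowest version a directive leaves enabled becomes the server minimum, and a second file can carry its own SSLProtocol line) can be checked with a small audit script. This is an added example, not part of the original report and not apache2 or mod_ssl code. It assumes a simplified model of the directive syntax: "all" expands to every version in the list, +/- tokens add or remove, a bare token replaces. The file contents and the names example-ssl.conf and proposed.conf are constructed.

```python
import re
# Oldest to newest. Assumption of this sketch: "all" expands to every entry here.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(args):
    """Evaluate the arguments of one SSLProtocol line into a set of versions."""
    by_name = {v.lower(): v for v in VERSIONS}
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "sslv2" and sign == "-":
            continue                  # removing SSLv2 changes nothing in this model
        if name == "all":
            chosen = set(VERSIONS)
        elif name in by_name:
            chosen = {by_name[name]}
        else:
            raise ValueError(f"unsupported protocol token: {token!r}")
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen          # a bare token replaces what was set so far
    return enabled

def audit(configs):
    """Return (file, line number, lowest enabled, legacy still enabled) per directive."""
    findings = []
    for path, text in configs.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if match:
                enabled = enabled_protocols(match.group(1))
                lowest = next((v for v in VERSIONS if v in enabled), None)
                findings.append((path, line_no, lowest, sorted(enabled & LEGACY)))
    return findings

# Constructed sample contents; the file names are labels only.
SAMPLE = {
    "example-ssl.conf": "# default\nSSLProtocol all -SSLv3\n",
    "/etc/letsencrypt/options-ssl-apache.conf": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "proposed.conf": "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n",
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each directive is reported separately because a stricter default in one file does not change an SSLProtocol line that another file sets.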