Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default

To: submit@bugs.debian.org
Subject: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
From: Kurt Roeckx <kurt@roeckx.be>
Date: Thu, 24 Oct 2019 17:50:50 +0200
Message-id: <[🔎] 20191024155050.GA22125@roeckx.be>
Reply-to: Kurt Roeckx <kurt@roeckx.be>, 943415@bugs.debian.org

Package: apache2
Version: 2.4.38-3

Hi,

I was expecting TLS 1.0 and 1.1 to be disabled, since that's the
OpenSSL default. But it seems that apache2 always calls
SSL_CTX_set_min_proto_version, with the lowest version that's
enabled in the config file, even if the config file doesn't
doesn't actually set it.

Could you change the default to:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

It might not fix it for everybody. I have an
/etc/letsencrypt/options-ssl-apache.conf file that also has an
SSLProtocol line in it.


Kurt

Reply to:

Prev by Date: ☝ Enkel onze bevoorrechte relaties, tips die altijd nuttig zijn.
Next by Date: Apache suddenly downloads PHP instead of executing it ... but only on one virtual site?
Previous by thread: ☝ Enkel onze bevoorrechte relaties, tips die altijd nuttig zijn.
Next by thread: Apache suddenly downloads PHP instead of executing it ... but only on one virtual site?
Index(es):
- Date
- Thread