[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#951067: apache2: unable to disable TLSv1

Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important

Dear Maintainer,

it is not possible to get rid of TLS v1. This is no duplicate of #925061, I think.

What I tried:

removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
edited etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"

# apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.3 +TLSv1.2
  SSLProtocol all -SSLv2 -SSLv3
Syntax OK

=> something is enabling TLSv1 again after all config files were parsed. So...

# find /etc/apache2/ | xargs grep SSLProtocol
grep: /etc/apache2/: Is a directory
grep: /etc/apache2/mods-enabled: Is a directory
/etc/apache2/mods-enabled/ssl.conf:     SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-enabled: Is a directory
grep: /etc/apache2/conf-available: Is a directory
/etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/mods-available: Is a directory
/etc/apache2/mods-available/ssl.conf:   SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-available: Is a directory
grep: /etc/apache2/conf-enabled: Is a directory
/etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2

=> TLSv1 is re-enabled no matter what the config files say.

-- Package-specific info:

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u2
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  perl                     5.28.1-6
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off

/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
	# Pseudo Random Number Generator (PRNG):
	# Configure one or more sources to seed the PRNG of the SSL library.
	# The seed data should be of good random quality.
	# WARNING! On some platforms /dev/random blocks if not enough entropy
	# is available. This means you then cannot use the /dev/random device
	# because it would lead to very long connection times (as long as
	# it requires to make more entropy available). But usually those
	# platforms additionally provide a /dev/urandom device which doesn't
	# block. So, if available, use this one instead. Read the mod_ssl User
	# Manual for more details.
	SSLRandomSeed startup builtin
	SSLRandomSeed startup file:/dev/urandom 512
	SSLRandomSeed connect builtin
	SSLRandomSeed connect file:/dev/urandom 512
	##  SSL Global Context
	##  All SSL configuration in this context applies both to
	##  the main server and all SSL-enabled virtual hosts.
	#   Some MIME-types for downloading Certificates and CRLs
	AddType application/x-x509-ca-cert .crt
	AddType application/x-pkcs7-crl	.crl
	#   Pass Phrase Dialog:
	#   Configure the pass phrase gathering process.
	#   The filtering dialog program (`builtin' is a internal
	#   terminal dialog) has to provide the pass phrase on stdout.
	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
	#   Inter-Process Session Cache:
	#   Configure the SSL Session Cache: First the mechanism 
	#   to use and second the expiring timeout (in seconds).
	#   (The mechanism dbm has known memory leaks and should not be used).
	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
	SSLSessionCacheTimeout  300
	#   Semaphore:
	#   Configure the path to the mutual exclusion semaphore the
	#   SSL engine uses internally for inter-process synchronization. 
	#   (Disabled by default, the global Mutex directive consolidates by default
	#   this)
	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate. See the
	#   ciphers(1) man page from the openssl package for list of all available
	#   options.
	#   Enable only secure ciphers:
	SSLCipherSuite HIGH:!aNULL
	# SSL server cipher order preference:
	# Use server priorities for cipher algorithm choice.
	# Clients may prefer lower grade encryption.  You should enable this
	# option if you want to enforce stronger encryption, and can afford
	# the CPU cost, and did not override SSLCipherSuite in a way that puts
	# insecure ciphers first.
	# Default: Off
	#SSLHonorCipherOrder on
	#   The protocols to enable.
	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
	#   SSL v2  is no longer supported
	SSLProtocol -all +TLSv1.3 +TLSv1.2
	#   Allow insecure renegotiation with clients which do not yet support the
	#   secure renegotiation protocol. Default: Off
	#SSLInsecureRenegotiation on
	#   Whether to forbid non-SNI clients to access name based virtual hosts.
	#   Default: Off
	#SSLStrictSNIVHostCheck On

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
	ServerName heli.tuxfriends.net
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =heli.tuxfriends.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

-- no debconf information

Reply to: