Bug#951067: apache2: unable to disable TLSv1
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important
Dear Maintainer,
it is not possible to get rid of TLS v1. This is no duplicate of #925061, I think.
What I tried:
removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
edited etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
Result:
# apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3
Syntax OK
=> something is enabling TLSv1 again after all config files were parsed. So...
# find /etc/apache2/ | xargs grep SSLProtocol
grep: /etc/apache2/: Is a directory
grep: /etc/apache2/mods-enabled: Is a directory
/etc/apache2/mods-enabled/ssl.conf: SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-enabled: Is a directory
grep: /etc/apache2/conf-available: Is a directory
/etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/mods-available: Is a directory
/etc/apache2/mods-available/ssl.conf: SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-available: Is a directory
grep: /etc/apache2/conf-enabled: Is a directory
/etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
=> TLSv1 is re-enabled no matter what the config files say.
-- Package-specific info:
-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.38-3+deb10u3
ii apache2-data 2.4.38-3+deb10u3
ii apache2-utils 2.4.38-3+deb10u3
ii dpkg 1.19.7
ii lsb-base 10.2019051400
ii mime-support 3.62
ii perl 5.28.1-6
ii procps 2:3.3.15-2
Versions of packages apache2 recommends:
ii ssl-cert 1.0.39
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.6.5-1+b1
ii libaprutil1 1.6.1-4
ii libaprutil1-dbd-sqlite3 1.6.1-4
ii libaprutil1-ldap 1.6.1-4
ii libbrotli1 1.0.7-2
ii libc6 2.28-10
ii libcurl4 7.64.0-4
ii libjansson4 2.12-1
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u1
ii liblua5.2-0 5.2.4-1.1+b2
ii libnghttp2-14 1.36.0-2+deb10u1
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1d-0+deb10u2
ii libxml2 2.9.4+dfsg1-7+b3
ii perl 5.28.1-6
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.38-3+deb10u3
ii apache2-bin 2.4.38-3+deb10u3
-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Disabled by default, the global Mutex directive consolidates by default
# this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:!aNULL
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
#SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol -all +TLSv1.3 +TLSv1.2
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
ServerName heli.tuxfriends.net
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =heli.tuxfriends.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
-- no debconf information
Reply to: