Bug#951067: apache2: unable to disable TLSv1

To: 951067@bugs.debian.org
Subject: Bug#951067: apache2: unable to disable TLSv1
From: MichaIng <micha@dietpi.com>
Date: Thu, 22 Apr 2021 11:30:09 +0200
Message-id: <[🔎] f654fd6d-f4c1-0d05-a144-b812381c910f@dietpi.com>
Reply-to: MichaIng <micha@dietpi.com>, 951067@bugs.debian.org
References: <158134870490.4990.13795751744438783892.reportbug@heli>

I think "all" cannot be used like that.

From the docs:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

"all" is an alias for "+SSLv3 +TLSv1 +...", so while the raw config filesyntax is fine, internally "-all" is probably seen as invalid andreplaced by the default "SSLProtocol all -SSLv2 -SSLv3" you see as lastline in the config dump, but not as part of any config file.

Using "-all" generally doesn't make much sense. If you want to override(=remove) all previously added protocols, skip the "+" for the firstnamed one.


-------
SSLProtocol TLSv1.2 +TLSv1.3
-------

The +/- behaviour is explained at the SSLOptions section of the docs:https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions


Best regards,

Micha

Reply to:

Prev by Date: Bug#987156: mod_ssl depends on mod_setenvif while it does not
Next by Date: Bug#987245: apache2: After=network.target should be After=network-online.target
Previous by thread: Bug#987245: apache2: After=network.target should be After=network-online.target
Next by thread: Processing of apache2_2.4.47-1_sourceonly.changes
Index(es):
- Date
- Thread