Bug#987156: mod_ssl depends on mod_setenvif while it does not
On 19.04.2021 at 23:49, Stefan Fritsch wrote:
On 18.04.21 at 17:10, MichaIng wrote:
The dependency is declared in /etc/apache2/mods-available/ssl.load and
is a Debian packaging thing, not relevant to upstream.
Now I see the "comment" in the .load files, thanks for the hint!
I think it has been used for some workarounds for the MS internet
explorer. It's still in sites-enabled/default-ssl.conf, but it's
commented out nowadays. If the dependency is removed, the commented out
section should be removed, too.
That is true; here is the section:
-------
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
-------
Although I've never seen this default-ssl.conf being used, not even as
starting point, but replaced, e.g. by Certbot's 000-default-le-ssl.conf,
I agree that also with that section commented, either the dependency
needs to be kept, or a note added that it's required for the used
"BrowserMatch" directive.
But as this refers to ancient MS Internet Explorer 2-6, which suffer from
many issues apart from TLS with modern websites, IMO it should be simply
removed. Keeping a module dependency only for a single commented
directive, addressing ancient brain-dead browser versions, doesn't seem
reasonable.
A merge request would go here?
https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/config-dir/sites-available/default-ssl.conf
There we see that you commented that workaround > 5 years ago, which was
the last touch of that file.
Off-topic: Generally the default-ssl.conf could benefit from some
updates, explaining or using more common/modern TLS directives as
replacement for old/uncommon ones, like disabling or re-enabling the now
deprecated TLSv1.0 and TLSv1.1 protocols or enabling HSTS and/or OCSP
stapling. This would double with mods-available/ssl.conf, but I've
rarely seen admins editing the module config files; they take these as
defaults to override with vhost config instead.
Best regards,
Micha
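As an added illustration of the "more common/modern TLS directives" suggested above (this is not Debian's default-ssl.conf and not part of the thread), a minimal TLS vhost that disables TLSv1.0/1.1, enables OCSP stapling and sets HSTS. The hostname and certificate paths are placeholders; like the BrowserMatch/setenvif case discussed in the report, the HSTS directive needs another module (mod_headers), so it is guarded with IfModule rather than relying on an unstated dependency.

```apache
# Added example vhost, not the Debian default-ssl.conf.
# Apache does not allow comments on the same line as a directive,
# so every comment here sits on its own line.

# The stapling cache must be declared in server context, outside any
# <VirtualHost>. It needs a socache provider (mod_socache_shmcb).
<IfModule mod_socache_shmcb.c>
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Placeholder hostname and document root.
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Allow only TLS 1.2 and 1.3. The deprecated TLSv1.0 and TLSv1.1 are
    # switched off explicitly; to re-enable one for a documented legacy
    # client, add e.g. "+TLSv1.1" to this line in the vhost that needs it.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # OCSP stapling for this vhost; do not pass responder errors to
    # clients, which would otherwise see a failed handshake when the
    # CA's responder is temporarily unreachable.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # HSTS (two years, all subdomains). Requires mod_headers
    # ("a2enmod headers"); the guard keeps apache2 starting when the
    # module is not loaded, instead of failing on an unknown directive.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    </IfModule>
</VirtualHost>
</IfModule>
```

After enabling it, `apachectl configtest` reports any directive whose module is not loaded, which is exactly the failure mode a missing module dependency in the .load file would otherwise cause at startup.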