Bug#987156: mod_ssl depends on mod_setenvif while it does not

To: 987156@bugs.debian.org
Subject: Bug#987156: mod_ssl depends on mod_setenvif while it does not
From: MichaIng <micha@dietpi.com>
Date: Thu, 22 Apr 2021 11:12:25 +0200
Message-id: <[🔎] eee0bd7d-f4c0-9794-008a-0975e4b9ba31@dietpi.com>
Reply-to: MichaIng <micha@dietpi.com>, 987156@bugs.debian.org
In-reply-to: <[🔎] 8311da70-415b-be5b-5955-e72bab0df340@sfritsch.de>
References: <[🔎] bb0455fc-4c00-87d2-f899-d795219ac1fe@dietpi.com> <[🔎] 8311da70-415b-be5b-5955-e72bab0df340@sfritsch.de> <[🔎] bb0455fc-4c00-87d2-f899-d795219ac1fe@dietpi.com>

Am 19.04.2021 um 23:49 schrieb Stefan Fritsch:

Am 18.04.21 um 17:10 schrieb MichaIng:
The dependency is declared in /etc/apache2/mods-available/ssl.load andis a Debian packaging thing, not relevant to upstream.


Now I see the "comment" in the .load files, thanks for the hint!

I think it has been used for some workarounds for the MS internetexplorer. It's still in sites-enabled/default-ssl.conf, but it'scommented out nowadays. If the dependency is removed, the commented outsection should be removed, too.


That is true, here the section:
-------
# BrowserMatch "MSIE [2-6]" \
#		nokeepalive ssl-unclean-shutdown \
#		downgrade-1.0 force-response-1.0
-------

Although I've never seen this default-ssl.conf being used, not even asstarting point, but replaced, e.g. by Certbot's 000-default-le-ssl.conf,I agree that also with that section commented, either the dependencyneeds to be kept, or a note added that it's required for the used"BrowserMatch" directive.

But as this refers to ancient MS Internet Explorer 2-6, who suffer frommany issues apart from TLS with modern websites, IMO it should be simplyremoved. Keeping a module dependency only for a single commenteddirective, addressing ancient brain-dead browser versions, doesn't seemreasonable.

A merge request would go here?https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/config-dir/sites-available/default-ssl.confThere we see that you commented that workaround > 5 years ago, which wasthe last touch of that file.

Off-topic: Generally the default-ssl.conf could benefit from someupdates, explaining or using more common/modern TLS directives asreplacement for old/uncommon ones, like disabling or re-enabling the nowdeprecated TLSv1.0 and TLSv1.1 protocols or enabling HSTS and/or OCSPstapling. This would double with mods-available/ssl.conf, but I'verarely seen admins editing the modules config files, but taking these asdefaults to override with vhost config instead.


Best regards,

Micha

Reply to:

References:
- Bug#987156: mod_ssl depends on mod_setenvif while it does not
  - From: MichaIng <micha@dietpi.com>
- Bug#987156: mod_ssl depends on mod_setenvif while it does not
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#987245: apache2: After=network.target should be After=network-online.target
Next by Date: Bug#951067: apache2: unable to disable TLSv1
Previous by thread: Bug#987156: mod_ssl depends on mod_setenvif while it does not
Next by thread: Bug#174028: Projects
Index(es):
- Date
- Thread