Bullseye update from 2.4.56-1~deb11u2 to 2.4.59-1~deb11u1
Good morning,
we installed this update last week on our reverse proxies for our customers.
After the updates were installed, a customer claims that some of their (really really old) clients (Win7, Win8.1 with IE11) cannot connect to the reverse proxy site with https anymore. After downgrading apache2 back to 2.4.56 they were able to connect again.
We checked the https configuration (strict TLS v1.2) and found that configured ciphers weren't allowed anymore. Before the update the ciphers looked like:
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits
After the update:
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
So you can see the DHE ciphers were missing. After searching the internet I found https://bz.apache.org/bugzilla/show_bug.cgi?id=68863.
I didn't try the patch, but rather the DH tip in the certificate file. After including the DH in the certificate the problem was solved.
I think that this patch should be imported in the Debian package? Shall I open a bug report? I didn't find anything in the debian-apache bug-database.
Kind regards,
Andreas Schulz
Enterprise & Cyber Security Managed Security 2
Services DACH - Managed Cloud Services
Fujitsu Services GmbH
Konrad-Zuse-Str. 16, 74172, Neckarsulm, Germany
W https://www.fujitsu-services.com
Management: Robert Roiger, Michael Pries, Marcos Sanchez Urstadt, Lars Moscherosch
Registered office: Munich, Germany. Register court: Amtsgericht München, Reg. No. HRB 219577
Further information: https://fujitsu-services.com/impressum
Privacy notice: https://fujitsu-services.com/datenschutz
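
Added example (not part of the original mail and not code from Apache or Debian): a post-upgrade check in Python that diffs the two cipher listings quoted above and tests whether a certificate file contains a DH parameters block. The function names and the certificate stand-ins are constructed for illustration; the `-----BEGIN DH PARAMETERS-----` marker is the PEM header that `openssl dhparam` writes.

```python
import re

# The pre-update sslscan listing quoted in the mail (header line omitted).
BEFORE = """\
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits
"""
# The post-update listing in the mail is the same output minus the last two lines.
AFTER = "\n".join(BEFORE.splitlines()[:5])

# Constructed stand-in for an SSLCertificateFile without appended DH parameters.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
# The same file with a DH parameters block appended (body is a placeholder).
CERT_WITH_DH = CERT_ONLY + "-----BEGIN DH PARAMETERS-----\n(constructed)\n-----END DH PARAMETERS-----\n"

SUITE_LINE = re.compile(r"^\s*(?:Preferred|Accepted)\s+(TLSv[\d.]+|SSLv\d)\s+\d+\s+bits\s+(\S+)")

def parse_sslscan(text):
    """Return the set of (protocol, cipher) pairs a listing reports as offered."""
    return {m.groups() for m in map(SUITE_LINE.match, text.splitlines()) if m}

def lost_suites(before, after):
    """Suites offered before the upgrade that the server no longer offers."""
    return sorted(parse_sslscan(before) - parse_sslscan(after))

def has_dh_params(pem_text):
    """True if the PEM text contains a complete DH PARAMETERS block."""
    return bool(re.search(r"-----BEGIN DH PARAMETERS-----.+?-----END DH PARAMETERS-----",
                          pem_text, re.S))

def check_upgrade(before, after, cert_pem):
    """Findings a post-upgrade check would raise for this regression."""
    lost = lost_suites(before, after)
    findings = [f"no longer offered: {proto} {cipher}" for proto, cipher in lost]
    # OpenSSL names finite-field DHE suites "DHE-..."; ECDHE suites do not match.
    if any(c.startswith("DHE-") for _, c in lost) and not has_dh_params(cert_pem):
        findings.append("DHE suites lost and certificate file has no DH PARAMETERS block")
    return findings

if __name__ == "__main__":
    for finding in check_upgrade(BEFORE, AFTER, CERT_ONLY):
        print(finding)
```

Run against scans saved before and after a package upgrade, this flags the two DHE-RSA suites as lost, which is the change that locked out the legacy clients described in the mail.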