Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default

To: David Prévot <taffit@debian.org>, 943415@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>
Subject: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
From: Vincent Lefevre <vincent@vinc17.net>
Date: Thu, 17 Jul 2025 01:23:30 +0200
Message-id: <[🔎] 20250716232330.GA179261@qaa.vinc17.org>
Reply-to: Vincent Lefevre <vincent@vinc17.net>, 943415@bugs.debian.org
In-reply-to: <ZVS6YNDkC8CpYekw@persil.tilapin.org>
References: <20191024155050.GA22125@roeckx.be> <20191024155050.GA22125@roeckx.be> <ZVS6YNDkC8CpYekw@persil.tilapin.org> <20191024155050.GA22125@roeckx.be>

Control: found -1 2.4.63-1
Control: found -1 2.4.64-1
Control: tags -1 security

On 2023-11-15 13:32:32 +0100, David Prévot wrote:
> Le Thu, Oct 24, 2019 at 05:50:50PM +0200, Kurt Roeckx a écrit :
> > I was expecting TLS 1.0 and 1.1 to be disabled
> 
> Same here. Four years later, RFC 8996 (Deprecating TLS 1.0 and TLS 1.1)
> has been published and most clients have been updated, so could we
> please review the default SSLProtocol before Trixie gets released? 

I'm also wondering why they are still enabled by default...

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Processing of apache2_2.4.64-1_sourceonly.changes
Next by Date: Processed: Re: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Previous by thread: Processing of apache2_2.4.64-1_sourceonly.changes
Next by thread: Processed: Re: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Index(es):
- Date
- Thread