Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default

To: Vincent Lefevre <vincent@vinc17.net>
Cc: David Prévot <taffit@debian.org>, 943415@bugs.debian.org
Subject: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
From: Kurt Roeckx <kurt@roeckx.be>
Date: Thu, 17 Jul 2025 15:01:12 +0200
Message-id: <[🔎] aHj0GH5rAuwNDpKm@roeckx.be>
Reply-to: Kurt Roeckx <kurt@roeckx.be>, 943415@bugs.debian.org
In-reply-to: <[🔎] 20250716232330.GA179261@qaa.vinc17.org>
References: <20191024155050.GA22125@roeckx.be> <20191024155050.GA22125@roeckx.be> <ZVS6YNDkC8CpYekw@persil.tilapin.org> <[🔎] 20250716232330.GA179261@qaa.vinc17.org> <20191024155050.GA22125@roeckx.be>

On Thu, Jul 17, 2025 at 01:23:30AM +0200, Vincent Lefevre wrote:
> Control: found -1 2.4.63-1
> Control: found -1 2.4.64-1
> Control: tags -1 security
> 
> On 2023-11-15 13:32:32 +0100, David Prévot wrote:
> > Le Thu, Oct 24, 2019 at 05:50:50PM +0200, Kurt Roeckx a écrit :
> > > I was expecting TLS 1.0 and 1.1 to be disabled
> > 
> > Same here. Four years later, RFC 8996 (Deprecating TLS 1.0 and TLS 1.1)
> > has been published and most clients have been updated, so could we
> > please review the default SSLProtocol before Trixie gets released? 
> 
> I'm also wondering why they are still enabled by default...

Do you still see it enabled? As far as I know, OpenSSL now not
only requires you to enable the protocol, but also lower the security
level to 0 to be able to do TLs 1.0 and 1.1.


Kurt

Reply to:

References:
- Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
  - From: Vincent Lefevre <vincent@vinc17.net>

Prev by Date: Processed: Re: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Next by Date: apache2_2.4.65-1_sourceonly.changes ACCEPTED into unstable
Previous by thread: Processed: Re: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Next by thread: Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
Index(es):
- Date
- Thread