Bug#943415: apache2: Disable TLS 1.0 and 1.1 by default
On Thu, Jul 17, 2025 at 01:23:30AM +0200, Vincent Lefevre wrote:
> Control: found -1 2.4.63-1
> Control: found -1 2.4.64-1
> Control: tags -1 security
>
> On 2023-11-15 13:32:32 +0100, David Prévot wrote:
> > Le Thu, Oct 24, 2019 at 05:50:50PM +0200, Kurt Roeckx a écrit :
> > > I was expecting TLS 1.0 and 1.1 to be disabled
> >
> > Same here. Four years later, RFC 8996 (Deprecating TLS 1.0 and TLS 1.1)
> > has been published and most clients have been updated, so could we
> > please review the default SSLProtocol before Trixie gets released?
>
> I'm also wondering why they are still enabled by default...
Do you still see it enabled? As far as I know, OpenSSL now not
only requires you to enable the protocol, but also lower the security
level to 0 to be able to do TLs 1.0 and 1.1.
Kurt
Reply to: