
Re: Why no security update of apache2 concerning SSLv3?



On 2015-03-19 16:03:38 -0600, Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > The Debian default Apache2 configuration for ssl is in local-ssl and
> > > it configures the self-signed so called "snakeoil" certificates.
> > 
> > No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> > SSLProtocol line, which is the line that needs to be modified.
> 
> No, (I will just turn your reply around) that entry is commented out.

No, it is not commented out. The default in unstable is:

  SSLProtocol all -SSLv3

And the default in wheezy is:

  SSLProtocol all -SSLv2

You can check in apache2.2-common 2.2.22-13+deb7u4.

> It isn't an *active* part of the Debian configuration.  The local
> admin must actually do something.  Changing one commented out entry to
> another commented out entry is still a commented out entry.

Even if it were commented out by default, there could be two solutions:

1. The configuration tool could uncomment the entry and change it.

2. The default (i.e. hardcoded value) could be changed, if possible.

> (Although it should wake up the admin that they need to merge files if
> they modified it.  But I all too often see local admins simply keep
> their previous version of files without merging.  Look at all of the
> people with trouble after the sudo secure_path change for examples.)

Note that I suggested the change in the case the file was *not*
modified. The admin I was mentioning wanted to keep Debian's
default (i.e. without any local change).

> The /etc/apache2/mods-available/ssl.conf doesn't need to be modified by
> the local admin because the cipher list there is commented out.

No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:

  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
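The thread turns on whether the SSLProtocol line in ssl.conf is active and whether it drops SSLv3. The following audit script is an added example and is not part of the original message or of Debian's apache2 packaging; the sample config fragments it creates are constructed to mirror the two defaults quoted above (wheezy: `all -SSLv2`, unstable: `all -SSLv3`) plus a commented-out variant, and the function and file names are the example's own.

```shell
# Report SSLv3 status from an Apache ssl.conf fragment (added example, not Debian code).
# Output: "sslv3-enabled", "sslv3-disabled", or "not-set" (directive absent or
# commented out, so mod_ssl's compiled-in default applies instead).
sslv3_status() {
  file="$1"
  # Only uncommented directives count; Apache lets the last one win.
  line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$file" | tail -n 1)
  [ -n "$line" ] || { echo "not-set"; return 0; }
  enabled=no
  set -- $line   # split into tokens; $1 is the directive name itself
  shift
  for tok in "$@"; do
    tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
    case "$tok" in
      -sslv3) echo "sslv3-disabled"; return 0 ;;   # explicit removal wins
      all|+all|sslv3|+sslv3) enabled=yes ;;        # 'all' or SSLv3 named
    esac
  done
  if [ "$enabled" = yes ]; then echo "sslv3-enabled"; else echo "sslv3-disabled"; fi
}

# Constructed sample fragments (hypothetical paths, not the real package files).
TMPD=$(mktemp -d)
WHEEZY_CONF="$TMPD/wheezy-ssl.conf"
SID_CONF="$TMPD/sid-ssl.conf"
COMMENTED_CONF="$TMPD/commented-ssl.conf"
cat >"$WHEEZY_CONF" <<'EOF'
<IfModule mod_ssl.c>
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</IfModule>
EOF
cat >"$SID_CONF" <<'EOF'
<IfModule mod_ssl.c>
  SSLProtocol all -SSLv3
</IfModule>
EOF
cat >"$COMMENTED_CONF" <<'EOF'
<IfModule mod_ssl.c>
  #SSLProtocol all -SSLv3
</IfModule>
EOF

for f in "$WHEEZY_CONF" "$SID_CONF" "$COMMENTED_CONF"; do
  printf '%s: %s\n' "$f" "$(sslv3_status "$f")"
done
```

Point it at /etc/apache2/mods-available/ssl.conf on a real host to see which of the three cases applies there.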