Re: Why no security update of apache2 concerning SSLv3?

To: debian-user@lists.debian.org
Subject: Re: Why no security update of apache2 concerning SSLv3?
From: Vincent Lefevre <vincent@vinc17.net>
Date: Fri, 20 Mar 2015 13:45:13 +0100
Message-id: <[🔎] 20150320124513.GA5086@ypig.lip.ens-lyon.fr>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20150319155327663772773.NoCcsPlease@bob.proulx.com>
References: <[🔎] 20150312120039.GE10276@ypig.lip.ens-lyon.fr> <[🔎] 20150312135546.GM8183@well-adjusted.de> <[🔎] 20150312162633.GA14080@ypig.lip.ens-lyon.fr> <[🔎] 20150312123818421639708.NoCcsPlease@bob.proulx.com> <[🔎] 20150318000347.GA24744@xvii.vinc17.org> <[🔎] 20150319155327663772773.NoCcsPlease@bob.proulx.com>

On 2015-03-19 16:03:38 -0600, Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > The Debian default Apache2 configuration for ssl is in local-ssl and
> > > it configures the self-signed so called "snakeoil" certificates.
> > 
> > No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> > SSLProtocol line, which is the line that needs to be modified.
> 
> No, (I will just turn your reply around) that entry is commented out.

No, it is not commented out. The default in unstable is:

  SSLProtocol all -SSLv3

And the default in wheezy is:

  SSLProtocol all -SSLv2

You can check in apache2.2-common 2.2.22-13+deb7u4.

> It isn't an *active* part of the Debian configuration.  The local
> admin must actually do something.  Changing one commented out entry to
> another commented out entry is still a commented out entry.

Even if it were commented out by default, there could be two solutions:

1. The configuration tool could uncomment the entry and change it.

2. The default (i.e. hardcoded value) could be changed, if possible.

> (Although it should wake up the admin that they need to merge files if
> they modified it.  But I all too often see local admins simply keep
> their previous version of files without merging.  Look at all of the
> people with trouble after the sudo secure_path change for examples.)

Note that I suggested the change in the case the file was *not*
modified. The admin I was mentioning wanted to keep Debian's
default (i.e. without any local change).

> The /etc/apache2/mods-available/ssl.conf doesn't need to be modifed by
> the local admin because the cipher list there is commented out.

No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:

  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Gene Heskett <gheskett@wdtv.com>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Bob Proulx <bob@proulx.com>

References:
- Why no security update of apache2 concerning SSLv3?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Jochen Spieker <ml@well-adjusted.de>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Bob Proulx <bob@proulx.com>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Why no security update of apache2 concerning SSLv3?
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: TrueType Hebrew fonts have stopped working in libreoffice writer
Next by Date: searching for a "structure viewer" tool
Previous by thread: Re: Why no security update of apache2 concerning SSLv3?
Next by thread: Re: Why no security update of apache2 concerning SSLv3?
Index(es):
- Date
- Thread