https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
Bug ID: 60739
Summary: SSLProtocol settings seem to have no effect
Product: Apache httpd-2
Version: 2.4.25
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Changes in SSLProtocol seem to be ignored.
This can be observed in all SSL testers I've used.
The testssl script provides an easy way to check this, without having to wait
for minutes (like SSLLabs) for output.
Problem can be shown via...
testssl --protocols https://davidfavor.com/
Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.
My goal == disable TLS 1.0 for some of my hosting clients who have PCI
requirements for this level of TLS to be disabled.
None of these permutations work. In fact, I can't find any SSLProtocol setting
which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS
versions are enabled.
Settings tried, that fail to disable TLSv1...
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SLProtocol -All +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
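An added example, not part of the original report and not mod_ssl code: a small offline evaluator that computes which protocols each SSLProtocol value listed in the report should enable, so the expected result can be compared with what testssl prints. It assumes tokens are applied left to right, that a bare token replaces the current set, that `all` covers SSLv3 through TLSv1.2 on this build, and that `-SSLv2` is a no-op; `effective_protocols` and `check_tried` are hypothetical names.

```python
# Added example: evaluates SSLProtocol values offline. Not mod_ssl code.
# Assumption: "all" means SSLv3..TLSv1.2 on httpd 2.4.25 + OpenSSL 1.0.2.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BY_LOWER = {p.lower(): p for p in KNOWN}

# Directive values copied from the settings listed in the report.
TRIED = [
    "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "-All TLSv1.2",
    "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "all -SSLv2 -SSLv3 -TLSv1",
    "-all +TLSv1.2",
    "TLSv1.2 -TLSv1",
    "TLSv1.2",
    "-All +TLSv1.1 +TLSv1.2",
]

def effective_protocols(value):
    """Return the set of protocols an SSLProtocol value should enable."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        key = (token[1:] if action else token).lower()
        if key == "sslv2" and action == "-":
            continue  # assumption: removing SSLv2 changes nothing
        if key == "all":
            selected = set(KNOWN)
        elif key in BY_LOWER:
            selected = {BY_LOWER[key]}
        else:
            raise ValueError("unknown protocol token: %r" % token)
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # bare token replaces what came before
    return enabled

def check_tried():
    """Map each value from the report to the protocols it should enable."""
    return {value: effective_protocols(value) for value in TRIED}

if __name__ == "__main__":
    for value, protos in check_tried().items():
        verdict = "TLSv1 on" if "TLSv1" in protos else "TLSv1 off"
        print("%-36s -> %s (%s)" % (value, ", ".join(sorted(protos)), verdict))
```

Under these assumptions every value from the report evaluates to a set without TLSv1, which is the result the reporter expected testssl to show.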