Your message dated Fri, 2 Dec 2022 22:46:35 +0100
with message-id <[email protected]>
and subject line Closed due to incorrect use of the option
has caused the Debian Bug report #951067,
regarding apache2: unable to disable TLSv1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
951067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951067
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important

Dear Maintainer,

it is not possible to get rid of TLS v1. This is no duplicate of #925061, I think.

What I tried:
removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
edited etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"

Result:

# apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3
Syntax OK

=> something is enabling TLSv1 again after all config files were parsed. So...

# find /etc/apache2/ | xargs grep SSLProtocol
grep: /etc/apache2/: Is a directory
grep: /etc/apache2/mods-enabled: Is a directory
/etc/apache2/mods-enabled/ssl.conf:	SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-enabled: Is a directory
grep: /etc/apache2/conf-available: Is a directory
/etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/mods-available: Is a directory
/etc/apache2/mods-available/ssl.conf:	SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-available: Is a directory
grep: /etc/apache2/conf-enabled: Is a directory
/etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2

=> TLSv1 is re-enabled no matter what the config files say.
-- Package-specific info:

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u2
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  perl                     5.28.1-6
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off

/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    SSLCipherSuite HIGH:!aNULL

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption. You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    #SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2 is no longer supported
    SSLProtocol -all +TLSv1.3 +TLSv1.2

    # Allow insecure renegotiation with clients which do not yet support the
    # secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    # Whether to forbid non-SNI clients to access name based virtual hosts.
    # Default: Off
    #SSLStrictSNIVHostCheck On

</IfModule>

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
    ServerName heli.tuxfriends.net
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =heli.tuxfriends.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

-- no debconf information
--- End Message ---
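The DUMP_CONFIG output the reporter grepped also carries, for each directive, a "# In file: PATH" marker and a "#   N:" line-number marker from mod_info, which the grep discards; keeping them and tracking the enclosing <VirtualHost> shows where a third SSLProtocol comes from and what it leaves enabled. The following is an added example, not code from the bug report or from the apache2 package: the sample dump is constructed with placeholder paths, the annotation format and the expansion of "all" for this build are assumptions, and the token rules ('+x' adds, '-x' removes, a bare name replaces the set) follow mod_ssl's documented SSLProtocol syntax.

```python
# Assumed expansion of "all" for this apache2/OpenSSL 1.1.1 build (TLSv1.3 included).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

def effective_protocols(args):
    """mod_ssl token rules: '+x' adds, '-x' removes, bare name replaces, 'all' = ALL."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if action == "-":
            enabled -= names  # '-SSLv2' passes "Syntax OK" as a harmless no-op
        elif names <= set(ALL_PROTOCOLS):
            enabled = (enabled | names) if action == "+" else names
        else:
            raise ValueError("unsupported protocol in SSLProtocol: " + tok)
    return tuple(p for p in ALL_PROTOCOLS if p in enabled)

def ssl_protocol_directives(dump):
    """List every SSLProtocol in DUMP_CONFIG output with file, line, vhost and result."""
    found, path, lineno, vhost = [], None, None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("# In file: "):          # assumed mod_info source-file marker
            path = line[len("# In file: "):]
        elif line.startswith("#") and line[1:].strip().rstrip(":").isdigit():
            lineno = int(line[1:].strip().rstrip(":"))  # assumed "#   70:" line marker
        elif line.lower().startswith("<virtualhost"):
            vhost = line
        elif line.lower().startswith("</virtualhost"):
            vhost = None
        elif line.lower().startswith("sslprotocol "):
            args = line.split(None, 1)[1]
            found.append({"file": path, "line": lineno, "vhost": vhost,
                          "args": args, "enabled": effective_protocols(args)})
    return found

# Constructed sample of `apache2ctl -t -D DUMP_CONFIG` output; paths are placeholders.
SAMPLE_DUMP = """\
# In file: /etc/apache2/mods-enabled/ssl.conf
#   70:
SSLProtocol -all +TLSv1.3 +TLSv1.2
# In file: /etc/apache2/sites-enabled/example-ssl.conf
#   1:
<VirtualHost *:443>
# In file: /etc/example/extra-ssl.conf
#   8:
  SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
```

Run `ssl_protocol_directives(SAMPLE_DUMP)` (or feed it the real dump read from stdin) and the second entry reports a vhost-scoped "all -SSLv2 -SSLv3" that still enables TLSv1 and TLSv1.1, together with the file it was included from.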
--- Begin Message ---
Closed due to incorrect use of the option, not a bug.
--- End Message ---

