Package: apache2
Version: 2.4.38-2
Severity: important

Dear Maintainer,

I wanted to get an A+ rating on ssllabs.com, so I tried to disable all SSLProtocols except for TLS1.2. Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it states "SSLProtocol TLSv1.2", which should disable all SSLProtocols except for TLS1.2, but TLS1.0 and TLS1.1 are still active, as seen with nmap:

# nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:

On the Apache Bugtracker it appears that apache itself does not have that problem, but it has something to do with the deb package for Debian and Ubuntu:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

Tried with stretch-stable first, updated to testing because reportbug told me there is a newer version.

I would really appreciate it if someone else is able to reproduce this problem and figure out what is going on.

Best,
Thomas

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-2
ii  apache2-data   2.4.38-2
ii  apache2-utils  2.4.38-2
ii  dpkg           1.18.25
ii  lsb-base       10.2019031300
ii  mime-support   3.62
ii  perl           5.24.1-3+deb9u5
ii  procps         2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-3+b2
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b2
ii  libaprutil1-ldap         1.6.1-3+b2
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-8
ii  libcurl4                 7.64.0-1
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1b-1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.38-2
ii  apache2-bin  2.4.38-2

-- Configuration Files:
/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache        dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    SSLProtocol TLSv1.2

    # Allow insecure renegotiation with clients which do not yet support the
    # secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    # Whether to forbid non-SNI clients to access name based virtual hosts.
    # Default: Off
    #SSLStrictSNIVHostCheck On

</IfModule>

/etc/apache2/ports.conf changed:
Listen 80

<IfModule ssl_module>
    Listen 443
    Listen 5000
    Listen 5001
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName itmns.at

    ServerAdmin webmas...@itmns.at
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =itmns.at
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

-- no debconf information
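The report above sets SSLProtocol once, in the global mod_ssl context, and then finds TLS1.0/1.1 still offered. Before attributing that to the package, the first thing to rule out is a <VirtualHost> that carries its own SSLProtocol line, because a per-vhost SSLProtocol overrides the global one for that vhost. The script below is an added example written for this bug report, not code from the report or from Debian: it walks an Apache configuration, records the literal SSLProtocol value in the global context and in each <VirtualHost>, resolves the effective protocol set per context (vhost value, else global value, else mod_ssl's default, assumed here to be "all -SSLv3"), and flags every context that still admits SSLv3, TLSv1 or TLSv1.1. The sample configuration is constructed: it reuses the reporter's global "SSLProtocol TLSv1.2" plus a hypothetical vhost on port 5000 (the report's ports.conf listens there, but no such vhost is shown) that overrides it. The TLSv1.3 keyword is included as an assumption about httpd 2.4.38 built against OpenSSL 1.1.1.

```python
import re
from typing import Dict, List, Optional, Set

# Protocol keywords mod_ssl accepts. The reporter's ssl.conf lists all, SSLv3, TLSv1,
# TLSv1.1 and TLSv1.2; TLSv1.3 is added on the assumption that httpd 2.4.38 with
# OpenSSL 1.1.1 (the versions in the report) accepts it too.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
GLOBAL = "<global>"

# Assumed mod_ssl default used when no SSLProtocol is set anywhere.
DEFAULT_SSL_PROTOCOL = "all -SSLv3"

# Constructed sample, not a file from the report: the reporter's global setting, a
# vhost on 443 that inherits it, and a hypothetical vhost on port 5000 that overrides it.
SAMPLE_CONFIG = """\
<IfModule mod_ssl.c>
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    #   The protocols to enable.
    SSLProtocol TLSv1.2
</IfModule>

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>

<VirtualHost *:5000>
    ServerName legacy.example.test
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
"""

_OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE_TAG = re.compile(r"^</(\w+)>$")


def expand_protocols(value: str) -> Set[str]:
    """Resolve an SSLProtocol argument ('TLSv1.2', 'all -SSLv3 -TLSv1', '+TLSv1.2 +TLSv1.3')
    into the set of protocols it enables, applying the tokens left to right."""
    enabled: Set[str] = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def ssl_protocol_by_context(config: str) -> Dict[str, Optional[str]]:
    """Map the global context and every <VirtualHost> to the literal SSLProtocol value
    set inside it, or None when that context sets none. Other containers such as
    <IfModule> do not change the context, so only </VirtualHost> ends a vhost."""
    contexts: Dict[str, Optional[str]] = {GLOBAL: None}
    current = GLOBAL
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN_TAG.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                current = f"VirtualHost {m.group(2).strip()}"
                contexts.setdefault(current, None)
            continue
        m = _CLOSE_TAG.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                current = GLOBAL
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "sslprotocol" and len(parts) == 2:
            contexts[current] = parts[1].strip()
    return contexts


def effective_protocols(config: str) -> Dict[str, Set[str]]:
    """What each context really allows: a vhost's own SSLProtocol wins, otherwise it
    inherits the global value, and the global context falls back to the default."""
    found = ssl_protocol_by_context(config)
    global_value = found[GLOBAL] or DEFAULT_SSL_PROTOCOL
    return {ctx: expand_protocols(value or global_value) for ctx, value in found.items()}


def weak_contexts(config: str) -> List[str]:
    """Contexts whose effective setting still admits SSLv3, TLSv1 or TLSv1.1."""
    return sorted(ctx for ctx, protos in effective_protocols(config).items()
                  if protos & LEGACY_PROTOCOLS)


if __name__ == "__main__":
    for ctx, protos in effective_protocols(SAMPLE_CONFIG).items():
        flag = "WEAK" if protos & LEGACY_PROTOCOLS else "ok"
        print(f"{flag:4} {ctx:22} {' '.join(sorted(protos))}")
```

To run it over a real tree, read and concatenate the files the reporter changed (mods-enabled/ssl.conf and sites-enabled/*) and pass the text to weak_contexts(). The check only finds explicit overrides; a case like the reporter's, where no vhost overrides the global line and the old protocols are still negotiated, can only be confirmed with a live probe such as the nmap ssl-enum-ciphers run in the report.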