Package: python3-certbot-apache
Version: 0.31.0-1
Severity: normal

Hello,

after installing a clean certbot with apache support, the
etc/letsencrypt/options-ssl-apache.conf does not disable TLS and TLS 1.1.
Also, a number of ciphers that are reported as weak are accepted.

A list of these weak ciphers (ssllabs test):
"
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
"

proposal:
"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and removing the above cipher suites from the config
"

hth,
Wim

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-certbot-apache depends on:
ii  apache2                 2.4.38-3+deb10u4
ii  certbot                 0.31.0-1+deb10u1
ii  python3                 3.7.3-1
ii  python3-acme            0.31.0-2
ii  python3-augeas          0.5.0-1
ii  python3-certbot         0.31.0-1+deb10u1
ii  python3-mock            2.0.0-4
ii  python3-pkg-resources   40.8.0-1
ii  python3-zope.component  4.3.0-1
ii  python3-zope.interface  4.3.2-1+b2

python3-certbot-apache recommends no packages.

Versions of packages python3-certbot-apache suggests:
pn  python-certbot-apache-doc  <none>

-- no debconf information
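
A way to check an Apache TLS options file for the two conditions reported above, as an added example that is not part of the report and not certbot's own code. The two sample configs are constructed for illustration (they are not the shipped options-ssl-apache.conf), the function names are hypothetical, and the check matches only cipher names written explicitly in SSLCipherSuite, not OpenSSL aliases such as HIGH.

```python
import re

# OpenSSL names (as written in SSLCipherSuite) of the 14 suites listed in the report.
REPORTED_WEAK = {
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256", "AES128-SHA", "AES256-SHA",
}
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # expansion of "all"
LEGACY = ("tlsv1", "tlsv1.1")

def last_directive(conf, name):
    """Arguments of the last uncommented `name` directive, or None."""
    args = None
    for line in conf.splitlines():
        m = re.match(r"\s*" + re.escape(name) + r"\s+(.+)", line, re.I)
        if m:
            args = m.group(1).split()
    return args

def audit(conf):
    """Return (legacy protocols still enabled, reported-weak ciphers still offered)."""
    enabled = set()
    # Assumption: when SSLProtocol is absent, treat it as "all -SSLv3".
    for tok in last_directive(conf, "SSLProtocol") or ["all", "-SSLv3"]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:                      # an unsigned token replaces the current set
            enabled = set(names)
    tokens = (last_directive(conf, "SSLCipherSuite") or [""])[-1].split(":")
    excluded = {t[1:] for t in tokens if t[:1] in ("!", "-")}
    weak = [t for t in tokens if t in REPORTED_WEAK and t not in excluded]
    return [p for p in LEGACY if p in enabled], weak

# Constructed sample: legacy protocols and two reported suites still offered.
SAMPLE_BEFORE = """\
# SSLProtocol TLSv1.2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:!DSS
"""
# Constructed sample using the SSLProtocol line proposed in the report.
SAMPLE_AFTER = """\
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""
```
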