Package: python3-certbot-apache
Version: 0.31.0-1
Severity: normal

Hello,

after installing a clean certbot with apache support,
the etc/letsencrypt/options-ssl-apache.conf 
does not disable TLS and TLS 1.1
also a number of ciphers that are reported as weak are accepted

a list of these weak ciphers (ssllabs test)
"
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK    128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK    256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK       128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK       256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS   WEAK   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS   WEAK      128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS   WEAK      256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK   128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
"

proposal:
"
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and removing the above cipher suites from the config
"

hth,
Wim

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-cloud-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-certbot-apache depends on:
ii  apache2                 2.4.38-3+deb10u4
ii  certbot                 0.31.0-1+deb10u1
ii  python3                 3.7.3-1
ii  python3-acme            0.31.0-2
ii  python3-augeas          0.5.0-1
ii  python3-certbot         0.31.0-1+deb10u1
ii  python3-mock            2.0.0-4
ii  python3-pkg-resources   40.8.0-1
ii  python3-zope.component  4.3.0-1
ii  python3-zope.interface  4.3.2-1+b2

python3-certbot-apache recommends no packages.

Versions of packages python3-certbot-apache suggests:
pn  python-certbot-apache-doc  <none>

-- no debconf information
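
Added example, not part of the original report or of certbot's code: a check for the two things the report raises, legacy protocol versions left enabled by SSLProtocol and suites in SSLCipherSuite that lack forward secrecy or AEAD (every suite listed above as WEAK lacks one or the other). The sample configs, the function names and the simplified SSLProtocol parsing are assumptions.

```python
# Added example: audit mod_ssl directives for legacy protocols and weak suites.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

def enabled_protocols(tokens):
    # Simplified model (assumption, not mod_ssl's own parser): "all" stands for
    # every version, "-X" removes X, "+X" or a bare X adds X.
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def weak_suites(cipher_string):
    # Assumes explicit OpenSSL suite names separated by ":"; "!" exclusions are
    # skipped. No ECDHE-/DHE- prefix means static RSA key exchange.
    findings = {}
    for name in cipher_string.split(":"):
        if not name or name.startswith("!"):
            continue
        reasons = []
        if not name.startswith(("ECDHE-", "DHE-")):
            reasons.append("no forward secrecy")
        if not any(marker in name for marker in AEAD_MARKERS):
            reasons.append("non-AEAD")
        if reasons:
            findings[name] = reasons
    return findings

def audit(conf_text):
    report = {"legacy_protocols": set(), "weak_suites": {}}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0].lower() == "sslprotocol":
            report["legacy_protocols"] = enabled_protocols(parts[1:]) & LEGACY
        elif parts[0].lower() == "sslciphersuite":
            report["weak_suites"] = weak_suites(parts[-1])
    return report

# Constructed samples (not the shipped options-ssl-apache.conf).
BEFORE = """SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA
"""
AFTER = """SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```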
