Package: python3-certbot-apache
Version: 1.10.1-1
Tags: security upstream patch
Hello,

letsencrypt apache configuration snippet contains:

SSLHonorCipherOrder off

which is:
1/ Apache default value
2/ The worst value

As a consequence, even if you upgraded your apache configuration, if you use letsencrypt, depending on the order of your includes, you may end up with your changes being overwritten with the worst possible value.

Please enable SSLHonorCipherOrder. Or at the very least stop resetting it!

You can have a look at /etc/apache2/mods-available/ssl.conf to understand the pros and cons.

Note that disabling that option results in web sites being flagged as unsecured by most tools. See testssl package and the result:

> Has server cipher order? no (NOT ok)

Attached is a (trivial) patch.

Thank you for maintaining this package.
Description: Don't force remove robust cipher order See /etc/apache2/mods-available/ssl.conf Author: Jean-Michel Vourgère <nir...@debian.org> Bug-Debian: https://bugs.debian.org/<bugnumber> Forwarded: no Reviewed-By: <name and email of someone who approved the patch> Last-Update: 2022-01-21 --- python-certbot-apache-1.10.1.orig/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf +++ python-certbot-apache-1.10.1/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf @@ -9,7 +9,7 @@ SSLEngine on # Intermediate configuration, tweak to your needs SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 -SSLHonorCipherOrder off -SSLHonorCipherOrder on SSLSessionTickets off SSLOptions +StrictRequire
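Review bot: the DEP-3 header still carries template placeholders (`Bug-Debian: https://bugs.debian.org/<bugnumber>` and `Reviewed-By: <name and email of someone who approved the patch>`); fill in the real bug number and reviewer, or drop the Reviewed-By field, before the patch goes into debian/patches. Also, `Forwarded: no` on a change to upstream's shipped TLS snippet (the file itself says `# Intermediate configuration, tweak to your needs`) means a permanent Debian-only divergence from what certbot writes; either forward it to the certbot project or state in Description why the deviation is kept locally. The hunk itself is straightforward: the SSLCipherSuite line lists only ECDHE/DHE AEAD suites, so flipping `SSLHonorCipherOrder off` to `on` makes the server's ordering authoritative without adding or removing any suite.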
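An added check, not part of this report or of certbot, that models the include-order problem the report describes: it walks an Apache configuration tree in Include order and reports which file last set SSLHonorCipherOrder. The file paths and contents are constructed, and the flat last-wins model is an assumption for illustration; per-VirtualHost scoping is not modelled.

```python
import fnmatch
import posixpath
import re

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)
# lower-cased name -> canonical spelling (Apache directive names are case-insensitive)
TRACKED = {d.lower(): d for d in ("SSLHonorCipherOrder", "SSLProtocol", "SSLCipherSuite")}

def _expand(pattern, root, tree):
    """Expand an Include argument (path or glob, relative to ServerRoot unless absolute)."""
    if not pattern.startswith("/"):
        pattern = posixpath.join(root, pattern)
    return sorted(p for p in tree if fnmatch.fnmatch(p, pattern))   # sorted, as Apache does

def effective_ssl_settings(tree, entry, root="/etc/apache2"):
    """Return {directive: (value, file, line)} for the LAST assignment of each tracked
    directive in include order. Assumed flat last-wins model; <VirtualHost> scoping ignored."""
    seen, stack = {}, []
    def walk(path):
        if path in stack:                      # refuse to follow an Include cycle
            return
        stack.append(path)
        for no, line in enumerate(tree[path].splitlines(), 1):
            inc = INCLUDE_RE.match(line)
            if inc:
                for child in _expand(inc.group(1), root, tree):
                    walk(child)
                continue
            m = DIRECTIVE_RE.match(line)
            if m and m.group(1).lower() in TRACKED:
                seen[TRACKED[m.group(1).lower()]] = (m.group(2), path, no)
        stack.pop()
    walk(entry)
    return seen

def cipher_order_honoured(tree, entry, root="/etc/apache2"):
    """(True/False, file that decided it); Apache's default when nothing sets it is 'off'."""
    value, path, _ = effective_ssl_settings(tree, entry, root).get(
        "SSLHonorCipherOrder", ("off", "<apache default>", 0))
    return value.lower() == "on", path

# Constructed sample tree mirroring the report: the admin's ssl.conf turns the option on,
# but a vhost later includes the certbot snippet, whose 'off' is read afterwards and wins.
SAMPLE_TREE = {
    "/etc/apache2/apache2.conf": "IncludeOptional mods-enabled/*.conf\nIncludeOptional sites-enabled/*.conf\n",
    "/etc/apache2/mods-enabled/ssl.conf": "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLHonorCipherOrder on\n",
    "/etc/apache2/sites-enabled/000-default-le-ssl.conf": "<VirtualHost *:443>\nSSLEngine on\nInclude /etc/letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n",
    "/etc/letsencrypt/options-ssl-apache.conf": "SSLHonorCipherOrder off\nSSLSessionTickets off\n",
}
```

Running `cipher_order_honoured(SAMPLE_TREE, "/etc/apache2/apache2.conf")` names the certbot snippet as the file that switched the option off; pointing `tree` at real file contents (for example via `Path.read_text`) turns this into a quick audit after each certbot run.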