Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3

2015-01-20 Thread Frédéric MASSOT

 Hi,

I could disable SSL3 and TLS1.0 with this line in the configuration of 
virtual hosts:


GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL


If I put this line in the file /etc/apache2/mods-enabled/gnutls.conf 
and not in virtual hosts, Apache will not restart and I have no error 
message.


I did a test with two virtual hosts using the same IP (SNI), the 
certificate is wildcard type, it is used by both virtual hosts. If I put 
on one of the virtual hosts the line GnuTLSPriorities 
NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL 
and for the other virtual hosts the line GnuTLSPriorities NORMAL, the 
second is not taken into account. SSL3 and TLS1.0 are not available for 
the second.



Regards.
--
==
|  FRÉDÉRIC MASSOT   |
| http://www.juliana-multimedia.com  |
|   mailto:frede...@juliana-multimedia.com   |
| +33.(0)2.97.54.77.94  +33.(0)6.67.19.95.69 |
===Debian=GNU/Linux===


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3

2014-11-05 Thread Jonas Smedegaard
What works¹ for me to disable SSLv3 was to add the following to 
/etc/apache2/mods-available/gnutls.conf:

GnuTLSPriorities NONE:!VERS-SSL3.0:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

That should cover not only Poodle but BEAST as well, according to 
http://www.g-loaded.eu/2011/09/27/mod_gnutls-rc4-cipher-beast/.


 - Jonas

¹ ...or actually only worked - last night I upgraded to Jessie and my 
Apache setup is currently broken.

-- 
 * Jonas Smedegaard - idealist  Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3

2014-10-15 Thread Frederic MASSOT
Package: libapache2-mod-gnutls
Version: 0.5.10-4
Followup-For: Bug #754960

Dear Maintainer,

With the POODLE bug, I tried disabling SSL3 and TLS1.0 in gnutls without 
success.

I tested an HTTPS test web site with the sslscan command and the site 
https://www.ssllabs.com/ssltest. I changed the GnuTLSPriorities directive 
without that changing the test results; it's always the same versions of SSL and 
TLS in the results. I feel that the GnuTLSPriorities directive has no effect.

I tested:
- GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL

- GnuTLSPriorities NONE:+VERS-TLS1.1:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

- GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC

- GnuTLSPriorities SECURE

- GnuTLSPriorities PERFORMANCE

Every time I restarted apache, the test results did not change.


Regards.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-3
ii  libapr-memcache0                    0.7.0-3
ii  libc6   2.19-11
ii  libgnutls26 2.12.23-17

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/gnutls.conf changed:
<IfModule mod_gnutls.c>
  # The default method is to use a DBM backed cache.  It's not super fast, but
  # it's portable and doesn't require another server to be running like
  # memcached
  #GnuTLSCache dbm /var/cache/apache2/gnutls_cache
  # mod_gnutls can optionally use a memcached server to store SSL sessions.
  # This is useful in a cluster environment, where you want all your servers to
  # share a single SSL session cache
  #GnuTLSCache memcache 127.0.0.1 server2.example.com server3.example.com
  GnuTLSCache memcache 127.0.0.1
</IfModule>


-- no debconf information





Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3

2014-07-16 Thread Olaf Zaplinski
Package: libapache2-mod-gnutls
Version: 0.5.10-1.1
Severity: normal

Dear Maintainer,

when I try to disable SSLv3 on one of my name-based virtual hosts with this 
line:

   GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1

the Qualys SSL Labs test still tells me that my site is offering SSLv3. Even 
worse, when I try:

   GnuTLSPriorities -VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1

because then no error is logged at an apache reload, but my site presents the 
wrong SSL certificate.


-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  libapr-memcache0  0.7.0-1
ii  libc6 2.13-38+deb7u3
ii  libgnutls26   2.12.20-8+deb7u2

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- Configuration Files:
/etc/apache2/sites-available/default-tls changed:
<IfModule mod_gnutls.c>
    GnuTLSCache none none
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory /usr/lib/cgi-bin>
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
        GnuTLSEnable On
        # GnuTLSKeyFile /etc/ssl/private/apache-new.key
        # GnuTLSCertificateFile /etc/ssl/certs/tuxfriends.net+cacert.pem
        GnuTLSKeyFile /etc/ssl/private/apache.key
        GnuTLSCertificateFile /etc/ssl/certs/binky.tuxfriends.net.pem
        GnuTLSPriorities NORMAL
    </VirtualHost>
</IfModule>


-- no debconf information


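As an added example (not code from this bug thread, from mod_gnutls or from GnuTLS), a small evaluator that works out which protocol versions each priority string quoted across the four messages above would leave enabled if mod_gnutls applied it as written. It assumes the four versions a libgnutls26-era library knows and that every initial keyword other than NONE starts from all of them, SSL3.0 included; a string with no initial keyword, like the second one in the original report, is rejected by design.

```python
"""Evaluate the protocol versions a GnuTLS priority string leaves enabled.
Added example, not GnuTLS or mod_gnutls code. Only VERS-* tokens are
modelled; cipher, MAC, key-exchange and compression tokens are ignored.
Assumed: the libgnutls26-era version list, and that every initial
keyword except NONE starts from all of it (SSL3.0 included)."""

ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
INITIAL_KEYWORDS = {"NONE", "NORMAL", "PERFORMANCE", "SECURE", "SECURE128", "SECURE256"}

def enabled_versions(priority):
    """Return the enabled versions, in ALL_VERSIONS order, as a tuple."""
    tokens = priority.split(":")
    keyword = tokens[0].upper()
    if keyword not in INITIAL_KEYWORDS:
        # Strict by design: a string with no initial keyword is rejected here.
        raise ValueError("no initial keyword in %r" % priority)
    enabled = set() if keyword == "NONE" else set(ALL_VERSIONS)
    banned = set()  # removed with '!': cannot be re-added by a later '+'
    for tok in tokens[1:]:
        if not tok or tok[0] not in "+-!" or not tok[1:].upper().startswith("VERS-"):
            continue  # %OPTION tokens and non-version algorithms do not matter here
        op, ver = tok[0], tok[1:].upper()[5:]
        if ver not in ALL_VERSIONS:
            raise ValueError("unknown protocol version in %r" % tok)
        if op == "+" and ver not in banned:
            enabled.add(ver)
        elif op in "-!":
            enabled.discard(ver)
            if op == "!":
                banned.add(ver)
    return tuple(v for v in ALL_VERSIONS if v in enabled)

def summarize(priorities):
    """Map each string to its version tuple, or to an 'error: ...' message."""
    result = {}
    for p in priorities:
        try:
            result[p] = enabled_versions(p)
        except ValueError as exc:
            result[p] = "error: %s" % exc
    return result

# Priority strings quoted in this bug thread.
THREAD_STRINGS = [
    "NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL",
    "NONE:!VERS-SSL3.0:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL",
    "NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL",
    "SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1",
    "-VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1",
]
```

It evaluates the string as written and cannot tell whether mod_gnutls actually applied it to the SNI-selected virtual host, which is what the first message reports, so confirm with an external scan as the reporters did.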