[Bug 1665151] Re: Apache ignores disable TLSv1.0
Apache + Debian here. I just ran grep -rnw '/etc' -e 'SSLCipherSuite' and found that /etc/apache2/mods-available/ssl.conf was overriding even the /etc/letsencrypt/options-ssl-apache.conf file. So I commented out some lines in ssl.conf (of mods-available) and tweaked everything in the options-ssl-apache.conf file. Works like a charm now... Hope it helps you!

-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1665151 Title: Apache ignores disable TLSv1.0 To manage notifications about this bug go to: https://bugs.launchpad.net/apache2/+bug/1665151/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1665151] Re: Apache ignores disable TLSv1.0
I could disable TLS 1.0 and 1.1 and only enable TLS 1.2 + 1.3 by doing this:

```
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES
```
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Comment #20 below fixed the issue - review the letsencrypt changes to the ssl.conf file and apache2 startup.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Comment #20 fixed the issue by updating the LetsEncrypt options file.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Comment #20 fixed my problem - people who disqualified it immediately need to pay attention!
[Bug 1665151] Re: Apache ignores disable TLSv1.0
This solved my problem - through SSL Labs I was getting a B with all my attempts at putting in anything - as soon as I updated the options-ssl-apache.conf file, BOOM! We got an A+ rating. Brad, you are awesome, and I think all the commentators below and above should try this out before disqualifying it... For anyone interested, I have Apache 2.18, the latest version, and it was still a problem. Well, not anymore. Thanks again!
[Bug 1665151] Re: Apache ignores disable TLSv1.0
So when will a "solution" come, or is there already one? If so, how? I'm just having a hard time wrapping my head around this. I didn't have this issue before I did a yearly reset on my server ~3 weeks ago. The support for TLSv1 & TLSv1.1 seems to end in 3 days and I need help getting this solved asap. Running Apache/2.4.6 (CentOS).
[Bug 1665151] Re: Apache ignores disable TLSv1.0
** Changed in: apache2 (Debian)
Status: Unknown => New
[Bug 1665151]
I can confirm I also experienced this issue on the same versions as reported, using Ubuntu 18.04 Server (Bionic).

In my instance I was using a single virtual host with a pre-defined certificate, and there was no combination of SSLProtocol setup vs SSLCipherSuite setting (described above), at any level, that would disable TLSv1/TLSv1.1, which are my (and probably many other people's) security requirements. I tried combinations of general SSL settings and down to virtual host level. No settings appeared to be honored regardless.

In terms of 'what to fix': well, I think there is enough information in the comments here to determine there is an issue between SSLProtocol and SSLCipherSuite, particularly as previous versions have been noted as working successfully. I would also note that this relationship is NOT documented (that I can find), and if this is determined to be configuration related, then clearer documentation and examples need to be provided.

Clearly people are spending time on this issue; a quick google indicates this is a wide issue. Unfortunately in my case I don't have any more time to spend working out what should be a 15 minute SSL setup on a web server. I will be switching to using NGINX and this will be my preferred setup until this issue can be resolved either in a fix or documentation.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
** Changed in: apache2
Status: Incomplete => Confirmed
[Bug 1665151] Re: Apache ignores disable TLSv1.0
I found that on the Debian bug nmap was used; for the sake of being different I tried it like:

$ nmap --script ssl-enum-ciphers -p 444 10.253.194.57 | grep TLSv

But the results match what I have seen with testssl.sh.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
And as asked there, this might help as well:

$ a2enmod info
$ systemctl restart apache2
$ apache2ctl -t -D DUMP_CONFIG|grep -i ssl
$ a2dismod info # if it hasn't been enabled before

That is slightly better info than my greps above, but still the same result. Here is my last config, trying to falsify the "default has to have TLSv1 to use it in others":

apache2ctl -t -D DUMP_CONFIG|grep -i ssl
# In file: /etc/apache2/mods-enabled/ssl.conf
Syntax OK
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLCipherSuite HIGH:!aNULL
SSLProtocol all -SSLv3
# In file: /etc/apache2/sites-enabled/custom1-ssl.conf
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SSLProtocol All -TLSv1 -TLSv1.1
# In file: /etc/apache2/sites-enabled/custom2-ssl.conf
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
# In file: /etc/apache2/sites-enabled/default-ssl.conf
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SSLProtocol All -TLSv1 -TLSv1.1
[Bug 1665151] Re: Apache ignores disable TLSv1.0
sabled on :443 and :444 but no effect on :445. I think this falsifies the statements, at least without further details being shared about them.

---

TL;DR: I can't recreate the issue :-/

But there are enough people on the bug that say "yes, that was it and ... helped me" to each other that I want to believe there is an issue we could help with. Other comments mentioned external config files like those dropped in by letsencrypt - any of those could affect the case.

Therefore I'm asking anyone affected to please help recreate the issue using the same method that I did:
1. taking a fresh container or VM (report the version you used please)
2. listing all commands to install packages
3. listing all commands to change config
4. listing the command to show the issue

Maybe that way it can be further debugged, but without that it is in fact incomplete. Some might be affected, but no one else can yet recreate/work on it.

** Changed in: apache2 (Ubuntu)
Status: Confirmed => Incomplete
[Bug 1665151] Re: Apache ignores disable TLSv1.0
** Changed in: apache2 (Ubuntu)
Status: Incomplete => Confirmed

** Bug watch added: Debian Bug tracker #925061
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925061

** Also affects: apache2 (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925061
Importance: Unknown
Status: Unknown
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Confirmed, many thanks Robin! I had the same problem; even when I removed the ciphers above, TLS1.0 was still active. I added a dummy default page without special cipher-suite and SSLProtocol configuration, with a subdomain which is not registered on public DNS (snakeoil cert). Now TLS1.0 has disappeared on my other virtualhosts. I'm using Apache 2.4.38 (Debian 10). Your post was really helpful to me, thanks a lot!
[Bug 1665151] Re: Apache ignores disable TLSv1.0
I had the same problem - had! It turns out that the SSLCipherSuite list on the default vHost (as reported by apachectl -D DUMP_VHOSTS) has to be capable of TLSv1.1 ciphers. It is also needed that the default vHost has TLSv1.1 enabled in order to use that on other vHosts. So, the default vHost is the key here. I can't believe that this should be correct. If I don't want to enable TLSv1.1 on the default but on the 3rd vHost, this must be working.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Many thanks Thomas! I was searching for hours why apache was not taking my SSL config into account. It is because the letsencrypt config was applied before my virtualhost config.
[Bug 1665151]
I found something in /etc/letsencrypt/options-ssl-apache.conf ...
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Upstream has closed this bug as Incomplete, so I'm doing the same for Ubuntu. I think part of the problem here is that different people are reporting different underlying causes that lead to similar symptoms. See https://bz.apache.org/bugzilla/show_bug.cgi?id=60739#c25. This particular bug now seems unfortunately unfixable because it isn't clear what exactly we'd be fixing, and others have chimed in with potentially different issues, muddling the whole affair. If you'd like to see something specific fixed in Ubuntu, I suggest you file a new bug with *exact* steps to reproduce, including all commands and configuration file edits required to demonstrate the problem in Ubuntu, details of Ubuntu release and package versions used, and so on. Anyone commenting "me too" should also then make it absolutely clear which set of reproduction instructions were used.

** Changed in: apache2 (Ubuntu)
Status: Confirmed => Incomplete
[Bug 1665151]
... and two more ciphers which "break the TLS 1.2-only" syntax for me:

DHE-RSA-AES128-SHA 0x33
DHE-RSA-AES256-SHA 0x39
[Bug 1665151]
... same if I add ECDHE-RSA-AES256-SHA (c014 instead of c013).
[Bug 1665151]
I have a similar problem with Ubuntu 18.04 (Apache 2.4.39 + openssl 1.1.0g) and it maybe sheds some light on this.

Protocol is always

SSLProtocol -All +TLSv1.2

SSLCipherSuite

1) ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256

2) ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256

The diff is ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-GCM-SHA256.

I played around a bit with those three (using testssl.sh) and it looked to me like when I enable ECDHE-RSA-AES128-SHA I have TLS 1.0 + 1.1. Which seems strange to me, but it is what I found. What is going on here?

Dirk
[Bug 1665151]
I have the same issue on Debian 9.8 with apache2 2.4.25-3+deb9u6.
[Bug 1665151]
@David: going through this again, this looks like some intermittent issue with changes ported to ubuntu. And it seems to be fixed now? Can we close this or what shall we look at? Thanks for your help!
[Bug 1665151]
This is not a bucket for all possible improvement ideas about mod_ssl configurations. That is better discussed on the user/dev mailing lists.

As to the original report, I read the history of this as:
- not able to reproduce in a minimal set
- the effect of nested include files, some added maybe by a 3rd party tool, e.g. certbot, that were not immediately obvious

We have no reproducible setup for the title of this ticket, "SSLProtocol settings seem to have no effect". Otherwise, it would be helpful to provide a minimum example setup. Otherwise we will close this ticket.

We are open to discussions and improvement proposals for making better server configurations. But those should take place on the mailing lists. Thank you.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
BUMP. Seeing this on 2.4.18 on Xenial

ii  apache2        2.4.18-2ubuntu3.9  amd64  Apache HTTP Server
ii  apache2-bin    2.4.18-2ubuntu3.9  amd64  Apache HTTP Server (modules and other binary files)
ii  apache2-data   2.4.18-2ubuntu3.9  all    Apache HTTP Server (common files)
ii  apache2-utils  2.4.18-2ubuntu3.9  amd64  Apache HTTP Server (utility programs for web servers)
[Bug 1665151]
I can confirm this behaviour on 2.4.37 on two servers. I'm using these directives, and TLSv1.0 is still available:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !DES !IDEA !RC2"
SSLProtocol -All +TLSv1.1 +TLSv1.2

nmap --script ssl-enum-ciphers -p 443 xxx.xxx.xxx.xxx | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
[Bug 1665151]
While not relating to the discussion of certain SSLProtocol and SSLCipherSuite combinations halting desired SSLProtocols, I did want to add that I had an issue where Let's Encrypt was holding my desired changes back. I was attempting to use the directive `SSLProtocols -all +TLSv1.1 +TLSv1.2` but TLSv1 was still being used. Due to this bug report I noticed that one of my upper Virtual Hosts was indeed using a cert from LE, and in that file they had a default of

SSLProtocol all -SSLv2 -SSLv3

If I could make a suggestion, it would be that we work towards getting more explicit control over what SSLProtocol directives get inherited. It seems strange that a file in a single Virtual Host reference would take precedence over global directives in both my ssl.conf and httpd.conf files.
[Bug 1665151]
@Aaron C: Let's Encrypt has nothing to do with your server configuration. You probably meant a config addition by an LE client, such as certbot?
[Bug 1665151]
@Stefan Yes. I'm using Certbot to manage my LE certs, and Certbot makes those configuration changes automatically. All I'm saying is it would be really useful to have a command / flag that would simply state what directives are taking precedence for configuration, because situations like this arise where some mysterious configuration I had forgotten about took precedence over a global httpd.conf directive. If I could just run a command and it said "SSLProtocol: Inherited from line 20 in .../httpd.conf", that would be the simplest way to be forwardly agnostic about where or how the server gets configured.
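Added example, not from this thread and not httpd code: a small Python script that does what the comment above asks for. It walks an Apache config tree, follows Include lines, and reports for every <VirtualHost> the SSLProtocol set it actually gets and the file:line that set it, applying the documented mod_ssl rules: a directive inside the vhost overrides the server-wide one, the last directive in a scope wins (so a certbot Include placed after your own SSLProtocol line silently overrides it, and an Include placed before it is overridden by it), and within one directive an unprefixed token replaces the accumulated set while +/- add and remove. It also marks the first vhost per address:port, Apache's default vhost, which several comments in this thread point at as the one that matters. The config tree is passed in as a dict of file contents standing in for /etc/apache2 so the script runs offline; the sample tree, its paths and ServerNames are constructed to mirror the DUMP_CONFIG output posted earlier in the thread, and "all" is assumed to expand to SSLv3..TLSv1.3 with a built-in default of "all -SSLv3" (current 2.4 docs, OpenSSL 1.1.1). It does not model SSLCipherSuite or the handshake itself, so still confirm with testssl.sh or nmap afterwards.

```python
"""Added example (not httpd's code, not from this thread): trace which
SSLProtocol each <VirtualHost> really ends up with and which file:line set
it, applying the documented mod_ssl rules: a vhost directive overrides the
server-wide one, the last directive in a scope wins, Include splices in."""
import re

# Assumption: httpd 2.4.36+ on OpenSSL 1.1.1, so "all" means SSLv3..TLSv1.3,
# "-SSLv2" is a tolerated no-op and the built-in default is "all -SSLv3".
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
BUILTIN_DEFAULT = frozenset(PROTOCOLS) - {"SSLv3"}


def parse_sslprotocol(arg: str) -> frozenset:
    """Left to right: '+tok' adds, '-tok' removes, and a bare token REPLACES
    what was accumulated so far (so "TLSv1.2 -TLSv1" == "-all +TLSv1.2")."""
    enabled = set()
    for word in arg.split():
        action, word = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        key = word.lower()
        if key == "sslv2" and action == "-":
            continue
        this = set(PROTOCOLS) if key == "all" else {p for p in PROTOCOLS if p.lower() == key}
        if not this:
            raise ValueError(f"SSLProtocol: illegal protocol '{word}'")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return frozenset(enabled)


class ConfigTree:
    """Walks {path: text} (a dict standing in for the filesystem so this runs offline)."""
    def __init__(self, files: dict):
        self.files = files
        self.server_protocol = None     # (args, "file:line") at server scope
        self.vhosts = []                # load order; first per address = Apache's default vhost
        self._current = None

    def load(self, path: str) -> None:
        for lineno, raw in enumerate(self.files[path].splitlines(), 1):
            line, origin = raw.strip(), f"{path}:{lineno}"
            if not line or line.startswith("#"):
                continue
            if re.match(r"</VirtualHost>", line, re.I):
                self._current = None
            elif m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
                self._current = {"addr": m.group(1).strip(), "defined_at": origin, "protocol": None}
                self.vhosts.append(self._current)
            elif m := re.match(r"Include(?:Optional)?\s+(\S+)", line, re.I):
                if m.group(1) in self.files:    # _current is kept: an Include inside a vhost stays in it
                    self.load(m.group(1))
            elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
                if self._current is not None:   # a later directive in the same vhost wins
                    self._current["protocol"] = (m.group(1).strip(), origin)
                else:
                    self.server_protocol = (m.group(1).strip(), origin)

    def effective(self) -> list:
        """One row per vhost: the protocol set it will use and where it came from."""
        seen, rows = set(), []
        for vh in self.vhosts:
            args, origin = vh["protocol"] or self.server_protocol or (None, "mod_ssl built-in default")
            protos = BUILTIN_DEFAULT if args is None else parse_sslprotocol(args)
            rows.append({"vhost": vh["addr"], "defined_at": vh["defined_at"], "protocols": protos,
                         "from": origin, "default_vhost": vh["addr"] not in seen})
            seen.add(vh["addr"])
        return rows


# Constructed sample tree: server-wide "all -SSLv3"; a certbot-managed default vhost
# whose Include of options-ssl-apache.conf re-enables TLSv1/1.1 after the admin's own
# line; a hardened second vhost; a third vhost with no SSLProtocol of its own.
SAMPLE_FILES = {
    "/etc/apache2/apache2.conf": "Include /etc/apache2/mods-enabled/ssl.conf\n"
        "Include /etc/apache2/sites-enabled/000-default-le-ssl.conf\n"
        "Include /etc/apache2/sites-enabled/custom1-ssl.conf\nInclude /etc/apache2/sites-enabled/custom2-ssl.conf\n",
    "/etc/apache2/mods-enabled/ssl.conf": "SSLCipherSuite HIGH:!aNULL\nSSLProtocol all -SSLv3\n",
    "/etc/apache2/sites-enabled/000-default-le-ssl.conf": "<VirtualHost *:443>\n  ServerName example.test\n"
        "  SSLEngine on\n  SSLProtocol -all +TLSv1.2 +TLSv1.3\n"
        "  Include /etc/letsencrypt/options-ssl-apache.conf\n</VirtualHost>\n",
    "/etc/letsencrypt/options-ssl-apache.conf": "SSLProtocol all -SSLv2 -SSLv3\n",
    "/etc/apache2/sites-enabled/custom1-ssl.conf": "<VirtualHost *:443>\n  ServerName other.test\n"
        "  SSLEngine on\n  SSLProtocol -all +TLSv1.2\n</VirtualHost>\n",
    "/etc/apache2/sites-enabled/custom2-ssl.conf": "<VirtualHost *:443>\n  ServerName third.test\n"
        "  SSLEngine on\n</VirtualHost>\n",
}


def audit(files: dict = SAMPLE_FILES, root: str = "/etc/apache2/apache2.conf") -> list:
    tree = ConfigTree(files)
    tree.load(root)
    return tree.effective()


if __name__ == "__main__":
    for r in audit():
        print(r["vhost"], "[default]" if r["default_vhost"] else "         ",
              r["defined_at"], sorted(r["protocols"]), "<-", r["from"])
```

Against a real server, build the dict from disk, e.g. `{p: open(p).read() for p in paths}` for the files `apache2ctl -t -D DUMP_INCLUDES` lists, and call `audit(files, "/etc/apache2/apache2.conf")`. In the constructed tree the certbot-managed default vhost comes out with TLSv1 and TLSv1.1 enabled, attributed to options-ssl-apache.conf line 1 rather than to the admin's own line 4, and the vhost with no directive inherits the server-wide "all -SSLv3" from ssl.conf, which is exactly the kind of override the grep and DUMP_CONFIG hunts in this thread were chasing.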
[Bug 1665151]
Somehow this has been fixed. Maybe a side effect of other fixes. As of Apache-2.4.34 the following works.

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Launchpad has imported 20 comments from the remote bug at https://bz.apache.org/bugzilla/show_bug.cgi?id=60739. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2017-02-16T15:15:34+00:00 David Favor wrote:

Changes in SSLProtocol seem to be ignored. This can be observed in all SSL testers I've used. The testssl script provides an easy way to check this, without having to wait for minutes (like SSLLabs) for output. Problem can be shown via...

testssl --protocols https://davidfavor.com/

Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.

My goal == disable TLS 1.0 for some of my hosting clients who have PCI requirements for this level of TLS to be disabled.

None of these permutations work. In fact, I can't find any SSLProtocol setting which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS versions are enabled.

Settings tried, that fail to disable TLSv1...

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SLProtocol -All +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/1

On 2017-02-16T15:41:44+00:00 David Favor wrote:

Setting SSLProtocols to -all produces expected behavior, which is an error about no protocols. This suggests the problem relates to setting TLSv1.2, which incorrectly seems to also enable TLSv1.1 + TLSv1.0, so maybe this is the real problem. The following also fail to disable TLSv1.

# SSLProtocol all -SSLv2 -SSLv3 +TLSv1.2 -TLSv1
# SSLProtocol -all +TLSv1.2 -TLSv1

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/3

On 2017-02-16T15:43:48+00:00 David Favor wrote:

The following also works oddly.

SSLProtocol -all +TLSv1

This enables TLS 1.0 + 1.1 + 1.2 rather than just 1.0 as expected.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/4

On 2017-02-26T15:56:08+00:00 David Favor wrote:

This seems to have changed somewhere between 2.4.18 + 2.4.23, as setting SSLProtocol used to be honored.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/7

On 2017-02-27T15:04:56+00:00 David Favor wrote:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151 - related Ubuntu bug ticket.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/8

On 2017-03-14T17:23:49+00:00 Apache-bugzilla wrote:

I have tested this with Apache 2.4.25 and OpenSSL 1.0.2k, with global settings and also with virtual host settings. It works for me. For example, with "SSLProtocol -All +TLSv1.1 +TLSv1.2", TLS 1.0 is not possible, TLS 1.1 and TLS 1.2 are possible. Could you please provide a minimal, stand-alone Apache configuration that shows the problem?

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/10

On 2017-03-16T11:36:54+00:00 David Favor wrote:

The problem seems to be an interaction between the Cipher List + SSLProtocol. Depending on the setting of the Cipher List, SSLProtocol seems to work or be ignored.

These settings disable TLSv1.0:

# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
# Force using custom cipher list
SSLHonorCipherOrder on
Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}

Other sslCiphers settings cause SSLProtocol to be ignored. I think the fix is either to have SSLProtocol cause a prune of the sslCiphers settings, or, if there's a conflict between SSLProtocol + sslCiphers, then have some sort of warning about the conflict. All in all, the problem is far more complex than it appears on the surface. For now, I'll resolve my situation by using the above settings.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/11

On 2017-03-16T1
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu)
Status: New => Confirmed
[Bug 1665151] Re: Apache ignores disable TLSv1.0
** Changed in: apache2
   Status: Confirmed => Incomplete
[Bug 1665151] Re: Apache ignores disable TLSv1.0
** Changed in: apache2
   Status: Unknown => Confirmed

** Changed in: apache2
   Importance: Unknown => Medium
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Be great if someone from Ubuntu could verify this problem + update the upstream bug, so this problem can be resolved. Thanks.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
You're welcome. I haven't gone back through the recent patches + I'm guessing this is a fairly recent situation, as I'm fairly sure I was able to change this setting around version 2.4.18 + the problem seems to have crept in around version 2.4.23 (best guess). Thanks for scheduling this for a fix.
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Thanks for your report, David. I added the upstream bug to the tracker so that this bug automatically gets updates on its status.

** Also affects: apache2 via
   https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
   Importance: Unknown
   Status: Unknown
[Bug 1665151] Re: Apache ignores disable TLSv1.0
Upstream bug opened... https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

** Bug watch added: bz.apache.org/bugzilla/ #60739
   https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
[Bug 1665151] [NEW] Apache ignores disable TLSv1.0
Public bug reported:

None of these settings correctly disable TLSv1.0 as stated in Apache docs.

```
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2
```

Likely the best setting is this, which will eventually pick up TLSv1.3+ when these protocols become available. This also fails...

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
```

** Affects: apache2 (Ubuntu)
   Importance: Undecided
   Status: New
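The thread turns on two things: what a given SSLProtocol line declares under mod_ssl's parsing rules (the report above lists eight variants, and a later comment shows a Define-built cipher list), and what the running server actually accepts, which is what the upstream maintainer's "minimal, stand-alone configuration" request is trying to pin down. The script below is an added example, not code from the bug thread, from httpd or from Ubuntu. It evaluates each SSLProtocol directive the way mod_ssl's parser does (each directive starts from an empty set; `+` adds, `-` removes, a bare name replaces what was accumulated, `all` expands to every supported version, and `-SSLv2` / `-SSLv3` are tolerated no-ops), walks a config with `Define`/`${var}` expansion and `<VirtualHost>` scoping so an include that re-enables TLS 1.0 for one vhost is not missed, and then probes a live server one protocol version at a time. Assumptions, marked in the code: the linked OpenSSL supports exactly TLSv1 through TLSv1.3 (SSLv3 compiled out), the compiled-in default enables all of them, `SAMPLE_CONFIG` is constructed for the example, and `www.example.com` is a placeholder hostname.

```python
"""Work out which TLS versions an Apache mod_ssl config declares, scope by scope,
then optionally probe a live server for what it really negotiates.  Added
example, not code from the bug thread or from httpd; assumptions are marked."""
import re
import socket
import ssl

# Assumption: the linked OpenSSL supports exactly these (SSLv3 compiled out).
SUPPORTED = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in SUPPORTED}
_DEFINE = re.compile(r"^Define\s+(\S+)\s*(.*)$", re.I)
_VAR = re.compile(r"\$\{(\w+)\}")


def parse_sslprotocol(value):
    """One SSLProtocol directive, evaluated as mod_ssl does: start empty; '+name'
    adds, '-name' removes, a bare name replaces the set; 'all' = SUPPORTED."""
    protos = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key == "all":
            names = set(SUPPORTED)
        elif key in _CANON:
            names = {_CANON[key]}
        elif key in ("sslv2", "sslv3") and action == "-":
            continue                    # "-SSLv2" is accepted and does nothing
        else:
            raise ValueError(f"SSLProtocol: illegal protocol '{name}'")
        if action == "+":
            protos |= names
        elif action == "-":
            protos -= names
        else:
            protos = names
    return protos


def effective_ssl_config(text):
    """{scope: {"SSLProtocol": set, "SSLCipherSuite": str|None}} for the global
    server and each <VirtualHost>.  Last directive in a scope wins, a vhost
    inherits what it does not set, and ${var} is expanded from Define lines."""
    defines, scope, found = {}, "global", {"global": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = _VAR.sub(lambda m: defines.get(m.group(1), m.group(0)), line)
        if m := _DEFINE.match(line):
            defines[m.group(1)] = m.group(2)
        elif line.lower().startswith("<virtualhost"):
            scope = line.strip("<>")
            found[scope] = {}
        elif line.lower() == "</virtualhost>":
            scope = "global"
        elif len(parts := line.split(None, 1)) == 2:
            if parts[0].lower() == "sslprotocol":
                found[scope]["SSLProtocol"] = parse_sslprotocol(parts[1])
            elif parts[0].lower() == "sslciphersuite":
                found[scope]["SSLCipherSuite"] = parts[1]
    # Assumption: the compiled-in default enables every supported version.
    base = {"SSLProtocol": set(SUPPORTED), "SSLCipherSuite": None, **found["global"]}
    return {name: {**base, **vals} for name, vals in found.items()}


def findings(scopes):
    """Name every scope that still accepts TLS 1.0 or 1.1."""
    return [f"{name}: still enables {', '.join(sorted(stale))}"
            for name, cfg in scopes.items()
            if (stale := cfg["SSLProtocol"] & {"TLSv1", "TLSv1.1"})]


def probe(host, port, name, timeout=5.0):
    """Offer host:port exactly one TLS version; return what was negotiated, or
    None if it was refused or nothing answered.  Cert checks are off on purpose."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        version = getattr(ssl.TLSVersion, name.replace(".", "_"))  # TLSv1.2 -> TLSv1_2
        ctx.minimum_version = ctx.maximum_version = version
        if name in ("TLSv1", "TLSv1.1"):
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # else OpenSSL refuses them
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):
        return None


# Constructed sample: global ssl.conf disables TLS 1.0, a vhost re-enables it.
SAMPLE_CONFIG = """\
<IfModule mod_ssl.c>
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite ${sslCiphers}
</IfModule>
<VirtualHost *:443>
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in effective_ssl_config(SAMPLE_CONFIG).items():
        print(name, sorted(cfg["SSLProtocol"]), *findings({name: cfg}))
```

Run it as-is and the global scope reports TLSv1.1/1.2/1.3 while the vhost reports all four, with a finding for each, which is exactly the shape of the ssl.conf-versus-letsencrypt override described earlier in the thread. To compare the declared policy with the live server, call `probe(host, 443, v)` for each `v` in `SUPPORTED` against a host you administer and read back the negotiated version (or `None`); a declared set that differs from the probed set is the evidence the upstream maintainer asked for, and the per-version probe also works as a regression check after every config change.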