[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
** Tags removed: openssl php

** Tags added: precise

** Information type changed from Public to Public Security

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1400473

Title:
  Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1400473/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
I have installed the update, and testing with the latest Chrome and IE browsers on Windows 7 confirms that they now recognize our server as running TLS1.2! Thanks for the fix!

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.9

---
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol
    (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements
      to modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers marc.deslauri...@ubuntu.com  Thu, 28 May 2015 12:26:50 -0400

** Changed in: apache2 (Ubuntu Precise)
       Status: Confirmed => Fix Released

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
I'm having the same issue. I need to disable TLS1, but can't do this on Apache 2.2.22. Is there a package update or a workaround? I am failing my PCI because of this. How can I resolve this?

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
Support for the TLSv1.1 and TLSv1.2 configuration options was added to Apache 2.2.24. The version of Apache in Ubuntu 12.04 is 2.2.22, hence it needs to have the following commit backported to be able to specifically use TLSv1.1 and TLSv1.2 in the SSLProtocol directive:

https://svn.apache.org/viewvc?view=revision&revision=1445104

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
From the Apache 2.2 documentation:

TLSv1.1 (when using OpenSSL 1.0.1 and later)
A revision of the TLS 1.0 protocol, as defined in RFC 4346.

TLSv1.2 (when using OpenSSL 1.0.1 and later)
A revision of the TLS 1.1 protocol, as defined in RFC 5246.

I suspect that the issue is that the current version of Apache 2.2 in 12.04.5 LTS incorrectly thinks that OpenSSL is not quite at 1.0.1, despite the fact that it clearly is reported to be that way when I run dpkg-configure:

root@db3:~# dpkg-query --list apache2 openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name     Version            Description
+++-==-==-
ii  apache2  2.2.22-1ubuntu1.7  Apache HTTP Server metapackage
ii  openssl  1.0.1-4ubuntu5.21  Secure Socket Layer (SSL) binary and related cryptographic t

I am reasonably comfortable that this issue is not really a show-stopper anymore, but rather some sort of minor package compilation related quirk that does not really change any functionality.

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
I get something similar when I run that command for my own domain name:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384

However, I still get the warning in apachectl configtest:

SSLProtocol: Illegal protocol 'TLSv1.2'
Action 'configtest' failed.

I am going to assume that the problem is not the openssl, but rather Apache, and that perhaps what is going on is that Ubuntu version of Apache is to blame. My hunch is that when I enter TLSv1, it treats it as though I had enabled TLSv1, TLSv1.1, and TLSv1.2, despite the documentation for Apache 2.2 saying that TLSv1.1 and TLSv1.1 should be valid values, and my assumption that enabling TLSv1 should not enable the other two.

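A way to audit SSLProtocol lines for a "TLS 1.0 must be off" requirement, as an added example that is not part of the original thread and is not mod_ssl's code: it models the directive's +/- token grammar and reproduces the configtest message quoted above when a token is unknown. The function names, the two token vocabularies (before and after the 2.2.22-1ubuntu1.9 update) and the sample directives are assumptions made for illustration.

```python
# Simplified model of the SSLProtocol +/- grammar; vocabularies are assumptions:
# the 2.2.22 package rejects TLSv1.1/TLSv1.2, the 1ubuntu1.9 update accepts them.
BEFORE_UPDATE = ("SSLv2", "SSLv3", "TLSv1")
AFTER_UPDATE = BEFORE_UPDATE + ("TLSv1.1", "TLSv1.2")


def parse_sslprotocol(line, known):
    """Return (selected_protocols, error) for one 'SSLProtocol ...' line."""
    words = line.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % line)
    by_lower = {name.lower(): name for name in known}
    selected = set()
    for word in words[1:]:
        action, token = "", word
        if word[0] in "+-":
            action, token = word[0], word[1:]
        if token.lower() == "all":
            chosen = set(known)
        elif token.lower() in by_lower:
            chosen = {by_lower[token.lower()]}
        else:
            # Same wording as the configtest failure quoted in the thread.
            return None, "SSLProtocol: Illegal protocol '%s'" % token
        if action == "-":
            selected -= chosen
        elif action == "+":
            selected |= chosen
        else:
            selected = chosen  # a bare token replaces what came before it
    return selected, None


def audit(line, known):
    """Classify a directive for a 'TLS 1.0 must be off' requirement."""
    selected, error = parse_sslprotocol(line, known)
    if error:
        return "rejected: " + error
    if not selected:
        return "fail: no protocol left enabled"
    if "TLSv1" in selected:
        return "fail: TLSv1 still selected"
    return "ok: " + " ".join(sorted(selected))


if __name__ == "__main__":
    for cfg in ("SSLProtocol all -SSLv2 -SSLv3 -TLSv1", "SSLProtocol TLSv1.2"):  # constructed
        print(cfg, "|", audit(cfg, BEFORE_UPDATE), "|", audit(cfg, AFTER_UPDATE))
```

A passing audit only says what the directive selects; what the server actually negotiates is confirmed with a client probe such as the `openssl s_client` run shown elsewhere in this thread.
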
[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
This is a connection to the default configuration of apache on Ubuntu 12.04, showing it does support TLSv1.2:

$ openssl s_client -tls1_2 -connect test-precise:443
<snip>
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
<snip>

** Also affects: apache2 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: apache2 (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: apache2 (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: apache2 (Ubuntu Precise)
   Importance: Undecided => Wishlist