Good morning,

we installed this update last week on our reverse proxies for our customers.

After the updates were installed, a customer claims that some of their (really, really old) clients (Win7, Win8.1 with IE11) cannot connect to the reverse proxy site with https anymore. After downgrading apache2 back to 2.4.56 they were able to connect again. We checked the https configuration (strict TLS v1.2) and found that configured ciphers weren't allowed anymore.

Before the update the ciphers looked like:

  Supported Server Cipher(s):
  Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
  Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
  Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
  Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
  Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
  Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
  Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits

After the update:

  Supported Server Cipher(s):
  Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
  Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
  Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
  Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
  Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253

So you can see the DHE ciphers were missing.

After searching the internet I found https://bz.apache.org/bugzilla/show_bug.cgi?id=68863. I didn't try the patch, but the DH tip in the certificate file. After including the DH in the certificate the problem was solved.

I think that this patch should be imported in the Debian package? Shall I open a bug report? I didn't find anything in the Debian Apache bug database.

Kind regards,

Andreas Schulz
Enterprise & Cyber Security Managed Security 2 Services DACH - Managed Cloud Services
Fujitsu Services GmbH
Konrad-Zuse-Str. 16, 74172, Neckarsulm, Germany
W https://www.fujitsu-services.com

Management: Robert Roiger, Michael Pries, Marcos Sanchez Urstadt, Lars Moscherosch
Registered office: Munich, Germany
Register court: Amtsgericht München, Reg. no. HRB 219577
Further information: https://fujitsu-services.com/impressum
Privacy notice: https://fujitsu-services.com/datenschutz
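
Added example, not part of the original message: a Python check that parses the two sslscan listings quoted above and reports which suites disappeared after the upgrade, the kind of comparison that can be run after each package update. The listings are re-typed from the message; the function names are illustrative.

```python
import re

# Sample input: the two sslscan listings quoted in the message above.
BEFORE = """\
Preferred TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits
"""
# After the update the listing is the same minus the two DHE-RSA lines.
AFTER = "\n".join(BEFORE.splitlines()[:5])

# status, protocol, bit strength, suite name, key-exchange detail
LINE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)\s*(.*)$")

def parse(listing):
    """Map (protocol, suite) -> key-exchange detail for one sslscan listing."""
    suites = {}
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:  # headers such as "Supported Server Cipher(s):" are skipped
            _, proto, _, suite, kex = m.groups()
            suites[(proto, suite)] = kex.strip()
    return suites

def dropped(before, after):
    """Suites offered before the change but no longer offered after it."""
    old, new = parse(before), parse(after)
    return sorted(key for key in old if key not in new)

def only_finite_field_dhe_dropped(before, after):
    """True when something was dropped and all of it is DHE-* (non-EC) suites."""
    gone = dropped(before, after)
    return bool(gone) and all(suite.startswith("DHE-") for _, suite in gone)

if __name__ == "__main__":
    for proto, suite in dropped(BEFORE, AFTER):
        print(f"no longer offered: {proto} {suite}")
    if only_finite_field_dhe_dropped(BEFORE, AFTER):
        print("only finite-field DHE suites were lost")
```
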