You have been subscribed to a public bug by Marc Deslauriers (mdeslaur):

Binary package hint: apache2

If I have an apache2 server, for example, and then install something like
roundcube webmail, it will be available on port 80, unencrypted, and port
443, encrypted.

This may be according to principle of least surprise naively - but it
will send email passwords in plaintext for unaware users.

The real problem is a lack of a dropin configuration directory for stuff
that needs to be password protected.

This would perhaps be the first step to fix that:


r...@pendor:/etc/apache2/conf.d# cat ssl.conf 
# Listen 443

<VirtualHost *:443>
        SSLEngine on
        #  General setup for the virtual host, inherited from global configuration
        DocumentRoot "/var/www"
        ServerName hjemme.langfeldt.net

        # Use separate log files:
        ErrorLog /var/log/apache2/ssl_error.log
        TransferLog /var/log/apache2/ssl_access.log

        Alias /albums /var/www/albums

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.

        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /etc/ssl/certs/apache.pem
        SSLCertificateKeyFile /etc/ssl/private/apache.pem

        Include /etc/apache2/conf-ssl.d/

</VirtualHost>

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apache2 2.2.16-1ubuntu3.1
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic i686
Architecture: i386
Date: Fri Dec 31 01:25:59 2010
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apache2

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 maverick
-- 
ssl protection not default for sensitive packages
https://bugs.launchpad.net/bugs/695857
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
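
The scoping difference the report relies on, as an added example that is not part of the bug report or of the apache2 package: a small audit that lists which Alias paths are reachable outside an SSL-only virtual host. The config tree, the roundcube and webmail file names and their contents are constructed for illustration; the parser handles only Include, VirtualHost, SSLEngine and Alias.

```python
import re

# Constructed config tree (paths and contents made up for illustration),
# laid out like the report: conf.d/ is global, conf-ssl.d/ is SSL-only.
SAMPLE = {
    "/etc/apache2/apache2.conf": "Include /etc/apache2/conf.d/\n",
    "/etc/apache2/conf.d/roundcube": "Alias /roundcube /var/lib/roundcube\n",
    "/etc/apache2/conf.d/ssl.conf": (
        "<VirtualHost *:443>\n"
        "    SSLEngine on\n"
        "    Alias /albums /var/www/albums\n"
        "    Include /etc/apache2/conf-ssl.d/\n"
        "</VirtualHost>\n"
    ),
    "/etc/apache2/conf-ssl.d/webmail": "Alias /webmail /var/lib/roundcube\n",
}

def expand(files, name):
    """Yield stripped config lines with Include targets inlined in place."""
    for line in files[name].splitlines():
        m = re.match(r"\s*Include\s+(\S+)", line, re.I)
        if not m:
            yield line.strip()
            continue
        target = m.group(1)
        # A trailing slash means "every file in this directory", in sorted order.
        names = sorted(f for f in files if f.startswith(target)) if target.endswith("/") else [target]
        for n in names:
            yield from expand(files, n)

def plaintext_aliases(files, root="/etc/apache2/apache2.conf"):
    """Return Alias URL paths reachable outside an 'SSLEngine on' virtual host."""
    # Assumption: global scope is also served by a plain-HTTP listener on port 80.
    exposed, vhost = [], None
    for line in expand(files, root):
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            vhost = {"ssl": False, "aliases": []}
        elif low.startswith("</virtualhost"):
            if not vhost["ssl"]:
                exposed += vhost["aliases"]
            vhost = None
        elif vhost is not None and re.match(r"sslengine\s+on\b", low):
            vhost["ssl"] = True
        elif low.startswith("alias "):
            (exposed if vhost is None else vhost["aliases"]).append(line.split()[1])
    return exposed
```

On the constructed tree, `plaintext_aliases(SAMPLE)` reports only `/roundcube`, the alias dropped into the global `conf.d/`; the same alias placed under `conf-ssl.d/` is not reported.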
