Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Wishlist | Unassigned | |
Bug Description
For PCI compliance, one must not be vulnerable to the POODLE or BEAST or CRIME attacks. POODLE suggests removing SSLv2 and SSLv3, and BEAST suggests removing TLSv1. However, since TLSv1.1 and TLSv1.2 do not seem to be supported by apache 2.2 on 12.04 LTS, and since apache 2.4 on 12.04 LTS does not support PHP 5.3.X, the last branch to allow PHP register_globals, which is required for lots of legacy production code often used by sites with payment systems, and since Ubuntu 14.04 LTS does not support apache 2.2, and since Ubuntu 10.04 LTS does not support SHA256 signed SSL certificates, there may be no feasible way for someone to run a credit card processing system with any Ubuntu LTS system if they require both PCI compliance and PHP register_globals support.
It looks like manually compiling PHP may be the only plausible way to surmount this issue in this particular circumstance.
Changed in openssl (Ubuntu):
status: Expired → Confirmed
tags: added: precise; removed: openssl php
information type: Public → Public Security
Apache 2.2 on 12.04 LTS does support TLSv1.1 and TLSv1.2 just fine.
Could you describe why you think it's not supported?
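One way to see what a given `SSLProtocol` line actually leaves enabled before reloading Apache, as an added example that is not part of the bug report and is not Apache's own code: it models the keyword grammar documented for mod_ssl (`all`, `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, with optional `+`/`-` prefixes) and assumes, as the comment above states, that the 12.04 build accepts the `TLSv1.1` and `TLSv1.2` keywords. The sample directives are constructed for the illustration.

```python
"""Check which protocol versions an Apache mod_ssl SSLProtocol line enables.

Added example, not code from the bug report or from Apache.  It follows the
documented SSLProtocol grammar so an operator can tell whether a candidate
directive still permits SSLv2, SSLv3 or TLSv1 before the server is reloaded.
"""

# Protocol keywords accepted by mod_ssl's SSLProtocol directive.  The
# TLSv1.1/TLSv1.2 keywords need a build linked against OpenSSL 1.0.1+,
# which the comment above says the 12.04 apache2 package has.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Versions the bug report wants disabled (POODLE: SSLv2/SSLv3, BEAST: TLSv1).
WEAK = frozenset(("SSLv2", "SSLv3", "TLSv1"))


def effective_protocols(directive):
    """Return the set of protocols enabled by one SSLProtocol line.

    Mirrors mod_ssl's parsing: tokens are processed left to right, 'all'
    expands to every known version, a leading '-' removes, a leading '+'
    or no prefix adds.  Keyword matching is case-insensitive.  An unknown
    keyword raises ValueError, since Apache refuses to start on one.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected a line starting with SSLProtocol")
    enabled = set()
    for token in tokens[1:]:
        action = "+"
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            versions = set(PROTOCOLS)
        else:
            versions = {p for p in PROTOCOLS if p.lower() == token.lower()}
            if not versions:
                raise ValueError("unknown protocol keyword: %s" % token)
        if action == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def weak_protocols(directive):
    """Return the weak versions that a directive still leaves enabled."""
    return effective_protocols(directive) & WEAK


# Constructed sample directives: a common 2.2-era line that still permits
# TLSv1, and two hardened forms that leave only TLSv1.1 and TLSv1.2.
WEAK_DIRECTIVE = "SSLProtocol all -SSLv2 -SSLv3"
HARDENED_SUBTRACTIVE = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1"
HARDENED_EXPLICIT = "SSLProtocol TLSv1.1 TLSv1.2"

if __name__ == "__main__":
    for line in (WEAK_DIRECTIVE, HARDENED_SUBTRACTIVE, HARDENED_EXPLICIT):
        left = sorted(weak_protocols(line))
        verdict = "still allows %s" % ", ".join(left) if left else "OK"
        print("%-45s %s" % (line, verdict))
```

The static check only tells you what the directive asks for; after reloading, confirm the running server agrees by connecting with `openssl s_client -connect host:443 -tls1` (which should now fail the handshake) and `-tls1_1` / `-tls1_2` (which should succeed), since a build without TLSv1.1/TLSv1.2 support would reject the hardened directive rather than serve the newer versions.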