Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0

Bug #1400473 reported by RedScourge
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
apache2 (Ubuntu)   Fix Released  Undecided   Unassigned
  Precise          Fix Released  Wishlist    Unassigned

Bug Description

For PCI compliance, one must not be vulnerable to the POODLE or BEAST or CRIME attacks. POODLE suggests removing SSLv2 and SSLv3, and BEAST suggests removing TLSv1. However, since TLSv1.1 and TLSv1.2 do not seem to be supported by apache 2.2 on 12.04 LTS, and since apache 2.4 on 12.04 LTS does not support PHP 5.3.X, the last branch to allow PHP register_globals, which is required for lots of legacy production code often used by sites with payment systems, and since Ubuntu 14.04 LTS does not support apache 2.2, and since Ubuntu 10.04 LTS does not support SHA256 signed SSL certificates, there may be no feasible way for someone to run a credit card processing system with any Ubuntu LTS system if they require both PCI compliance and PHP register_globals support.

It looks like manually compiling PHP may be the only plausible way to surmount this issue in this particular circumstance.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Apache 2.2 on 12.04 LTS does support TLSv1.1 and TLSv1.2 just fine.

Could you describe why you think it's not supported?

Changed in openssl (Ubuntu):
status: New → Incomplete
RedScourge (redscourge) wrote :

Sorry for the incomplete details.

The problem is when I set the SSLProtocol parameter in Apache as follows:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

or:

SSLProtocol TLSv1.1 TLSv1.2

I received the following message in the server logs:

[Mon Dec 08 12:32:38 2014] [error] No SSL protocols available [hint: SSLProtocol]

This is with version 2.2.22-1ubuntu1.7 installed, of the following packages:

apache2
apache2-mpm-prefork
apache2-utils
apache2.2-bin
apache2.2-common

Marc Deslauriers (mdeslaur) wrote :

Can you try with:

SSLProtocol +TLSv1.1 +TLSv1.2

RedScourge (redscourge) wrote :

Tried that just now. I got the following error:

Syntax error on line 29 of /etc/apache2/sites-enabled/{redacted}:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.

Error log did not have more info (probably because it was only a config test). Even if this worked however it would not likely be acceptable, as SSLv2 and SSLv3 would need to be disabled for PCI compliance checking, since their scanners cite them as vulnerable to exploits.

I believe I am using nearly the newest Apache packages, if not the newest, for 12.04.5 LTS:

root@db3:~# dpkg-query --list apache2*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii apache2 2.2.22-1ubuntu Apache HTTP Server metapackage
un apache2-common <none> (no description available)
un apache2-doc <none> (no description available)
un apache2-mpm <none> (no description available)
un apache2-mpm-ev <none> (no description available)
un apache2-mpm-it <none> (no description available)
ii apache2-mpm-pr 2.2.22-1ubuntu Apache HTTP Server - traditional non-threade
un apache2-mpm-wo <none> (no description available)
un apache2-suexec <none> (no description available)
un apache2-suexec <none> (no description available)
ii apache2-utils 2.2.22-1ubuntu utility programs for webservers
ii apache2.2-bin 2.2.22-1ubuntu Apache HTTP Server common binary files
ii apache2.2-comm 2.2.22-1ubuntu Apache HTTP Server common files

root@db3:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

RedScourge (redscourge) wrote :

Sorry, the output of dpkg-query was rather inconveniently truncated; I am in fact using version "2.2.22-1ubuntu1.7" of those packages.

Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired
RedScourge (redscourge) wrote :

This should not be considered incomplete now and thus should not have expired.

Changed in openssl (Ubuntu):
status: Expired → Confirmed
Marc Deslauriers (mdeslaur) wrote :

While apache in Ubuntu 12.04 does support TLSv1.2, it doesn't allow specifying the configuration options to selectively disable TLSv1.0.

The following commit needs to be backported:
https://svn.apache.org/viewvc?view=revision&revision=1445104

affects: openssl (Ubuntu) → apache2 (Ubuntu)
summary: - Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable
- to BEAST attack
+ Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0
Marc Deslauriers (mdeslaur) wrote :

This is a connection to the default configuration of apache on Ubuntu 12.04, showing it does support TLSv1.2:

$ openssl s_client -tls1_2 -connect test-precise:443

<snip>

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : DHE-RSA-AES256-GCM-SHA384

<snip>

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Wishlist
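The single `openssl s_client -tls1_2` check above only shows that TLSv1.2 is offered; the PCI scanner the reporter is failing also needs TLSv1.0 (and SSLv3) to be refused. The script below, an added example that is not part of the bug report or of the Ubuntu package, runs the same s_client check once per protocol version and judges the result against that policy. The host name `test-precise` is taken from the comment above; the `TLS_PROBE_HOST`/`TLS_PROBE_PORT` variables and the `none` marker are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the bug report): probe one listener per protocol
# version with openssl s_client, the way a PCI scanner does, and judge the
# result against the policy the report asks for (SSLv3 and TLSv1.0 refused,
# TLSv1.2 accepted). TLS_PROBE_HOST / TLS_PROBE_PORT are assumptions.

# negotiated_protocol: read s_client output on stdin and print the version
# from the "SSL-Session:" summary, or "none" when no session was set up.
# A refused handshake still prints a Protocol line (the version that was
# attempted) but with "Cipher : 0000" (or "(NONE)"), so the cipher decides.
negotiated_protocol() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ''|0000|'(NONE)') echo none ;;
        *) echo "$proto" ;;
    esac
}

# probe FLAG: force one version (ssl3, tls1, tls1_1 or tls1_2) and report
# what was negotiated. Versions the local openssl was built without, or
# that the server refuses, both come back as "none".
probe() {
    openssl s_client -connect "$HOST:$PORT" "-$1" </dev/null 2>/dev/null | negotiated_protocol
}

# check_policy SSL3 TLS1 TLS1_2: succeed only when SSLv3 and TLSv1.0 were
# refused and TLSv1.2 was accepted.
check_policy() {
    if [ "$1" = none ] && [ "$2" = none ] && [ "$3" = TLSv1.2 ]; then
        return 0
    fi
    return 1
}

# Only touch the network when a host is given, e.g.
#   TLS_PROBE_HOST=test-precise sh probe.sh
if [ -n "$TLS_PROBE_HOST" ]; then
    HOST=$TLS_PROBE_HOST
    PORT=${TLS_PROBE_PORT:-443}
    r_ssl3=$(probe ssl3)
    r_tls1=$(probe tls1)
    r_tls11=$(probe tls1_1)
    r_tls12=$(probe tls1_2)
    printf 'ssl3=%s tls1=%s tls1_1=%s tls1_2=%s\n' "$r_ssl3" "$r_tls1" "$r_tls11" "$r_tls12"
    if check_policy "$r_ssl3" "$r_tls1" "$r_tls12"; then
        echo "PASS: SSLv3 and TLSv1.0 refused, TLSv1.2 accepted"
    else
        echo "FAIL: SSLv3 or TLSv1.0 still negotiable, or TLSv1.2 missing"
        exit 1
    fi
fi
```

Against the unpatched 2.2.22 package the `tls1` probe prints `TLSv1` no matter what `SSLProtocol` says, which is the whole complaint in this bug; after `SSLProtocol all -SSLv2 -SSLv3 -TLSv1` is accepted by the fixed package, it should print `none` while `tls1_2` still prints `TLSv1.2`.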
RedScourge (redscourge) wrote :

I get something similar when I run that command for my own domain name:

SSL-Session:
    Protocol : TLSv1.2
    Cipher : DHE-RSA-AES256-GCM-SHA384

However, I still get the warning in apachectl configtest :

SSLProtocol: Illegal protocol 'TLSv1.2'
Action 'configtest' failed.

I am going to assume that the problem is not openssl, but rather Apache, and that perhaps what is going on is that the Ubuntu version of Apache is to blame. My hunch is that when I enter TLSv1, it treats it as though I had enabled TLSv1, TLSv1.1, and TLSv1.2, despite the documentation for Apache 2.2 saying that TLSv1.1 and TLSv1.2 should be valid values, and my assumption that enabling TLSv1 should not enable the other two.

RedScourge (redscourge) wrote :

From the Apache 2.2 documentation:

TLSv1.1 (when using OpenSSL 1.0.1 and later)
A revision of the TLS 1.0 protocol, as defined in RFC 4346.

TLSv1.2 (when using OpenSSL 1.0.1 and later)
A revision of the TLS 1.1 protocol, as defined in RFC 5246.

I suspect that the issue is that the current version of Apache 2.2 in 12.04.5 LTS incorrectly thinks that OpenSSL is not quite at 1.0.1, despite the fact that it clearly is reported to be that way when I run dpkg-configure:

root@db3:~# dpkg-query --list apache2 openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-======================-======================-============================================================
ii apache2 2.2.22-1ubuntu1.7 Apache HTTP Server metapackage
ii openssl 1.0.1-4ubuntu5.21 Secure Socket Layer (SSL) binary and related cryptographic t

I am reasonably comfortable that this issue is not really a show-stopper anymore, but rather some sort of minor package compilation related quirk that does not really change any functionality.

Marc Deslauriers (mdeslaur) wrote :

Support for the TLSv1.1 and TLSv1.2 configuration options was added to Apache 2.2.24.

The version of Apache in Ubuntu 12.04 is 2.2.22, hence it needs to have the following commit backported to be able to specifically use TLSv1.1 and TLSv1.2 in the SSLProtocol directive:

https://svn.apache.org/viewvc?view=revision&revision=1445104

jarrett (jwold) wrote :

I'm having the same issue. I need to disable TLS1, but can't do this on apache 2.2.22. Is there a package update or a workaround? I am failing my PCI because of this.

How can I resolve this?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.9

---------------
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2015 12:26:50 -0400

Changed in apache2 (Ubuntu Precise):
status: Confirmed → Fix Released
RedScourge (redscourge) wrote :

I have installed the update, and testing with the latest Chrome and IE browsers on Windows 7 confirms that they now recognize our server as running TLS1.2!

Thanks for the fix!

Mathew Hodson (mhodson)
tags: added: precise
removed: openssl php
information type: Public → Public Security