Apache ignores disable TLSv1.0

Bug #1665151 reported by David Favor on 2017-02-15
This bug affects 1 person
Affects: Apache2 Web Server. Status: Incomplete. Importance: Medium.
Affects: apache2 (Ubuntu). Importance: Undecided. Assigned to: Unassigned.

Bug Description

None of these settings correctly disable TLSv1.0 as stated in Apache docs.
_______

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2

Likely the best setting is this, which will eventually pick up TLSv1.3+ when these protocols become available.

This also fails...

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
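
Added example (not part of the report and not Apache's code): a small Python model of the SSLProtocol `+`/`-` syntax, applied to the directive lines quoted in the bug description, to show which protocols each line should leave enabled. It assumes `all` expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 and that a bare protocol name replaces whatever was set earlier on the line; `expected_protocols` and `lines_still_allowing` are names made up for this sketch.

```python
# Added example: models the SSLProtocol syntax documented for mod_ssl 2.4.
# Assumption: "all" means the set below (OpenSSL 1.0.1+ build, no TLSv1.3).
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
KNOWN = {name.lower(): name for name in ALL}


def expected_protocols(directive):
    """Return the protocols one SSLProtocol line should leave enabled."""
    words = directive.lstrip("# ").split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "sslv2":
            if action == "-":
                continue  # SSLv2 is gone in 2.4, so removing it is a no-op
            raise ValueError("SSLv2 is no longer supported")
        if name == "all":
            selected = set(ALL)
        elif name in KNOWN:
            selected = {KNOWN[name]}
        else:
            raise ValueError("unknown protocol: %r" % word)
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected  # a bare name replaces what came before
    return enabled


# The distinct directive lines quoted in the bug description.
REPORTED = [
    "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "SSLProtocol -All TLSv1.2",
    "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "SSLProtocol all -SSLv2 -SSLv3 -TLSv1",
    "SSLProtocol -all +TLSv1.2",
    "SSLProtocol TLSv1.2 -TLSv1",
    "SSLProtocol TLSv1.2",
    "SSLProtocol -All +TLSv1.1 +TLSv1.2",
]


def lines_still_allowing(protocol, directives=REPORTED):
    """List the directives that would leave `protocol` enabled."""
    return [d for d in directives if protocol in expected_protocols(d)]
```

Under this model none of the reported lines leaves TLSv1 enabled, so a server that still completes a TLSv1.0 handshake is not doing what the directive line says.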

ChristianEhrhardt (paelzer) wrote :

Thanks for your report David, I added the upstream bug to the tracker so that this bug automatically gets updates on its status.

David Favor (davidfavor) wrote :

You're welcome.

I haven't gone back through the recent patches + I'm guessing this is a fairly recent situation, as I'm fairly sure I was able to change this setting around version 2.4.18 + problem seems to have crept in around version 2.4.23 (best guess).

Thanks for scheduling this for a fix.

David Favor (davidfavor) wrote :

Be great if someone from Ubuntu could verify this problem + update the upstream bug, so this problem can be resolved.

Thanks.

Changed in apache2:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in apache2:
status: Confirmed → Incomplete