Apache ignores disable TLSv1.0
Bug #1665151 reported by David Favor
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache2 Web Server | Confirmed | Medium | |
apache2 (Debian) | Fix Released | Unknown | |
apache2 (Ubuntu) | Incomplete | Undecided | Unassigned |
Bug Description
None of these settings correctly disable TLSv1.0 as stated in Apache docs.
_______
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2
Likely the best setting is this, which will eventually pick up TLSv1.3+ when these protocols become available.
This also fails...
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
Changed in apache2:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in apache2:
status: Confirmed → Incomplete
Changed in apache2 (Ubuntu):
status: Incomplete → Confirmed
Changed in apache2:
status: Incomplete → Confirmed
Changed in apache2 (Debian):
status: Unknown → New
Changed in apache2 (Debian):
status: New → Fix Released
Changes in SSLProtocol seem to be ignored.
This can be observed in all SSL testers I've used.
The testssl script provides an easy way to check this, without having to wait for minutes (like SSLLabs) for output.
Problem can be shown via...
testssl --protocols https://davidfavor.com/
Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.
My goal == disable TLS 1.0 for some of my hosting clients who have PCI requirements for this level of TLS to be disabled.
None of these permutations work. In fact, I can't find any SSLProtocol setting which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS versions are enabled.
Settings tried, that fail to disable TLSv1...
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
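Added example (not part of the bug report and not Apache's own code): a small Python model of how SSLProtocol arguments combine, used to list every uncommented SSLProtocol line in a set of config files and the protocols each one should enable. The left-to-right evaluation, the expansion of `all`, the helper names and the sample file names and contents are assumptions made for illustration.

```python
import re

# Assumption: "all" covers these protocols (a 2.4 build without TLSv1.3).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL}
# A line whose first non-blank text is "#" is a comment and does not match.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample: file names and the second file's contents are made up.
SAMPLE = {
    "site-a.conf": "# SSLProtocol -all +TLSv1.2\n"
                   "SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n",
    "site-b.conf": "<VirtualHost *:443>\n  SSLProtocol all -SSLv3\n</VirtualHost>\n",
}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right (modelled behaviour)."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "sslv2" and action == "-":
            continue  # removing SSLv2 is treated as a no-op
        if name == "all":
            chosen = set(ALL)
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            raise ValueError(f"illegal protocol {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name replaces everything before it
    return enabled

def active_directives(files):
    """Return (file, line number, arguments, protocols) per active directive."""
    found = []
    for path, text in files.items():
        for number, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if match:
                args = match.group(1)
                found.append((path, number, args, effective_protocols(args)))
    return found

def lines_enabling(files, proto):
    """List (file, line number) of active directives that enable proto."""
    return [(p, n) for p, n, _, protos in active_directives(files) if proto in protos]
```

Under this model none of the settings listed in the report enables TLSv1, so `lines_enabling(files, "TLSv1")` over the real config tree shows whether any other active directive does.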