Apache ignores disable TLSv1.0

Bug #1665151 reported by David Favor on 2017-02-15
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Apache2 Web Server
apache2 (Ubuntu)

Bug Description

None of these settings correctly disable TLSv1.0 as stated in Apache docs.

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2

Likely the best setting is this, which will eventually pick up TLSv1.3+ when these protocols become available.

This also fails...

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
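
The settings listed in the description, evaluated by a small model of the directive's token rules. This is an added example, not part of the original report and not mod_ssl code. It assumes that `+`/`-` add or remove a protocol, a bare name replaces the set built so far, `-SSLv2` is accepted and ignored, and `all` covers SSLv3 through TLSv1.2; `effective_protocols` and `lines_enabling_tls10` are hypothetical names.

```python
# Added example: models SSLProtocol token rules (an assumption, not mod_ssl source).
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})  # what "all" covers here
CANON = {p.lower(): p for p in ALL}  # protocol names are matched case-insensitively

def effective_protocols(directive):
    """Return (enabled_set, warnings) for one SSLProtocol line."""
    tokens = directive.lstrip("# ").split()  # tolerate a commented-out line
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled, warnings = set(), []
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        name = tok[len(action):].lower()
        if name == "sslv2":
            if action != "-":
                raise ValueError("SSLv2 is no longer supported")
            continue  # "-SSLv2" is accepted and changes nothing
        if name == "all":
            chosen = set(ALL)
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError("illegal protocol %r" % tok)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            # A bare name replaces everything set by earlier tokens.
            if enabled:
                warnings.append("%s overrides earlier tokens" % tok)
            enabled = chosen
    return enabled, warnings

# The settings quoted in the bug description, copied from the report.
REPORTED = [
    "# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "# SSLProtocol -All TLSv1.2",
    "# SSLProtocol all -SSLv2 -SSLv3 -TLSv1",
    "# SSLProtocol -all +TLSv1.2",
    "# SSLProtocol TLSv1.2 -TLSv1",
    "# SSLProtocol TLSv1.2",
    "# SSLProtocol -All +TLSv1.1 +TLSv1.2",
]

def lines_enabling_tls10(lines=REPORTED):
    """Return the lines whose computed protocol set still contains TLSv1."""
    return [l for l in lines if "TLSv1" in effective_protocols(l)[0]]
```

Under these assumptions every reported line evaluates to a set without TLSv1, so the text of the directive is not what leaves TLSv1.0 enabled.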

Thanks for your report David, I added the upstream bug to the tracker so that this bug automatically gets updates on its status.

David Favor (davidfavor) wrote :

You're welcome.

I haven't gone back through the recent patches + I'm guessing this is a fairly recent situation, as I'm fairly sure I was able to change this setting around version 2.4.18 + problem seems to have crept in around version 2.4.23 (best guess).

Thanks for scheduling this for a fix.

David Favor (davidfavor) wrote :

Be great if someone from Ubuntu could verify this problem + update the upstream bug, so this problem can be resolved.


Changed in apache2:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in apache2:
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed