Comment 44 for bug 1665151

This all sounds interesting.
But since the recent openssl 1.1.1 bump has impacted a lot of things, let's re-test with that.
BTW TLSv1.3 might come up in bug 1845263 soon.
I installed apache2 on 18.04 and 20.04 and will test on those, which means:

18.04:
apache2: 2.4.29-1ubuntu4.11
openssl: 1.1.1-1ubuntu2.1~18.04.5

20.04:
apache2: 2.4.41-1ubuntu1
openssl: 1.1.1c-1ubuntu4

I used https://github.com/drwetter/testssl.sh to get full info on the SSL features.

# Basic install of apache2 with SSL
$ apt install apache2
$ a2enmod ssl
$ a2ensite default-ssl
$ systemctl restart apache2
# at this point the default https site should work

Adding other VHosts on extra ports with SSL enabled
$ sed -e 's/443/444/' /etc/apache2/sites-enabled/default-ssl.conf > /etc/apache2/sites-available/custom1-ssl.conf
$ sed -e 's/443/445/' /etc/apache2/sites-enabled/default-ssl.conf > /etc/apache2/sites-available/custom2-ssl.conf
$ a2ensite custom1-ssl
$ a2ensite custom2-ssl
$ sed -i -e '/443/a Listen 444\nListen 445' /etc/apache2/ports.conf
$ systemctl restart apache2
$ apachectl -D DUMP_VHOSTS
VirtualHost configuration:
*:80 f.lxd (/etc/apache2/sites-enabled/000-default.conf:1)
*:444 f.lxd (/etc/apache2/sites-enabled/custom1-ssl.conf:2)
*:445 f.lxd (/etc/apache2/sites-enabled/custom2-ssl.conf:2)
*:443 f.lxd (/etc/apache2/sites-enabled/default-ssl.conf:2)

It is worth noting that with this default setup only the SSL mod's default configures Ciphers and Protocols:

$ grep -Hirn -e '^\s*SSLCipher' -e '^\s*SSLProtocol' /etc/apache2/*
/etc/apache2/mods-available/ssl.conf:59: SSLCipherSuite HIGH:!aNULL
/etc/apache2/mods-available/ssl.conf:73: SSLProtocol all -SSLv3

Check via testssl like:
$ ./testssl.sh --protocols 10.253.194.57:444
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 offered (deprecated)
 TLS 1.1 offered (deprecated)
 TLS 1.2 offered (OK)
 TLS 1.3 offered (OK): final
 NPN/SPDY not offered
 ALPN/HTTP2 http/1.1 (offered)

18.04 looks the same except TLSv1.3 not being there yet.

Now with that simple and clean setup in place, let's disable TLSv1.0 per vhost.
$ sed -i -e '/SSL Protocol Adjustments/a SSLProtocol -All +TLSv1.2' /etc/apache2/sites-available/custom2-ssl.conf

That works well, as expected, disabling 1.0 and 1.1.
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 not offered
 TLS 1.1 not offered
 TLS 1.2 offered (OK)
 TLS 1.3 not offered and downgraded to a weaker protocol
 NPN/SPDY not offered
 ALPN/HTTP2 http/1.1 (offered)

This works as well with +1.3:
SSLProtocol -All +TLSv1.2 +TLSv1.3

I was trying the inverse:
SSLProtocol All -TLSv1 -TLSv1.1

Still working exactly as expected:
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 not offered
 TLS 1.1 not offered
 TLS 1.2 offered (OK)
 TLS 1.3 offered (OK): final
 NPN/SPDY not offered
 ALPN/HTTP2 http/1.1 (offered)

Hmm, nothing of that indicates any error yet.
TLS 1.0 and 1.1 could easily be disabled.

Let me go into the further statements on this bug:
1. "the SSLCipherSuite list on the default vHost (as reported of apachectl -D DUMP_VHOSTS) has to be capable of TLSv1.1 ciphers."

=> Well, my default isn't even SSL enabled.
=> But let me drop the default page and then add odd Ciphers to the other two vhosts on 443 and 444.

$ a2dissite 000-default
$ sed -i -e '/SSL Protocol Adjustments/a SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256' /etc/apache2/sites-available/custom1-ssl.conf
$ sed -i -e '/SSL Protocol Adjustments/a SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256' /etc/apache2/sites-available/default-ssl.conf
$ systemctl restart apache2

These Ciphers in the two other vhosts didn't affect the one on :445, which was my test target.

2. "It is also needed, that the default vHost has TLSv1.1 enabled in order to use that on other vHosts."

OK, let's disable TLSv1.1 in all but the last vhost and check if we "can use it" in the third vHost.

# Reset the configs to the default state we started with, then
$ sed -i -e '/SSL Protocol Adjustments/a SSLProtocol All -TLSv1 -TLSv1.1' /etc/apache2/sites-available/custom1-ssl.conf
$ sed -i -e '/SSL Protocol Adjustments/a SSLProtocol All -TLSv1 -TLSv1.1' /etc/apache2/sites-available/default-ssl.conf

I see TLS 1 and 1.1 disabled on :443 and :444 but no effect on :445.
I think this falsifies the statements, at least without further details being shared about them.

---

TL;DR: I can't recreate the issue :-/

But there are enough people on the bug that say "yes, that was it and ... helped me" to each other that I want to believe there is an issue we could help with.

Other comments mentioned external config files like those dropped in by letsencrypt - any of those could affect the case.

Therefore I'm asking anyone affected to please help recreate the issue using the same method that I did:
1. taking a fresh container or VM (report the version you used please)
2. listing all commands to install packages
3. listing all commands to change config
4. listing the command to show the issue

Maybe that way it can be further debugged, but without that it is in fact incomplete. Some might be affected, but no one else can yet recreate/work on it.
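As an added example (my own, not part of this bug report, Apache or testssl), the SSLProtocol semantics the per-vhost tests above rely on, made explicit: it resolves the three directive lines tried in this comment to the protocol set each should yield, and maps a constructed config with the same three vhosts to those sets. It assumes mod_ssl's documented parsing (a bare keyword replaces the list, + adds, - removes) and that this OpenSSL 1.1.1 build can offer TLSv1 through TLSv1.3 only.

```python
import re

# Negotiable protocols keyed by mod_ssl's case-insensitive keyword; "all" expands
# to them. Assumption from the testssl runs above: TLSv1.3 is in "all" on 20.04,
# and SSLv2/SSLv3 are never offered (Ubuntu's OpenSSL lacks them): remove-only.
PROTOCOLS = {"tlsv1": "TLSv1", "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}
UNAVAILABLE = {"sslv2", "sslv3"}
# Constructed config mirroring the comment's three vhosts (not the real files):
# :443 keeps the global default, :444 and :445 carry the two tested directives.
SAMPLE_CONFIG = """
<VirtualHost *:443>
</VirtualHost>
<VirtualHost *:444>
    SSLProtocol -All +TLSv1.2
</VirtualHost>
<VirtualHost *:445>
    SSLProtocol All -TLSv1 -TLSv1.1
</VirtualHost>
"""
def resolve_sslprotocol(directive):
    """Resolve an SSLProtocol argument string the way mod_ssl's parser does:
    a bare keyword replaces the list, '+' adds to it, '-' removes from it."""
    enabled = set()
    for token in directive.split():
        action, word = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        lw = word.lower()
        if lw == "all":
            chosen = set(PROTOCOLS.values())
        elif lw in UNAVAILABLE and action == "-":
            chosen = set()  # removing a protocol that is absent anyway: no-op
        elif lw in PROTOCOLS:
            chosen = {PROTOCOLS[lw]}
        else:
            raise ValueError("cannot enable %r with this mod_ssl/OpenSSL" % word)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen  # bare keyword overrides whatever came before
    return enabled

def vhost_protocols(config_text, default="all -SSLv3"):
    """Map each <VirtualHost> address to its effective protocol set; a vhost with
    no SSLProtocol inherits `default` (mods-available/ssl.conf), else its own wins."""
    result = {}
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config_text, re.S):
        d = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", m.group(2), re.M)
        result[m.group(1)] = resolve_sslprotocol(d.group(1) if d else default)
    return result
```

Running `vhost_protocols(SAMPLE_CONFIG)` gives :443 the full TLSv1 to TLSv1.3 set, :444 only TLSv1.2 (hence no TLS 1.3 in that testssl run), and :445 TLSv1.2 plus TLSv1.3, matching the three results reported in the comment.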