Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/12/10 08:10:18 UTC

[Bug 60739] SSLProtocol settings seem to have no effect

https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

Matt Walsh <ma...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #32 from Matt Walsh <ma...@gmail.com> ---
I can confirm I also experienced this issue on the same versions as reported,
using Ubuntu 18.04 Server (Bionic).

In my instance I was using a single virtual host with a pre-defined
certificate, and there was no level of SSLProtocol setup vs SSLCipherSuite
setting combination (described above) that would disable TLSv1 and TLSv1.1,
which are my (and probably many other people's) security requirements.

I tried combinations of general SSL settings and down to virtual host level.
No settings appeared to be honored regardless.

In terms of 'what to fix': well, I think there is enough information in the
comments here to determine there is an issue between SSLProtocol and
SSLCipherSuite, particularly as previous versions have been noted as working
successfully.

I would also note that this relationship is NOT documented (that I can find)
and if this is determined to be configuration related, then clearer
documentation and examples need to be provided.

Clearly people are spending time on this issue; a quick Google indicates this
is a wide issue.

Unfortunately, in my case I don't have any more time to spend working out what
should be a 15 minute SSL setup on a web server.  I will be switching to using
NGINX and this will be my preferred setup until this issue can be resolved,
either in a fix or in documentation.
