Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/02/16 15:15:34 UTC

[Bug 60739] New: SSLProtocol settings seem to have no effect

https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

            Bug ID: 60739
           Summary: SSLProtocol settings seem to have no effect
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: david@davidfavor.com
  Target Milestone: ---

Changes in SSLProtocol seem to be ignored.

This can be observed in all SSL testers I've used.

The testssl script provides an easy way to check this, without having to wait
for minutes (like SSLLabs) for output.

Problem can be shown via...

testssl --protocols https://davidfavor.com/

Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.

My goal == disable TLS 1.0 for some of my hosting clients who have PCI
requirements for this level of TLS to be disabled.

None of these permutations work. In fact, I can't find any SSLProtocol setting
which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS
versions are enabled.

Settings tried, that fail to disable TLSv1...

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SLProtocol -All +TLSv1.1 +TLSv1.2

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
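As an added example (not code from httpd, and not from anyone in this report), the script below models the documented SSLProtocol semantics and runs it over the settings listed above: each SSLProtocol line starts from an empty set, `+name` adds a protocol, `-name` removes one, a bare name replaces the set, and `all` stands for every protocol the build supports. It shows what each line is supposed to select, so a mismatch with what testssl reports points at something other than the directive text (another SSLProtocol further down an include chain, for instance). The protocol table is an assumption matching a 2.4.25 / OpenSSL 1.0.2 build, where SSLv2 is compiled out and TLSv1.3 does not exist yet.

```python
"""Model of how httpd's SSLProtocol directive is evaluated.

Added example; not httpd code and not from this bug report. The protocol
table is an assumption for a 2.4.25 / OpenSSL 1.0.2 build: SSLv2 is compiled
out (it may be removed but never added) and TLSv1.3 is not available.
"""

PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_BY_NAME = {p.lower(): p for p in PROTOCOLS}


def parse_ssl_protocol(args):
    """Return the frozenset of protocols one `SSLProtocol <args>` line enables.

    Raises ValueError for a token httpd would reject at startup, so a typo
    never silently widens the protocol set.
    """
    enabled = set()
    for token in args.split():
        action = ""
        name = token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        key = name.lower()

        if key == "all":
            chosen = set(PROTOCOLS)
        elif key == "sslv2":
            if action == "-":
                continue            # nothing to remove in an SSLv2-less build
            raise ValueError("SSLv2 is not supported by this build")
        elif key in _BY_NAME:
            chosen = {_BY_NAME[key]}
        else:
            raise ValueError("Illegal protocol '%s'" % name)

        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen        # bare name replaces the accumulated set
    return frozenset(enabled)


def legacy_still_enabled(args):
    """Names of the pre-1.2 TLS versions an SSLProtocol line leaves on."""
    return sorted(parse_ssl_protocol(args) & {"TLSv1", "TLSv1.1"})


# Constructed list: the settings the reporter says he tried.
REPORTED_SETTINGS = [
    "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "-All TLSv1.2",
    "all -SSLv2 -SSLv3 -TLSv1",
    "-all +TLSv1.2",
    "TLSv1.2 -TLSv1",
    "TLSv1.2",
    "-All +TLSv1.1 +TLSv1.2",
    "-all +TLSv1",
]


def evaluate(settings=REPORTED_SETTINGS):
    """Map each directive argument string to its intended protocol tuple."""
    return {s: tuple(sorted(parse_ssl_protocol(s))) for s in settings}


if __name__ == "__main__":
    for setting, protos in evaluate().items():
        print("SSLProtocol %-36s -> %s" % (setting, ", ".join(protos) or "(none)"))
```

Every setting in the list resolves to TLSv1.2 (or TLSv1.1 plus TLSv1.2) except the last, `-all +TLSv1`, which resolves to TLSv1 alone; that is the intended result against which the observation in comment #2 can be compared.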


[Bug 60739] SSLProtocol settings seem to have no effect

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

Michael Kaufmann <ap...@michael-kaufmann.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|apache-bugzilla@michael-kau |
                   |fmann.ch                    |



[Bug 60739] SSLProtocol settings seem to have no effect

Matt Walsh <ma...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #32 from Matt Walsh <ma...@gmail.com> ---
I can confirm I also experienced this issue on the same versions as reported
using Ubuntu 18.04 Server (Bionic)

In my instance I was using a single virtual host with a pre-defined
certificate and there was no combination of SSLProtocol setup and SSLCipherSuite
setting (described above) that would disable TLSv1 and TLSv1.1, which
are my (and probably many other people's) security requirements.

I tried combinations of general SSL settings down to virtual host level.
No settings appeared to be honored regardless.

In terms of 'what to fix': well, I think there is enough information in the
comments here to determine there is an issue between SSLProtocol and
SSLCipherSuite, particularly as previous versions have been noted as working
successfully.

I would also note that this relationship is NOT documented (that I can find)
and if this is determined to be configuration related, then clearer
documentation and examples need to be provided.

Clearly people are spending time on this issue, a quick google indicates this
is a wide issue.

Unfortunately in my case I don't have any more time to spend working out what
should be a 15 minute SSL setup on a web server.  I will be switching to using
NGINX and this will be my preferred setup until this issue can be resolved
either in a fix or in documentation.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #27 from thomas.knaller@gmail.com ---
I have the same issue on Debian 9.8 with apache2 2.4.25-3+deb9u6



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #10 from David Favor <da...@davidfavor.com> ---
Per my other comment above, it appears SSLProtocol is strongly affected by the
SSLCipherSuite list.

This means SSLProtocol may or may not have any effect, based on SSLCipherSuite
list.

Likely this is a complex fix, which might be accomplished by...

1) process SSLCipherSuite

2) then remove any SSLCipherSuite ciphers based on the SSLProtocol setting

Simple to describe. Complex to implement.

Another solution might be to just deprecate the SSLProtocol setting.

This would mean SSLCipherSuite determines protocol selection, which appears to
be what's actually occurring.

This would involve removing all code related to SSLProtocol processing +
updating documentation for SSLCipherSuite saying that the protocols set derive
from the SSLCipherSuite list provided.



[Bug 60739] SSLProtocol settings seem to have no effect

A.Sklepas <a....@digi-web.gr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |a.sklepas@digi-web.gr

--- Comment #17 from A.Sklepas <a....@digi-web.gr> ---
Hi, I can confirm the issue.
I have searched all configs and VHosts; no overrides are made, it should work, but
nmap --script ssl-enum-ciphers -p 443 IP | grep TLSv
returns TLSv1.0, TLSv1.1

I also investigated the claims about letsencrypt:
Read this topic:
https://community.letsencrypt.org/t/how-to-disable-tlsv1/49117/4
On some systems the options-ssl-apache.conf seems to be included in the virtual
hosts.
"Include /etc/letsencrypt/options-ssl-apache.conf"

Anyway, not in my case, plus I have disabled the options in that file to be
certain.
PS. Why are we waiting to fix this one? I do see servers that have disabled
TLS1 btw...


My info: Apache/2.4.33



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #30 from Dirk <di...@testssl.sh> ---

... and two more ciphers which "break the TLS 1.2-only" syntax for me:

DHE-RSA-AES128-SHA 0x33
DHE-RSA-AES256-SHA 0x39



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #23 from Aaron C <aa...@gmail.com> ---
@Stefan Yes. I'm using Certbot to manage my LE Certs, and Certbot makes those
configuration changes automatically. All I'm saying is it would be really
useful to have a command / flag that would simply state what directives are
taking precedence for configuration, because situations like this arise where
some mysterious configuration I had forgotten about took precedence over a
global httpd.conf directive. If I could just run a command and it says
"SSLProtocol: Inherited from line 20 in .../httpd.conf" would be the simplest
way to be forwardly agnostic about where or how the server gets configured.
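The "which directive is in effect, and where does it live" question raised above is partly answered by httpd's own `httpd -t -D DUMP_INCLUDES`, which prints the include tree. The script below is an added example, not httpd code and not anything posted in this thread: it follows Include/IncludeOptional lines, tags every SSLProtocol and SSLCipherSuite with the <VirtualHost> it lands in, and reports the file and line of the value that wins in each context, including the server-config line a vhost inherits from when it sets nothing itself. It builds a constructed config tree in a temporary directory mirroring the situation in this report: a global SSLProtocol that drops TLSv1, undone by an `Include .../options-ssl-apache.conf` inside a vhost. Assumptions: relative Include paths are ServerRoot-relative, an Include of a directory reads every file in it, directives sit on one line, and only <VirtualHost> context is tracked (no <IfModule>, <Directory> or Define expansion).

```python
"""Locate every SSLProtocol / SSLCipherSuite directive httpd would load.

Added example; not httpd code and not from this bug. Assumptions: relative
Include paths are ServerRoot-relative, a directory Include reads all files in
it, one directive per line, only <VirtualHost> context tracked.
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^(Include|IncludeOptional)\s+(.+)$", re.I)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.I)
WATCHED = {"sslprotocol": "SSLProtocol", "sslciphersuite": "SSLCipherSuite"}
SERVER_CONFIG = "server config"


def _expand_include(arg, server_root):
    """Files an Include argument refers to (glob and directory expanded)."""
    path = arg.strip().strip('"')
    if not os.path.isabs(path):
        path = os.path.join(server_root, path)
    if os.path.isdir(path):
        path = os.path.join(path, "*")
    return sorted(p for p in glob.glob(path) if os.path.isfile(p))


def walk_config(conf_path, server_root, context=SERVER_CONFIG, seen=None):
    """Yield (context, directive, args, file, line) in httpd's load order."""
    seen = set() if seen is None else seen
    real = os.path.realpath(conf_path)
    if real in seen:                      # include loop guard
        return
    seen.add(real)
    with open(conf_path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = VHOST_OPEN_RE.match(line)
            if m:
                context = "<VirtualHost %s>" % m.group(1).strip()
                continue
            if VHOST_CLOSE_RE.match(line):
                context = SERVER_CONFIG
                continue
            m = INCLUDE_RE.match(line)
            if m:
                # A file included inside <VirtualHost> is read in that vhost's
                # context: this is why a grep of the main config misses the
                # SSLProtocol that options-ssl-apache.conf sets.
                for inc in _expand_include(m.group(2), server_root):
                    yield from walk_config(inc, server_root, context, seen)
                continue
            parts = line.split(None, 1)
            name = WATCHED.get(parts[0].lower())
            if name:
                args = parts[1].strip() if len(parts) > 1 else ""
                yield (context, name, args, conf_path, lineno)


def effective_settings(records):
    """Last directive in a context wins; a vhost that never sets one inherits
    the server-config value, recorded with the file:line it came from."""
    per_context = {}
    for context, name, args, path, lineno in records:
        per_context.setdefault(context, {})[name] = (args, path, lineno)
    base = per_context.get(SERVER_CONFIG, {})
    for settings in per_context.values():
        for name, origin in base.items():
            settings.setdefault(name, origin)
    return per_context


def build_demo_tree(root):
    """Constructed config tree mirroring this thread's situation."""
    os.makedirs(os.path.join(root, "sites"))
    os.makedirs(os.path.join(root, "letsencrypt"))
    files = {
        "httpd.conf": "SSLProtocol -all +TLSv1.1 +TLSv1.2\n"
                      "SSLCipherSuite HIGH:!aNULL\n"
                      "Include sites/*.conf\n",
        "sites/example.conf": "<VirtualHost *:443>\n"
                              "    ServerName example.test\n"
                              "    Include letsencrypt/options-ssl-apache.conf\n"
                              "</VirtualHost>\n",
        "letsencrypt/options-ssl-apache.conf": "SSLProtocol all -SSLv2 -SSLv3\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return os.path.join(root, "httpd.conf")


def demo():
    """Run the walker over the constructed tree; returns the resolved settings."""
    root = tempfile.mkdtemp(prefix="httpd-ssl-demo-")
    return effective_settings(walk_config(build_demo_tree(root), root))


if __name__ == "__main__":
    for context, settings in demo().items():
        for name, (args, path, lineno) in settings.items():
            print("%s: %s %s  (from %s:%d)" % (context, name, args, path, lineno))
```

Run against a real tree as `walk_config("/etc/httpd/conf/httpd.conf", "/etc/httpd")` (paths are examples): the vhost line of the output names options-ssl-apache.conf as the source of `SSLProtocol all -SSLv2 -SSLv3`, which is the one-line answer that a day of grepping the main config files does not give.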



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #22 from Stefan Eissing <st...@eissing.org> ---
@Aaron C: Let's Encrypt has nothing to do with your server configuration. You
probably meant a config addition by an LE client, such as certbot?



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #25 from Stefan Eissing <st...@eissing.org> ---
This is not a bucket for all possible improvement ideas about mod_ssl
configurations. That is better discussed on the user/dev mailing lists.

As to the original report, I read the history of this as:
- not able to reproduce in a minimal set
- the effect of nested include files, some added maybe by a 3rd party tool,
e.g. certbot that were not immediately obvious

We have no reproducible setup for the title of this ticket, "SSLProtocol
settings seem to have no effect". Otherwise, it would be helpful to provide a
minimum example setup.

Otherwise we will close this ticket. We are open to discussions and improvement
proposals for making better server configurations. But those should take place
on the mailing lists.

Thank you.



[Bug 60739] SSLProtocol settings seem to have no effect

Brad Lanam <br...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #14 from Brad Lanam <br...@gmail.com> ---
The letsencrypt setup process adds the following line, which
includes SSLProtocol and SSLCipherSuite setup.
Quite annoying as a grep for SSLProtocol will not find it.

    Include /etc/letsencrypt/options-ssl-apache.conf



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #20 from David Favor <da...@davidfavor.com> ---
Somehow this has been fixed. Maybe a side effect of other fixes.

As of Apache-2.4.34 the following works.

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #2 from David Favor <da...@davidfavor.com> ---
The following also works oddly.

SSLProtocol -all +TLSv1

This enables TLS 1.0 + 1.1 + 1.2 rather than just 1.0 as expected.



[Bug 60739] SSLProtocol settings seem to have no effect

Michael Kaufmann <ap...@michael-kaufmann.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |apache-bugzilla@michael-kau
                   |                            |fmann.ch

--- Comment #5 from Michael Kaufmann <ap...@michael-kaufmann.ch> ---
I have tested this with Apache 2.4.25 and OpenSSL 1.0.2k, with global settings
and also with virtual host settings.

It works for me. For example, with "SSLProtocol -All +TLSv1.1 +TLSv1.2", TLS
1.0 is not possible, TLS 1.1 and TLS 1.2 are possible.

Could you please provide a minimal, stand-alone Apache configuration that shows
the problem?



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #3 from David Favor <da...@davidfavor.com> ---
This seems to have changed somewhere between 2.4.18 + 2.4.23, as setting
SSLProtocol used to be honored.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #29 from Dirk <di...@testssl.sh> ---

... same if I add ECDHE-RSA-AES256-SHA (c014 instead of c013).



[Bug 60739] SSLProtocol settings seem to have no effect

William A. Rowe Jr. <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #15 from William A. Rowe Jr. <wr...@apache.org> ---
The ASF HTTP Server project has nothing to do with letsencrypt distributed
solutions. Comment #14 does not enhance this report.

(This is distinct from mod_md, which is httpd's response for users to provision
letsencrypt certs.)



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #13 from martin@xorax.info ---
Well, my bad... After trying to reproduce it on a dockerized version, I found I
had a false config hidden.....

I confirm that I can use TLSv1.1 as well as TLSv1.2 with this simple config:
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite HIGH:!aNULL

Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28
OpenSSL 1.0.1t  3 May 2016

@David Favor: I'm not able to reproduce the issue (having TLS activated
depending on ciphers). If you have a cipher list with which you have seen some
protocols disabled, share it with us and I will try.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #7 from Eric Covener <co...@gmail.com> ---
(In reply to David Favor from comment #6)
> The problem seems to be an interaction between the Cipher List + SSLProtocol.
> 
> Depending on setting of Cipher List SSLProtocol seems to work or be ignored.
> 
> These settings disable TLSv1.0
> 
> # support old Android phones
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1
> 
> # Force using custom cipher list
> SSLHonorCipherOrder on
> 
> Define sslCiphers
> -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!
> LOW
> Define sslCiphers
> ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
> AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-
> SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
> SSLCipherSuite ${sslCiphers}
> 
> Other sslCiphers settings cause SSLProtocol to be ignored.
> 

Can you share a specific pair with unexpected results?



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #9 from martin@xorax.info ---
Fix:
> I CANNOT find a way to activate TLSv1.1, with or without TLSv1. All the time, only TLSv1.2 (I tried a lot of different ciphers suite).



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #11 from martin@xorax.info ---
SSLCipherSuite seems to have no effect on the protocol on my side.
Whatever I put:

SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5
or
SSLCipherSuite ALL
or
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

I got no changes in protocol, only TLSv1.2 is enabled.



[Bug 60739] SSLProtocol settings seem to have no effect

Jacob Champion <jc...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #12 from Jacob Champion <jc...@apache.org> ---
I'm also unable to reproduce. httpd 2.4.25, OpenSSL 1.0.2g -- the protocols are
honored correctly with the example ciphersuite lines that have been given in
this bug.

For those who can repro: can you please provide the exact set of configuration
directives that reproduces the issue?



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #18 from Eric Covener <co...@gmail.com> ---
(In reply to A.Sklepas from comment #17)
> Hi, i can confirm the issue.
> I have searched all configs and VHosts no overides are made it should work
> but 
> nmap --script ssl-enum-ciphers -p 443 IP | grep TLSv
> returns TLS1.0,  TLSv1.1
> 
> I also investigated the claims about letsencrypt:
> Read this topic:
> https://community.letsencrypt.org/t/how-to-disable-tlsv1/49117/4
> On some systems the options-ssl-apache.conf seems to be included in the
> virtual hosts.
> "Include /etc/letsencrypt/options-ssl-apache.conf"
> 
> Anyway not in my case plus i have disabled the options in that file to be
> certain.
> PS. Why are we waiting to fix this one? I do see servers that have disabled
> TLS1 btw...
> 
> 
> My info: Apache/2.4.33

Show a minimal configuration that does something unexpected if you can.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #16 from Brad Lanam <br...@gmail.com> ---
I was not entirely clear.
The letsencrypt configuration that gets installed will override any
SSLProtocol and SSLCipherSuite commands with their config.

I tried to get TLSv1 to turn off for a day before noticing the
additional configuration.

It is likely that other followers of this bug are having issues
configuring TLSv1 due to the letsencrypt override.



[Bug 60739] SSLProtocol settings seem to have no effect

martin@xorax.info changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin@xorax.info



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #24 from Arne K. Haaje <ar...@drlinux.no> ---
I can confirm this behaviour on 2.4.37 on two servers. I'm using these
directives, and TLSv1.0 is still available.

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !DES !IDEA !RC2"

SSLProtocol -All +TLSv1.1 +TLSv1.2


nmap --script ssl-enum-ciphers -p 443 xxx.xxx.xxx.xxx | grep TLSv
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #21 from Aaron C <aa...@gmail.com> ---
While not relating to the discussion of certain SSLProtocol and SSLCipherSuite
combinations halting desired SSLProtocols, I did want to add that I had an
issue where Let's Encrypt was holding my desired changes back.

I was attempting to use the directive:
`SSLProtocols -all +TLSv1.1 +TLSv1.2` but TLSv1 was still being used. Due to
this bug report I noticed that one of my upper Virtual Hosts was indeed using a
cert from LE, and in that file they had a default of
SSLProtocol all -SSLv2 -SSLv3

If I could make a suggestion, it would be that we work towards getting more
explicit control over what SSLProtocol directives get inherited. It seems
strange that a file in a single Virtual Host reference would take precedence
over global directives in both my ssl.conf and httpd.conf files.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #8 from martin@xorax.info ---
I have a similar issue. Whatever I set in SSLProtocol, it's ignored.

apache2ctl -v
Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28

openssl version
OpenSSL 1.0.1t  3 May 2016

If I use the settings provided by David Favor:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA

I got only TLSv1.2 enabled, not TLSv1.1.

I could find a way to activate TLSv1.1, with or without TLSv1. All the time,
only TLSv1.2 (I tried a lot of different cipher suites).

Note that if I try with the openssl s_server command, all is working as
expected.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #31 from thomas.knaller@gmail.com ---
I found something in   /etc/letsencrypt/options-ssl-apache.conf ...



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #6 from David Favor <da...@davidfavor.com> ---
The problem seems to be an interaction between the Cipher List + SSLProtocol.

Depending on setting of Cipher List SSLProtocol seems to work or be ignored.

These settings disable TLSv1.0

# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

# Force using custom cipher list
SSLHonorCipherOrder on

Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}

Other sslCiphers settings cause SSLProtocol to be ignored.

I think the fix is either to have SSLProtocol cause a prune of sslCiphers
settings or if there's a conflict between SSLProtocol + sslCiphers then have
some sort of warning about the conflict.

All in all, the problem is far more complex than it appears on the surface.

For now, I'll resolve my situation by using the above settings.



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #4 from David Favor <da...@davidfavor.com> ---
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151 - related Ubuntu
bug ticket.



[Bug 60739] SSLProtocol settings seem to have no effect

thomas.knaller@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas.knaller@gmail.com



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #1 from David Favor <da...@davidfavor.com> ---
Setting SSLProtocols to -all produces expected behavior, which is an error
about no protocols.

This suggests the problem relates to setting TLSv1.2, which incorrectly seems
to also enable TLSv1.1 + TLSv1.0 so maybe this is the real problem.

The following also fail to disable TLSv1.

# SSLProtocol all -SSLv2 -SSLv3 +TLSv1.2 -TLSv1
# SSLProtocol -all +TLSv1.2 -TLSv1



[Bug 60739] SSLProtocol settings seem to have no effect

--- Comment #19 from A.Sklepas <a....@digi-web.gr> ---
Hi, unfortunately I cannot provide a minimal configuration.

I can give you more info, as I ran some more tests on my two CentOS 7 DS.

Server 1:

Apache/2.4.33 (IUS)*
latest CentOS: OpenSSL 1.0.2k
TLS1 & 1.1 cannot be disabled

Server 2:
Server version: Apache/2.4.6 (CentOS)
latest CentOS: OpenSSL 1.0.2k
TLS1 & 1.1 disabled successfully.

I can understand this means an Apache issue. I am not sure if it is somehow an
IUS issue; I will contact them too.
*https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/httpd24u.html

Szőgyényi Gábor <sz...@freemail.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |szg0000@freemail.hu

--- Comment #26 from Stefan Eissing <st...@eissing.org> ---
@David: going through this again, this looks like some intermittent issue with
changes ported to Ubuntu. And it seems to be fixed now?

Can we close this or what shall we look at? Thanks for your help!

--- Comment #28 from Dirk <di...@testssl.sh> ---
I have a similar problem with Ubuntu 18.04 (Apache 2.4.39 + openssl 1.1.0g) and
it may shed some light on this.

Protocol is always

SSLProtocol             -All +TLSv1.2

SSLCipherSuite

1)
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256

2)
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256

Diff is ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA,
DHE-RSA-AES128-GCM-SHA256.

I played around a bit with those three (using testssl.sh), and it looked to me
like when I enable ECDHE-RSA-AES128-SHA I have TLS 1.0 + 1.1, which seems
strange to me, but it is what I found.

What is going on here?

Dirk

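Added example (not code from the bug thread or from httpd itself): a Python model of how mod_ssl parses the SSLProtocol argument, combined with the cipher lists from Comment #28, to show which TLS versions a client can actually complete a handshake with. It covers both the settings tried in Comment #1 and the original report, and Dirk's observation that ECDHE-RSA-AES128-SHA is what makes TLS 1.0/1.1 reachable. The parsing rules follow mod_ssl's ssl_engine_config.c as I know it; the TLS 1.2-only cipher classification is a name heuristic that holds for the OpenSSL suite names on this page.

```python
import re
# Tokens a 2.4.x mod_ssl on OpenSSL 1.0.2/1.1.0 accepts; "all" expands to these.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
NAMES = {p.lower(): p for p in ALL}

def parse_ssl_protocol(arg):
    """Mirror mod_ssl's SSLProtocol parsing: '+' adds, '-' removes, and a bare
    name replaces everything set before it. Returns the enabled set."""
    enabled = set()
    for word in arg.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        key = name.lower()                    # names are matched case-insensitively
        if key == "sslv2" and action == "-":  # SSLv2 is gone; only '-SSLv2' is accepted
            continue
        if key == "all":
            this = set(ALL)
        elif key in NAMES:
            this = {NAMES[key]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % name)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this                    # bare name overrides earlier words
    return enabled

# AEAD (GCM, CCM, ChaCha20) and SHA-2 HMAC suites exist only in TLS 1.2; the
# CBC+SHA1 suites on this page also handshake under TLS 1.0 and 1.1.
TLS12_ONLY = re.compile(r"-(GCM|CCM|SHA256|SHA384)(-|$)|CHACHA20")

def min_version(suite):
    return "TLSv1.2" if TLS12_ONLY.search(suite) else "TLSv1"

def negotiable(ssl_protocol, ssl_cipher_suite):
    """TLS versions a client can actually complete a handshake with: the SSLProtocol
    set, minus TLS 1.0/1.1 when no configured suite works there (SSLv3 not modelled)."""
    allowed = parse_ssl_protocol(ssl_protocol) - {"SSLv3"}
    if not allowed:                           # mod_ssl refuses to start (Comment #1)
        raise ValueError("No SSL protocols available [hint: SSLProtocol]")
    legacy_ok = any(min_version(s) == "TLSv1" for s in ssl_cipher_suite.split(":"))
    return {p for p in allowed if p == "TLSv1.2" or legacy_ok}

# Cipher lists 1) and 2) from Comment #28, copied verbatim.
LIST1 = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256"
LIST2 = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256"
```

With LIST2 only TLSv1.2 remains even under a permissive SSLProtocol, so a scanner reporting "TLS 1.0 not offered" under that cipher list is not evidence that the directive took effect; LIST1 is the configuration that actually exercises SSLProtocol.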