Hi,

On Tue, Mar 19, 2019 at 05:18:49PM +0100, Thomas Knaller wrote:
> Therefore I edited /etc/apache2/mods-enabled/ssl.conf so that it
> states "SSLProtocol TLSv1.2", which should disable all SSLProtocols
> except for TLS1.2, but TLS1.0 and TLS1.1 are still active, as seen
> with nmap:
>
> # nmap --script ssl-enum-ciphers -p 443 127.0.0.1 | grep TLSv
> | TLSv1.0:
> | TLSv1.1:
> | TLSv1.2:
>

I could not reproduce this, either with 2.4.25-3+deb9u7 on stretch or
with 2.4.38-3 on buster. It's not very likely that this was fixed
between 2.4.38-2 and 2.4.38-3, so it's probably something in your
configuration. Maybe you have another sslprotocol directive somewhere
else in the config? You can check with:

    a2enmod info
    apache2ctl -t -D DUMP_CONFIG|grep -i ssl
    a2dismod info # if it hasn't been enabled before

> On Apache Bugtracker it appears that apache itself does not have that
> problem but it has something to do with the deb-Package for Debian and
> Ubuntu: https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

That report mentions some weird interaction with SSLCipherSuite. Maybe
you have that in another config file?

Cheers,
Stefan
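
Added example (not part of the message above, and not code from Apache or Debian): a small Python filter for the DUMP_CONFIG output that lists every SSLProtocol and SSLCipherSuite directive with its source file, line and enclosing section, so a second directive elsewhere in the configuration stands out. The comment layout it parses and the sample paths and values are assumptions constructed for illustration.

```python
import re
import sys
# Assumed mod_info DUMP_CONFIG layout: "# In file: <path>" and "# <n>:" precede each directive.
FILE_RE = re.compile(r"^\s*# In file: (.+?)\s*$")
LINE_RE = re.compile(r"^\s*#\s*(\d+):\s*$")
OPEN_RE = re.compile(r"^\s*<(\w+)\s*([^>]*)>\s*$")
CLOSE_RE = re.compile(r"^\s*</\w+>\s*$")

def find_ssl_directives(dump_text):
    """Return (file, line, enclosing section, directive, args) per match."""
    found, stack, path, lineno = [], [], None, None
    for raw in dump_text.splitlines():
        if m := FILE_RE.match(raw):
            path = m.group(1)
        elif m := LINE_RE.match(raw):
            lineno = int(m.group(1))
        elif CLOSE_RE.match(raw):
            del stack[-1:]  # leave the innermost section (no-op if empty)
        elif m := OPEN_RE.match(raw):
            stack.append(" ".join(m.groups()).strip())
        elif raw.strip() and not raw.lstrip().startswith("#"):
            name, *rest = raw.split(None, 1)
            if name.lower() in ("sslprotocol", "sslciphersuite"):
                section = stack[-1] if stack else "(global)"
                found.append((path, lineno, section, name, "".join(rest).strip()))
    return found

def unexpected_protocols(found, wanted="TLSv1.2"):
    """SSLProtocol entries whose arguments are not exactly `wanted`."""
    return [f for f in found if f[3].lower() == "sslprotocol" and f[4] != wanted]

# Constructed sample input, not taken from the reporter's system.
SAMPLE = """\
# In file: /etc/apache2/mods-enabled/ssl.conf
#  59:
SSLCipherSuite HIGH:!aNULL
# In file: /etc/apache2/mods-enabled/ssl.conf
#  73:
SSLProtocol TLSv1.2
<VirtualHost *:443>
  # In file: /etc/apache2/sites-enabled/example-ssl.conf
  #  10:
  SSLProtocol all -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    hits = find_ssl_directives(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for h in hits:
        print("{}:{} [{}] {} {}".format(*h), "<- check" if h in unexpected_protocols(hits) else "")
```

With mod_info enabled, the output of `apache2ctl -t -D DUMP_CONFIG` can be piped into the script in place of the built-in sample.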