Vincent Lefevre wrote:
> Bob Proulx wrote:
> > The Debian default Apache2 configuration for ssl is in local-ssl and
> > it configures the self-signed so-called "snakeoil" certificates.
>
> No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> SSLProtocol line, which is the line that needs to be modified.

No, (I will just turn your reply around) that entry is commented out. It isn't an *active* part of the Debian configuration. The local admin must actually do something. Changing one commented out entry to another commented out entry is still a commented out entry. (Although it should wake up the admin that they need to merge files if they modified it. But I all too often see local admins simply keep their previous version of files without merging. Look at all of the people with trouble after the sudo secure_path change for examples.)

Almost the same thing for the local-ssl file. It isn't commented out there but there isn't any enabling symlink to it. But if it is enabled then a package upgrade would change the cipher list. But still using the snakeoil self-signed certificate.

> > Anyone actually setting up SSL for secure public use *must* set a
> > local configuration.
>
> Yes, but the /etc/apache2/mods-available/ssl.conf file does *not* need
> to be modified for that. The configuration concerning the certificate
> and so on is under the /etc/apache2/sites-available directory.

The /etc/apache2/mods-available/ssl.conf doesn't need to be modified by the local admin because the cipher list there is commented out.

Bob
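The distinction the thread turns on is between a directive that is present in a file and one that is actually active: a `#SSLCipherSuite` line in mods-available/ssl.conf changes nothing, and a site file in sites-available is inert until a symlink in sites-enabled points at it. The script below is an added example, not code from the thread or from the Debian apache2 package; it builds a constructed Debian-style layout under a temporary directory (the file contents and the `SSLCipherSuite`/`SSLEngine` directives are ones I have chosen for the demonstration, and the snakeoil path is the Debian ssl-cert package's default) and then reports which directives are really in effect and which modules and sites are really enabled.

```shell
#!/bin/sh
# Added example: tell an active Apache directive from a commented-out one,
# and an enabled Debian mod/site (symlink in *-enabled) from a merely
# available one. Constructed sample layout; not the real /etc/apache2.
set -eu

# Print the value of the first active (non-commented) DIRECTIVE in FILE.
# Exit status 1 when the directive is absent or appears only in comments,
# so a "#SSLCipherSuite ..." line does not count.
active_directive() {
    file=$1
    directive=$2
    value=$(sed -n "s/^[[:space:]]*${directive}[[:space:]]\{1,\}\(.*\)$/\1/p" "$file" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Succeed when NAME is enabled: a symlink in ENABLED_DIR that resolves.
is_enabled() {
    enabled_dir=$1
    name=$2
    [ -L "$enabled_dir/$name" ] && [ -e "$enabled_dir/$name" ]
}

# Build a constructed Debian-like tree and print its root directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mods-available" "$root/mods-enabled" \
             "$root/sites-available" "$root/sites-enabled"
    # Constructed ssl.conf: SSLProtocol active, SSLCipherSuite only in a comment.
    cat > "$root/mods-available/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3
    #SSLCipherSuite HIGH:!aNULL
</IfModule>
EOF
    : > "$root/mods-available/ssl.load"
    # mod_ssl is enabled: both files are linked into mods-enabled.
    ln -s ../mods-available/ssl.load "$root/mods-enabled/ssl.load"
    ln -s ../mods-available/ssl.conf "$root/mods-enabled/ssl.conf"
    # The SSL site is available but not enabled: no symlink in sites-enabled.
    # Certificate path is the Debian ssl-cert package's snakeoil default.
    cat > "$root/sites-available/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>
EOF
    printf '%s\n' "$root"
}

main() {
    root=$(make_demo_tree)
    f="$root/mods-available/ssl.conf"
    if v=$(active_directive "$f" SSLProtocol); then
        echo "SSLProtocol is active: $v"
    fi
    if ! active_directive "$f" SSLCipherSuite >/dev/null; then
        echo "SSLCipherSuite appears only commented out: no package default is in effect"
    fi
    is_enabled "$root/mods-enabled" ssl.load && echo "mod_ssl is enabled"
    is_enabled "$root/sites-enabled" default-ssl.conf \
        || echo "default-ssl site is available but not enabled (no symlink)"
    rm -rf "$root"
}

main "$@"
```

Pointing `active_directive` at a real `/etc/apache2/mods-available/ssl.conf` after a package upgrade is a quick way to see whether the shipped cipher and protocol lines are live or, as in the thread, still commented out and therefore the local admin's responsibility.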