Launchpad has imported 20 comments from the remote bug at
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2017-02-16T15:15:34+00:00 David Favor wrote:

Changes in SSLProtocol seem to be ignored.

This can be observed in all SSL testers I've used.

The testssl script provides an easy way to check this, without having to
wait for minutes (like SSLLabs) for output.

Problem can be shown via...

testssl --protocols https://davidfavor.com/

Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.

My goal == disable TLS 1.0 for some of my hosting clients who have PCI
requirements for this level of TLS to be disabled.

None of these permutations work. In fact, I can't find any SSLProtocol
setting which changes protocols at all. In all cases SSL2 + SSL3 are
disabled + all TLS versions are enabled.

Settings tried, that fail to disable TLSv1...

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/1

------------------------------------------------------------------------
On 2017-02-16T15:41:44+00:00 David Favor wrote:

Setting SSLProtocol to -all produces expected behavior, which is an
error about no protocols.

This suggests the problem relates to setting TLSv1.2, which incorrectly
seems to also enable TLSv1.1 + TLSv1.0 so maybe this is the real
problem.

The following also fail disabling TLSv1.

# SSLProtocol all -SSLv2 -SSLv3 +TLSv1.2 -TLSv1
# SSLProtocol -all +TLSv1.2 -TLSv1

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/3

------------------------------------------------------------------------
On 2017-02-16T15:43:48+00:00 David Favor wrote:

The following also works oddly.

SSLProtocol -all +TLSv1

This enables TLS 1.0 + 1.1 + 1.2 rather than just 1.0 as expected.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/4
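Whether the three observations above follow from the directive's own rules can be checked by evaluating the token list the way mod_ssl does. The script below is an added example for this thread, not code from the httpd project or from any commenter. It implements the documented SSLProtocol semantics (`+` adds a protocol, `-` removes it, a bare name replaces what came before and httpd warns that a prefix may be missing, `all` expands to every protocol the build supports); its SSLv2 handling is an approximation, since 2.4 no longer has SSLv2 and only tolerates the token with a `-`. By those rules `-all +TLSv1` yields TLS 1.0 alone and `all -SSLv2 -SSLv3 -TLSv1` yields TLS 1.1 and 1.2, so a tester that still reports TLS 1.0 is pointing at something outside this one line: another SSLProtocol directive winning later in the same context, or, in httpd releases before 2.4.42 with OpenSSL older than 1.1.1, the fact that the protocol range offered on an address:port was taken from the first virtual host configured for it, not from the vhost whose name the client sent.

```python
"""Work out which protocols an Apache mod_ssl SSLProtocol line actually enables.

Added example modelled on the token rules of httpd 2.4's SSLProtocol parser:
tokens are processed left to right, '+name' adds a protocol, '-name' removes
it, and a bare 'name' REPLACES everything accumulated so far (httpd warns that
a +/- prefix may be missing when a bare token overrides earlier ones). 'all'
stands for every protocol the build knows. The SSLv2 handling is an
approximation: 2.4 dropped SSLv2, so '-SSLv2' is a harmless no-op and any
attempt to enable it is rejected.
"""

# Protocols known to a 2.4.25-era build with OpenSSL 1.0.2; newer builds add TLSv1.3.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def evaluate_sslprotocol(directive, supported=ALL_PROTOCOLS):
    """Return (enabled_protocols, warnings) for one SSLProtocol directive.

    `directive` may or may not start with the word SSLProtocol. Matching is
    case-insensitive, as in httpd. Unknown tokens raise ValueError, mirroring a
    configuration error at startup.
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    by_lower = {p.lower(): p for p in supported}
    enabled = set()
    warnings = []
    for tok in tokens:
        action, word = "", tok
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            chosen = set(supported)
        elif key == "sslv2":
            if action == "-":
                continue  # removing a protocol the build never had changes nothing
            raise ValueError("SSLv2 cannot be enabled in httpd 2.4")
        elif key in by_lower:
            chosen = {by_lower[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            # A bare token does not add to the set: it replaces it.
            if enabled:
                warnings.append(
                    f"{word!r} overrides protocols set by earlier tokens; missing +/- prefix?")
            enabled = set(chosen)
    ordered = tuple(p for p in supported if p in enabled)
    if not ordered:
        warnings.append("no protocols left enabled; httpd refuses to start with an empty set")
    return ordered, warnings


if __name__ == "__main__":
    # The directives tried in the thread, plus one showing the bare-token override trap.
    for line in (
        "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
        "SSLProtocol -All TLSv1.2",
        "SSLProtocol all -SSLv2 -SSLv3 -TLSv1",
        "SSLProtocol -all +TLSv1.2",
        "SSLProtocol TLSv1.2 -TLSv1",
        "SSLProtocol -all +TLSv1",
        "SSLProtocol -all",
        "SSLProtocol TLSv1.2 TLSv1.1",
    ):
        protocols, warns = evaluate_sslprotocol(line)
        print(f"{line:45} -> {', '.join(protocols) or '(none)'}")
        for w in warns:
            print(f"{'':45}    warning: {w}")
```

The last sample line is the trap worth remembering when reading a config: `SSLProtocol TLSv1.2 TLSv1.1` does not enable both, it leaves only TLSv1.1, because the second bare token replaces the first.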

------------------------------------------------------------------------
On 2017-02-26T15:56:08+00:00 David Favor wrote:

This seems to have changed somewhere between 2.4.18 + 2.4.23, as setting
SSLProtocol used to be honored.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/7

------------------------------------------------------------------------
On 2017-02-27T15:04:56+00:00 David Favor wrote:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151 - related
Ubuntu bug ticket.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/8

------------------------------------------------------------------------
On 2017-03-14T17:23:49+00:00 Apache-bugzilla wrote:

I have tested this with Apache 2.4.25 and OpenSSL 1.0.2k, with global
settings and also with virtual host settings.

It works for me. For example, with "SSLProtocol -All +TLSv1.1 +TLSv1.2",
TLS 1.0 is not possible, TLS 1.1 and TLS 1.2 are possible.

Could you please provide a minimal, stand-alone Apache configuration
that shows the problem?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/10

------------------------------------------------------------------------
On 2017-03-16T11:36:54+00:00 David Favor wrote:

The problem seems to be an interaction between the Cipher List +
SSLProtocol.

Depending on the setting of the Cipher List, SSLProtocol seems to work or be
ignored.

These settings disable TLSv1.0

# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

# Force using custom cipher list
SSLHonorCipherOrder on

Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}

Other sslCiphers settings cause SSLProtocol to be ignored.

I think the fix is either to have SSLProtocol cause a prune of
sslCiphers settings or if there's a conflict between SSLProtocol +
sslCiphers then have some sort of warning about the conflict.

All in all, the problem is far more complex than it appears on the
surface.

For now, I'll resolve my situation by using the above settings.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/11

------------------------------------------------------------------------
On 2017-03-16T12:48:42+00:00 Covener-0 wrote:

(In reply to David Favor from comment #6)
> The problem seems to be an interaction between the Cipher List + SSLProtocol.
> 
> Depending on setting of Cipher List SSLProtocol seems to work or be ignored.
> 
> These settings disable TLSv1.0
> 
> # support old Android phones
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1
> 
> # Force using custom cipher list
> SSLHonorCipherOrder on
> 
> Define sslCiphers
> -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!
> LOW
> Define sslCiphers
> ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
> AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-
> SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
> SSLCipherSuite ${sslCiphers}
> 
> Other sslCiphers settings cause SSLProtocol to be ignored.
> 

Can you share a specific pair with unexpected results?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/12

------------------------------------------------------------------------
On 2017-04-03T16:22:30+00:00 Martin PANEL wrote:

I have a similar issue. Whatever I set in SSLProtocol, it's ignored.

apache2ctl -v
Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28

openssl version
OpenSSL 1.0.1t  3 May 2016

If I use the settings provided by David Favor:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA

I got only TLSv1.2 enabled, not TLSv1.1.

I could find a way to activate TLSv1.1, with or without TLSv1. All the
time, only TLSv1.2 (I tried a lot of different ciphers suite).

Note that if I try with the openssl s_server command, all is working as
expected.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/13

------------------------------------------------------------------------
On 2017-04-03T16:39:18+00:00 Martin PANEL wrote:

Fix:
> I CANNOT find a way to activate TLSv1.1, with or without TLSv1. All the time, 
> only TLSv1.2 (I tried a lot of different ciphers suite).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/14

------------------------------------------------------------------------
On 2017-04-03T16:52:57+00:00 David Favor wrote:

Per my other comment above, it appears SSLProtocol is strongly affected
by the SSLCipherSuite list.

This means SSLProtocol may or may not have any effect, based on
SSLCipherSuite list.

Likely this is a complex fix, which might be accomplished by...

1) process SSLCipherSuite

2) then remove any SSLCipherSuite ciphers based on the SSLProtocol setting

Simple to describe. Complex to implement.

Another solution might be to just deprecate the SSLProtocol setting.

This would mean SSLCipherSuite determines protocol selection, which
appears to be what's actually occurring.

This would involve removing all code related to SSLProtocol processing
+ updating documentation for SSLCipherSuite, saying protocols set derive
from the SSLCipherSuite list provided.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/15

------------------------------------------------------------------------
On 2017-04-03T17:06:44+00:00 Martin PANEL wrote:

The SSLCipherSuite seems to have no effect on the protocol on my side.
Whatever I put:

SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5
or
SSLCipherSuite ALL
or
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

I got no changes in protocol, only TLSv1.2 is enabled.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/16

------------------------------------------------------------------------
On 2017-04-03T18:46:54+00:00 Jchampion wrote:

I'm also unable to reproduce. httpd 2.4.25, OpenSSL 1.0.2g -- the
protocols are honored correctly with the example ciphersuite lines that
have been given in this bug.

For those who can repro: can you please provide the exact set of
configuration directives that reproduces the issue?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/17

------------------------------------------------------------------------
On 2017-04-04T17:35:31+00:00 Martin PANEL wrote:

Well, my bad... After trying to reproduce it on a dockerized version, I
found I had a false config hidden.

I confirm that I can use TLSv1.1 as well as TLSv1.2 with this simple config:
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite HIGH:!aNULL

Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28
OpenSSL 1.0.1t  3 May 2016

@David Favor : I'm not able to reproduce the issue (having TLS activated
depends on ciphers). If you have a ciphers list with which you have seen some
protocols disabled, share it with us and I will try.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/18

------------------------------------------------------------------------
On 2018-05-15T15:10:00+00:00 Brad Lanam wrote:

The letsencrypt setup process adds the following line, which
includes SSLProtocol and SSLCipherSuite setup.
Quite annoying as a grep for SSLProtocol will not find it.

    Include /etc/letsencrypt/options-ssl-apache.conf

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/20

------------------------------------------------------------------------
On 2018-05-15T17:09:49+00:00 Wrowe wrote:

The ASF HTTP Server project has nothing to do with letsencrypt
distributed solutions. Comment #14 does not enhance this report.

(This is distinct from mod_md, which is httpd's response for users to
provision letsencrypt certs.)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/21

------------------------------------------------------------------------
On 2018-05-16T14:38:06+00:00 Brad Lanam wrote:

I was not entirely clear.
The letsencrypt configuration that gets installed will override any
SSLProtocol and SSLCipherSuite commands with their config.

I tried to get TLSv1 to turn off for a day before noticing the
additional configuration.

It is likely that other followers of this bug are having issues
configuring TLSv1 due to the letsencrypt override.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/22
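A directive pulled in through an Include is easy to miss with grep, as the comment above says, and a later comment in this thread notes that options-ssl-apache.conf tends to be included from inside the virtual hosts. The script below is an added example, not part of the thread and not certbot's or httpd's own code: it walks an Apache configuration from the main file, follows Include and IncludeOptional (relative paths resolved against the ServerRoot, wildcards expanded in sorted order, directories read file by file, top level only), tracks whether it is inside a <VirtualHost> block, lists every SSLProtocol and SSLCipherSuite it meets with file, line and context, and then reports which occurrence wins in each context (the last one). The mini config tree it writes to a temporary directory is constructed for the demo, and the file it names options-ssl-apache.conf is a stand-in, not the real certbot snippet. Define/${VAR} expansion and containers other than VirtualHost (<IfModule>, <Directory>) are not modelled.

```python
"""List every SSLProtocol / SSLCipherSuite directive an Apache config really loads.

Added example: walks the configuration from the main file, follows Include and
IncludeOptional (relative to ServerRoot, wildcards expanded in sorted order,
directories read file by file), tracks <VirtualHost> context, and reports each
directive with file, line and context. A directive that arrives through
"Include .../options-ssl-apache.conf" is therefore listed next to the one in
the vhost file that it silently overrides.
"""
import glob
import os
import re
import tempfile

WATCHED = {"sslprotocol", "sslciphersuite"}
INCLUDE_RE = re.compile(r"^(includeoptional|include)\s+(\S+)", re.I)
VHOST_OPEN_RE = re.compile(r"^<virtualhost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^</virtualhost>", re.I)


def _expand_include(pattern, server_root):
    """Resolve one Include argument to the ordered list of files httpd would read."""
    path = pattern if os.path.isabs(pattern) else os.path.join(server_root, pattern)
    files = []
    for match in sorted(glob.glob(path)):
        if os.path.isdir(match):
            files.extend(sorted(os.path.join(match, f) for f in os.listdir(match)
                                if os.path.isfile(os.path.join(match, f))))
        else:
            files.append(match)
    return files


def find_tls_directives(conf_path, server_root, context="global", stack=()):
    """Return [(file, lineno, context, directive, value), ...] in processing order."""
    real = os.path.realpath(conf_path)
    if real in stack:  # an include loop; stop rather than recurse forever
        return []
    stack = stack + (real,)
    found = []
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = VHOST_OPEN_RE.match(line)
            if m:
                context = "VirtualHost " + m.group(1).strip()
                continue
            if VHOST_CLOSE_RE.match(line):
                context = "global"
                continue
            m = INCLUDE_RE.match(line)
            if m:  # included files inherit the context of the Include line
                for inc in _expand_include(m.group(2), server_root):
                    found.extend(find_tls_directives(inc, server_root, context, stack))
                continue
            parts = line.split(None, 1)
            if parts[0].lower() in WATCHED:
                found.append((conf_path, lineno, context, parts[0],
                              parts[1] if len(parts) > 1 else ""))
    return found


def effective_settings(found):
    """Within one context the last occurrence of a directive wins; map
    (context, directive) -> (file, lineno, value) of that winner."""
    winners = {}
    for path, lineno, context, directive, value in found:
        winners[(context, directive.lower())] = (path, lineno, value)
    return winners


# Constructed mini config tree for the demo. The options-ssl-apache.conf here is a
# stand-in for a certbot-managed snippet, not a copy of the real file.
DEMO_FILES = {
    "apache2.conf": (
        "# main config: no SSL directives here, so grep finds nothing\n"
        "IncludeOptional sites-enabled/*.conf\n"
    ),
    "sites-enabled/000-default-ssl.conf": (
        "<VirtualHost *:443>\n"
        "    ServerName www.example.test\n"
        "    SSLProtocol all -SSLv3 -TLSv1\n"
        "    SSLCipherSuite HIGH:!aNULL\n"
        "    Include {root}/letsencrypt/options-ssl-apache.conf\n"
        "</VirtualHost>\n"
    ),
    "letsencrypt/options-ssl-apache.conf": (
        "SSLProtocol all -SSLv2 -SSLv3\n"
        "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256\n"
    ),
}


def build_demo_tree():
    """Write DEMO_FILES under a fresh temp dir; return (server_root, main_conf)."""
    root = tempfile.mkdtemp(prefix="httpd-demo-")
    for rel, body in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body.format(root=root))
    return root, os.path.join(root, "apache2.conf")


if __name__ == "__main__":
    root, main_conf = build_demo_tree()
    found = find_tls_directives(main_conf, root)
    for path, lineno, context, directive, value in found:
        print(f"{os.path.relpath(path, root)}:{lineno} [{context}] {directive} {value}")
    for (context, directive), (path, lineno, value) in effective_settings(found).items():
        print(f"effective {directive} in {context}: {value!r} "
              f"(from {os.path.relpath(path, root)}:{lineno})")
```

Run against a real installation as `find_tls_directives("/etc/apache2/apache2.conf", "/etc/apache2")` (or the httpd.conf and ServerRoot of the distribution in question); the "effective" lines are the ones to compare with what a protocol scanner reports.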

------------------------------------------------------------------------
On 2018-08-23T07:36:35+00:00 A-sklepas wrote:

Hi, I can confirm the issue.
I have searched all configs and VHosts, no overrides are made, it should work, but
nmap --script ssl-enum-ciphers -p 443 IP | grep TLSv
returns TLS1.0, TLSv1.1

I also investigated the claims about letsencrypt:
Read this topic:
https://community.letsencrypt.org/t/how-to-disable-tlsv1/49117/4
On some systems the options-ssl-apache.conf seems to be included in the virtual hosts.
"Include /etc/letsencrypt/options-ssl-apache.conf"

Anyway, not in my case, plus I have disabled the options in that file to be certain.
PS. Why are we waiting to fix this one? I do see servers that have disabled TLS1 btw...

My info: Apache/2.4.33

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/23

------------------------------------------------------------------------
On 2018-08-23T11:39:29+00:00 Covener-0 wrote:

(In reply to A.Sklepas from comment #17)
> Hi, i can confirm the issue.
> I have searched all configs and VHosts no overides are made it should work
> but 
> nmap --script ssl-enum-ciphers -p 443 IP | grep TLSv
> returns TLS1.0,  TLSv1.1
> 
> I also investigated the claims about letsencrypt:
> Read this topic:
> https://community.letsencrypt.org/t/how-to-disable-tlsv1/49117/4
> On some systems the options-ssl-apache.conf seems to be included in the
> virtual hosts.
> "Include /etc/letsencrypt/options-ssl-apache.conf"
> 
> Anyway not in my case plus i have disabled the options in that file to be
> certain.
> PS. Why are we waiting to fix this one? I do see servers that have disabled
> TLS1 btw...
> 
> 
> My info: Apache/2.4.33

Show a minimal configuration that does something unexpected if you can.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/24

------------------------------------------------------------------------
On 2018-08-24T08:58:52+00:00 A-sklepas wrote:

Hi, unfortunately I cannot provide a minimal configuration.

I can give you more info, as I ran some more tests on my two CentOS 7 DS.

Server 1:

Apache/2.4.33 (IUS)*
latest CentOS: OpenSSL 1.0.2k
TLS1 & 1.1 cannot be disabled

Server 2:
Server version: Apache/2.4.6 (CentOS)
latest CentOS: OpenSSL 1.0.2k
TLS1 & 1.1 disabled successfully.

I can understand this means an Apache issue. I am not sure if it is somehow an
IUS issue, I will contact them too.
*https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/httpd24u.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151/comments/25

Title:
  Apache ignores disable TLSv1.0
