Opened 8 years ago

Closed 7 years ago

#29 closed defect (fixed)

Disabling SSL3 and TLS1.0 doesn't work

Reported by: Frederic Massot Owned by: Daniel Kahn Gillmor
Priority: major Component: code
Version: 5.10 Keywords:
Cc: frederic.massot@…



I tried disabling SSL3 and TLS1.0 without success.

I put the same line "GnuTLSPriorities

  • all virtual hosts that use HTTPS,
  • the configuration of GNUTLS (/etc/apache2/mods-available/gnutls.conf),
  • the default-tls file (/etc/apache2/sites-available/default-tls) which I do not use and that is not activated,
  • the apache2.conf file.

I restarted Apache. The result is always the same: SSL3 and TLS 1.0 are still active.

There is a Debian bug report:


Change History (4)

comment:1 Changed 8 years ago by Frederic Massot

Version: 5.10

comment:2 Changed 8 years ago by Frederic Massot

Cc: frederic.massot@… added

comment:3 Changed 8 years ago by Frederic Massot


I could disable SSL3 and TLS1.0 with this line in the configuration of virtual hosts:


If I put this line in the file "/etc/apache2/mods-enabled/gnutls.conf" and not in virtual hosts, Apache will not restart and I have no error message.

I did a test with two virtual hosts using the same IP (SNI); the certificate is of wildcard type and is used by both virtual hosts. If I put on one of the virtual hosts the line "GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL" and on the other the line "GnuTLSPriorities NORMAL", the second is not taken into account. SSL3 and TLS1.0 are not available for the second.


comment:4 Changed 7 years ago by Thomas Klute

Resolution: fixed
Status: new → closed

This bug is no longer present as of version 0.7.2 (I assume this was actually fixed in 0.6 but didn't check explicitly). Note that in recent GnuTLS versions SSLv3 is not included in the NORMAL priorities. With two vhosts configured with

GnuTLSPriorities NORMAL:-VERS-TLS1.0


GnuTLSPriorities NORMAL

respectively, the first one is not reachable with a client configured to use TLS 1.0 only, while the second one is. Switching the priority strings has the expected effect of reversing the reachability by TLS 1.0.
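The following Python script is an added example, not code from this ticket or from mod_gnutls. It models how the GnuTLS priority strings quoted in comment:3 and comment:4 add and remove protocol versions, so a reader can predict which vhost a TLS 1.0-only client should reach before testing it. The model is an assumption-laden simplification: it only tracks the four VERS-* keywords named on the page, treats NORMAL as TLS 1.0 through 1.2 (SSLv3 excluded, as comment:4 states for recent GnuTLS), and ignores cipher, MAC, key-exchange and compression keywords. The `probe_argv` helper is mine; it only assembles a `gnutls-cli --priority ...` command line of the kind used to test one version at a time and does not run it.

```python
"""Model of the GnuTLS priority strings from this ticket (protocol versions only)."""

# Protocol versions discussed in the ticket, in ascending order. Constructed
# subset: real GnuTLS also knows TLS1.3, DTLS and others, which are ignored here.
VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2")

# Version sets implied by the two initial keywords the ticket uses. Assumption:
# NORMAL excludes SSLv3, as comment:4 states for recent GnuTLS releases.
BASELINES = {
    "NONE": frozenset(),
    "NORMAL": frozenset({"VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"}),
}


def enabled_versions(priority):
    """Return the protocol versions a GnuTLS priority string leaves enabled.

    Only VERS-* keywords are modelled; cipher, MAC, key-exchange and
    compression keywords (AES-128-CBC, RSA, SHA1, COMP-NULL, ...) are skipped.
    Both '-' and '!' remove a keyword, as in GnuTLS.
    """
    tokens = priority.split(":")
    if tokens[0] not in BASELINES:
        raise ValueError(f"unsupported initial keyword: {tokens[0]!r}")
    enabled = set(BASELINES[tokens[0]])
    for tok in tokens[1:]:
        if not tok:
            continue
        op, name = tok[0], tok[1:]
        if op not in "+-!":
            raise ValueError(f"keyword without +/-/! prefix: {tok!r}")
        if not name.startswith("VERS-"):
            continue  # outside this model
        if name == "VERS-ALL":
            targets = set(VERSIONS)
        elif name == "VERS-TLS-ALL":
            targets = {v for v in VERSIONS if v.startswith("VERS-TLS")}
        elif name in VERSIONS:
            targets = {name}
        else:
            raise ValueError(f"unknown protocol keyword: {name!r}")
        if op == "+":
            enabled |= targets
        else:
            enabled -= targets
    return [v for v in VERSIONS if v in enabled]


def reachable(server_priority, client_priority):
    """True when server and client share at least one enabled protocol version."""
    shared = set(enabled_versions(server_priority)) & set(enabled_versions(client_priority))
    return bool(shared)


def probe_argv(host, version, port=443):
    """Build a gnutls-cli command line that offers exactly one protocol version.

    gnutls-cli and its --priority/--port options are the real tool's; the
    string 'NORMAL:-VERS-ALL:+<version>' restricts the client to one version,
    which is the kind of single-version client comment:4 describes.
    """
    if version not in VERSIONS:
        raise ValueError(f"unknown protocol keyword: {version!r}")
    return ["gnutls-cli", "--port", str(port),
            "--priority", f"NORMAL:-VERS-ALL:+{version}", host]


if __name__ == "__main__":
    # Priority strings taken from comment:3 and comment:4 of the ticket.
    strict = ("NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
              ":+AES-128-CBC:+RSA:+SHA1:+COMP-NULL")
    for p in (strict, "NORMAL:-VERS-TLS1.0", "NORMAL"):
        print(f"{p} -> {enabled_versions(p)}")
    tls10_only = "NORMAL:-VERS-ALL:+VERS-TLS1.0"
    print("TLS1.0-only client reaches NORMAL:-VERS-TLS1.0 vhost:",
          reachable("NORMAL:-VERS-TLS1.0", tls10_only))
    print("TLS1.0-only client reaches NORMAL vhost:",
          reachable("NORMAL", tls10_only))
    # "vhost.example" is a placeholder host name.
    print(" ".join(probe_argv("vhost.example", "VERS-TLS1.0")))
```

Running the script reproduces comment:4's outcome in the model: the `NORMAL:-VERS-TLS1.0` vhost is unreachable for a TLS 1.0-only client while the `NORMAL` vhost is reachable, and the comment:3 string resolves to TLS 1.1 and 1.2 only. Invalid keywords raise `ValueError`, which is the behaviour to check for when a priority string seems to be silently ignored.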
