Opened 3 years ago

Closed 2 years ago

#29 closed defect (fixed)

Disabling SSL3 and TLS1.0 doesn't work

Reported by: frederic massot Owned by: https://id.mayfirst.org/dkg
Priority: major Component: code
Version: 5.10 Keywords:
Cc: frederic.massot@…

Description

Hi,

I tried disabling SSL3 and TLS1.0 without success.

I put the same line "GnuTLSPriorities NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1:!MD5" in:

  • all virtual hosts that use HTTPS,
  • the configuration of GNUTLS (/etc/apache2/mods-available/gnutls.conf),
  • the default-tls file (/etc/apache2/sites-available/default-tls) which I do not use and that is not activated,
  • the apache2.conf file.

I restarted Apache. The result is always the same: SSL3 and TLS 1.0 are still active.

There is a Debian bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754960

Regards.

Change History (4)

comment:1 Changed 3 years ago by frederic massot

  • Version set to 5.10

comment:2 Changed 3 years ago by frederic massot

  • Cc frederic.massot@… added

comment:3 Changed 3 years ago by frederic massot

Hi,

I could disable SSL3 and TLS1.0 with this line in the configuration of virtual hosts:

GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL

If I put this line in the file "/etc/apache2/mods-enabled/gnutls.conf" and not in virtual hosts, Apache will not restart and I have no error message.

I did a test with two virtual hosts using the same IP (SNI); the certificate is a wildcard certificate, and it is used by both virtual hosts. If I put on one of the virtual hosts the line "GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL" and on the other the line "GnuTLSPriorities NORMAL", the second is not taken into account. SSL3 and TLS1.0 are not available for the second.

Regards.

comment:4 Changed 2 years ago by thomas klute

  • Resolution set to fixed
  • Status changed from new to closed

This bug is no longer present as of version 0.7.2 (I assume this was actually fixed in 0.6 but didn't check explicitly). Note that in recent GnuTLS versions SSLv3 is not included in the NORMAL priorities. With two vhosts configured with

GnuTLSPriorities NORMAL:-VERS-TLS1.0

and

GnuTLSPriorities NORMAL

respectively, the first one is not reachable with a client configured to use TLS 1.0 only, while the second one is. Switching the priority strings has the expected effect of reversing the reachability by TLS 1.0.
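As an added illustration (not from the ticket, GnuTLS or mod_gnutls), the following Python models how the VERS- part of the priority strings quoted in this ticket resolves, so a string can be checked for leftover SSL 3.0 / TLS 1.0 before it is deployed. It assumes that NORMAL enables TLS 1.0 to 1.2 (with SSL 3.0 only in older GnuTLS, as the last comment notes), that NONE enables nothing, that '+' adds and '-' or '!' removes, and it ignores cipher, MAC and compression keywords; the authoritative resolution comes from GnuTLS itself (gnutls-cli --list with --priority).

```python
# Added example, not part of the ticket or mod_gnutls: a model of the
# protocol-version component of a GnuTLS priority string.
# Assumptions: only SSL3.0 and TLS1.0-1.2 are modelled; NORMAL enables
# TLS1.0-1.2 (plus SSL3.0 in older GnuTLS, see legacy_normal_ssl3);
# NONE enables nothing; '+' adds, '-' and '!' remove; non-VERS keywords
# (ciphers, MACs, KX, compression) are skipped.

VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")

# Initial keywords and the version baseline assumed for this model.
BASELINES = {
    "NONE": (),
    "NORMAL": ("TLS1.0", "TLS1.1", "TLS1.2"),
}


def enabled_versions(priority, legacy_normal_ssl3=False):
    """Return the set of protocol versions the priority string leaves enabled."""
    tokens = priority.split(":")
    base = tokens[0].upper()
    if base not in BASELINES:
        raise ValueError(f"unknown initial keyword: {base}")
    enabled = set(BASELINES[base])
    if base == "NORMAL" and legacy_normal_ssl3:
        enabled.add("SSL3.0")  # older GnuTLS still had SSL 3.0 in NORMAL
    for tok in tokens[1:]:
        if not tok:
            continue
        op, name = tok[0], tok[1:].upper()
        if op not in "+-!":
            raise ValueError(f"bad modifier token: {tok!r}")
        if not name.startswith("VERS-"):
            continue  # cipher/MAC/KX/compression keyword: not modelled here
        name = name[len("VERS-"):]
        if name == "TLS-ALL":
            targets = set(VERSIONS)
        elif name in VERSIONS:
            targets = {name}
        else:
            raise ValueError(f"unknown version keyword: VERS-{name}")
        if op == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def allows_legacy(priority, **kw):
    """True if the string would still offer SSL 3.0 or TLS 1.0."""
    return bool(enabled_versions(priority, **kw) & {"SSL3.0", "TLS1.0"})
```

Both of the reporter's strings and the NORMAL:-VERS-TLS1.0 form resolve to TLS 1.1 and 1.2 only, so the difference the reporter saw came from how mod_gnutls applied the directive, not from the strings themselves.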
