Opened 8 years ago
Closed 7 years ago
#29 closed defect (fixed)
Disabling SSL3 and TLS1.0 doesn't work
Reported by: | Frederic Massot | Owned by: | Daniel Kahn Gillmor |
---|---|---|---|
Priority: | major | Component: | code |
Version: | 5.10 | Keywords: | |
Cc: | frederic.massot@… |
Description
Hi,
I tried disabling SSL3 and TLS1.0 without success.
I put the same line "GnuTLSPriorities NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1:!MD5" in:
- all virtual hosts that use HTTPS,
- the configuration of GNUTLS (/etc/apache2/mods-available/gnutls.conf),
- the default-tls file (/etc/apache2/sites-available/default-tls) which I do not use and that is not activated,
- the apache2.conf file.
I restarted Apache. The result is always the same: SSL3 and TLS 1.0 are still active.
There is a Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754960
Regards.
Change History (4)
comment:1 Changed 8 years ago by
Version: → 5.10
comment:2 Changed 8 years ago by
Cc: frederic.massot@… added
comment:3 Changed 8 years ago by
Hi,
I could disable SSL3 and TLS1.0 with this line in the configuration of the virtual hosts:
GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL
If I put this line in the file "/etc/apache2/mods-enabled/gnutls.conf" and not in the virtual hosts, Apache will not restart and I have no error message.
I did a test with two virtual hosts using the same IP (SNI); the certificate is a wildcard type and is used by both virtual hosts. If I put the line "GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL" on one of the virtual hosts and the line "GnuTLSPriorities NORMAL" on the other, the second is not taken into account. SSL3 and TLS1.0 are not available for the second.
Regards.
comment:4 Changed 7 years ago by
Resolution: → fixed
Status: new → closed
This bug is no longer present as of version 0.7.2 (I assume this was actually fixed in 0.6 but didn't check explicitly). Note that in recent GnuTLS versions SSLv3 is not included in the NORMAL priorities. With two vhosts configured with
GnuTLSPriorities NORMAL:-VERS-TLS1.0
and
GnuTLSPriorities NORMAL
respectively, the first one is not reachable with a client configured to use TLS 1.0 only, while the second one is. Switching the priority strings has the expected effect of reversing the reachability by TLS 1.0.
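The priority strings on this ticket (the reporter's NORMAL:!VERS-... and NONE:+VERS-... lines, and the NORMAL:-VERS-TLS1.0 vhost test in comment:4) differ only in which VERS-* keywords survive the left-to-right +/-/! processing, which is easy to get wrong by eye. The following Python is an added illustration, not code from mod_gnutls or GnuTLS: a deliberately simplified evaluator that interprets only the protocol-version keywords, plus a reachability check mirroring the TLS-1.0-only client test. The NORMAL version set and the VERS-ALL / VERS-TLS-ALL groups are assumptions about a recent GnuTLS release, where SSL 3.0 is no longer part of NORMAL.

```python
# Simplified model of the GnuTLS priority-string grammar: only VERS-* keywords
# are interpreted; cipher, MAC, key-exchange, compression and %option tokens
# are accepted but ignored. Added illustration, not mod_gnutls/GnuTLS code.

# Listed in the order used for output.
TLS_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1",
                "VERS-TLS1.2", "VERS-TLS1.3")

# Assumption: a recent GnuTLS, where NORMAL no longer contains SSL 3.0 (as
# comment:4 notes) but does contain every TLS version; NONE starts empty.
INITIAL_SETS = {
    "NONE": frozenset(),
    "NORMAL": frozenset(TLS_VERSIONS[1:]),
}

# Group keywords; assumed to cover every version this model knows about.
VERSION_GROUPS = {
    "VERS-ALL": frozenset(TLS_VERSIONS),
    "VERS-TLS-ALL": frozenset(TLS_VERSIONS),
}


def enabled_versions(priority: str) -> list[str]:
    """Apply the +/-/! tokens left to right; return the versions left enabled."""
    head, *rest = priority.strip().split(":")
    if head not in INITIAL_SETS:
        raise ValueError(f"initial keyword {head!r} is not modelled here")
    enabled = set(INITIAL_SETS[head])
    for tok in rest:
        if not tok:
            raise ValueError("empty token (doubled or trailing ':')")
        if tok[0] == "%":            # %SERVER_PRECEDENCE and similar options
            continue
        op, name = tok[0], tok[1:]
        if op not in "+-!":          # '!' and '-' both remove an algorithm
            raise ValueError(f"token {tok!r} must start with +, - or !")
        if not name.startswith("VERS-"):
            continue                 # ciphers, MACs, KX, COMP-*: out of scope
        targets = VERSION_GROUPS.get(name, frozenset({name}))
        if not targets <= set(TLS_VERSIONS):
            raise ValueError(f"unknown protocol keyword {name!r}")
        enabled = enabled | targets if op == "+" else enabled - targets
    return [v for v in TLS_VERSIONS if v in enabled]


def reachable(server_priority: str, client_priority: str) -> bool:
    """True when server and client share an enabled version (comment:4's test)."""
    return bool(set(enabled_versions(server_priority))
                & set(enabled_versions(client_priority)))
```

Running the reporter's two strings through enabled_versions shows why both disable SSL3 and TLS 1.0, and why the NONE form additionally drops TLS 1.3 unless it is added explicitly.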