Disabling SSL3 and TLS1.0 don't work

[Frederic Massot]

Hi,

I tried disabling SSL3 and TLS1.0 without success.

I put the same line "GnuTLSPriorities
NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1:!MD5" in:

• all virtual hosts that use HTTPS,
• the configuration of GNUTLS (/etc/apache2/mods-available/gnutls.conf),
• the default-tls file (/etc/apache2/sites-available/default-tls) which I do not use and that is not activated,
• the apache2.conf file.

I restarted Apache. The result is always the same SSL3 and TLS 1.0 is still active.

There is a Debian bug report:

​https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754960

Regards.

[Frederic Massot]

Hi,

I could disable SSL3 and TLS1.0 with this line in the configuration of virtual hosts:

GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL

If I put this line in the file "/etc/apache2/mods-enabled/gnutls.conf" and not in virtual hosts, Apache will not restart and I have no error message.

I did a test with two virtual hosts using the same IP (SNI), the certificate is wildcard type, it is used by both virtual hosts. If I put on one of the virtual hosts the line "GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL" and the other line "GnuTLSPriorities NORMAL", the second is not taken into account. SSL3 and TLS1.0 are not available for the second.

Regards.

[Thomas Klute]

This bug is no longer present as of version 0.7.2 (I assume this was actually fixed in 0.6 but didn't check explicitly). Note that in recent GnuTLS versions SSLv3 is not included in the NORMAL priorities. With two vhosts configured with

GnuTLSPriorities NORMAL:-VERS-TLS1.0

and

GnuTLSPriorities NORMAL

respectively, the first one is not reachable with a client configured to use TLS 1.0 only, while the second one is. Switching the priority strings has the expected effect of reversing the reachability by TLS 1.0.