Package: apache2
Version: 2.4.25-3+deb9u7
Severity: normal

Dear Maintainer,

I have set
SSLCipherSuite "-ALL ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384"
in mods-enabled/ssl.conf

SSLProtocol is not defined anywhere. SSLCipherSuite is only defined here.

According to the Qualys SSL Labs test, non-defined ciphers are being used, e.g. ECDHE-RSA-AES128-GCM-SHA256

Expectation: only the three defined ciphers are being used.

-- Package-specific info:

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u7
ii  apache2-data         2.4.25-3+deb9u7
ii  apache2-utils        2.4.25-3+deb9u7
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u2
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2r-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2      2.4.25-3+deb9u7
ii  apache2-bin  2.4.25-3+deb9u7

-- Configuration Files:
/etc/apache2/conf-available/localized-error-pages.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/deflate.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information
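
One way to check a report like this, as an added example that is not part of the original bug report: expand the quoted SSLCipherSuite value with the local OpenSSL build through Python's `ssl` module and diff it against the suites a scanner saw. The `OBSERVED` list is constructed sample data (only the AES128 suite is named in the report), and the function names are hypothetical; run it on the server itself so the expansion reflects the OpenSSL build Apache links against.

```python
import ssl

# Directive value exactly as quoted in the report.
CONFIGURED = ("-ALL ECDHE-ECDSA-CHACHA20-POLY1305 "
              "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384")

# Constructed sample of scanner output; only the AES128 entry comes from the report.
OBSERVED = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no cipher at all.
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not governed by this string, so leave them out of the
    # comparison; what remains is what the directive itself allows.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def unexpected(cipher_string, observed):
    """Suites seen on the wire that the cipher string does not select."""
    return sorted(set(observed) - expand(cipher_string))


def unsupported(cipher_string):
    """Listed suite names the local OpenSSL build does not know.

    A name in the directive that the library cannot resolve is silently
    dropped, so the effective list can be shorter than the written one.
    """
    listed = [t for t in cipher_string.split() if not t.startswith(("-", "!", "+"))]
    return sorted(set(listed) - expand(cipher_string))


if __name__ == "__main__":
    print("effective list :", sorted(expand(CONFIGURED)))
    print("dropped names  :", unsupported(CONFIGURED))
    print("not in list    :", unexpected(CONFIGURED, OBSERVED))
```

Any suite printed under "not in list" is being served from somewhere other than this directive value, which narrows the search to another configuration scope or to the scanner's own reporting.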