Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important

Dear Maintainer,
it is not possible to get rid of TLS v1. This is no duplicate of #925061, I think.

What I tried:

  removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
  edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
  edited /etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"

Result:

  # apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
  SSLProtocol -all +TLSv1.3 +TLSv1.2
  SSLProtocol -all +TLSv1.3 +TLSv1.2
  SSLProtocol all -SSLv2 -SSLv3
  Syntax OK

=> something is enabling TLSv1 again after all config files were parsed. So...

  # find /etc/apache2/ | xargs grep SSLProtocol
  grep: /etc/apache2/: Is a directory
  grep: /etc/apache2/mods-enabled: Is a directory
  /etc/apache2/mods-enabled/ssl.conf:	SSLProtocol -all +TLSv1.3 +TLSv1.2
  grep: /etc/apache2/sites-enabled: Is a directory
  grep: /etc/apache2/conf-available: Is a directory
  /etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
  grep: /etc/apache2/mods-available: Is a directory
  /etc/apache2/mods-available/ssl.conf:	SSLProtocol -all +TLSv1.3 +TLSv1.2
  grep: /etc/apache2/sites-available: Is a directory
  grep: /etc/apache2/conf-enabled: Is a directory
  /etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2

=> TLSv1 is re-enabled no matter what the config files say.
-- Package-specific info:

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u2
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  perl                     5.28.1-6
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off

/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
	# Pseudo Random Number Generator (PRNG):
	# Configure one or more sources to seed the PRNG of the SSL library.
	# The seed data should be of good random quality.
	# WARNING! On some platforms /dev/random blocks if not enough entropy
	# is available. This means you then cannot use the /dev/random device
	# because it would lead to very long connection times (as long as
	# it requires to make more entropy available). But usually those
	# platforms additionally provide a /dev/urandom device which doesn't
	# block. So, if available, use this one instead. Read the mod_ssl User
	# Manual for more details.
	#
	SSLRandomSeed startup builtin
	SSLRandomSeed startup file:/dev/urandom 512
	SSLRandomSeed connect builtin
	SSLRandomSeed connect file:/dev/urandom 512

	##
	##  SSL Global Context
	##
	##  All SSL configuration in this context applies both to
	##  the main server and all SSL-enabled virtual hosts.
	##

	#
	#   Some MIME-types for downloading Certificates and CRLs
	#
	AddType application/x-x509-ca-cert .crt
	AddType application/x-pkcs7-crl .crl

	#   Pass Phrase Dialog:
	#   Configure the pass phrase gathering process.
	#   The filtering dialog program (`builtin' is a internal
	#   terminal dialog) has to provide the pass phrase on stdout.
	SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

	#   Inter-Process Session Cache:
	#   Configure the SSL Session Cache: First the mechanism
	#   to use and second the expiring timeout (in seconds).
	#   (The mechanism dbm has known memory leaks and should not be used).
	#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
	SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
	SSLSessionCacheTimeout 300

	#   Semaphore:
	#   Configure the path to the mutual exclusion semaphore the
	#   SSL engine uses internally for inter-process synchronization.
	#   (Disabled by default, the global Mutex directive consolidates by default
	#   this)
	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate. See the
	#   ciphers(1) man page from the openssl package for list of all available
	#   options.
	#   Enable only secure ciphers:
	SSLCipherSuite HIGH:!aNULL

	# SSL server cipher order preference:
	# Use server priorities for cipher algorithm choice.
	# Clients may prefer lower grade encryption. You should enable this
	# option if you want to enforce stronger encryption, and can afford
	# the CPU cost, and did not override SSLCipherSuite in a way that puts
	# insecure ciphers first.
	# Default: Off
	#SSLHonorCipherOrder on

	#   The protocols to enable.
	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
	#   SSL v2 is no longer supported
	SSLProtocol -all +TLSv1.3 +TLSv1.2

	#   Allow insecure renegotiation with clients which do not yet support the
	#   secure renegotiation protocol. Default: Off
	#SSLInsecureRenegotiation on

	#   Whether to forbid non-SNI clients to access name based virtual hosts.
	#   Default: Off
	#SSLStrictSNIVHostCheck On
</IfModule>

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
	ServerName heli.tuxfriends.net
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =heli.tuxfriends.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

-- no debconf information
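The `grep SSLProtocol` over the DUMP_CONFIG output above shows the directive text but not which file each copy came from, and a grep limited to /etc/apache2 cannot find a copy pulled in by an Include from elsewhere. The following script is an added example, not part of the bug report: it parses a DUMP_CONFIG dump (assuming mod_info's "# In file: <path>" and "#   <line>:" comment format), prints every SSLProtocol directive with its origin, and evaluates each one with mod_ssl's left-to-right "+"/"-" rules to flag the one that still leaves TLSv1 enabled. The sample dump and the /etc/EXAMPLE-PLACEHOLDER path are constructed.

```shell
# Constructed sample of `apache2ctl -t -D DUMP_CONFIG` output (not taken from the
# report); the "# In file:" / "#   <line>:" comment format is an assumption.
SAMPLE_DUMP='# In file: /etc/apache2/mods-enabled/ssl.conf
#   70:
SSLProtocol -all +TLSv1.3 +TLSv1.2
# In file: /etc/apache2/conf-enabled/local.conf
#   3:
SSLProtocol -all +TLSv1.3 +TLSv1.2
# In file: /etc/EXAMPLE-PLACEHOLDER/options-ssl-apache.conf
#   12:
SSLProtocol all -SSLv2 -SSLv3
Syntax OK'

# Evaluate an SSLProtocol argument list the way mod_ssl does: tokens apply
# left to right, "+X" adds, "-X" removes, a bare name replaces the set and
# "all" stands for every version. Prints the protocols that remain enabled.
ssl_protocol_effective() {
    printf '%s\n' "$*" | awk '{
        n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", all, " ")
        for (i = 1; i <= NF; i++) {
            tok = $i; mode = substr(tok, 1, 1)
            if (mode == "+" || mode == "-") tok = substr(tok, 2); else mode = "="
            if (mode == "=") for (k in on) delete on[k]
            if (tok == "all") {
                for (j = 1; j <= n; j++) if (mode == "-") delete on[all[j]]; else on[all[j]] = 1
            } else if (mode == "-") delete on[tok]; else on[tok] = 1
        }
        out = ""
        for (j = 1; j <= n; j++) if (all[j] in on) out = out (out == "" ? "" : " ") all[j]
        print out
    }'
}

# Read DUMP_CONFIG text on stdin and print "<file>:<line> <enabled protocols>"
# for every SSLProtocol directive, so a copy living outside /etc/apache2
# (missed by the grep in the report) shows up with its origin.
ssl_protocol_origins() {
    awk '/^# In file: / { file = substr($0, 12); next }
         /^#[ \t]+[0-9]+:/ { line = $2; sub(/:/, "", line); next }
         /^[ \t]*SSLProtocol[ \t]/ { sub(/^[ \t]*SSLProtocol[ \t]+/, ""); print file ":" line "\t" $0 }' |
    while IFS="$(printf '\t')" read -r where args; do
        printf '%s %s\n' "$where" "$(ssl_protocol_effective $args)"
    done
}

# Keep only the directives that still leave TLSv1 or TLSv1.1 enabled.
ssl_protocol_legacy() {
    ssl_protocol_origins | awk '/(^| )TLSv1(\.1)?( |$)/'
}

printf '%s\n' "$SAMPLE_DUMP" | ssl_protocol_legacy
```

On a real host, feed `apache2ctl -t -D DUMP_CONFIG | ssl_protocol_legacy` instead of the sample.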