Good morning,

We installed this update last week on our reverse proxies for our customers.

After the updates were installed, the customer claims that some of their (really,
really old) clients (Win7, Win8.1 with IE11) cannot connect to the reverse proxy
site via HTTPS anymore. After downgrading apache2 back to 2.4.56 they were
able to connect again.

We checked the HTTPS configuration (strict TLS v1.2) and found that the configured
ciphers weren't allowed anymore. Before the update, the ciphers looked like this:
  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 3072 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 3072 bits

After the update:
  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253

So you can see the DHE ciphers were missing. After searching the internet I
found https://bz.apache.org/bugzilla/show_bug.cgi?id=68863.

I didn't try the patch, but the DH tip (putting the DH parameters in the certificate file).
After including the DH parameters in the certificate file the problem was solved.

I think that this patch should be imported into the Debian package? Shall I open
a bug report? I didn't find anything in the debian-apache bug database.

Kind regards,

Andreas Schulz
Enterprise & Cyber Security Managed Security 2
Services DACH - Managed Cloud Services

Fujitsu Services GmbH
Konrad-Zuse-Str. 16, 74172, Neckarsulm, Germany
W https://www.fujitsu-services.com

Management: Robert Roiger, Michael Pries, Marcos Sanchez Urstadt, Lars
Moscherosch
Registered office: München, Deutschland. Register court: Amtsgericht München,
Reg. No. HRB 219577

Further information: https://fujitsu-services.com/impressum
Privacy notice: https://fujitsu-services.com/datenschutz

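The two checks the mail above walks through by hand, diffing the cipher listings from before and after the upgrade and putting DH parameters into the certificate file, as an added example that is not part of the original message or of the Apache or Debian packages. It relies on the documented mod_ssl behaviour that SSLCertificateFile may carry a "DH PARAMETERS" block after the certificate; the file paths and the `openssl dhparam` size are placeholders, and the sslscan-style input format is the one shown in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes:
#   - sslscan-style "Supported Server Cipher(s)" output saved to two text files
#   - a PEM certificate file referenced by SSLCertificateFile
#   - a DH parameter file produced beforehand with, for example,
#       openssl dhparam -out /etc/ssl/private/dhparams.pem 3072
# All paths below are placeholders.

# Print the cipher names that appear in BEFORE but not in AFTER.
# Field 5 of a "Preferred"/"Accepted" line is the cipher name.
# The AFTER file is read first (FNR==NR) to build the lookup table,
# then BEFORE is scanned and every unseen cipher is printed once.
missing_ciphers() {
    before="$1"; after="$2"
    awk '
        FNR == NR { if ($1 == "Preferred" || $1 == "Accepted") after[$5] = 1; next }
        ($1 == "Preferred" || $1 == "Accepted") && !($5 in after) && !seen[$5]++ { print $5 }
    ' "$after" "$before"
}

# Exit 0 if any cipher from the list starts with "DHE-" (i.e. a DHE
# suite was lost across the upgrade, the symptom described in the mail).
lost_dhe() {
    missing_ciphers "$1" "$2" | grep -q '^DHE-'
}

# True if the PEM file already contains a DH PARAMETERS block.
has_dh_params() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Append the DH parameters to the certificate file unless they are already
# there. Idempotent, so it is safe to re-run after every certificate renewal
# (a renewal typically rewrites the file and drops the appended block).
append_dh_params() {
    cert="$1"; dh="$2"
    if has_dh_params "$cert"; then
        return 0
    fi
    # Make sure the certificate ends with a newline before appending.
    [ -z "$(tail -c1 "$cert")" ] || printf '\n' >> "$cert"
    cat "$dh" >> "$cert"
}

# Live check (needs network and openssl): does the server still negotiate a
# DHE suite under TLS 1.2? Not exercised by the offline test.
check_dhe() {
    host="$1"
    openssl s_client -connect "$host:443" -tls1_2 \
        -cipher 'DHE-RSA-AES256-GCM-SHA384' </dev/null 2>/dev/null \
        | grep -q 'Cipher is DHE-RSA-AES256-GCM-SHA384'
}
```

After running `append_dh_params`, reload apache2 and confirm with `check_dhe` (or a fresh sslscan) that the DHE lines are back; `lost_dhe before.txt after.txt` turns the manual comparison from the mail into something a post-upgrade check can fail on.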