Bug#951067: apache2: unable to disable TLSv1

2020-02-10 Thread Olaf Zaplinski
Package: apache2
Version: 2.4.38-3+deb10u3
Severity: important

Dear Maintainer,

it is not possible to get rid of TLS v1. This is no duplicate of #925061, I 
think.

What I tried:

removed /etc/letsencrypt/options-ssl-apache.conf, see #950735
edited /etc/apache2/mods-enabled/ssl.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"
edited /etc/apache2/conf-enabled/local.conf: "SSLProtocol -all +TLSv1.3 +TLSv1.2"

Result:
# apache2ctl -t -D DUMP_CONFIG|grep SSLProtocol
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.3 +TLSv1.2
  SSLProtocol all -SSLv2 -SSLv3
Syntax OK

=> something is enabling TLSv1 again after all config files were parsed. So...

# find /etc/apache2/ | xargs grep SSLProtocol
grep: /etc/apache2/: Is a directory
grep: /etc/apache2/mods-enabled: Is a directory
/etc/apache2/mods-enabled/ssl.conf: SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-enabled: Is a directory
grep: /etc/apache2/conf-available: Is a directory
/etc/apache2/conf-available/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/mods-available: Is a directory
/etc/apache2/mods-available/ssl.conf:   SSLProtocol -all +TLSv1.3 +TLSv1.2
grep: /etc/apache2/sites-available: Is a directory
grep: /etc/apache2/conf-enabled: Is a directory
/etc/apache2/conf-enabled/local.conf:SSLProtocol -all +TLSv1.3 +TLSv1.2

=> TLSv1 is re-enabled no matter what the config files say.



-- Package-specific info:

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u3
ii  apache2-data   2.4.38-3+deb10u3
ii  apache2-utils  2.4.38-3+deb10u3
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u2
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  perl                     5.28.1-6
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
pn  www-browser  

Versions of packages apache2 is related to:
ii  apache2  2.4.38-3+deb10u3
ii  apache2-bin  2.4.38-3+deb10u3

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off

/etc/apache2/mods-available/ssl.conf changed:

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide th
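
The DUMP_CONFIG output in the report above lists a third SSLProtocol line that the grep under /etc/apache2 does not find. The following added example (not part of the original report, and not Apache or Debian code) follows Include/IncludeOptional from the main config, including targets outside the server root, and reports each SSLProtocol directive's file, line, enclosing section and any protocols older than TLSv1.2 it leaves enabled. The expansion of "all" and the token handling are this example's model of mod_ssl's left-to-right parsing.

```python
import glob
import os
import re

# Assumption: what "all" expands to for mod_ssl built against OpenSSL 1.1.1.
ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r'^\s*(Include(?:Optional)?|SSLProtocol)\s+"?(.+?)"?\s*$', re.I)
SECTION = re.compile(r"^\s*<(/?)([A-Za-z]+)\s*([^>]*)>")

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    canon = {"all": set(ALL), **{p.lower(): {p} for p in ALL}}
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = canon.get(name.lower(), set())  # names not in ALL (SSLv2) change nothing
        if sign == "+":
            enabled |= members
        elif sign == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled

def find_sslprotocol(conf, server_root, stack=(), seen=None):
    """Follow Include/IncludeOptional from conf; list (file, line, context, legacy protocols)."""
    seen = set() if seen is None else seen
    conf = os.path.realpath(conf)
    if conf in seen or not os.path.isfile(conf):
        return []
    seen.add(conf)
    hits, stack = [], list(stack)
    with open(conf, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            sec, m = SECTION.match(line), DIRECTIVE.match(line)
            if sec and sec.group(1):
                stack = stack[:-1]  # closing tag: leave the section
            elif sec:
                stack.append(f"{sec.group(2)} {sec.group(3)}".strip())
            elif m and m.group(1).lower() == "sslprotocol":
                legacy = sorted(effective_protocols(m.group(2)) & LEGACY)
                hits.append((conf, lineno, " > ".join(stack) or "global", legacy))
            elif m:  # Include: relative paths resolve against the server root
                target = os.path.join(server_root, m.group(2))
                target = os.path.join(target, "*") if os.path.isdir(target) else target
                for path in sorted(glob.glob(target)):
                    hits += find_sslprotocol(path, server_root, stack, seen)
    return hits
```

On a Debian layout it would be called as find_sslprotocol("/etc/apache2/apache2.conf", "/etc/apache2"). A file included more than once is reported only for its first inclusion.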

Bug#928173: .

2019-04-29 Thread Olaf Zaplinski
I did a cross check with Apache 2.4.39 on my FreeBSD box, it is working 
as expected.




Bug#928173: apache2: SSLCipherSuite is ignored

2019-04-29 Thread Olaf Zaplinski
Package: apache2
Version: 2.4.25-3+deb9u7
Severity: normal


Dear Maintainer,

I have set
SSLCipherSuite "-ALL ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 
ECDHE-ECDSA-AES256-GCM-SHA384"
in mods-enabled/ssl.conf

SSLProtocol is not defined anywhere. SSLCipherSuite is only defined here.

According to the Qualys SSL Labs test, non-defined ciphers are being used, e.g. 
ECDHE-RSA-AES128-GCM-SHA256

Expectation: only the three defined ciphers are being used.


-- Package-specific info:

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.25-3+deb9u7
ii  apache2-data         2.4.25-3+deb9u7
ii  apache2-utils        2.4.25-3+deb9u7
ii  dpkg                 1.18.25
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  mime-support         3.60
ii  perl                 5.24.1-3+deb9u5
ii  procps               2:3.3.12-3+deb9u1

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]  0.5.3-34+deb9u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-5
ii  libaprutil1              1.5.4-3
ii  libaprutil1-dbd-sqlite3  1.5.4-3
ii  libaprutil1-ldap         1.5.4-3
ii  libc6                    2.24-11+deb9u4
ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u2
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.18.1-1
ii  libpcre3                 2:8.39-3
ii  libssl1.0.2              1.0.2r-1~deb9u1
ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
ii  perl                     5.24.1-3+deb9u5
ii  zlib1g                   1:1.2.8.dfsg-5

Versions of packages apache2-bin suggests:
pn  apache2-doc  
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  w3m [www-browser]  0.5.3-34+deb9u1

Versions of packages apache2 is related to:
ii  apache2  2.4.25-3+deb9u7
ii  apache2-bin  2.4.25-3+deb9u7

-- Configuration Files:
/etc/apache2/conf-available/localized-error-pages.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/deflate.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information



Bug#690232: apache2: Apache2 listens on tcp6 only

2012-10-20 Thread Olaf Zaplinski

On 20.10.2012 01:09, Arno Töll wrote:

tags 690232 +moreingo
thanks


On 11.10.2012 14:50, Olaf Zaplinski wrote:

funny is: I disabled IPv6, now everything works as expected.


Frankly, neither Stefan nor I have a clear understanding of where and how
this would be a bug. We're aware of a similar-sounding issue recorded as PR
52709 upstream [1] but that's fixed in Wheezy already.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=52709



I just checked another host that is working fine on IPv6 and IPv4. No 
idea what was wrong on the 1st host. Please close this bug, and sorry 
for the noise.


Olaf


--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50824b4b.7090...@zaplinski.de



Bug#690232: apache2: Apache2 listens on tcp6 only

2012-10-11 Thread Olaf Zaplinski
Hi,

funny is: I disabled IPv6, now everything works as expected.

Olaf


--
Archive: http://lists.debian.org/4e7be027ab78b0ecb33bb9908941625c@localhost



Bug#690232: apache2: Apache2 listens on tcp6 only

2012-10-11 Thread Olaf Zaplinski
Package: apache2.2-common
Version: 2.2.16-6+squeeze8
Severity: normal



-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env mime
  negotiation php5 reqtimeout setenvif status
List of enabled php5 extensions:
  mysql mysqli pdo pdo_mysql suhosin

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.16-6+squeeze8  Apache HTTP Server - traditional n
ii  apache2.2-common     2.2.16-6+squeeze8  Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.16-6+squeeze8  utility programs for webservers
ii  apache2.2-bin  2.2.16-6+squeeze8  Apache HTTP Server common binary f
ii  libmagic1      5.04-5+squeeze2    File type determination library us
ii  lsb-base       3.2-23.2squeeze1   Linux Standard Base 3.2 init scrip
ii  mime-support   3.48-1             MIME files 'mime.types' & 'mailcap
ii  perl           5.10.1-17squeeze3  Larry Wall's Practical Extraction
ii  procps         1:3.2.8-9squeeze1  /proc file system utilities

-- no debconf information



after restarting apache2, I see:

# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1415/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      7985/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5908/mysqld
tcp        0      0 10.52.152.164:22        10.52.81.146:49538      ESTABLISHED 1433/0
tcp        0      0 10.52.152.164:22        10.52.81.146:50363      ESTABLISHED 10488/2
tcp        0      0 10.52.152.164:22        10.52.81.146:49909      ESTABLISHED 4229/1
tcp6       0      0 :::80                   :::*                    LISTEN      10525/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1415/sshd

ports.conf is default:
NameVirtualHost *:80
Listen 80


So I did a
"echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf &&
reboot" with the following result:

# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1249/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1521/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1655/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1489/mysqld
tcp        0     52 10.52.152.164:22        10.52.81.146:50385      ESTABLISHED 1742/0


--
Archive: http://lists.debian.org/e75d39bad48455084ee47d614aadabbf@localhost



Bug#378737: strange virtual server config for default server

2006-07-18 Thread Olaf Zaplinski

Package: apache2
Version: 2.0.54-5

In /etc/apache2/sites-enabled/000-default I defined:

# global options for all virtual servers:
ServerSignature Email
ServerTokens ProductOnly


NameVirtualHost 62.206.102.82:80

[snip]
AddType application/x-x509-ca-cert .der
AddType application/x-pkcs7-crl .crl




This works fine as long as I use the URL
http://62.206.102.82/ca.der
because Firefox tells me that this certificate would exist.

But when I use a FQDN that is not defined as a virtual server, Firefox wants 
to download ca.der. The behaviour should be the same as with the IP address, 
as 000-default is the valid config for all requests that are not defined as 
virtual server.






Bug#315847: .htaccess is ignored

2005-06-26 Thread Olaf Zaplinski

Package: apache2
Version: 2.0.54-4
Severity: grave


I just upgraded from my self-compiled apache1 to Debian's apache2. Now 
.htaccess directives are ignored.



my sites-available/default:

NameVirtualHost *

ServerAdmin [EMAIL PROTECTED]

DocumentRoot /var/www/

Options Indexes FollowSymLinks MultiViews
AllowOverride None

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all


AccessFileName .htaccess

Options none
AllowOverride AuthConfig


ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"

Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128





But if I browse to http://[ip address]/logs, I am not asked for a 
password. apache1 worked fine. Of course I have a .htaccess file in 
/var/www/logs:


AuthUserFile /etc/httpd/htpasswd
AuthName Logs
AuthType Basic

require user olaf


I even re-created /etc/httpd/htpasswd. "apache2ctl -l" says:

Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  mod_logio.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_negotiation.c
  mod_dir.c
  mod_alias.c
  mod_so.c

