Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3
Hi,

I could disable SSL3 and TLS1.0 with this line in the configuration of virtual hosts:

    GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL

If I put this line in the file /etc/apache2/mods-enabled/gnutls.conf and not in virtual hosts, Apache will not restart and I have no error message.

I did a test with two virtual hosts using the same IP (SNI); the certificate is wildcard type, it is used by both virtual hosts. If I put on one of the virtual hosts the line

    GnuTLSPriorities NONE:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL

and for the other virtual host the line

    GnuTLSPriorities NORMAL

the second is not taken into account. SSL3 and TLS1.0 are not available for the second.

Regards.

-- 
==
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frede...@juliana-multimedia.com |
| +33.(0)2.97.54.77.94 +33.(0)6.67.19.95.69 |
===Debian=GNU/Linux===

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3
What works¹ for me to disable SSLv3 was to add the following to /etc/apache2/mods-available/gnutls.conf:

    GnuTLSPriorities NONE:!VERS-SSL3.0:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

That should cover not only Poodle but BEAST as well, according to http://www.g-loaded.eu/2011/09/27/mod_gnutls-rc4-cipher-beast/.

 - Jonas

¹ ...or actually only worked - last night I upgraded to Jessie and my Apache setup is currently broken.

-- 
 * Jonas Smedegaard - idealist Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3
Package: libapache2-mod-gnutls
Version: 0.5.10-4
Followup-For: Bug #754960

Dear Maintainer,

With the poodle bug, I tried disabling SSL3 and TLS1.0 of gnutls without success.

I tested a HTTPS test web site with the sslscan command and the site https://www.ssllabs.com/ssltest. I changed the GnuTLSPriorities directive without that changing the test results; it's always the same versions of SSL and TLS in the results. I feel that the GnuTLSPriorities directive has no effect.

I tested:

- GnuTLSPriorities NONE:+AES-128-CBC:+ARCFOUR-128:+RSA:+SHA1:+MD5:+COMP-NULL
- GnuTLSPriorities NONE:+VERS-TLS1.1:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL
- GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC
- GnuTLSPriorities SECURE
- GnuTLSPriorities PERFORMANCE

Every time I restarted Apache, the test results did not change.

Regards.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.10-3
ii  libapr-memcache0                    0.7.0-3
ii  libc6                               2.19-11
ii  libgnutls26                         2.12.23-17

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/gnutls.conf changed:
<IfModule mod_gnutls.c>
    # The default method is to use a DBM backed cache. It's not super fast, but
    # it's portable and doesn't require another server to be running like
    # memcached
    #GnuTLSCache dbm /var/cache/apache2/gnutls_cache

    # mod_gnutls can optionaly use a memcached server to store SSL sessions.
    # This is useful in a cluster environment, where you want all your servers to
    # share a single SSL session cache
    #GnuTLSCache memcache 127.0.0.1 server2.example.com server3.example.com
    GnuTLSCache memcache 127.0.0.1
</IfModule>

-- no debconf information
Bug#754960: libapache2-mod-gnutls: cannot disable SSLv3
Package: libapache2-mod-gnutls
Version: 0.5.10-1.1
Severity: normal

Dear Maintainer,

when I try to disable SSLv3 on one of my virtual name based vhosts with this line:

    GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1

the Qualys SSL Labs test still tells me that my site is offering SSLv3.

Even worse, when I try:

    GnuTLSPriorities -VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1

because then no error is logged at an Apache reload, but my site presents the wrong SSL certificate.

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  libapr-memcache0  0.7.0-1
ii  libc6             2.13-38+deb7u3
ii  libgnutls26       2.12.20-8+deb7u2

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- Configuration Files:
/etc/apache2/sites-available/default-tls changed:
<IfModule mod_gnutls.c>
GnuTLSCache none none
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    GnuTLSEnable On
    # GnuTLSKeyFile /etc/ssl/private/apache-new.key
    # GnuTLSCertificateFile /etc/ssl/certs/tuxfriends.net+cacert.pem
    GnuTLSKeyFile /etc/ssl/private/apache.key
    GnuTLSCertificateFile /etc/ssl/certs/binky.tuxfriends.net.pem
    GnuTLSPriorities NORMAL
</VirtualHost>
</IfModule>

-- no debconf information
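An added example, not from the bug thread or from mod_gnutls/GnuTLS: a small Python checker that reads only the VERS-* tokens of a GnuTLSPriorities value and reports which protocol versions the string itself leaves enabled, so each string quoted in this thread can be judged on its own before trusting an external scanner. It assumes that the default levels of libgnutls26 (NORMAL, SECURE*, PERFORMANCE) all enabled SSL3.0 through TLS1.2, and it rejects a string with no initial keyword instead of guessing a default.

```python
"""Added example: which protocol versions does a GnuTLSPriorities string enable?
Assumption: the default levels of libgnutls26 (NORMAL, SECURE*, PERFORMANCE)
all enabled SSL3.0, TLS1.0, TLS1.1 and TLS1.2; check your libgnutls version."""
import re

ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
DEFAULT_LEVELS = {"NORMAL", "SECURE", "SECURE128", "SECURE192", "SECURE256",
                  "PERFORMANCE"}
VERS_TOKEN = re.compile(r"([+\-!])VERS-(SSL3\.0|TLS1\.[0-2])$")


def enabled_versions(priority):
    """Return the protocol versions left enabled, in the order they were added.

    Only VERS-* tokens matter here; cipher, MAC, key-exchange and compression
    tokens are skipped because they do not change which versions are offered.
    A string with no initial keyword ('-VERS-SSL3.0:...') has no base set to
    subtract from, so it is rejected rather than guessed at.
    """
    tokens = priority.strip().split(":")
    first = tokens[0].upper()
    if first == "NONE":
        enabled = []
    elif first in DEFAULT_LEVELS:
        enabled = list(ALL_VERSIONS)
    else:
        raise ValueError("no initial keyword (NONE/NORMAL/SECURE...): %r" % tokens[0])
    for tok in tokens[1:]:
        m = VERS_TOKEN.match(tok.upper())
        if not m:
            continue
        op, ver = m.groups()
        if op == "+" and ver not in enabled:
            enabled.append(ver)
        elif op in "-!":  # both forms remove the version from the enabled set
            enabled = [v for v in enabled if v != ver]
    return enabled


def lint(priority):
    """Findings for one GnuTLSPriorities value; an empty list means no concern."""
    try:
        enabled = enabled_versions(priority)
    except ValueError as exc:
        return ["error: %s" % exc]
    findings = []
    if not enabled:
        findings.append("no protocol version enabled")
    for old in ("SSL3.0", "TLS1.0"):
        if old in enabled:
            findings.append("%s still enabled" % old)
    return findings
```

Run over the strings quoted in this thread, both the SECURE256:-VERS-SSL3.0 form and the NONE:!VERS-SSL3.0 form come out with SSLv3 disabled, so a scanner that still sees SSLv3 is reporting on how the directive was applied (global file versus vhost, SNI) rather than on the string itself.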