[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-03-17 Thread Marc Deslauriers
While apache in Ubuntu 12.04 does support TLSv1.2, it doesn't allow
specifying the configuration options to selectively disable TLSv1.0.

The following commit needs to be backported:
https://svn.apache.org/viewvc?view=revision&revision=1445104


** Package changed: openssl (Ubuntu) => apache2 (Ubuntu)

** Summary changed:

- Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to 
BEAST attack
+ Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1400473

Title:
  Apache 2.2 on Ubuntu 12.04 LTS doesn't allow disabling TLS1.0

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Precise:
  Confirmed

Bug description:
  For PCI compliance, one must not be vulnerable to the POODLE or BEAST
  or CRIME attacks. POODLE suggests removing SSLv2 and SSLv3, and BEAST
  suggests removing TLSv1. However, since TLSv1.1 and TLSv1.2 do not
  seem to be supported by apache 2.2 on 12.04 LTS, and since apache 2.4
  on 12.04 LTS does not support PHP 5.3.X, the last branch to allow PHP
  register_globals, which is required for lots of legacy production code
  often used by sites with payment systems, and since Ubuntu 14.04 LTS
  does not support apache 2.2, and since Ubuntu 10.04 LTS does not
  support SHA256 signed SSL certificates, there may be no feasible way
  for someone to run a credit card processing system with any Ubuntu LTS
  system if they require both PCI compliance and PHP register_globals
  support.

  It looks like manually compiling PHP may be the only plausible way to
  surmount this issue in this particular circumstance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1400473/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
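
The two failures reported in this thread ("No SSL protocols available" and "Illegal protocol 'TLSv1.1'") can be reproduced with a small model of how an SSLProtocol argument list is evaluated left to right. This is an added example, not mod_ssl's code and not something posted to the bug. The token tables for the unpatched and patched builds, and all names in the code, are assumptions inferred from the error messages in the thread and from the requested backport.

```c
#include <stdio.h>
#include <string.h>

/* Protocol bits for this model (hypothetical names, not mod_ssl's). */
enum { P_SSLV2 = 1, P_SSLV3 = 2, P_TLSV1 = 4, P_TLSV1_1 = 8, P_TLSV1_2 = 16 };

struct token { const char *name; unsigned bits; };

/* Assumption: the unpatched 12.04 build accepts only these tokens. */
static const struct token OLD_TOKENS[] = {
    {"SSLv2", P_SSLV2}, {"SSLv3", P_SSLV3}, {"TLSv1", P_TLSV1},
    {"all", P_SSLV2 | P_SSLV3 | P_TLSV1}, {NULL, 0}
};
/* Assumption: the backport adds TLSv1.1/TLSv1.2 and widens "all". */
static const struct token NEW_TOKENS[] = {
    {"SSLv2", P_SSLV2}, {"SSLv3", P_SSLV3}, {"TLSv1", P_TLSV1},
    {"TLSv1.1", P_TLSV1_1}, {"TLSv1.2", P_TLSV1_2},
    {"all", P_SSLV2 | P_SSLV3 | P_TLSV1 | P_TLSV1_1 | P_TLSV1_2}, {NULL, 0}
};

/* Evaluate an SSLProtocol argument string left to right.
 * Returns the enabled-protocol mask, or -1 for an unknown token
 * (the "Illegal protocol" case). A mask of 0 is the
 * "No SSL protocols available" case. */
static int eval_sslprotocol(const struct token *table, const char *args)
{
    char buf[128];
    unsigned mask = 0;
    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *w = strtok(buf, " \t"); w != NULL; w = strtok(NULL, " \t")) {
        char action = 0;
        const struct token *t;
        if (*w == '+' || *w == '-')
            action = *w++;              /* strip the +/- prefix */
        for (t = table; t->name != NULL; t++)
            if (strcmp(t->name, w) == 0)
                break;
        if (t->name == NULL)
            return -1;                  /* token not known to this build */
        if (action == '-')      mask &= ~t->bits;
        else if (action == '+') mask |= t->bits;
        else                    mask = t->bits;  /* bare token replaces the set */
    }
    return (int)mask;
}

int main(void)
{
    /* The first two directives are the ones tried in the thread. */
    const char *cfgs[] = { "all -SSLv2 -SSLv3 -TLSv1", "+TLSv1.1 +TLSv1.2",
                           "all -SSLv2 -SSLv3" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s old=%d new=%d\n", cfgs[i],
               eval_sslprotocol(OLD_TOKENS, cfgs[i]),
               eval_sslprotocol(NEW_TOKENS, cfgs[i]));
    return 0;
}
```

In this model, the only directive the unpatched table evaluates to a non-empty set without SSLv2/SSLv3 is `all -SSLv2 -SSLv3`, which leaves the TLSv1 bit set; that is why TLSv1.0 cannot be switched off without the backport.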


[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-03-17 Thread Marc Deslauriers
** Changed in: openssl (Ubuntu)
   Status: Expired => Confirmed

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-03-17 Thread RedScourge
This should not be considered incomplete now and thus should not have
expired.

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Expired



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-03-14 Thread Launchpad Bug Tracker
[Expired for openssl (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openssl (Ubuntu)
   Status: Incomplete => Expired

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Expired



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-01-13 Thread RedScourge
Tried that just now. I got the following error:

Syntax error on line 29 of /etc/apache2/sites-enabled/{redacted}:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.

Error log did not have more info (probably because it was only a config
test). Even if this worked however it would not likely be acceptable, as
SSLv2 and SSLv3 would need to be disabled for PCI compliance checking,
since their scanners cite them as vulnerable to exploits.

I believe I am using nearly the newest Apache packages, if not the
newest, for 12.04.5 LTS:

root@db3:~# dpkg-query --list apache2*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  apache2        2.2.22-1ubuntu Apache HTTP Server metapackage
un  apache2-common                (no description available)
un  apache2-doc                   (no description available)
un  apache2-mpm                   (no description available)
un  apache2-mpm-ev                (no description available)
un  apache2-mpm-it                (no description available)
ii  apache2-mpm-pr 2.2.22-1ubuntu Apache HTTP Server - traditional non-threade
un  apache2-mpm-wo                (no description available)
un  apache2-suexec                (no description available)
un  apache2-suexec                (no description available)
ii  apache2-utils  2.2.22-1ubuntu utility programs for webservers
ii  apache2.2-bin  2.2.22-1ubuntu Apache HTTP Server common binary files
ii  apache2.2-comm 2.2.22-1ubuntu Apache HTTP Server common files

root@db3:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:        12.04
Codename:       precise

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-01-13 Thread RedScourge
Sorry, the output of dpkg-query was rather inconveniently truncated, I
am in fact using version "2.2.22-1ubuntu1.7" of those packages.

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2015-01-13 Thread Marc Deslauriers
Can you try with:

SSLProtocol +TLSv1.1 +TLSv1.2

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2014-12-09 Thread RedScourge
Sorry for the incomplete details.

The problem is when I set the SSLProtocol parameter in Apache as
follows:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

or:

SSLProtocol TLSv1.1 TLSv1.2

I received the following message in the server logs:

[Mon Dec 08 12:32:38 2014] [error] No SSL protocols available [hint:
SSLProtocol]


This is with version 2.2.22-1ubuntu1.7 installed, of the following
packages:

apache2
apache2-mpm-prefork
apache2-utils
apache2.2-bin
apache2.2-common

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

2014-12-08 Thread Marc Deslauriers
Apache 2.2 on 12.04 LTS does support TLSv1.1 and TLSv1.2 just fine.

Could you describe why you think it's not supported?

** Changed in: openssl (Ubuntu)
   Status: New => Incomplete

-- 

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete
