Univention Bugzilla – Bug 38632
apache2: Make SSLCipherSuite configurable (3.2)
Last modified: 2018-01-18 09:39:56 CET
It would be good to backport the configurability of the SSLCipherSuite option to allow users to mitigate the effects of the Logjam issue.
Note: The option SSLCompression is not yet available in apache 2.2.16-6+squeeze12, so no protection against the "CRIME" MITM attack without backporting the patch from 2.2.22-12. Likewise, the option SSLProtocol doesn't support TLSv1.2 yet in that version.
+++ This bug was initially created as a clone of Bug #37566 +++
It would be useful to allow more configuration options for mod_ssl (it's already a UCR template: /etc/univention/templates/files/etc/apache2/mods-available/ssl.conf)
FYI: Bug #36173 already added options to disable SSLv2 and SSLv3 (r54575,r54554) in UCS-3.2-3
FYI: Apache-2.2 in UCS-3.2 only supports TLSv1.0, not 1.1 or newer!
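As an added illustration (not code from this bug or from Univention), a small Python audit that parses an Apache mod_ssl configuration fragment and flags the settings this bug is about: old SSL protocol versions still enabled, a cipher list that does not exclude export-grade suites (Logjam), server cipher preference not enforced, and TLS compression left on (CRIME). The directive names are Apache's own; the two sample fragments, the hardened cipher string, the "all" expansion and the audit rules are constructed assumptions for the example.

```python
"""Audit an Apache mod_ssl fragment for the weaknesses discussed in this bug.
Added example, not Univention's or Apache's code; sample configs are constructed."""
import re

# Constructed sample: the kind of settings a host ends up with when the
# cipher list is left at OpenSSL's DEFAULT and compression is not disabled.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT
SSLHonorCipherOrder off
SSLCompression on
"""

# Constructed sample of a hardened fragment. The cipher string is an
# illustrative assumption, not the default shipped by the bug's commits.
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!RC4
SSLHonorCipherOrder on
SSLCompression off
"""

DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$")


def parse_ssl_directives(conf: str) -> dict:
    """Return {directive: value} for the last occurrence of each SSL* directive."""
    result = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def enabled_protocols(value: str) -> set:
    """Expand an SSLProtocol value into the set of enabled protocol names.
    Assumption: 'all' means SSLv2, SSLv3 and TLSv1, the versions an Apache 2.2
    build like the one on UCS 3.2 knows about (it has no TLSv1.1/1.2)."""
    enabled = set()
    for tok in value.lower().split():
        if tok == "all":
            enabled |= {"sslv2", "sslv3", "tlsv1"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_ssl_config(conf: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged.
    The cipher checks are heuristic: they look for explicit exclusion tokens
    rather than expanding the cipher string with OpenSSL."""
    d = parse_ssl_directives(conf)
    findings = []

    for old in ("sslv2", "sslv3"):
        if old in enabled_protocols(d.get("SSLProtocol", "all")):
            findings.append(f"SSLProtocol: {old} still enabled")

    # Missing directive falls back to OpenSSL's DEFAULT list (assumption).
    tokens = [t.upper() for t in d.get("SSLCipherSuite", "DEFAULT").split(":")]
    if "!EXP" not in tokens and "!EXPORT" not in tokens:
        findings.append("SSLCipherSuite: export-grade suites not excluded (Logjam)")
    if "!ANULL" not in tokens:
        findings.append("SSLCipherSuite: anonymous (unauthenticated) suites not excluded")

    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder: server cipher preference not enforced")

    # A build without the SSLCompression directive cannot turn compression off,
    # so an absent directive is treated as enabled.
    if d.get("SSLCompression", "on").lower() != "off":
        findings.append("SSLCompression: TLS compression enabled (CRIME)")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ssl_config(conf) or 'no findings'}")
```

Run against the two constructed fragments, the weak one yields five findings and the hardened one none; pointing the script at a rendered ssl.conf is a quick way to confirm that a UCR-generated template actually produced the intended directives.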
r61842 | Bug #38632 Apache: Add UCRVs to configure more SSL options
Add apache2/ssl/ciphersuite and apache2/ssl/honorcipherorder
r61844 | Bug #38632 Apache: Add UCRVs to configure more SSL options YAML
QA: See Bug #27656 for some tests - also work on UCS-3.2-6.
OK: backport from UCS 4
OK: with default settings applied, the ssllabs check for cipher strength improves from 60/100 to 90/100
Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf - but the variable is not evaluated. Probably a remnant from the backport, as apache 2.2 does not support TLS 1.1 as mentioned in comment #1. Please remove the variable from univention-apache.univention-config-registry to avoid confusion.
(In reply to Erik Damrose from comment #2)
> Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf -
r62065 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1
r62066 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1 YAML
OK: removal of apache2/ssl/tlsv11