Univention Bugzilla – Bug 54306
unable to harden used TLS protocols without removing TLS 1.3
Last modified: 2022-03-16 15:18:07 CET
Apache/2.4.38 delivered with UCS 5.0 is able to offer TLS 1.3 but will also offer TLS 1.0 and 1.1 by default. It is currently not possible to disable the insecure protocol versions without disabling TLS 1.3 too, because the template /etc/univention/templates/files/etc/apache2/mods-available/ssl.conf doesn't know how to handle "+TLSv1.3".
Added the UCR variable `apache2/ssl/tlsv13=true` to support this in Merge Request: https://git.knut.univention.de/univention/ucs/-/merge_requests/298
TLSv1.3 only is now configurable via the UCR variable `apache2/ssl/tlsv13=true`. The test case 23_apache/20_ssl-protocols has been adjusted to test all possible combinations.
univention-apache.yaml
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3
univention-apache (12.0.1-1)
1ef354994c43 | Bug #54306: re-add Python 2 compatibility
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3
ucs-test (10.0.6-101)
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3
*** Bug 54524 has been marked as a duplicate of this bug. ***
OK: package built
OK: manual installation + test
OK: ucs-test with devel errata
OK: ucs-test with currently released errata (fails as expected)
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x246>
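Added example, not part of this bug report or of Univention's code: a small check that evaluates the Apache `SSLProtocol` lines of a rendered ssl.conf and reports whether TLS 1.0/1.1 (or SSLv3) remain enabled next to TLS 1.3. The sample configuration is constructed, and expanding `all` to every listed protocol is an assumption about the Apache/OpenSSL build.

```python
import re

# Protocol names accepted by Apache's SSLProtocol directive.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def enabled_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            # Assumption: the build supports every protocol in KNOWN.
            selected = set(KNOWN)
        else:
            selected = {p for p in KNOWN if p.lower() == name}
            if not selected:
                raise ValueError(f"unknown protocol token {token!r}")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            # A token without +/- replaces everything set so far.
            enabled = set(selected)
    return enabled

def audit(conf_text):
    """Return (line number, enabled, legacy still enabled) per directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            enabled = enabled_protocols(m.group(1))
            findings.append((no, sorted(enabled), sorted(enabled & LEGACY)))
    return findings

# Constructed sample lines, not taken from the UCS template.
SAMPLE = """\
# constructed ssl.conf fragments
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProtocol -all +TLSv1.3
"""

if __name__ == "__main__":
    for no, enabled, legacy in audit(SAMPLE):
        print(f"line {no}: {enabled} -> {'LEGACY ' + str(legacy) if legacy else 'ok'}")
```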