Bug 54306 - unable to harden used TLS protocols without removing TLS 1.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 5.0
Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 5.0-1-errata
Assigned To: Florian Best
QA Contact: Sönke Schwardt-Krummrich
https://git.knut.univention.de/univen...
Duplicates: 54524 (view as bug list)
Depends on:
Blocks:
Reported: 2022-01-06 16:06 CET by Dirk Ahrnke
Modified: 2022-03-16 15:18 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Dirk Ahrnke univentionstaff 2022-01-06 16:06:30 CET
Apache/2.4.38 delivered with UCS 5.0 is able to offer TLS 1.3 but will also offer TLS 1.0 and 1.1 by default.
It is currently not possible to disable the insecure protocol versions without disabling TLS 1.3 too, because the template /etc/univention/templates/files/etc/apache2/mods-available/ssl.conf doesn't know how to handle "+TLSv1.3".
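As an added example (not code from UCS, its ssl.conf template, or the merge request referenced in this bug), the following Python evaluates an Apache `SSLProtocol` line the way mod_ssl is assumed to: keywords are processed left to right, `+name` or a bare `name` enables a version, `-name` disables it, keywords are case-insensitive, and `all` expands to every version the linked OpenSSL supports (assumed here to be TLSv1 through TLSv1.3 on an OpenSSL 1.1.1 build without SSLv3). `hardening_report` then shows the exact problem of this bug: a subtractive line keeps TLS 1.3, while an allow-list that stops at `+TLSv1.2` silently drops it. `build_directive` sketches the allow-list a template driven by a switch such as `apache2/ssl/tlsv13=true` could emit; the `tlsv11` and `tlsv12` switch names are assumptions for illustration.

```python
"""Evaluate Apache mod_ssl 'SSLProtocol' lines and check whether legacy
versions are off while TLS 1.3 stays on.  Added example, not UCS template code.

Assumptions: mod_ssl walks the keywords left to right, '+name' or a bare
'name' enables a version, '-name' disables it, keywords are case-insensitive,
and 'all' expands to every version the linked OpenSSL supports; with an
OpenSSL 1.1.1 build without SSLv3 that is TLSv1 .. TLSv1.3.
"""

# Canonical spellings, oldest first; used for lookups and for sorted output.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_LOOKUP = {p.lower(): p for p in PROTOCOLS}

# What 'all' means on the assumed OpenSSL 1.1.1 / no-ssl3 build.
ALL_OPENSSL_111 = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})

# Versions a hardened configuration must not offer.
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})


def evaluate_sslprotocol(directive, all_set=ALL_OPENSSL_111):
    """Return the set of protocol versions an SSLProtocol line enables."""
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]            # tolerate the directive name itself
    enabled = set()
    for word in words:
        op, name = "+", word
        if word[0] in "+-":
            op, name = word[0], word[1:]
        if name.lower() == "all":
            versions = set(all_set)
        elif name.lower() in _LOOKUP:
            versions = {_LOOKUP[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % name)
        if op == "+":
            enabled |= versions
        else:
            enabled -= versions      # removing an absent version is a no-op
    return enabled


def hardening_report(directive, all_set=ALL_OPENSSL_111):
    """Summarise a directive: enabled versions, legacy versions that leak
    through, and whether it meets 'no legacy versions, TLS 1.3 offered'."""
    enabled = evaluate_sslprotocol(directive, all_set)
    legacy = enabled & LEGACY
    return {
        "enabled": sorted(enabled, key=PROTOCOLS.index),
        "legacy_enabled": sorted(legacy, key=PROTOCOLS.index),
        "tls13_enabled": "TLSv1.3" in enabled,
        "hardened": not legacy and "TLSv1.3" in enabled,
    }


def build_directive(tlsv11=False, tlsv12=True, tlsv13=True):
    """Render an explicit allow-list from per-version switches, the way a
    template driven by flags such as apache2/ssl/tlsv13=true might.
    The tlsv11/tlsv12 switch names are illustrative assumptions."""
    parts = ["-all"]
    if tlsv11:
        parts.append("+TLSv1.1")
    if tlsv12:
        parts.append("+TLSv1.2")
    if tlsv13:
        parts.append("+TLSv1.3")
    return "SSLProtocol " + " ".join(parts)


if __name__ == "__main__":
    for line in [
        "SSLProtocol all -SSLv3",                   # lax default shape
        "SSLProtocol -all +TLSv1.2",                # allow-list missing +TLSv1.3
        "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1",   # subtractive hardening
        build_directive(tlsv12=False),              # TLS 1.3 only
    ]:
        print(line, "->", hardening_report(line))
```

Run the file directly to see each line's report. The `all_set` parameter exists because the meaning of `all` depends on the OpenSSL the server is linked against; pass `frozenset(PROTOCOLS)` to model a build that still includes SSLv3, and the report will flag it.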
Comment 1 Florian Best univentionstaff 2022-03-04 16:00:50 CET
Added the UCR variable `apache2/ssl/tlsv13=true` to support this in Merge Request: https://git.knut.univention.de/univention/ucs/-/merge_requests/298
Comment 2 Florian Best univentionstaff 2022-03-04 18:01:59 CET
TLSv1.3 only is now configurable via the UCR variable `apache2/ssl/tlsv13=true`.

The test case 23_apache/20_ssl-protocols has been adjusted to test all possible combinations.

univention-apache.yaml
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3

univention-apache (12.0.1-1)
1ef354994c43 | Bug #54306: re-add Python 2 compatibility
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3

ucs-test (10.0.6-101)
25e4ad1a06f9 | Bug #54306: make it possible to allow only TLS 1.3
Comment 3 Erik Damrose univentionstaff 2022-03-08 18:55:51 CET
*** Bug 54524 has been marked as a duplicate of this bug. ***
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2022-03-14 22:50:58 CET
OK: package built
OK: manual installation + test
OK: ucs-test with devel errata
OK: ucs-test with currently released errata (fails as expected)
OK: YAML