Univention Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | apache2: Make SSLCipherSuite configurable (3.2) |
| Product | UCS |
| Component | Apache |
| Version | UCS 3.2 |
| Status | CLOSED FIXED |
| Severity | enhancement |
| Priority | P5 |
| Target Milestone | UCS 3.2-6-errata |
| Hardware | Other |
| OS | Linux |
| Reporter | Arvid Requate <requate> |
| Assignee | Philipp Hahn <hahn> |
| QA Contact | Erik Damrose <damrose> |
| CC | gohmann, grandjean, gulden, klaeser, lutz.willek, walkenhorst |
| See Also | https://forge.univention.org/bugzilla/show_bug.cgi?id=27656, https://forge.univention.org/bugzilla/show_bug.cgi?id=46065 |
| What kind of report is it? | Security Issue |
| Bug group (optional) | Security |

Description
Arvid Requate
2015-06-01 15:17:17 CEST
FYI: Bug #36173 already added options to disable SSLv2 and SSLv3 (r54575,r54554) in UCS-3.2-3

FYI: Apache-2.2 in UCS-3.2 only supports TLSv1.0, not 1.1 or newer!

r61842 | Bug #38632 Apache: Add UCRVs to configure more SSL options
Add apache2/ssl/ciphersuite and apache2/ssl/honorcipherorder

Package: univention-apache
Version: 6.0.16-10.239.201507071454
Branch: ucs_3.2-0
Scope: errata3.2-6

r61844 | Bug #38632 Apache: Add UCRVs to configure more SSL options YAML
2015-07-06-univention-apache.yaml

QA: See Bug #27656 for some tests - also work on UCS-3.2-6.

OK: backport from UCS 4
OK: with default settings applied, the ssllabs check for cipher strength improves from 60/100 to 90/100
OK: yaml

Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf - but the variable is not evaluated. Probably a remnant from the backport, as apache 2.2 does not support TLS 1.1 as mentioned in comment #1. Please remove the variable from univention-apache.univention-config-registry to avoid confusion.

(In reply to Erik Damrose from comment #2)
> Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf -

r62065 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1
- apache2/ssl/tlsv11

Package: univention-apache
Version: 6.0.16-11.240.201507131307
Branch: ucs_3.2-0
Scope: errata3.2-6

r62066 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1 YAML
2015-07-06-univention-apache.yaml

OK: removal of apache2/ssl/tlsv11
OK: yaml
-> Verified