
I have a test vhost on my web server for which I'm trying to enforce TLSv1.3 only, but Apache refuses to disable TLSv1.2. TLSv1.3 does work; however, the following validation services all show that TLSv1.2 is still running on my vhost:

https://www.digicert.com/help/

https://www.ssllabs.com/ssltest/

https://www.immuniweb.com/ssl/

I've tried a few different ways including all of the following:

SSLProtocol -all +TLSv1.3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProtocol -all -TLSv1.2 +TLSv1.3
SSLProtocol +TLSv1.3

System info:

Ubuntu 20.04.2 LTS
OpenSSL 1.1.1f
Apache 2.4.41

Global SSL configuration:

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLCipherSuite HIGH:!aNULL
#SSLProtocol all -SSLv3
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000000)"
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400

vhost configuration:

<VirtualHost XX.XX.XX.XX:443>
    ServerName testing.example.com
    DocumentRoot "/var/www/test"
    ErrorLog ${APACHE_LOG_DIR}/test-error.log
    CustomLog ${APACHE_LOG_DIR}/test-access.log combined
#   Include /etc/letsencrypt/options-ssl-apache.conf
    SSLEngine on
    SSLCompression off
    SSLCertificateFile /etc/letsencrypt/live/testing.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testing.example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
#   SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
#   SSLHonorCipherOrder off
    SSLProtocol -all +TLSv1.3
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
</VirtualHost>

Info from "apachectl -S":

root@domain:~# apachectl -S
VirtualHost configuration:
XX.XX.XX.XX:80      is a NameVirtualHost
...
(irrelevant)
...
XX.XX.XX.XX:443     is a NameVirtualHost
         default server blah.example.com (/etc/apache2/sites-enabled/sites.conf:13)
         port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:13)
         **port 443 namevhost test.example.com (/etc/apache2/sites-enabled/sites.conf:29)**
         port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:54)
         port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:93)
         port 443 namevhost blah.example.org (/etc/apache2/sites-enabled/sites.conf:111)
         port 443 namevhost blah.example.tk (/etc/apache2/sites-enabled/sites.conf:132)
         port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:145)
[XX:XX:XX:XX:XX:XX:XX:XX]:80 is a NameVirtualHost
...
(irrelevant)
...
[XX:XX:XX:XX:XX:XX:XX:XX]:443 is a NameVirtualHost
...
(irrelevant; note the subdomain in question only has IPV4 DNS entry no IPV6)
...
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
root@domain:~#

I have it commented out in the vhost in question, but other vhosts use letsencrypt/options-ssl-apache.conf, which I'll include here in case it could be interfering somehow:

SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     on
SSLSessionTickets       off
SSLOptions +StrictRequire
  • Remove it from the global and from the virtual host, uncomment out the include for the letsencrypt file, and then add “-TLSv1.2” to the letsencrypt file and restart Apache. – Ackack Apr 18 '21 at 23:26
  • My goal is to leave 1.2 enabled on the other vhosts (for now); when you say to edit the include file will it work if I give that vhost its own include file and leave the existing include file (for the other vhosts) alone? Or do I have to effectively kill 1.2 on all vhosts? – Displayname71 Apr 18 '21 at 23:55
  • [Per-vhost `SSLProtocol` settings are documented only for 2.4.42 up](https://httpd.apache.org/docs/2.4//mod/mod_ssl.html#sslprotocol) although from the archive it appears 2.4.42 wasn't actually released, only 2.4.43 on 2020-03-30 which presumably couldn't be tested in time to make Ubuntu 20.04. You could update to non-LTS groovy (but not for long) or build from upstream source after determining whether/which Ubuntu patches still apply, and if any others are needed. – dave_thompson_085 Apr 19 '21 at 01:33
  • Oh that's embarrassing, I did actually encounter that note but I didn't look too closely at the version number and didn't realize I was one off. – Displayname71 Apr 19 '21 at 12:15
  • Further reading of docs indicated that on Apache 2.4.41, although SSLProtocol can't be customized under a vhost, SSLCipherSuite can. So I was able to reasonably approximate a solution by disabling all the TLS 1.2 ciphers on the vhost. – Displayname71 Apr 19 '21 at 23:28
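The online checkers used in the question can be replaced by a local probe. As an added example that is not part of the original post, this POSIX shell script asks openssl s_client (OpenSSL 1.1.1, as on the poster's system) for one protocol version at a time, sends SNI so the name-based vhost is the one being exercised, and classifies each handshake; the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: probe which TLS versions a vhost
# really negotiates by asking openssl s_client for one version at a time.
# Assumes OpenSSL 1.1.1 s_client output; HOST below is a placeholder.

# Classify one openssl s_client transcript (stdout+stderr, passed as $1).
# Prints the negotiated version ("TLSv1.2", "TLSv1.3", ...), "refused" when
# the server rejected the handshake (s_client then prints
# "New, (NONE), Cipher is (NONE)"), or "no-handshake" when there is no
# handshake summary at all (e.g. TCP connection failure).
# The "New, <proto>, Cipher is" line is used instead of the SSL-Session
# "Protocol" line, because the latter still echoes the *requested* version
# after a failed handshake and would report a false positive.
parse_protocol() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^New, \(TLSv1[.0-9]*\), Cipher is .*/\1/p' \
        | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    elif printf '%s\n' "$1" | grep -q '^New, (NONE), Cipher is (NONE)'; then
        printf 'refused\n'
    else
        printf 'no-handshake\n'
    fi
}

# Try each version against HOST:PORT. -servername sends SNI, so the
# name-based vhost under test is selected rather than the default server
# (the first vhost on that IP:port in "apachectl -S").
probe_versions() {
    host=$1; port=${2:-443}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -"$flag" </dev/null 2>&1) || true
        printf '%-7s -> %s\n' "$flag" "$(parse_protocol "$out")"
    done
}

# For a vhost that is genuinely TLS 1.3-only, every line except tls1_3
# should report "refused". Uncomment to run against a real host:
# probe_versions testing.example.com 443
```

Run the probe with and without -servername to see whether the per-vhost setting or the default server's setting is what the client actually gets.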
