touch-packages team mailing list archive

Thread
Date

[Bug 1400473] Re: Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: RedScourge <1400473@xxxxxxxxxxxxxxxxxx>
Date: Tue, 13 Jan 2015 19:23:29 -0000
Reply-to: Bug 1400473 <1400473@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Tried that just now. I got the following error:

Syntax error on line 29 of /etc/apache2/sites-enabled/{redacted}:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.

Error log did not have more info (probably because it was only a config
test). Even if this worked however it would not likely be acceptable, as
SSLv2 and SSLv3 would need to be disabled for PCI compliance checking,
since their scanners cite them as vulnerable to exploits.

I believe I am using nearly the newest Apache packages, if not the
newest, for 12.04.5 LTS:

root@db3:~# dpkg-query --list apache2*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  apache2        2.2.22-1ubuntu Apache HTTP Server metapackage
un  apache2-common <none>         (no description available)
un  apache2-doc    <none>         (no description available)
un  apache2-mpm    <none>         (no description available)
un  apache2-mpm-ev <none>         (no description available)
un  apache2-mpm-it <none>         (no description available)
ii  apache2-mpm-pr 2.2.22-1ubuntu Apache HTTP Server - traditional non-threade
un  apache2-mpm-wo <none>         (no description available)
un  apache2-suexec <none>         (no description available)
un  apache2-suexec <none>         (no description available)
ii  apache2-utils  2.2.22-1ubuntu utility programs for webservers
ii  apache2.2-bin  2.2.22-1ubuntu Apache HTTP Server common binary files
ii  apache2.2-comm 2.2.22-1ubuntu Apache HTTP Server common files

root@db3:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:        12.04
Codename:       precise

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1400473

Title:
  Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is
  vulnerable to BEAST attack

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  For PCI compliance, one must not be vulnerable to the POODLE or BEAST
  or CRIME attacks. POODLE suggests removing  SSLv2 and SSLv3, and BEAST
  suggests removing TLSv1. However, since TLSv1.1 and TLSv1.2 do not
  seem to be supported by apache 2.2 on 12.04 LTS, and since apache 2.4
  on 12.04 LTS does not support PHP 5.3.X, the last branch to allow PHP
  register_globals, which is required for lots of legacy production code
  often used by sites with payment systems, and since Ubuntu 14.04 LTS
  does not support apache 2.2, and since Ubuntu 10.04 LTS does not
  support SHA256 signed SSL certificates, there may be no feasible way
  for someone to run a credit card processing system with any Ubuntu LTS
  system if they require both PCI compliance and PHP register_globals
  support.

  It looks like manually compiling PHP may be the only plausible way to
  surmount this issue in this particular circumstance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1400473/+subscriptions

References

[Bug 1400473] [NEW] Apache 2.2 on Ubuntu 12.04 LTS only supports TLS1.0 which is vulnerable to BEAST attack
From: RedScourge, 2014-12-08