Errata ID | 103 |
---|---|
Date | 2015-03-11 |
Source package | univention-apache |
Fixed in version | 7.0.16-9.231.201503101333 |
Description | The configuration of the SSL/TLS support in Apache has been improved:<br>- If the new UCR variable apache2/ssl/tlsv11 is set to 'true', Apache only accepts TLS 1.1 and TLS 1.2.<br>- If the new UCR variable apache2/ssl/tlsv12 is set to 'true', Apache only accepts TLS 1.2.<br>- SSL compression is disabled by default for security reasons; it can be enabled using the UCR variable apache2/ssl/compression.<br>- Apache no longer accepts various insecure ciphers and hash algorithms (e.g. RC4, MD5 and the outdated "export ciphers") by default. Note that such algorithms would not have been negotiated if the TLS client supports current crypto algorithms. A different set of ciphers can be configured using the new UCR variable apache2/ssl/ciphersuite.<br>- If the new UCR variable apache2/ssl/honorcipherorder is set, the server's choice of ciphers is used instead of the ciphers preferred by the TLS client.<br>Please refer to the UCR variable descriptions for additional details.<br>In addition, this update adds support for forcing a port in the URL shown in the ucs-overview page. This is done by setting the UCR variable ucs/web/overview/entries/*/*/port_http and .../port_https. |
Additional notes | |
UCS Bug number | #35456 #37566 |
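
One way to check that a server honours the apache2/ssl/tlsv11 and apache2/ssl/tlsv12 settings described above is to attempt one handshake per protocol version and compare the result with what the variables should allow. This is an added example, not part of the erratum or of Univention's code; the function names, the dict representation of the UCR values and the rule that tlsv12 takes precedence when both variables are 'true' are assumptions.

```python
import socket
import ssl

# Protocol versions the erratum's variables distinguish between.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def expected_versions(ucr):
    """Versions Apache should accept for the given UCR values (dict of str)."""
    # Assumption: if both variables are 'true', the stricter tlsv12 wins.
    if ucr.get("apache2/ssl/tlsv12") == "true":
        return {"TLSv1.2"}
    if ucr.get("apache2/ssl/tlsv11") == "true":
        return {"TLSv1.1", "TLSv1.2"}
    return None  # the erratum does not state the protocol set otherwise

def probe(host, port=443, timeout=5.0):
    """Return the subset of VERSIONS for which a handshake with host succeeds."""
    accepted = set()
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol check only, no trust decision
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    accepted.add(name)
        except (ssl.SSLError, OSError):
            pass  # refused by the server, or not offered by the local OpenSSL
    return accepted

def audit(ucr, accepted):
    """Sorted list of accepted versions that the UCR settings should forbid."""
    expected = expected_versions(ucr)
    return [] if expected is None else sorted(accepted - expected)

if __name__ == "__main__":
    # Constructed values: settings as configured, and a probe result to compare.
    settings = {"apache2/ssl/tlsv12": "true"}
    print(audit(settings, {"TLSv1", "TLSv1.2"}))
```

In practice, pass the output of `probe()` for your own host as the second argument to `audit()`. A client whose OpenSSL build refuses TLS 1.0 or 1.1 cannot confirm that the server rejects them, so run the probe from a host that still offers those versions.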