[BlueOnyx:23538] 5207R/5208R: TLSv1.1 support removed from Apache

Michael Stauber mstauber at blueonyx.it
Fri Dec 20 00:21:58 -05 2019


Hi all,

Just a small heads up: I've noticed that SSLlabs.com is going to cap
certificate ratings to grade "B" starting 1st January 2020 if webservers
still support TLSv1.1.

For us that means BlueOnyx 5207R/5208R would be hit by that, as we were
still supporting TLSv1.1 as a fallback there - with TLSv1.2 having priority.

So I just rolled up a new base-apache-* which will support only TLSv1.2.

I *could* configure the update in a way that it forces SSL off and back
on for all Vsites that have SSL enabled in order to write out new
configurations that have TLSv1.1 disabled. However: I decided against
having the update do that. It's just too disruptive and this close to
the holidays we all have better things to do than having an update rock
our boats.

After all: This update isn't really a security must-have and is just to
provide some more pleasant optics in a metric that might not be of
utmost importance for you.

But *if* you wish to make sure that all SSL enabled Vsites of yours have
TLSv1.1 disabled after the update and before you install new SSL certs
(or LE auto-renews yours the next time around) you can run this script
from SSH or the shell:

/usr/sausalito/sbin/toggle_ssl.pl

That toggles SSL off and back on for all SSL enabled Vsites and forces
the generation of updated configs.

-- 
With best regards

Michael Stauber
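
Added example, not part of the original post and not BlueOnyx code: one way to check which SSL Vsites still carry a stale configuration after the update, by evaluating mod_ssl's SSLProtocol directive the way Apache does (left to right, a bare token replacing what came before). It assumes the Vsite configs set SSLProtocol inside VirtualHost blocks; the sample config and addresses are constructed, and the helper names are hypothetical.

```python
import re

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {p.lower(): p for p in ALL}  # mod_ssl matches protocol names case-insensitively

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok[len(action):].lower()
        if name == "all":
            chosen = set(ALL)
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol {tok!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare token overrides everything set so far
    return enabled

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
PROTO_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.M | re.I)

def vhosts_allowing_tls11(conf_text):
    """Return VirtualHost addresses whose own SSLProtocol line still enables TLSv1.1."""
    stale = []
    for addr, body in VHOST_RE.findall(conf_text):
        lines = PROTO_RE.findall(body)  # commented-out lines do not match
        if lines and "TLSv1.1" in enabled_protocols(lines[-1]):  # last one wins
            stale.append(addr.strip())
    return stale

# Constructed sample: one config written before the update, two that are fine.
SAMPLE = """<VirtualHost 192.0.2.10:443>
    SSLProtocol +TLSv1.2 +TLSv1.1
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""
```

A VirtualHost without its own SSLProtocol line inherits the server-wide setting and is not reported by this check.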


