How to enable TLSv1.3 in Apache2?













I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










apache-httpd ssl






edited 4 mins ago by Vlastimil

asked May 12 '18 at 2:54 by James Kowalski













  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38



















4 Answers
TLSv1.3 is not yet supported by Apache 2.4.

When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.

edited 1 hour ago by Vlastimil

answered May 12 '18 at 5:33 by Bora

























TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.

edited 59 mins ago by Vlastimil

answered Oct 13 '18 at 17:05 by obencs























Editor's Note

Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.

If you are ready to take the risk...

You may use this PPA, this command adds it to your system without any hassle:

sudo add-apt-repository ppa:ondrej/apache2

At the time of this writing, the current version was:

$ apache2 -v
Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:27:08

TLSv1.3 is supported in that version.

To enable it globally for all VirtualHosts, locate your ssl.conf and set:

SSLProtocol -all +TLSv1.2 +TLSv1.3

Then restart Apache2 and it should be ready for a test, notably on these sites:

https://www.ssllabs.com/ssltest/

https://www.htbridge.com/ssl/

My example result = TLSv1.3 enabled

edited 47 mins ago by Vlastimil

answered Oct 29 '18 at 2:54 by Aryeh Beitz

  • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

    – LinuxBabe
    Nov 13 '18 at 7:07

  • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

    – LinuxBabe
    Nov 13 '18 at 12:11

  • @Vlastimil That never happened to me.

    – LinuxBabe
    Nov 13 '18 at 13:22



















Debian Buster = TLSv1.3 supported

In Debian Buster (currently in testing), TLSv1.3 is already supported.

The following information is dated to:

# date -I
2019-02-24

Apache2 version:

# apache2 -v
Server version: Apache/2.4.38 (Debian)
Server built: 2019-01-31T20:54:05

Where to enable

Globally in:

/etc/apache2/mods-enabled/ssl.conf

Locally in:

Your VirtualHost(s) located in:

/etc/apache2/sites-enabled/

How to enable

As of this date, TLSv1.1 has finally been deprecated. So, you want only TLSv1.2 and TLSv1.3.

To do that, put this line in the above-mentioned file:

SSLProtocol -all +TLSv1.3 +TLSv1.2

Cipher suites

The cipher suites are now divided into 2 categories, those being SSL (below TLSv1.3) and TLSv1.3. You may want to use your own set of ciphers; take this only as an example:

SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

Curves

One important note to the end:

There is one new curve you could / should enable: X25519.

You can do this for instance like this, again only an example:

SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519

Example domain test on SSLLabs

Experimental: This server supports TLS 1.3 (RFC 8446).

TLSv1.3 enabled
















                            answered 10 mins ago









Vlastimil
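An added example, not part of the answer above and not Apache's own code: a small audit that works out which protocol versions each SSLProtocol line leaves enabled, so the line from the answer can be compared with the form used in the question. The token rules (a bare name replaces the set built so far, "all" expands to TLSv1 through TLSv1.3) are an assumed model of mod_ssl 2.4 built against OpenSSL 1.1.1, and the function names and sample lines are constructed for illustration.

```python
import re

# Assumption: a mod_ssl build on OpenSSL 1.1.1, where "all" covers these four.
ALL = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
WANTED = frozenset({"TLSv1.2", "TLSv1.3"})  # the set the answer aims for

def effective_protocols(args, tls13=True):
    """Evaluate one SSLProtocol argument string; return (enabled, warnings).
    tls13=False models an older build that rejects the name TLSv1.3."""
    known = ALL if tls13 else ALL - {"TLSv1.3"}
    names = {n.lower(): {n} for n in known | {"SSLv3"}}
    names["all"] = set(known)
    enabled, warnings = set(), []
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() not in names:
            raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
        group = names[name.lower()]
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            # Assumed mod_ssl 2.4 behaviour: a bare token replaces the set so far.
            if enabled:
                warnings.append(f"'{name}' overrides earlier tokens; +/- prefix missing?")
            enabled = set(group)
    return enabled, warnings

def audit(conf_text, tls13=True):
    """Return one finding per SSLProtocol directive in conf_text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            enabled, warnings = effective_protocols(m.group(1), tls13)
            findings.append({"line": lineno, "enabled": sorted(enabled),
                             "legacy": sorted(enabled - WANTED),
                             "missing": sorted(WANTED - enabled), "warnings": warnings})
    return findings

# Constructed sample directives (not taken from a real server).
SAMPLE = ("SSLProtocol all -SSLv3\n"
          "SSLProtocol TLSv1.2 TLSv1.3\n"
          "SSLProtocol -all +TLSv1.3 +TLSv1.2\n")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Under this model, only the third line yields exactly TLSv1.2 plus TLSv1.3 with nothing legacy left on; calling `effective_protocols("TLSv1.2 TLSv1.3", tls13=False)` raises the same "Illegal protocol" message shown in the question.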





























