How to enable TLSv1.3 on apache2?












3















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question

























  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38
















3















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question

























  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38














3












3








3


1






I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question
















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.







apache-httpd ssl






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 3 mins ago









Vlastimil

8,1011464139




8,1011464139










asked May 12 '18 at 2:54









James KowalskiJames Kowalski

18114




18114













  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38



















  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38

















@WarrenYoung check my edit

– James Kowalski
May 12 '18 at 3:05





@WarrenYoung check my edit

– James Kowalski
May 12 '18 at 3:05













@bora, so basically I have no choice other than go to nginx or wait?

– James Kowalski
May 12 '18 at 5:16





@bora, so basically I have no choice other than go to nginx or wait?

– James Kowalski
May 12 '18 at 5:16













@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

– Bora
May 12 '18 at 5:42





@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

– Bora
May 12 '18 at 5:42













Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

– Ayesh K
Oct 22 '18 at 8:38





Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

– Ayesh K
Oct 22 '18 at 8:38










4 Answers
4






active

oldest

votes


















2














TLSv1.3 is not yet supported by Apache 2.4.



When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






share|improve this answer

































    4














    TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






    share|improve this answer

































      0














      You might use this PPA:



      sudo add-apt-repository ppa:ondrej/apache2


      Current version is:



      $ apache2 -v

      Server version: Apache/2.4.37 (Ubuntu)
      Server built: 2018-10-28T15:27:08


      TLS 1.3 is supported.



      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



      SSLProtocol -all +TLSv1.2 +TLSv1.3


      Then restart Apache2 and it should be ready for a test, notably it on these sites:



      https://www.ssllabs.com/ssltest/



      https://www.htbridge.com/ssl/



      My example result:



      TLS 1.3 enabled!






      share|improve this answer


























      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

        – LinuxBabe
        Nov 13 '18 at 7:07











      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

        – LinuxBabe
        Nov 13 '18 at 12:11











      • @Vlastimil That never happened to me.

        – LinuxBabe
        Nov 13 '18 at 13:22



















      0














      As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.



      As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.





      Notes, too long for a comment:






      • HTTP SITE DOES NOT REDIRECT




        The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.



        You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.




      • Your ciphers are wrong.



        Please use (excerpt from my answer on Webmasters):



        ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


        in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.



      • You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.



      TLS 1.1 is no longer mandatory.






      • You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.







      share|improve this answer


























      • What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

        – Michael Fever
        Oct 6 '18 at 23:03











      • Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

        – Michael Fever
        Oct 25 '18 at 23:28











      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "106"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-on-apache2%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      2














      TLSv1.3 is not yet supported by Apache 2.4.



      When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






      share|improve this answer






























        2














        TLSv1.3 is not yet supported by Apache 2.4.



        When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






        share|improve this answer




























          2












          2








          2







          TLSv1.3 is not yet supported by Apache 2.4.



          When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






          share|improve this answer















          TLSv1.3 is not yet supported by Apache 2.4.



          When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 8 mins ago









          Vlastimil

          8,1011464139




          8,1011464139










          answered May 12 '18 at 5:33









          BoraBora

          1595




          1595

























              4














              TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






              share|improve this answer






























                4














                TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                share|improve this answer




























                  4












                  4








                  4







                  TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                  share|improve this answer















                  TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 7 mins ago









                  Vlastimil

                  8,1011464139




                  8,1011464139










                  answered Oct 13 '18 at 17:05









                  obencsobencs

                  6913




                  6913























                      0














                      You might use this PPA:



                      sudo add-apt-repository ppa:ondrej/apache2


                      Current version is:



                      $ apache2 -v

                      Server version: Apache/2.4.37 (Ubuntu)
                      Server built: 2018-10-28T15:27:08


                      TLS 1.3 is supported.



                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                      https://www.ssllabs.com/ssltest/



                      https://www.htbridge.com/ssl/



                      My example result:



                      TLS 1.3 enabled!






                      share|improve this answer


























                      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07











                      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11











                      • @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22
















                      0














                      You might use this PPA:



                      sudo add-apt-repository ppa:ondrej/apache2


                      Current version is:



                      $ apache2 -v

                      Server version: Apache/2.4.37 (Ubuntu)
                      Server built: 2018-10-28T15:27:08


                      TLS 1.3 is supported.



                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                      https://www.ssllabs.com/ssltest/



                      https://www.htbridge.com/ssl/



                      My example result:



                      TLS 1.3 enabled!






                      share|improve this answer


























                      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07











                      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11











                      • @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22














                      0












                      0








                      0







                      You might use this PPA:



                      sudo add-apt-repository ppa:ondrej/apache2


                      Current version is:



                      $ apache2 -v

                      Server version: Apache/2.4.37 (Ubuntu)
                      Server built: 2018-10-28T15:27:08


                      TLS 1.3 is supported.



                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                      https://www.ssllabs.com/ssltest/



                      https://www.htbridge.com/ssl/



                      My example result:



                      TLS 1.3 enabled!






                      share|improve this answer















                      You might use this PPA:



                      sudo add-apt-repository ppa:ondrej/apache2


                      Current version is:



                      $ apache2 -v

                      Server version: Apache/2.4.37 (Ubuntu)
                      Server built: 2018-10-28T15:27:08


                      TLS 1.3 is supported.



                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                      https://www.ssllabs.com/ssltest/



                      https://www.htbridge.com/ssl/



                      My example result:



                      TLS 1.3 enabled!







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Oct 29 '18 at 4:00









                      Vlastimil

                      8,1011464139




                      8,1011464139










                      answered Oct 29 '18 at 2:54









                      Aryeh BeitzAryeh Beitz

                      1092




                      1092













                      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07











                      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11











                      • @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22



















                      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07











                      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11











                      • @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22

















                      @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                      – LinuxBabe
                      Nov 13 '18 at 7:07





                      @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                      – LinuxBabe
                      Nov 13 '18 at 7:07













                      @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                      – LinuxBabe
                      Nov 13 '18 at 12:11





                      @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                      – LinuxBabe
                      Nov 13 '18 at 12:11













                      @Vlastimil That never happened to me.

                      – LinuxBabe
                      Nov 13 '18 at 13:22





                      @Vlastimil That never happened to me.

                      – LinuxBabe
                      Nov 13 '18 at 13:22











                      0














                      As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.



                      As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.





                      Notes, too long for a comment:






                      • HTTP SITE DOES NOT REDIRECT




                        The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.



                        You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.




                      • Your ciphers are wrong.



                        Please use (excerpt from my answer on Webmasters):



                        ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                        in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.



                      • You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.



                      TLS 1.1 is no longer mandatory.






                      • You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.







                      share|improve this answer


























                      • What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                        – Michael Fever
                        Oct 6 '18 at 23:03











                      • Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                        – Michael Fever
                        Oct 25 '18 at 23:28
















                      0














                      As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.



                      As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.





                      Notes, too long for a comment:






                      • HTTP SITE DOES NOT REDIRECT




                        The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.



                        You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.




                      • Your ciphers are wrong.



                        Please use (excerpt from my answer on Webmasters):



                        ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                        in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.



                      • You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.



                      TLS 1.1 is no longer mandatory.






                      • You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.







                      share|improve this answer


























                      • What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                        – Michael Fever
                        Oct 6 '18 at 23:03











                      • Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                        – Michael Fever
                        Oct 25 '18 at 23:28














                      0












                      0








                      0







                      As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.



                      As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.





                      Notes, too long for a comment:






                      • HTTP SITE DOES NOT REDIRECT




                        The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.



                        You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.




                      • Your ciphers are wrong.



                        Please use (excerpt from my answer on Webmasters):



                        ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                        in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.



                      • You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.



                      TLS 1.1 is no longer mandatory.






                      • You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.







                      share|improve this answer















                      As for TLS 1.3, as was pointed out in this answer, it is still a work in progress, not yet in production in Apache2.



                      As TLS 1.3 has been finally accepted IETF, it is probably going to production very soon. See their blog for some basic information.





                      Notes, too long for a comment:






                      • HTTP SITE DOES NOT REDIRECT




                        The HTTP version of the website does not redirect to the HTTPS version. We advise to enable redirection.



                        You can follow this answer on Webmasters. It includes tips for the HSTS Preload list, which after some modifications, you should add the site into.




                      • Your ciphers are wrong.



                        Please use (excerpt from my answer on Webmasters):



                        ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                        in order to get 95 or 100 % on SSL Labs - Ciper strength score, more info in my answer on Webmasters.



                      • You should enable P-384 + P-256, and optionally P-521 curves, as stated in my answer on Webmasters.



                      TLS 1.1 is no longer mandatory.






                      • You have omitted TLS 1.1 protocol. It is still mandatory to HIPAA guidance AFAIK, you should consider enabling it for the time being.








                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Oct 29 '18 at 4:05

























                      answered May 12 '18 at 6:26









                      VlastimilVlastimil

                      8,1011464139




                      8,1011464139













                      • What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                        – Michael Fever
                        Oct 6 '18 at 23:03











                      • Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                        – Michael Fever
                        Oct 25 '18 at 23:28



















                      • What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                        – Michael Fever
                        Oct 6 '18 at 23:03











                      • Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                        – Michael Fever
                        Oct 25 '18 at 23:28

















                      What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                      – Michael Fever
                      Oct 6 '18 at 23:03





                      What about now? :) I'm gonna see if ondrej will do a Tls1.3 build for us :)

                      – Michael Fever
                      Oct 6 '18 at 23:03













                      Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                      – Michael Fever
                      Oct 25 '18 at 23:28





                      Not yet. But if you follow the apache-developers mailing list version 1.36 was just recently committed so we should see that trickle down to the repos soon. I will post here when it happens.

                      – Michael Fever
                      Oct 25 '18 at 23:28


















                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Unix & Linux Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-on-apache2%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Accessing regular linux commands in Huawei's Dopra Linux

                      Can't connect RFCOMM socket: Host is down

                      Kernel panic - not syncing: Fatal Exception in Interrupt