The Apache Haus Forum

Forum Topics => News & General Discussion => Topic started by: Gregg on October 22, 2018, 08:08:37 PM

Title: TLS/1.3 Support
Post by: Gregg on October 22, 2018, 08:08:37 PM
If your new to Apache no problem as our OpenSSL 1.1.1 downloads are pre-configured to run Apache capable of handling TLS/1.3 connections.

For those upgrading and will be wanting to keep their current configuration files here's some things you need to know.

1. Apache will run without touching your config but will not connect in TLS/1.3.
2. At minimum you will have to add +TLSv1.3 to your SSLProtocol line because at this point, TLS/1.3 is technically experimental.
3. TLS/1.3 ciphers are not compatible with TLS/1.2 and below so we now have two (2) SSLCipherSuite lines to use;

Code: [Select]
    SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
    SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
4. #3 is still optional, if you just leave your SSLCipherSuite, Apache will use OpenSSL's defaults. This however might affect your current cipher order in TLS <= 1.0.2. I forget because I tested this back in August and think I remember this happening. I put chacha ciphers up front and I was seeing ECDHE-RSA-AES256-GCM-SHA384 in the browser.


Compatible Browsers:

Chrome 70
Firefox 63 (due out soon) and  Firefox Nightly.
Title: Re: TLS/1.3 Support
Post by: mario on October 22, 2018, 09:54:21 PM
I wonder why the TLS 1.3 cipher names are with underscore while the other are not?

Shouldn't it be like SSLCipherSuite TLSv1.3 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384 ??
Title: Re: TLS/1.3 Support
Post by: mario on October 22, 2018, 10:18:51 PM
Indded, it is different.. I wonder why. O_o
Title: Re: TLS/1.3 Support
Post by: Gregg on October 23, 2018, 02:50:46 AM
Who knows? However because they're not compatible w/ tls < 1.3 it seems a good guess at least. Funny I never noticed it.
Title: Re: TLS/1.3 Support
Post by: mario on October 23, 2018, 09:00:24 AM
I did, cause I tried on my test server and is refused to start with the dashed names. Even though httpd -S showed not error.