The Apache Haus Forum


Author Topic: TLS/1.3 Support  (Read 1007 times)

Gregg

TLS/1.3 Support
« on: October 22, 2018, 08:08:37 PM »

If you're new to Apache, no problem, as our OpenSSL 1.1.1 downloads are pre-configured to run Apache capable of handling TLS/1.3 connections.

For those upgrading who will be wanting to keep their current configuration files, here are some things you need to know.

1. Apache will run without touching your config but will not connect in TLS/1.3.
2. At minimum you will have to add +TLSv1.3 to your SSLProtocol line because at this point, TLS/1.3 is technically experimental.
3. TLS/1.3 ciphers are not compatible with TLS/1.2 and below, so we now have two (2) SSLCipherSuite lines to use:

Code:
    SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
    SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
4. #3 is still optional; if you just leave your SSLCipherSuite as it is, Apache will use OpenSSL's defaults. This however might affect your current cipher order in TLS <= 1.0.2. I forget, because I tested this back in August, and think I remember this happening. I put chacha ciphers up front and I was seeing ECDHE-RSA-AES256-GCM-SHA384 in the browser.


Compatible Browsers:

Chrome 70
Firefox 63 (due out soon) and Firefox Nightly.

mario

Re: TLS/1.3 Support
« Reply #1 on: October 22, 2018, 09:54:21 PM »

I wonder why the TLS 1.3 cipher names are with underscores while the others are not?

Shouldn't it be like SSLCipherSuite TLSv1.3 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384 ??

mario

Re: TLS/1.3 Support
« Reply #2 on: October 22, 2018, 10:18:51 PM »

Indeed, it is different... I wonder why. O_o

Gregg

Re: TLS/1.3 Support
« Reply #3 on: October 23, 2018, 02:50:46 AM »

Who knows? However because they're not compatible w/ tls < 1.3 it seems a good guess at least. Funny I never noticed it.

mario

Re: TLS/1.3 Support
« Reply #4 on: October 23, 2018, 09:00:24 AM »

I did, because I tried it on my test server and it refused to start with the dashed names, even though httpd -S showed no error.
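The two-line SSLCipherSuite layout from the first post and the startup failure in Reply #4 (dashed OpenSSL names on the TLSv1.3 line) both come down to the same thing: the TLSv1.3 line only accepts the IANA TLS_* suite names. The lint below is an added example written for this thread, not Apache Haus or httpd code; it is a hypothetical checker that understands only the SSLProtocol and SSLCipherSuite directives (httpd 2.4.36+ syntax, OpenSSL 1.1.1 suite list) and flags the configurations discussed above before you reach a failed restart.

```python
# TLS 1.3 suite names OpenSSL 1.1.1 accepts (IANA spelling, underscores).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}

def lint_ssl_config(conf):
    """Return problem strings for an httpd SSL config fragment (hypothetical lint)."""
    problems = []
    protocol_seen = tls13_enabled = False
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive == "sslprotocol":
            protocol_seen = True
            toks = [a.lower() for a in args]
            # 'all' includes TLSv1.3 on OpenSSL 1.1.1 unless explicitly removed
            if ("all" in toks and "-tlsv1.3" not in toks) or "+tlsv1.3" in toks or "tlsv1.3" in toks:
                tls13_enabled = True
        elif directive == "sslciphersuite":
            # httpd >= 2.4.36: SSLCipherSuite [SSL|TLSv1.3] cipher-spec
            if len(args) >= 2 and args[0] in ("SSL", "TLSv1.3"):
                proto, spec = args[0], args[1]
            elif args:
                proto, spec = "SSL", args[0]      # no protocol word = TLS <= 1.2 list
            else:
                problems.append("SSLCipherSuite has no cipher-spec")
                continue
            ciphers = [c for c in spec.split(":") if c]
            if proto == "TLSv1.3":
                bad = [c for c in ciphers if c not in TLS13_SUITES]
                if bad:
                    problems.append("TLSv1.3 line has non-1.3 names (use TLS_* names): " + ", ".join(bad))
            else:
                bad = [c for c in ciphers if c.lstrip("!-+").startswith("TLS_")]
                if bad:
                    problems.append("TLS<=1.2 line lists 1.3 suites (move to the TLSv1.3 line): " + ", ".join(bad))
    if protocol_seen and not tls13_enabled:
        problems.append("SSLProtocol does not enable TLSv1.3 (add +TLSv1.3); no TLS 1.3 handshakes")
    return problems

# Constructed samples: the Reply #4 mistake plus an SSLProtocol that never enables 1.3,
# and the corrected version following the first post.
BROKEN_CONF = """
SSLProtocol -all +TLSv1.2
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5
SSLCipherSuite TLSv1.3 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
"""
FIXED_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ssl_config(conf) or "OK")
```

Running it reports two problems for BROKEN_CONF and none for FIXED_CONF; it complements rather than replaces `httpd -t`, which (as Reply #4 notes) does not catch the wrong suite spelling.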