stackoom
  简体   繁体   中英

Enabling TLS1.3 in Apache

 原文  2018-09-13 08:41:16       ssl/ openssl/ apache2

Question

Since TLS1.3 support in OpenSSL 1.1.1 which was released on September 11th 2018, I wonder if I can get my Apache2 server to support it so my visitors can benefit from improved security and speed.

I understand that there are several ways to make this happen:

  1. A backport of Apache which has it, but isn't it potentially insecure to run this kind of unoffical frankenware? I also cannot seem to find it.

  2. Wait until an Apache2 version comes out that supports it and then compile it from source and install it. Unfortunately I cannot find information on when this comes out or if it already exists, and which version I should be downloading.

  3. Adjust Apache2's config to use other openssl libraries (separately installed and compiled from source). Here, again, I cannot seem to find instructions on how to get this done.

I anticipate this question coming up pretty often in the near future so I hope to solicit an exhaustive answer for everyone who intends to support TLS1.3.

PS I'm also not sure if Apache2 uses the installed OpenSSL library or if it has its own module compiled (much the way it does with PHP)?

1 answers

solution1
 1 ACCPTED  2018-11-12 10:27:17

Starting with Apache version 2.4.36 (current one right now is 2.4.37) support for TLS1.3 has been added. In combination with OpenSSL 1.1.1 you can enable support for it at any time after updating both. In your SSL.conf you should make a few minor adjustments.

SSLProtocol -all +TLSv1.2 +TLSv1.3 #You don't have to explicitly enable it, but this can be considered secure SSLCipherSuite EECDH+AES256-GCM:EDH+AES256-GCM:AES256+EECDH:AES256+EDH:!AES128 #these secure suites are used up to TLS1.2 SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 #these suites are used for TLS1.3 only

If you don't want to specify the suites for TLS1.3 the default 3 ones

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

are used (in that order). I changed that for my config since I wanted to get rid of all AES128 suites. If you are ok with the default setting, then basically upgrading Apache and OpenSSL is enough to get you started. Qualys SSL Test should confirm whether TLS1.3 is enabled etc.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question TLS1.3 version mismatch How TLS1.3 Decryption Works? What is the equivalent of SSLSessionID for TLS1.3 sessions Does .net5.0 already support tls1.3? How to ensure TLS1.3 in gRPC in c++ Issue with network packet read on TLS1.3 | Openssl C program TLS1.3 error 'Wrong version number' on non-TLS 1.3 Azure repository Select (TLS 1.3) Curves in Apache C# tls1.3 Exception: Cannot determine the frame size or a corrupted frame was received Sending `Encrypted Extension` and `Server Finished` in one handshake message. Is it mandatory in TLS1.3?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM