How to enable TLSv1.3 in Apache2?












3















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question

























  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38
















3















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question

























  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38














3












3








3


1






I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question
















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.







apache-httpd ssl






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 30 mins ago









Vlastimil

8,1011464139




8,1011464139










asked May 12 '18 at 2:54









James KowalskiJames Kowalski

18114




18114













  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38



















  • @WarrenYoung check my edit

    – James Kowalski
    May 12 '18 at 3:05











  • @bora, so basically I have no choice other than go to nginx or wait?

    – James Kowalski
    May 12 '18 at 5:16











  • @JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

    – Bora
    May 12 '18 at 5:42











  • Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

    – Ayesh K
    Oct 22 '18 at 8:38

















@WarrenYoung check my edit

– James Kowalski
May 12 '18 at 3:05





@WarrenYoung check my edit

– James Kowalski
May 12 '18 at 3:05













@bora, so basically I have no choice other than go to nginx or wait?

– James Kowalski
May 12 '18 at 5:16





@bora, so basically I have no choice other than go to nginx or wait?

– James Kowalski
May 12 '18 at 5:16













@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

– Bora
May 12 '18 at 5:42





@JamesKowalski, yes, pretty much. IETF recently approved it as a standard. I would wait instead of jumping into a brand new implementation by another HTTP server, but I guess your requirements for TLS 1.3 should dictate the decision. According to istlsfastyet.com there are currently three server software supporting it including NGINX.

– Bora
May 12 '18 at 5:42













Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

– Ayesh K
Oct 22 '18 at 8:38





Current Apache version in GA is 2.4.35, and it does not contain TLS 1.3 support. 2.4.37 will have it. I have written a post how to compile Apache yourself so you can have TLS 1.3 today: ayesh.me/TLSv1.3-Apache-Nginx

– Ayesh K
Oct 22 '18 at 8:38










4 Answers
4






active

oldest

votes


















2














TLSv1.3 is not yet supported by Apache 2.4.



When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






share|improve this answer

































    4














    TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






    share|improve this answer

































      0














      Editor's Note



      Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.





      If you are ready to take the risk...



      You may use this PPA, this command adds it to your system without any hassle:



      sudo add-apt-repository ppa:ondrej/apache2


      At the time of this writing, the current version was:



      $ apache2 -v

      Server version: Apache/2.4.37 (Ubuntu)
      Server built: 2018-10-28T15:27:08


      TLSv1.3 is supported in that version.



      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



      SSLProtocol -all +TLSv1.2 +TLSv1.3


      Then restart Apache2 and it should be ready for a test, notably it on these sites:



      https://www.ssllabs.com/ssltest/



      https://www.htbridge.com/ssl/



      My example result = TLSv1.3 enabled



      My example result = TLSv1.3 enabled






      share|improve this answer


























      • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

        – LinuxBabe
        Nov 13 '18 at 7:07











      • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

        – LinuxBabe
        Nov 13 '18 at 12:11











      • @Vlastimil That never happened to me.

        – LinuxBabe
        Nov 13 '18 at 13:22



















      0














      Debian Buster = TLSv1.3 supported



      In Debian Buster (currently in testing), the TLSv1.3 is supported already.



      The following information is dated to:



      # date -I


      2019-02-24





      Apache2 version:



      # apache2 -v


      Server version: Apache/2.4.38 (Debian)

      Server built: 2019-01-31T20:54:05





      Where to enable



      Globally in:



      /etc/apache2/mods-enabled/ssl.conf


      Locally in:



      Your VirtualHost(s) located in:



      /etc/apache2/sites-enabled/




      How to enable



      To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



      To do that, put this line in the above-mentioned file:



      SSLProtocol -all +TLSv1.3 +TLSv1.2




      Cipher suites



      The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



      SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
      SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


      Curves



      One important note to the end:



      There is one new curve you could / should enable: X25519.



      You can do this for instance like this, again only example:



      SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519




      Example domain test on SSLLabs




      Experimental: This server supports TLS 1.3 (RFC 8446).




      TLSv1.3 enabled






      share|improve this answer























        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "106"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-in-apache2%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        2














        TLSv1.3 is not yet supported by Apache 2.4.



        When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






        share|improve this answer






























          2














          TLSv1.3 is not yet supported by Apache 2.4.



          When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






          share|improve this answer




























            2












            2








            2







            TLSv1.3 is not yet supported by Apache 2.4.



            When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






            share|improve this answer















            TLSv1.3 is not yet supported by Apache 2.4.



            When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 1 hour ago









            Vlastimil

            8,1011464139




            8,1011464139










            answered May 12 '18 at 5:33









            BoraBora

            1595




            1595

























                4














                TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                share|improve this answer






























                  4














                  TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                  share|improve this answer




























                    4












                    4








                    4







                    TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                    share|improve this answer















                    TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited 1 hour ago









                    Vlastimil

                    8,1011464139




                    8,1011464139










                    answered Oct 13 '18 at 17:05









                    obencsobencs

                    6913




                    6913























                        0














                        Editor's Note



                        Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.





                        If you are ready to take the risk...



                        You may use this PPA, this command adds it to your system without any hassle:



                        sudo add-apt-repository ppa:ondrej/apache2


                        At the time of this writing, the current version was:



                        $ apache2 -v

                        Server version: Apache/2.4.37 (Ubuntu)
                        Server built: 2018-10-28T15:27:08


                        TLSv1.3 is supported in that version.



                        To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                        SSLProtocol -all +TLSv1.2 +TLSv1.3


                        Then restart Apache2 and it should be ready for a test, notably it on these sites:



                        https://www.ssllabs.com/ssltest/



                        https://www.htbridge.com/ssl/



                        My example result = TLSv1.3 enabled



                        My example result = TLSv1.3 enabled






                        share|improve this answer


























                        • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                          – LinuxBabe
                          Nov 13 '18 at 7:07











                        • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                          – LinuxBabe
                          Nov 13 '18 at 12:11











                        • @Vlastimil That never happened to me.

                          – LinuxBabe
                          Nov 13 '18 at 13:22
















                        0














                        Editor's Note



                        Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.





                        If you are ready to take the risk...



                        You may use this PPA, this command adds it to your system without any hassle:



                        sudo add-apt-repository ppa:ondrej/apache2


                        At the time of this writing, the current version was:



                        $ apache2 -v

                        Server version: Apache/2.4.37 (Ubuntu)
                        Server built: 2018-10-28T15:27:08


                        TLSv1.3 is supported in that version.



                        To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                        SSLProtocol -all +TLSv1.2 +TLSv1.3


                        Then restart Apache2 and it should be ready for a test, notably it on these sites:



                        https://www.ssllabs.com/ssltest/



                        https://www.htbridge.com/ssl/



                        My example result = TLSv1.3 enabled



                        My example result = TLSv1.3 enabled






                        share|improve this answer


























                        • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                          – LinuxBabe
                          Nov 13 '18 at 7:07











                        • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                          – LinuxBabe
                          Nov 13 '18 at 12:11











                        • @Vlastimil That never happened to me.

                          – LinuxBabe
                          Nov 13 '18 at 13:22














                        0












                        0








                        0







                        Editor's Note



                        Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.





                        If you are ready to take the risk...



                        You may use this PPA, this command adds it to your system without any hassle:



                        sudo add-apt-repository ppa:ondrej/apache2


                        At the time of this writing, the current version was:



                        $ apache2 -v

                        Server version: Apache/2.4.37 (Ubuntu)
                        Server built: 2018-10-28T15:27:08


                        TLSv1.3 is supported in that version.



                        To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                        SSLProtocol -all +TLSv1.2 +TLSv1.3


                        Then restart Apache2 and it should be ready for a test, notably it on these sites:



                        https://www.ssllabs.com/ssltest/



                        https://www.htbridge.com/ssl/



                        My example result = TLSv1.3 enabled



                        My example result = TLSv1.3 enabled






                        share|improve this answer















                        Editor's Note



                        Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.





                        If you are ready to take the risk...



                        You may use this PPA, this command adds it to your system without any hassle:



                        sudo add-apt-repository ppa:ondrej/apache2


                        At the time of this writing, the current version was:



                        $ apache2 -v

                        Server version: Apache/2.4.37 (Ubuntu)
                        Server built: 2018-10-28T15:27:08


                        TLSv1.3 is supported in that version.



                        To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                        SSLProtocol -all +TLSv1.2 +TLSv1.3


                        Then restart Apache2 and it should be ready for a test, notably it on these sites:



                        https://www.ssllabs.com/ssltest/



                        https://www.htbridge.com/ssl/



                        My example result = TLSv1.3 enabled



                        My example result = TLSv1.3 enabled







                        share|improve this answer














                        share|improve this answer



                        share|improve this answer








                        edited 1 hour ago









                        Vlastimil

                        8,1011464139




                        8,1011464139










                        answered Oct 29 '18 at 2:54









                        Aryeh BeitzAryeh Beitz

                        1092




                        1092













                        • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                          – LinuxBabe
                          Nov 13 '18 at 7:07











                        • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                          – LinuxBabe
                          Nov 13 '18 at 12:11











                        • @Vlastimil That never happened to me.

                          – LinuxBabe
                          Nov 13 '18 at 13:22



















                        • @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                          – LinuxBabe
                          Nov 13 '18 at 7:07











                        • @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                          – LinuxBabe
                          Nov 13 '18 at 12:11











                        • @Vlastimil That never happened to me.

                          – LinuxBabe
                          Nov 13 '18 at 13:22

















                        @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07





                        @Vlastimil Do you trust the official certbot PPA? (ppa:certbot/certbot)

                        – LinuxBabe
                        Nov 13 '18 at 7:07













                        @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11





                        @Vlastimil Simply disable PPA in /etc/apt/source.list.d/ before doing distribution upgrade.

                        – LinuxBabe
                        Nov 13 '18 at 12:11













                        @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22





                        @Vlastimil That never happened to me.

                        – LinuxBabe
                        Nov 13 '18 at 13:22











                        0














                        Debian Buster = TLSv1.3 supported



                        In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                        The following information is dated to:



                        # date -I


                        2019-02-24





                        Apache2 version:



                        # apache2 -v


                        Server version: Apache/2.4.38 (Debian)

                        Server built: 2019-01-31T20:54:05





                        Where to enable



                        Globally in:



                        /etc/apache2/mods-enabled/ssl.conf


                        Locally in:



                        Your VirtualHost(s) located in:



                        /etc/apache2/sites-enabled/




                        How to enable



                        To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                        To do that, put this line in the above-mentioned file:



                        SSLProtocol -all +TLSv1.3 +TLSv1.2




                        Cipher suites



                        The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                        SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                        SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                        Curves



                        One important note to the end:



                        There is one new curve you could / should enable: X25519.



                        You can do this for instance like this, again only example:



                        SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519




                        Example domain test on SSLLabs




                        Experimental: This server supports TLS 1.3 (RFC 8446).




                        TLSv1.3 enabled






                        share|improve this answer




























                          0














                          Debian Buster = TLSv1.3 supported



                          In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                          The following information is dated to:



                          # date -I


                          2019-02-24





                          Apache2 version:



                          # apache2 -v


                          Server version: Apache/2.4.38 (Debian)

                          Server built: 2019-01-31T20:54:05





                          Where to enable



                          Globally in:



                          /etc/apache2/mods-enabled/ssl.conf


                          Locally in:



                          Your VirtualHost(s) located in:



                          /etc/apache2/sites-enabled/




                          How to enable



                          To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                          To do that, put this line in the above-mentioned file:



                          SSLProtocol -all +TLSv1.3 +TLSv1.2




                          Cipher suites



                          The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                          SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                          SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                          Curves



                          One important note to the end:



                          There is one new curve you could / should enable: X25519.



                          You can do this for instance like this, again only example:



                          SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519




                          Example domain test on SSLLabs




                          Experimental: This server supports TLS 1.3 (RFC 8446).




                          TLSv1.3 enabled






                          share|improve this answer


























                            0












                            0








                            0







                            Debian Buster = TLSv1.3 supported



                            In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                            The following information is dated to:



                            # date -I


                            2019-02-24





                            Apache2 version:



                            # apache2 -v


                            Server version: Apache/2.4.38 (Debian)

                            Server built: 2019-01-31T20:54:05





                            Where to enable



                            Globally in:



                            /etc/apache2/mods-enabled/ssl.conf


                            Locally in:



                            Your VirtualHost(s) located in:



                            /etc/apache2/sites-enabled/




                            How to enable



                            To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                            To do that, put this line in the above-mentioned file:



                            SSLProtocol -all +TLSv1.3 +TLSv1.2




                            Cipher suites



                            The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                            SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                            SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                            Curves



                            One important note to the end:



                            There is one new curve you could / should enable: X25519.



                            You can do this for instance like this, again only example:



                            SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519




                            Example domain test on SSLLabs




                            Experimental: This server supports TLS 1.3 (RFC 8446).




                            TLSv1.3 enabled






                            share|improve this answer













                            Debian Buster = TLSv1.3 supported



                            In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                            The following information is dated to:



                            # date -I


                            2019-02-24





                            Apache2 version:



                            # apache2 -v


                            Server version: Apache/2.4.38 (Debian)

                            Server built: 2019-01-31T20:54:05





                            Where to enable



                            Globally in:



                            /etc/apache2/mods-enabled/ssl.conf


                            Locally in:



                            Your VirtualHost(s) located in:



                            /etc/apache2/sites-enabled/




                            How to enable



                            To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                            To do that, put this line in the above-mentioned file:



                            SSLProtocol -all +TLSv1.3 +TLSv1.2




                            Cipher suites



                            The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                            SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                            SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA


                            Curves



                            One important note to the end:



                            There is one new curve you could / should enable: X25519.



                            You can do this for instance like this, again only example:



                            SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:X25519




                            Example domain test on SSLLabs




                            Experimental: This server supports TLS 1.3 (RFC 8446).




                            TLSv1.3 enabled







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 36 mins ago









                            VlastimilVlastimil

                            8,1011464139




                            8,1011464139






























                                draft saved

                                draft discarded




















































                                Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-in-apache2%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                Loup dans la culture

                                How to solve the problem of ntp “Unable to contact time server” from KDE?

                                ASUS Zenbook UX433/UX333 — Configure Touchpad-embedded numpad on Linux