Apache Lounge
Forum Index -> Apache

Topic: TLS 1.2 vs 1.3 problem
sailor
Joined: 17 Apr 2015
Posts: 82
Location: US

Posted: Thu 05 Oct '23 19:31    Post subject: TLS 1.2 vs 1.3 problem

I have updated my SSL certificates from one provider to another for cost reasons. It's not LE.

I had this in my config:

Quote:
# from https://cipherli.st/
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#SSLOptions +StrictRequire +StdEnvVars -ExportCertData
#SSLProtocol -all +TLSv1.2 +TLSv1.3
#SSLCompression Off
#SSLHonorCipherOrder On
#SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
#SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384


Shortly after restarting, my monitoring service began failing. Support said they don't have TLS 1.3 support yet. Initially, I thought it was the CDN that didn't support TLS 1.3 as that was changed (learned it was the prior week). I ran a Qualys test and sure enough 1.2 was not enabled.

Oddly another host on the same server had a slightly different config (which was using the new SSL provider successfully). So, I changed to this one:

Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256


As it's production, I kind of don't want to fuss with it too much. I think it's the SSLCipherSuite TLS1.3 that is causing issues. Maybe I need a TLS1.2 version of that with ciphers?
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

Posted: Mon 09 Oct '23 11:35    Post subject:

My current A+ config for TLS v1.2 and v1.3

Code:
Listen 443
<If "%{SERVER_PORT} == '443'">
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=31536000; preload"
        </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2 h2c
H2Upgrade on
H2Direct On
H2Push on

TraceEnable Off

SSLUseStapling On
SSLSessionCache shmcb:logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd DHParameters "conf/8192.key"
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
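Both posts above turn on the same question: which protocol versions a vhost actually offers after an SSLProtocol/SSLCipherSuite change, which is what the Qualys scan in the first post revealed only after restarting production. The following is an added example, not code from either post or from the Apache project: a small Python checker that evaluates the two directives the way the httpd 2.4 documentation describes them, so a fragment can be audited before a restart. It assumes a build where SSLv2 is gone, the "all" keyword still includes SSLv3, and an SSLCipherSuite without a protocol selector applies to TLS 1.2 and below (the "SSL"/"TLSv1.3" selectors exist from httpd 2.4.36 on). The sample fragments are constructed from the directives quoted in the thread, plus one showing the missing-prefix pitfall where the last bare keyword replaces everything set before it.

```python
"""Audit Apache mod_ssl protocol and cipher directives offline.

Added example: models the documented left-to-right semantics of SSLProtocol
('+' adds, '-' removes, a bare keyword replaces the whole set) and the optional
protocol selector on SSLCipherSuite. Assumptions are marked inline.
"""
from typing import Dict, List, Set

# Protocol keywords a modern mod_ssl build accepts (assumption: OpenSSL 1.1.1+,
# SSLv2 removed, SSLv3 still parsed so that "-SSLv3" keeps working).
ALL_PROTOCOLS: List[str] = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# httpd 2.4 default when a vhost carries no SSLProtocol directive at all.
DEFAULT_PROTOCOL_SPEC = "all -SSLv3"


def parse_ssl_protocol(spec: str) -> Set[str]:
    """Return the set of protocol versions an SSLProtocol argument enables."""
    enabled: Set[str] = set()
    for token in spec.split():
        action = token[0] if token[0] in "+-" else ""
        word = token[1:] if action else token
        if word.lower() == "all":
            targets = set(ALL_PROTOCOLS)
        elif word.lower() == "sslv2":
            if action == "-":
                continue  # "-SSLv2" is tolerated; enabling it is an error
            raise ValueError("SSLv2 not supported by this version of OpenSSL")
        else:
            match = [p for p in ALL_PROTOCOLS if p.lower() == word.lower()]
            if not match:
                raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
            targets = {match[0]}
        if action == "+":
            enabled |= targets
        elif action == "-":
            enabled -= targets
        else:
            # Bare keyword: replaces whatever was set before. Writing
            # "SSLProtocol TLSv1.2 TLSv1.3" therefore leaves only TLSv1.3 on.
            enabled = set(targets)
    return enabled


def audit_vhost(config_text: str) -> Dict[str, object]:
    """Scan a vhost fragment for SSLProtocol/SSLCipherSuite and report what the
    server would offer. Commented-out lines are ignored, as httpd ignores them."""
    protocol_spec = DEFAULT_PROTOCOL_SPEC
    cipher_lists: Dict[str, str] = {}  # "SSL" -> TLS<=1.2 list, "TLSv1.3" -> TLS 1.3 list
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == "sslprotocol" and len(parts) > 1:
            protocol_spec = line.split(None, 1)[1]
        elif directive == "sslciphersuite" and len(parts) > 1:
            if len(parts) == 3 and parts[1] in ("SSL", "TLSv1.3"):
                cipher_lists[parts[1]] = parts[2]
            else:
                # No selector: applies to TLS 1.2 and below (assumption from the docs).
                cipher_lists["SSL"] = line.split(None, 1)[1]

    enabled = parse_ssl_protocol(protocol_spec)
    warnings: List[str] = []
    legacy = sorted(p for p in enabled if p not in ("TLSv1.2", "TLSv1.3"))
    if legacy:
        warnings.append(f"legacy protocols enabled: {', '.join(legacy)}")
    if "TLSv1.2" not in enabled:
        warnings.append("TLSv1.2 is not offered; clients without TLS 1.3 will fail")
    if "TLSv1.2" in enabled and "SSL" not in cipher_lists:
        warnings.append("no cipher list for TLS 1.2 and below; OpenSSL defaults apply")
    if "TLSv1.3" in enabled and "TLSv1.3" not in cipher_lists:
        warnings.append("no TLSv1.3 cipher list; OpenSSL defaults apply")
    return {
        "protocol_spec": protocol_spec,
        "enabled": sorted(enabled, key=ALL_PROTOCOLS.index),
        "tls12_ciphers": cipher_lists.get("SSL"),
        "tls13_ciphers": cipher_lists.get("TLSv1.3"),
        "warnings": warnings,
    }


# Sample fragments constructed for this example from the directives quoted above.
POST1_CONFIG = """\
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
"""
POST2_CONFIG = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
"""
# Constructed pitfall: without +/- prefixes the last keyword silently wins.
PITFALL_CONFIG = "SSLProtocol TLSv1.2 TLSv1.3\n"

if __name__ == "__main__":
    for name, cfg in [("post 1", POST1_CONFIG), ("post 2", POST2_CONFIG), ("pitfall", PITFALL_CONFIG)]:
        report = audit_vhost(cfg)
        print(f"{name}: enabled={report['enabled']} warnings={report['warnings']}")
```

Run it against the fragment you are about to deploy; a result without TLSv1.2 in the enabled list is the condition that broke the monitoring service above. Confirm on the live port afterwards with `openssl s_client -connect host:443 -tls1_2` and again with `-tls1_3`, which is the same check the Qualys scan performs.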