Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: TLS 1.3 SSLCipherSuite |
|
| Author |
|
tushar.ghodake
Joined: 04 Apr 2017
Posts: 11
Location: India
|
 Posted: Fri 13 Sep '24 15:37 Post subject: TLS 1.3 SSLCipherSuite |
 |
|
Hello Folks,
Can someone provide the Apache SSLCipherSuite for TLS 1.3 Protol. I searched online but it is not working with me.
Below are the one I tried. Am i using a wrong syntax?
SSLCipherSuite TLS-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-128-GCM-SHA256
SSLProxyCipherSuite TLS-AES-256-GCM-SHA384:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-128-GCM-SHA256 |
|
| Back to top |
|
axel.kam
Joined: 11 Jul 2023
Posts: 7
|
| Posted: Fri 13 Sep '24 23:44 Post subject: Re: TLS 1.3 SSLCipherSuite |
|
|
| tushar.ghodake wrote: | Hello Folks,
Can someone provide the Apache SSLCipherSuite for TLS 1.3 Protol. I searched online but it is not working with me. |
For TLS 1.3 you no need to set SSLCipherSuite.
Sample:
# modern configuration (support TLS 1.3 only)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
# intermediate configuration (support TLS 1.2 and TLS 1.3)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
For ssl apache configuration use this helpful site:
https://ssl-config.mozilla.org/#server=apache&version=2.4.62&config=intermediate&openssl=3.3.2&hsts=false&ocsp=false&guideline=5.7 |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
DnvrSysEngr
Joined: 15 Apr 2012
Posts: 226
Location: Denver, CO USA
|
| Posted: Mon 16 Sep '24 0:23 Post subject: |
|
|
If you do want to go 'all in' and put in Ciphers for TLS 1.3, here is a sample of what I have on an Apache Server in my testing environment:
SSLCipherSuite SSL AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
As always, your mileage and performance may vary.
--S |
|
| Back to top |
|
|
|
|
|
|
