How to enable TLSv1.3 in Apache2?


I am running Apache2 version:

    Server version: Apache/2.4.29 (Ubuntu)
    Server built: 2018-04-25T11:38:24

I would like to enable TLSv1.3, but I get the error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:

    # apachectl configtest
    AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
    SSLProtocol: Illegal protocol 'TLSv1.3'
    Action 'configtest' failed.
    The Apache error log may have more information.

Is it not possible to enable TLSv1.3 in Apache2 (yet)?

I know Nginx can do it, but this question aims at Apache2.

Tags: apache-httpd ssl

edited Feb 24 at 6:32 by Vlastimil
asked May 12 '18 at 2:54 by James Kowalski

          4 Answers

TLSv1.3 is not yet supported by Apache 2.4.

When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.

edited Feb 24 at 5:36 by Vlastimil
answered May 12 '18 at 5:33 by Bora


TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 (Source).

edited Feb 24 at 5:37 by Vlastimil
answered Oct 13 '18 at 17:05 by obencs


Editor's Note

Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.

If you are ready to take the risk...

You may use this PPA, this command adds it to your system without any hassle:

    sudo add-apt-repository ppa:ondrej/apache2

At the time of this writing, the current version was:

    $ apache2 -v
    Server version: Apache/2.4.37 (Ubuntu)
    Server built: 2018-10-28T15:27:08

TLSv1.3 is supported in that version.

To enable it globally for all VirtualHosts, locate your ssl.conf and set:

    SSLProtocol -all +TLSv1.2 +TLSv1.3

Then restart Apache2 and it should be ready for a test, notably on these sites:

https://www.ssllabs.com/ssltest/
https://www.htbridge.com/ssl/

My example result = TLSv1.3 enabled

edited Feb 24 at 5:49 by Vlastimil
answered Oct 29 '18 at 2:54 by Aryeh Beitz


Debian Buster = TLSv1.3 supported

In Debian Buster (currently in testing), TLSv1.3 is supported already.

The following information is dated to:

    # date -I
    2019-02-24

Apache2 version:

    # apache2 -v
    Server version: Apache/2.4.38 (Debian)
    Server built: 2019-01-31T20:54:05

Where to enable

Globally in:

    /etc/apache2/mods-enabled/ssl.conf

Locally in:

Your VirtualHost(s) located in:

    /etc/apache2/sites-enabled/

How to enable

As of this date, TLSv1.1 has finally been deprecated. So, you want only TLSv1.2 and TLSv1.3.

To do that, put this line in the above-mentioned file:

    SSLProtocol -all +TLSv1.3 +TLSv1.2

Cipher suites

The cipher suites are now divided into 2 categories, those being SSL (below TLSv1.3) and TLSv1.3. You may want to use your own set of ciphers; take this only as an example:

    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

Curves

One important note to the end:

There is one new curve you could / should enable: X25519.

You can do this for instance like this, again only an example:

    SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1

Example domain test on SSLLabs

Experimental: This server supports TLS 1.3 (RFC 8446).

TLSv1.3 enabled

edited Mar 18 at 11:58
answered Feb 24 at 6:26 by Vlastimil
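
Added example (not part of any answer above, and not mod_ssl's own code): a Python audit that applies the version minimums quoted in the answers (Apache 2.4.36 with OpenSSL 1.1.1) to an SSLProtocol line, reproduces the question's "Illegal protocol" error on an older build, and reports which protocols end up enabled. The function names, the OpenSSL banner strings and the simplified token handling (`+` adds, `-` removes, a bare name replaces the set, `all` means TLSv1 up to the newest supported version) are assumptions of this example.

```python
import re

# Minimums quoted in the answers above: Apache 2.4.36 built against OpenSSL 1.1.1.
MIN_APACHE = (2, 4, 36)
MIN_OPENSSL = (1, 1, 1)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}      # versions the answers switch off
BASE_ALL = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # assumed expansion of "all" (model)

# Apache banners are taken from the page; the OpenSSL banners are constructed.
OLD_BUILD = ("Server version: Apache/2.4.29 (Ubuntu)", "OpenSSL 1.1.0g  2 Nov 2017")
NEW_BUILD = ("Server version: Apache/2.4.38 (Debian)", "OpenSSL 1.1.1a  20 Nov 2018")


def version_tuple(banner):
    """Extract the first x.y.z version number from a banner line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no x.y.z version in %r" % banner)
    return tuple(int(part) for part in m.groups())


def tls13_available(apache_banner, openssl_banner):
    """True when both versions meet the minimums quoted on this page."""
    return (version_tuple(apache_banner) >= MIN_APACHE
            and version_tuple(openssl_banner) >= MIN_OPENSSL)


def audit_ssl_protocol(conf_text, apache_banner, openssl_banner):
    """Return (sorted enabled protocols, findings) for one config context."""
    has13 = tls13_available(apache_banner, openssl_banner)
    all_set = set(BASE_ALL) | ({"TLSv1.3"} if has13 else set())
    names = {n.lower(): n for n in all_set | {"SSLv3", "all"}}
    enabled, findings = set(all_set), []    # assumed default without a directive
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].lower() != "sslprotocol":
            continue                        # comments and other directives
        enabled = set()                     # every directive starts from nothing
        for tok in words[1:]:
            action = tok[0] if tok[0] in "+-" else ""
            name = tok[1:] if action else tok
            canon = names.get(name.lower())
            if canon is None:               # e.g. TLSv1.3 on a build without it
                findings.append("line %d: Illegal protocol '%s'" % (lineno, name))
                continue
            group = all_set if canon == "all" else {canon}
            if action == "-":
                enabled -= group
            elif action == "+":
                enabled |= group
            else:
                if enabled:
                    findings.append("line %d: bare '%s' replaces the protocols set "
                                    "before it; use +/- prefixes" % (lineno, name))
                enabled = set(group)
    legacy = sorted(enabled & LEGACY)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if has13 and "TLSv1.3" not in enabled:
        findings.append("TLSv1.3 is available but not enabled")
    return sorted(enabled), findings


if __name__ == "__main__":
    cases = [
        ("question, old build", "SSLProtocol TLSv1.2 TLSv1.3", OLD_BUILD),
        ("answer, new build", "SSLProtocol -all +TLSv1.3 +TLSv1.2", NEW_BUILD),
        ("bare names, new build", "SSLProtocol TLSv1.2 TLSv1.3", NEW_BUILD),
    ]
    for label, conf, build in cases:
        protocols, notes = audit_ssl_protocol(conf, *build)
        print(label, "->", protocols, notes)
```

The example treats its input as a single context, so run it separately on the global ssl.conf and on each VirtualHost file that sets SSLProtocol.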


























