How to enable TLSv1.3 in Apache2?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












4















I am running Apache2 version:



Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24


I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



# apachectl configtest

AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.3'
Action 'configtest' failed.
The Apache error log may have more information.


Is it not possible to enable TLSv1.3 in Apache2 (yet)?



I know Nginx can do it, but this question aims at Apache2.










share|improve this question




























    4















    I am running Apache2 version:



    Server version: Apache/2.4.29 (Ubuntu)
    Server built: 2018-04-25T11:38:24


    I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



    # apachectl configtest

    AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
    SSLProtocol: Illegal protocol 'TLSv1.3'
    Action 'configtest' failed.
    The Apache error log may have more information.


    Is it not possible to enable TLSv1.3 in Apache2 (yet)?



    I know Nginx can do it, but this question aims at Apache2.










    share|improve this question


























      4












      4








      4


      1






      I am running Apache2 version:



      Server version: Apache/2.4.29 (Ubuntu)
      Server built: 2018-04-25T11:38:24


      I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



      # apachectl configtest

      AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
      SSLProtocol: Illegal protocol 'TLSv1.3'
      Action 'configtest' failed.
      The Apache error log may have more information.


      Is it not possible to enable TLSv1.3 in Apache2 (yet)?



      I know Nginx can do it, but this question aims at Apache2.










      share|improve this question
















      I am running Apache2 version:



      Server version: Apache/2.4.29 (Ubuntu)
      Server built: 2018-04-25T11:38:24


      I would like to enable TLSv1.3 but I get an error below in Apache2 if I put SSLProtocol TLSv1.2 TLSv1.3 in the ssl.conf file:



      # apachectl configtest

      AH00526: Syntax error on line 79 of /etc/apache2/mods-enabled/ssl.conf:
      SSLProtocol: Illegal protocol 'TLSv1.3'
      Action 'configtest' failed.
      The Apache error log may have more information.


      Is it not possible to enable TLSv1.3 in Apache2 (yet)?



      I know Nginx can do it, but this question aims at Apache2.







      apache-httpd ssl






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 24 at 6:32









      Vlastimil

      8,3061465145




      8,3061465145










      asked May 12 '18 at 2:54









      James KowalskiJames Kowalski

      23114




      23114




















          4 Answers
          4






          active

          oldest

          votes


















          2














          TLSv1.3 is not yet supported by Apache 2.4.



          When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






          share|improve this answer
































            4














            TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






            share|improve this answer
































              0














              Editor's Note



              Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.




              If you are ready to take the risk...



              You may use this PPA, this command adds it to your system without any hassle:



              sudo add-apt-repository ppa:ondrej/apache2


              At the time of this writing, the current version was:



              $ apache2 -v

              Server version: Apache/2.4.37 (Ubuntu)
              Server built: 2018-10-28T15:27:08


              TLSv1.3 is supported in that version.



              To enable it globally for all VirtualHosts, locate your ssl.conf and set:



              SSLProtocol -all +TLSv1.2 +TLSv1.3


              Then restart Apache2 and it should be ready for a test, notably it on these sites:



              https://www.ssllabs.com/ssltest/



              https://www.htbridge.com/ssl/



              My example result = TLSv1.3 enabled



              My example result = TLSv1.3 enabled






              share|improve this answer
































                0














                Debian Buster = TLSv1.3 supported



                In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                The following information is dated to:



                # date -I


                2019-02-24




                Apache2 version:



                # apache2 -v


                Server version: Apache/2.4.38 (Debian)

                Server built: 2019-01-31T20:54:05




                Where to enable



                Globally in:



                /etc/apache2/mods-enabled/ssl.conf


                Locally in:



                Your VirtualHost(s) located in:



                /etc/apache2/sites-enabled/



                How to enable



                To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                To do that, put this line in the above-mentioned file:



                SSLProtocol -all +TLSv1.3 +TLSv1.2



                Cipher suites



                The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256


                Curves



                One important note to the end:



                There is one new curve you could / should enable: X25519.



                You can do this for instance like this, again only example:



                SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1



                Example domain test on SSLLabs




                Experimental: This server supports TLS 1.3 (RFC 8446).




                TLSv1.3 enabled






                share|improve this answer
























                  Your Answer








                  StackExchange.ready(function()
                  var channelOptions =
                  tags: "".split(" "),
                  id: "106"
                  ;
                  initTagRenderer("".split(" "), "".split(" "), channelOptions);

                  StackExchange.using("externalEditor", function()
                  // Have to fire editor after snippets, if snippets enabled
                  if (StackExchange.settings.snippets.snippetsEnabled)
                  StackExchange.using("snippets", function()
                  createEditor();
                  );

                  else
                  createEditor();

                  );

                  function createEditor()
                  StackExchange.prepareEditor(
                  heartbeatType: 'answer',
                  autoActivateHeartbeat: false,
                  convertImagesToLinks: false,
                  noModals: true,
                  showLowRepImageUploadWarning: true,
                  reputationToPostImages: null,
                  bindNavPrevention: true,
                  postfix: "",
                  imageUploader:
                  brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                  contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                  allowUrls: true
                  ,
                  onDemand: true,
                  discardSelector: ".discard-answer"
                  ,immediatelyShowMarkdownHelp:true
                  );



                  );













                  draft saved

                  draft discarded


















                  StackExchange.ready(
                  function ()
                  StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-in-apache2%23new-answer', 'question_page');

                  );

                  Post as a guest















                  Required, but never shown

























                  4 Answers
                  4






                  active

                  oldest

                  votes








                  4 Answers
                  4






                  active

                  oldest

                  votes









                  active

                  oldest

                  votes






                  active

                  oldest

                  votes









                  2














                  TLSv1.3 is not yet supported by Apache 2.4.



                  When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






                  share|improve this answer





























                    2














                    TLSv1.3 is not yet supported by Apache 2.4.



                    When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






                    share|improve this answer



























                      2












                      2








                      2







                      TLSv1.3 is not yet supported by Apache 2.4.



                      When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.






                      share|improve this answer















                      TLSv1.3 is not yet supported by Apache 2.4.



                      When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Feb 24 at 5:36









                      Vlastimil

                      8,3061465145




                      8,3061465145










                      answered May 12 '18 at 5:33









                      BoraBora

                      1595




                      1595























                          4














                          TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                          share|improve this answer





























                            4














                            TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                            share|improve this answer



























                              4












                              4








                              4







                              TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.






                              share|improve this answer















                              TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.







                              share|improve this answer














                              share|improve this answer



                              share|improve this answer








                              edited Feb 24 at 5:37









                              Vlastimil

                              8,3061465145




                              8,3061465145










                              answered Oct 13 '18 at 17:05









                              obencsobencs

                              6913




                              6913





















                                  0














                                  Editor's Note



                                  Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.




                                  If you are ready to take the risk...



                                  You may use this PPA, this command adds it to your system without any hassle:



                                  sudo add-apt-repository ppa:ondrej/apache2


                                  At the time of this writing, the current version was:



                                  $ apache2 -v

                                  Server version: Apache/2.4.37 (Ubuntu)
                                  Server built: 2018-10-28T15:27:08


                                  TLSv1.3 is supported in that version.



                                  To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                                  SSLProtocol -all +TLSv1.2 +TLSv1.3


                                  Then restart Apache2 and it should be ready for a test, notably it on these sites:



                                  https://www.ssllabs.com/ssltest/



                                  https://www.htbridge.com/ssl/



                                  My example result = TLSv1.3 enabled



                                  My example result = TLSv1.3 enabled






                                  share|improve this answer





























                                    0














                                    Editor's Note



                                    Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.




                                    If you are ready to take the risk...



                                    You may use this PPA, this command adds it to your system without any hassle:



                                    sudo add-apt-repository ppa:ondrej/apache2


                                    At the time of this writing, the current version was:



                                    $ apache2 -v

                                    Server version: Apache/2.4.37 (Ubuntu)
                                    Server built: 2018-10-28T15:27:08


                                    TLSv1.3 is supported in that version.



                                    To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                                    SSLProtocol -all +TLSv1.2 +TLSv1.3


                                    Then restart Apache2 and it should be ready for a test, notably it on these sites:



                                    https://www.ssllabs.com/ssltest/



                                    https://www.htbridge.com/ssl/



                                    My example result = TLSv1.3 enabled



                                    My example result = TLSv1.3 enabled






                                    share|improve this answer



























                                      0












                                      0








                                      0







                                      Editor's Note



                                      Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.




                                      If you are ready to take the risk...



                                      You may use this PPA, this command adds it to your system without any hassle:



                                      sudo add-apt-repository ppa:ondrej/apache2


                                      At the time of this writing, the current version was:



                                      $ apache2 -v

                                      Server version: Apache/2.4.37 (Ubuntu)
                                      Server built: 2018-10-28T15:27:08


                                      TLSv1.3 is supported in that version.



                                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                                      https://www.ssllabs.com/ssltest/



                                      https://www.htbridge.com/ssl/



                                      My example result = TLSv1.3 enabled



                                      My example result = TLSv1.3 enabled






                                      share|improve this answer















                                      Editor's Note



                                      Beware, using a PPA might ruin your system, at least the future distribution upgrades, from my experience at least.




                                      If you are ready to take the risk...



                                      You may use this PPA, this command adds it to your system without any hassle:



                                      sudo add-apt-repository ppa:ondrej/apache2


                                      At the time of this writing, the current version was:



                                      $ apache2 -v

                                      Server version: Apache/2.4.37 (Ubuntu)
                                      Server built: 2018-10-28T15:27:08


                                      TLSv1.3 is supported in that version.



                                      To enable it globally for all VirtualHosts, locate your ssl.conf and set:



                                      SSLProtocol -all +TLSv1.2 +TLSv1.3


                                      Then restart Apache2 and it should be ready for a test, notably it on these sites:



                                      https://www.ssllabs.com/ssltest/



                                      https://www.htbridge.com/ssl/



                                      My example result = TLSv1.3 enabled



                                      My example result = TLSv1.3 enabled







                                      share|improve this answer














                                      share|improve this answer



                                      share|improve this answer








                                      edited Feb 24 at 5:49









                                      Vlastimil

                                      8,3061465145




                                      8,3061465145










                                      answered Oct 29 '18 at 2:54









                                      Aryeh BeitzAryeh Beitz

                                      1092




                                      1092





















                                          0














                                          Debian Buster = TLSv1.3 supported



                                          In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                                          The following information is dated to:



                                          # date -I


                                          2019-02-24




                                          Apache2 version:



                                          # apache2 -v


                                          Server version: Apache/2.4.38 (Debian)

                                          Server built: 2019-01-31T20:54:05




                                          Where to enable



                                          Globally in:



                                          /etc/apache2/mods-enabled/ssl.conf


                                          Locally in:



                                          Your VirtualHost(s) located in:



                                          /etc/apache2/sites-enabled/



                                          How to enable



                                          To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                                          To do that, put this line in the above-mentioned file:



                                          SSLProtocol -all +TLSv1.3 +TLSv1.2



                                          Cipher suites



                                          The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                                          SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                                          SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256


                                          Curves



                                          One important note to the end:



                                          There is one new curve you could / should enable: X25519.



                                          You can do this for instance like this, again only example:



                                          SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1



                                          Example domain test on SSLLabs




                                          Experimental: This server supports TLS 1.3 (RFC 8446).




                                          TLSv1.3 enabled






                                          share|improve this answer





























                                            0














                                            Debian Buster = TLSv1.3 supported



                                            In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                                            The following information is dated to:



                                            # date -I


                                            2019-02-24




                                            Apache2 version:



                                            # apache2 -v


                                            Server version: Apache/2.4.38 (Debian)

                                            Server built: 2019-01-31T20:54:05




                                            Where to enable



                                            Globally in:



                                            /etc/apache2/mods-enabled/ssl.conf


                                            Locally in:



                                            Your VirtualHost(s) located in:



                                            /etc/apache2/sites-enabled/



                                            How to enable



                                            To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                                            To do that, put this line in the above-mentioned file:



                                            SSLProtocol -all +TLSv1.3 +TLSv1.2



                                            Cipher suites



                                            The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                                            SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                                            SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256


                                            Curves



                                            One important note to the end:



                                            There is one new curve you could / should enable: X25519.



                                            You can do this for instance like this, again only example:



                                            SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1



                                            Example domain test on SSLLabs




                                            Experimental: This server supports TLS 1.3 (RFC 8446).




                                            TLSv1.3 enabled






                                            share|improve this answer



























                                              0












                                              0








                                              0







                                              Debian Buster = TLSv1.3 supported



                                              In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                                              The following information is dated to:



                                              # date -I


                                              2019-02-24




                                              Apache2 version:



                                              # apache2 -v


                                              Server version: Apache/2.4.38 (Debian)

                                              Server built: 2019-01-31T20:54:05




                                              Where to enable



                                              Globally in:



                                              /etc/apache2/mods-enabled/ssl.conf


                                              Locally in:



                                              Your VirtualHost(s) located in:



                                              /etc/apache2/sites-enabled/



                                              How to enable



                                              To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                                              To do that, put this line in the above-mentioned file:



                                              SSLProtocol -all +TLSv1.3 +TLSv1.2



                                              Cipher suites



                                              The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                                              SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                                              SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256


                                              Curves



                                              One important note to the end:



                                              There is one new curve you could / should enable: X25519.



                                              You can do this for instance like this, again only example:



                                              SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1



                                              Example domain test on SSLLabs




                                              Experimental: This server supports TLS 1.3 (RFC 8446).




                                              TLSv1.3 enabled






                                              share|improve this answer















                                              Debian Buster = TLSv1.3 supported



                                              In Debian Buster (currently in testing), the TLSv1.3 is supported already.



                                              The following information is dated to:



                                              # date -I


                                              2019-02-24




                                              Apache2 version:



                                              # apache2 -v


                                              Server version: Apache/2.4.38 (Debian)

                                              Server built: 2019-01-31T20:54:05




                                              Where to enable



                                              Globally in:



                                              /etc/apache2/mods-enabled/ssl.conf


                                              Locally in:



                                              Your VirtualHost(s) located in:



                                              /etc/apache2/sites-enabled/



                                              How to enable



                                              To this date, the TLSv1.1 has been deprecated finally. So, you want only TLSv1.2 and TLSv1.3.



                                              To do that, put this line in the above-mentioned file:



                                              SSLProtocol -all +TLSv1.3 +TLSv1.2



                                              Cipher suites



                                              The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3, you may want to use your own set of ciphers, take this only as an example:



                                              SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                                              SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256


                                              Curves



                                              One important note to the end:



                                              There is one new curve you could / should enable: X25519.



                                              You can do this for instance like this, again only example:



                                              SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1



                                              Example domain test on SSLLabs




                                              Experimental: This server supports TLS 1.3 (RFC 8446).




                                              TLSv1.3 enabled







                                              share|improve this answer














                                              share|improve this answer



                                              share|improve this answer








                                              edited Mar 18 at 11:58

























                                              answered Feb 24 at 6:26









                                              VlastimilVlastimil

                                              8,3061465145




                                              8,3061465145



























                                                  draft saved

                                                  draft discarded
















































                                                  Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                                  • Please be sure to answer the question. Provide details and share your research!

                                                  But avoid


                                                  • Asking for help, clarification, or responding to other answers.

                                                  • Making statements based on opinion; back them up with references or personal experience.

                                                  To learn more, see our tips on writing great answers.




                                                  draft saved


                                                  draft discarded














                                                  StackExchange.ready(
                                                  function ()
                                                  StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f443341%2fhow-to-enable-tlsv1-3-in-apache2%23new-answer', 'question_page');

                                                  );

                                                  Post as a guest















                                                  Required, but never shown





















































                                                  Required, but never shown














                                                  Required, but never shown












                                                  Required, but never shown







                                                  Required, but never shown

































                                                  Required, but never shown














                                                  Required, but never shown












                                                  Required, but never shown







                                                  Required, but never shown






                                                  Popular posts from this blog

                                                  How to check contact read email or not when send email to Individual?

                                                  Displaying single band from multi-band raster using QGIS

                                                  How many registers does an x86_64 CPU actually have?