logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: SSLProtocol and TLSv1.3
Author
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Wed 21 Nov '18 19:11    Post subject: SSLProtocol and TLSv1.3 Reply with quote

My global settings I have SSLProtocol -all +TLSv1.2 +TLSv1.3
In one vhost I want only TLS 1.3. So in that vhost I added SSLProtocol -all +TLSv1.3 However that setting does not work. On that vhost even a client that can not do TLSv1.3 can connect.
Any idea how I can get that working? Or do I need to configure that in each vhost and remove the setting from the global scope?

Apache: 2.4.37
OpenSSL: 1.1.1a
nghttp2: 1.32.0

Tried with winnt mpm and event mpm
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 21 Nov '18 21:08    Post subject: Reply with quote

Guess you found a bug!

Code:
    SSLProtocol TLSv1.3
    SSLCipherSuite SSL !HIGH:!MEDIUM:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS:!RC4
    SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

This in the vhost seems to work around the problem;

Edge: Can’t connect securely to this page (and won't let me in)
FF63: connects tls/1.3
Pale Moon: SSL_ERROR_NO_CYPHER_OVERLAP
Vivaldi: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Thu 22 Nov '18 11:04    Post subject: Reply with quote

glsmith wrote:

Code:
    SSLProtocol TLSv1.3
    SSLCipherSuite SSL !HIGH:!MEDIUM:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS:!RC4
    SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

This in the vhost seems to work around the problem;



That does not work. For example IE 11 does only not connect because of the not available ciphers and not because of only TLS 1.3

Even FF62 does not connect and chrome not before 70

--- EDIT ---
Added https://bz.apache.org/bugzilla/show_bug.cgi?id=62939
Back to top


Reply to topic   Topic: SSLProtocol and TLSv1.3 View previous topic :: View next topic
Post new topic   Forum Index -> Apache