logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: TLSv1.3 on Windows server 2016
Author
stlord



Joined: 07 Oct 2019
Posts: 3

PostPosted: Mon 07 Oct '19 19:25    Post subject: TLSv1.3 on Windows server 2016 Reply with quote

Hello.
I have weird trouble. Just installed apache 2.4.41 rc2 x64 on brand new 2016 server and got the error "SSLProtocol: Illegal protocol 'TLSv1.3'". But it's working on server 2012R2 without any troubles with same config. Where to dig?
Thanks in advance.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

PostPosted: Tue 08 Oct '19 9:59    Post subject: Reply with quote

Are you sure you are using Apache with the correct OpenSSL version?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2209
Location: Sun Diego, USA

PostPosted: Tue 08 Oct '19 19:11    Post subject: Reply with quote

That was my first thought. OpenSSL must be 1.1.1 or above(in the future) and not 1.1.0 or 1.0.2.
Back to top
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 202
Location: Denver, CO USA

PostPosted: Tue 08 Oct '19 21:20    Post subject: Reply with quote

What version of Apache is the config from (you mentioned you had another version running on Windows 2012)? I am wondering if it something in the HTTPD-SSL.conf file???
Back to top
stlord



Joined: 07 Oct 2019
Posts: 3

PostPosted: Tue 08 Oct '19 22:04    Post subject: Reply with quote

httpd-2.4.41-o102s-x64-vc14-r2.zip - this version with mod_ssl.so included. Downloaded from Lounge.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2209
Location: Sun Diego, USA

PostPosted: Tue 08 Oct '19 22:30    Post subject: Reply with quote

That actually looks like an Apache Haus download by the filename. That o102s in it == OpenSSL 1.0.2. As I had said, TLS 1.3 requires OpenSSL 1.1.1+.

Apache Haus has those too, they are just not the top choice on the download page but the third, till the end of the year when OpenSSL 1.0.2 reaches it's end of life.
Back to top
stlord



Joined: 07 Oct 2019
Posts: 3

PostPosted: Tue 08 Oct '19 23:36    Post subject: Reply with quote

Ok, thanks. I'll replace module then.
But anyway, I wonder then, how it could work on 2012 without any changes, just from the box?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2209
Location: Sun Diego, USA

PostPosted: Wed 09 Oct '19 5:06    Post subject: Reply with quote

The Apache on 2012 has openssl 1.1.1, it's that simple.

If the Apache /bin folder on 2012R2 has libcrypto-1_1-x64.dll & libssl-1_1-x64.dll, it has 1.1.1.

To properly upgrade Apache these files should replaced

bin\apr_crypto_openssl-1.dll
bin\libcrypto-1_1-x64.dll instead of bin\libeay32.dll
bin\libssl-1_1-x64.dll instead of bin\ssleay32.dll
modules\mod_md.so
modules\mod_ssl.so

And if you load php as a module (phpXapache2_4.dll) then it must be php 7.2 or 7.3.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

PostPosted: Thu 10 Oct '19 11:32    Post subject: Reply with quote

Interestingly enough I have the same problem on my windows 10 pro at work, too

Code:

<IfModule mod_headers.c>
#        Header always set Strict-Transport-Security "max-age=15553000;"
#        Header always set Strict-Transport-Security "max-age=1;"
</IfModule>
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
#SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProtocol -all +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256


As soon as I enable TLSv1.3 Firefox shows "SSL_ERROR_NO_CYPHER_OVERLAP". The exact same config at home with Windows 10 pro, too works. I assume the anti virus is blocking there something.

See the curl debug

https://gist.github.com/JBlond/26da83ef7a5fa9ca0d669c061de0f69a
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

PostPosted: Mon 14 Oct '19 19:17    Post subject: Reply with quote

I figured out that commenting out the following did the trick.

Code:

SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

PostPosted: Tue 15 Oct '19 8:25    Post subject: Reply with quote

What does work is

Code:

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
Back to top


Reply to topic   Topic: TLSv1.3 on Windows server 2016 View previous topic :: View next topic
Post new topic   Forum Index -> Apache