Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: TLS 1.2 vs 1.3 problem |
|
| Author |
|
sailor
Joined: 17 Apr 2015
Posts: 79
Location: US
|
 Posted: Thu 05 Oct '23 19:31 Post subject: TLS 1.2 vs 1.3 problem |
 |
|
I have updated my SSL certificates from one provider to another for cost reasons. IT's not LE.
I had this in my config:
| Quote: | # from https://cipherli.st/
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#SSLOptions +StrictRequire +StdEnvVars -ExportCertData
#SSLProtocol -all +TLSv1.2 +TLSv1.3
#SSLCompression Off
#SSLHonorCipherOrder On
#SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
#SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 |
Shortly after restarting, my monitoring service began failing. Support said they don't have TLS 1.3 support yet. Initially, I thought it was the CDN that didn't support TLS 1.3 as that was changed (learned it was the prior week). I ran a Qualys test and sure enough 1.2 was not enabled.
Oddly another host on the same server had a slightly different config (which was using the new SSL provider successfully). So, I changed to this one:
| Code: | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256 |
As it's production, I kind of don't want to fuss with it too much. I think it's the SSLCipherSuite TLS1.3 that is causing issues. Maybe I need a TLS1.2 version of that with ciphers? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Mon 09 Oct '23 11:35 Post subject: |
|
|
My current A+ config v 1.2 and v 1.3
| Code: |
Listen 443
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; preload"
</IfModule>
</If>
ProtocolsHonorOrder On
Protocols h2 h2c
H2Upgrade on
H2Direct On
H2Push on
TraceEnable Off
SSLUseStapling On
SSLSessionCache shmcb:logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd DHParameters "conf/8192.key"
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
|
|
|
| Back to top |
|
|
|
|
|
|
