enable tls1.3

[saeid.hashemzad]

Hi
how to enable tls1.3 in custombuild2
webserver is apache

 

[ikkeben]

Which OS?

While depends on "opensssl" version

 

[zEitEr]

Hello,

If your OS does not have OpenSSL 1.1.1, probably the best option would be to install Nginx+TLSv1.3 in front of Apache. See for this: https://help.poralix.com/articles/nginx-with-tlsv1.3-on-directadmin-server

 

[smtalk]

I'd like to note that LiteSpeed and OpenLiteSpeed come as pre-compiled binaries on Linux distributions, so, it comes with TLSv1.3 without any changes to OpenSSL

 

[Tazmanian79]

I have seen that Apache 2.4.41 now supports TLS 1.3

According to https://httpd.apache.org/
Apache HTTP Server version 2.4.41 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.

I have OpenSSL 1.0.2k-fips 26 Jan 2017

Which steps should I do to enable TLS 1.3 ?
And should TLS 1.1 be disabled?

 

[wattie]

Which steps should I do to enable TLS 1.3 ?

You must upgrade OpenSSL to the next major version. It is not a straightforward operation. You may need to upgrade your OS and recompile all software.

And should TLS 1.1 be disabled?

TLS 1.0 and 1.1 can be safely disabled. TLS 1.2 is supported by all modern browsers.

 

[Tazmanian79]

Is there any guide on how to manage this?

I have Centos 7.6.1810 64-bit.

 

[ikkeben]

Is there any guide on how to manage this?

I have Centos 7.6.1810 64-bit.

I personaly believe better to wait centos 8.

You can however try building apache against openssl 1.1.1c only with some extra' then don't know php 5.x support this way and all other php has to be fpm.

So for having on port 443 tls 1.3,

if you want tls 1.3 on more ( ports ) look at topic WATTIE started on this forum

codeit repo do some with mod-ssl i believe, but that repo isn't in DA !

 

[Tazmanian79]

Hi,

I have only php 7.1 and 7.3 installed. (php-fpm)

 

[wattie]

You can then upgrade OpenSSL to 1.1.1 and recompile all system software that depend on it and "./build all d" in DirectAdmin. It should be OK.

Does it worth it? Not that much at the moment. TLS 1.2 is fine and secure.

 

[zEitEr]

I would not recommend installing OpenSSL 1.1.1 server-wide on CentOS 7.x unless you are 100% you can handle the setup without breaking the services. These forums have already posts with ruined setups of CentOS 7 + OpenSSL 1.1.1.

The safest way would be to build selected services against OpenSSL 1.1.1, or use LiteSpeed and OpenLiteSpeed as already mentioned here.

 

[aljaxus]

Hello,

If your OS does not have OpenSSL 1.1.1, probably the best option would be to install Nginx+TLSv1.3 in front of Apache. See for this: https://help.poralix.com/articles/nginx-with-tlsv1.3-on-directadmin-server

I'm sorry, but nginx-1.17.5.tar.gz doesn't exist on DA's file servers.

Let me explain - I followed the "tutorial" (better said, I looked at what the files that are downloaded do and their content) and the
mainstream NGINX version is 1.17.5, which is, as stated above, non-existant on DA's fileservers

[root@node1 custombuild]# ./build_nginx versions
Latest stable version of Nginx: 1.16.1 
Latest mainline version of Nginx: 1.17.5 (selected)
Installed version of Nginx: 1.17.4

Is there any way I can override the source URL string with "https://nginx.org/download/nginx-1.17.5.tar.gz" ?

 

[zEitEr]

The script mentioned on the Poralix's site can download Nginx of a needed version:

Usage:
   ./build_nginx versions <branch> - to update information of available mainline version
   ./build_nginx download <branch> - to download the latest available mainline version
   ./build_nginx install <branch>  - to download and install the latest mainline version
   ./build_nginx cron <branch>     - to run with cron (no installation is done here)
   ./build_nginx set-cron <branch> - to install a cron-task to run 'cron --mainline' nightly

 

[aljaxus]

Yeah I just notified DA staff and they uploaded it to their file servers