enable tls1.3

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,335
Location
LT, EU
I'd like to note that LiteSpeed and OpenLiteSpeed come as pre-compiled binaries on Linux distributions, so they come with TLSv1.3 without any changes to OpenSSL :)
 

Tazmanian79

Verified User
Joined
Jul 24, 2010
Messages
82
I have seen that Apache 2.4.41 now supports TLS 1.3

According to https://httpd.apache.org/
Apache HTTP Server version 2.4.41 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.

I have OpenSSL 1.0.2k-fips 26 Jan 2017

Which steps should I do to enable TLS 1.3?
And should TLS 1.1 be disabled?
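A small readiness check for the two requirements quoted in this thread (OpenSSL 1.1.1 and Apache 2.4.41) and for the TLS 1.1 question, added here as an example and not code from DirectAdmin or any poster. The version strings are constructed samples shaped like `openssl version` / `httpd -v` output, and the `SSLProtocol` expansion follows Apache's documented `all`, `+X`, `-X` syntax.

```python
import re

# Constructed samples shaped like the command output quoted in the thread.
SAMPLE_OPENSSL = "OpenSSL 1.0.2k-fips  26 Jan 2017"
SAMPLE_HTTPD = "Server version: Apache/2.4.41 (Unix)"
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_openssl_version(text):
    """Parse `openssl version` output into (major, minor, fix, letter)."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def parse_httpd_version(text):
    """Parse `httpd -v` output into (major, minor, patch)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised httpd version string: %r" % text)
    return tuple(int(g) for g in m.groups())


def tls13_blockers(openssl_text, httpd_text):
    """List what stops this host from serving TLS 1.3: OpenSSL below 1.1.1
    (the 1.0.2 line never gained TLS 1.3) or Apache below 2.4.41."""
    blockers = []
    o = parse_openssl_version(openssl_text)
    if o[:3] < (1, 1, 1):
        blockers.append("OpenSSL %d.%d.%d%s is below 1.1.1" % o)
    h = parse_httpd_version(httpd_text)
    if h < (2, 4, 41):
        blockers.append("Apache %d.%d.%d is below 2.4.41" % h)
    return blockers


def enabled_protocols(directive, openssl_has_tls13=True):
    """Expand an Apache SSLProtocol line into the set it really enables.
    `all` = every protocol the linked OpenSSL knows (no TLSv1.3 on 1.0.2),
    `-X` removes, `+X` or a bare name adds."""
    known = [p for p in ALL_PROTOCOLS if openssl_has_tls13 or p != "TLSv1.3"]
    enabled = set()
    for tok in directive.split()[1:]:
        if tok.lower() == "all":
            enabled.update(known)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def legacy_left_enabled(directive, openssl_has_tls13=True):
    """Which legacy protocols (SSLv3, TLSv1, TLSv1.1) does the line leave on?"""
    return sorted(enabled_protocols(directive, openssl_has_tls13) & LEGACY)
```

Run `legacy_left_enabled` over your current `SSLProtocol` line to see whether TLS 1.1 is still offered regardless of whether TLS 1.3 can be turned on yet.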
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
638
Location
Netherlands Germany
Is there any guide on how to manage this?

I have CentOS 7.6.1810 64-bit.
I personally believe it is better to wait for CentOS 8.

You can, however, try building Apache against OpenSSL 1.1.1c, only with some extras; then I don't know whether PHP 5.x supports this way, and all other PHP has to be FPM.

So that is for having TLS 1.3 on port 443;

if you want TLS 1.3 on more (ports), look at the topic WATTIE started on this forum.

The CodeIT repo does something with mod_ssl, I believe, but that repo isn't in DA!
 

wattie

Verified User
Joined
May 31, 2008
Messages
992
Location
Bulgaria
You can then upgrade OpenSSL to 1.1.1 and recompile all system software that depends on it and "./build all d" in DirectAdmin. It should be OK.

Is it worth it? Not that much at the moment. TLS 1.2 is fine and secure.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
I would not recommend installing OpenSSL 1.1.1 server-wide on CentOS 7.x unless you are 100% sure you can handle the setup without breaking the services. These forums already have posts about ruined setups of CentOS 7 + OpenSSL 1.1.1.

The safest way would be to build selected services against OpenSSL 1.1.1, or use LiteSpeed and OpenLiteSpeed as already mentioned here.
 

aljaxus

New member
Joined
Feb 6, 2019
Messages
2
Hello,

If your OS does not have OpenSSL 1.1.1, probably the best option would be to install Nginx+TLSv1.3 in front of Apache. See for this: https://help.poralix.com/articles/nginx-with-tlsv1.3-on-directadmin-server

I'm sorry, but nginx-1.17.5.tar.gz doesn't exist on DA's file servers.

Let me explain: I followed the "tutorial" (better said, I looked at what the downloaded files do and their content), and the
mainline NGINX version is 1.17.5, which is, as stated above, non-existent on DA's file servers.
Code:
[root@node1 custombuild]# ./build_nginx versions
Latest stable version of Nginx: 1.16.1 
Latest mainline version of Nginx: 1.17.5 (selected)
Installed version of Nginx: 1.17.4
Is there any way I can override the source URL string with "https://nginx.org/download/nginx-1.17.5.tar.gz"?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
The script mentioned on Poralix's site can download Nginx of a needed version:

Code:
Usage:
   ./build_nginx versions <branch> - to update information of available mainline version
   ./build_nginx download <branch> - to download the latest available mainline version
   ./build_nginx install <branch>  - to download and install the latest mainline version
   ./build_nginx cron <branch>     - to run with cron (no installation is done here)
   ./build_nginx set-cron <branch> - to install a cron-task to run 'cron --mainline' nightly
 