Enabling TLS 1.3 in Apache >=2.4.38

TLSv1.3 is now available on 85% of web clients, according to caniuse.com. Since I don’t have to support either Internet Explorer or the six microscopic mobile web browsers that don’t support it at all, I have gone ahead and migrated my servers straight over to TLSv1.3.

Below is a sample configuration that will enable TLSv1.3 and the currently recommended ciphers in a reasonable order. You must enable TLSv1.3 globally on the entire server. I made my adjustments in the /etc/apache2/mods-enabled/ssl.conf file. I gave Chacha preference to AES due to the number of mobile devices running modern browsers that don’t have AES hardware acceleration.

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol -all +TLSv1.3

One response to “Enabling TLS 1.3 in Apache >=2.4.38”

  1. […] I moved this site to TLS 1.3 a few weeks ago. So far, it has been working great if I use a web browser. Unfortunately, no one has updated Curl to work with TLS 1.3. The second issue is that Curl is the HTTP client library du jour for C or languages that use C’s Foreign Function Interface. Unfortunately, TLS 1.3 only breaks nearly all applications that use a web callback or WordPress’ APIs. […]

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.