How to enable TLSv1.3 in Apache2?

Debian Buster = TLSv1.3 supported

In Debian Buster (currently in testing), TLSv1.3 is already supported.

The following information is dated to:

# date -I

2019-02-24


Apache2 version:

# apache2 -v

Server version: Apache/2.4.38 (Debian)
Server built: 2019-01-31T20:54:05


Where to enable

Globally in:

/etc/apache2/mods-enabled/ssl.conf

Locally in:

Your VirtualHost(s) located in:

/etc/apache2/sites-enabled/

How to enable

As of this date, TLSv1.1 has finally been deprecated. So, you want only TLSv1.2 and TLSv1.3.

To do that, put this line in the above-mentioned file:

SSLProtocol -all +TLSv1.3 +TLSv1.2

Cipher suites

The cipher suites are now divided into 2 categories: SSL (below TLSv1.3) and TLSv1.3. You may want to use your own set of ciphers; take this only as an example:

SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite    SSL       ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

Curves

One important note at the end:

There is one new curve you could / should enable: X25519.

You can do this, for instance, like this (again, only an example):

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1

Example domain test on SSLLabs

Experimental: This server supports TLS 1.3 (RFC 8446).

TLSv1.3 enabled
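A way to check that every SSLProtocol line in the global file and the VirtualHosts really resolves to only TLSv1.2 and TLSv1.3, as the answer above intends. This is an added example, not part of the original answer or of Apache: the function names and the sample configuration are constructed, and the expansion of "all" to every protocol version is a simplifying assumption.

```python
import re

# Assumption: "all" expands to every protocol version a mod_ssl build may offer.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WANTED = {"TLSv1.2", "TLSv1.3"}  # the policy stated in the answer above

def effective_protocols(args):
    """Evaluate SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):]
        if name.lower() == "all":
            group = set(ALL)
        else:
            group = {p for p in ALL if p.lower() == name.lower()}
            if not group:
                raise ValueError(f"unknown protocol {name!r}")
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = group  # a bare name discards what came before it
    return enabled

def audit(config_text):
    """Return (line_no, outside_policy, missing) for each non-compliant SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue  # commented-out lines start with '#', so they never match
        enabled = effective_protocols(m.group(1))
        if enabled != WANTED:
            findings.append((no, sorted(enabled - WANTED), sorted(WANTED - enabled)))
    return findings

# Constructed sample, not taken from a real server.
SAMPLE = """\
# SSLProtocol all
SSLProtocol -all +TLSv1.3 +TLSv1.2
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, extra, missing in audit(SAMPLE):
        print(f"line {no}: outside policy {extra}, missing {missing}")
```

The VirtualHost line in the sample is flagged because it still leaves TLSv1 and TLSv1.1 enabled, which is the kind of leftover a per-site override can carry after the global file has been tightened.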


TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.


TLSv1.3 is not yet supported by Apache 2.4.

When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.