How to enable TLSv1.3 in Apache2?
Debian Buster = TLSv1.3 supported
In Debian Buster (currently in testing), TLSv1.3 is already supported.
The following information is dated to:
# date -I
2019-02-24
Apache2 version:
# apache2 -v
Server version: Apache/2.4.38 (Debian)
Server built: 2019-01-31T20:54:05
Where to enable
Globally in:
/etc/apache2/mods-enabled/ssl.conf
Locally in:
Your VirtualHost(s) located in:
/etc/apache2/sites-enabled/
How to enable
As of this date, TLSv1.1 has finally been deprecated. So, you want only TLSv1.2 and TLSv1.3.
To do that, put this line in the above-mentioned file:
SSLProtocol -all +TLSv1.3 +TLSv1.2
Cipher suites
The cipher suites are now divided into 2 categories, that being SSL (below TLSv1.3) and TLSv1.3. You may want to use your own set of ciphers; take this only as an example:
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
Curves
One important note at the end:
There is one new curve you could / should enable: X25519.
You can do this, for instance, like this (again, only an example):
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
Example domain test on SSLLabs
Experimental: This server supports TLS 1.3 (RFC 8446).
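An added example, not part of the answer above: a small Python check that evaluates each `SSLProtocol` line the way its `+`/`-` prefixes are applied and reports any scope (global or a VirtualHost) that enables more than TLSv1.2 and TLSv1.3. The function names, the sample vhost and the expansion of `all` are assumptions made for the illustration.

```python
import re

# Assumption: what "all" expands to on a build with OpenSSL 1.1.1 (build-dependent).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {p.lower(): p for p in ALL}
WANTED = {"TLSv1.2", "TLSv1.3"}  # the target stated in the answer

# Constructed sample: the global line from the answer plus a hypothetical vhost.
SAMPLE = """\
SSLProtocol -all +TLSv1.3 +TLSv1.2
<VirtualHost *:443>
    ServerName legacy.example
    SSLProtocol all -SSLv3
</VirtualHost>
"""


def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right: '+x' adds, '-x' removes,
    and a bare name replaces everything enabled so far."""
    enabled = set()
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        key = name.lower()
        if key != "all" and key not in CANON:
            raise ValueError(f"unknown protocol {name!r}")
        names = ALL if key == "all" else {CANON[key]}
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def audit(conf_text):
    """Map each scope with an SSLProtocol line to the protocols it enables
    beyond WANTED (an empty list means the scope matches the target)."""
    findings, scope = {}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if opened:
            scope = "vhost " + opened.group(1).strip()
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        elif proto:
            findings[scope] = sorted(effective_protocols(proto.group(1)) - WANTED)
    return findings
```

Feeding `audit()` the text of `ssl.conf` followed by the files in `sites-enabled/` shows whether a VirtualHost re-enables a protocol the global line turned off.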
TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1 Source.
TLSv1.3 is not yet supported by Apache 2.4.
When it is supported by OpenSSL (see info here), Apache 2.4 should have it too.