JP's picture

Good morning,

I've followed various how-to's on enabling TLS 1.3, however apache is stating that the cipher suites can only be a comma delimited list. I've inserted these:

     SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

Is this because of the apache2 version running?

root@lamp .../apache2/mods-available# apache2 -v

Server version: Apache/2.4.25 (Debian)

Server built:   2019-08-19T19:25:31

Jeremy Davis's picture

According to the Apache2 changelog, TLS 1.3 support wasn't added until 2.4.36. And it also requires OpenSSL 1.1 (the first version to support TLS 1.3; Debian 9/Stretch - the basis of TurnKey v15.x; only has 1.0).

So from my brief reading (beyond not worrying about it), you have a couple of obvious options.

You can install a newer version of Apache (and OpenSSL) from Ondřej Surý's repo. On that page, it only notes his PHP packages, but he actually has an Apache2 repo too (appears to currently contain 2.4.41). Whilst adding third party repos is generally not advised, Ondřej is a well known Debian and Ubuntu developer who is involved in the official maintenance of these packages within both Debian and Ubuntu. Although TBH, I'm not totally clear of the other implications of updating Apache (and OpenSSL). It is possible that there may be other unintended consequence!? If you want to check this option out, I would strongly recommend that you do some testing with a throw-away VM first.

The other option would be to do a Debian "in place" upgrade. I.e. upgrade from a Debian 9/Stretch base, to a Debian 10/Buster base (Buster has 2.4.38). We're currently working on a v16.x base appliance (hopefully at least an RC will be ready to really soon). So there aren't yet any Buster TurnKey packages (so you'll need to leave the TurnKey sources.list entries on Stretch), but they should all continue to work ok with Buster (although I can't 100% guarantee as I haven't tested it myself). If you go that path, I would highly recommend that you take a snapshot, or similar full backup of the system (i.e. not just a TKLBAM backup) before you proceed. Then you can roll back if it all goes pear shaped...

JP's picture

No worries! I appreciate your insight. I am in no rush to get 1.3 up and running. Gotta love VMware snapshots ;-)

Looking forward to the new TurnKey build!

Add new comment