To answer your question to the best of my knowledge,

1. OpenSSL 1.1.1 and above support TLSv1.3. These are the TLSv1.3 ciphers OpenSSL 3.0 supports:
   https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html

2. This link says that TLSv1.3 is supported:
   https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3

Can you give us the output of

    $ openssl ciphers -s -v -tls1_3

One option to test the ciphers on your HTTPD is to change the SSLCipherSuite to allow all ciphers and use a tool like https://testssl.sh/ to list all the ciphers available, to help troubleshoot further.

On Tue, Nov 21, 2023 at 12:37 PM John <john.iliffe@xxxxxxxxx> wrote:
>
> Apache won't start when https/TLS is activated although it runs fine with only http. I made the
> changes previously suggested but now httpd just doesn't start. The error from systemctl is:
> -----
> Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
> Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> -----
> and a more useful error from the Apache error log is:
> -----
> [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd
> running as context system_u:system_r:httpd_t:s0
> [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism
> enabled (wrapper: /usr/sbin/suexec)
> [Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure
> permitted SSL ciphers
> [Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error:
> error:0A0000B9:SSL routines::no cipher match
> [Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error
> initialising mod_ssl, exiting.
> AH00016: Configuration Failed
> ----
> I **think** this may be due to the fact that the default installation of Rocky has a lot of http
> config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
> line. ssl.conf (default install) has this:
>
>     #SSLCipherSuite PROFILE=SYSTEM
>     SSLProxyCipherSuite PROFILE=SYSTEM
>
> but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
> configuration file.
>
> Also included in the concatenation is the custom one for this server:
>
>     # SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
>     SSLCipherSuite TLSv1.3
>
> The first line is copied from the old (current production) server and leads to a failure to start
> error in the syntax immediately, but best practice suggests that the second line is what I want
> anyway. Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3, so they are not available
> to delete.
>
> The docs indicate that SSLCipherSuite is a per-directory parameter and no conflict should be caused
> by it appearing in two different files.
>
> So, I have two immediate questions:
>
> 1. I have the default openssl installed, which is version openssl-3.0.7-6.el9_2.x86_64. Is
>    this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
> 2. Is there something that someone knows of by way of documentation that I haven't found yet?
>
> Thanks for any assistance.
>
> John
> ======
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
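Editor's added example (not code from the thread or from the httpd project): a small POSIX sh checker for the SSLCipherSuite lines quoted above. It follows the syntax documented on the mod_ssl page linked in the reply: with httpd 2.4.36+ and OpenSSL 1.1.1+, a one-argument SSLCipherSuite spec applies to TLS 1.2 and below, while a two-argument form whose first word is TLSv1.3 gives the TLS 1.3 suite list. Two things it assumes beyond the thread: that a lone "SSLCipherSuite TLSv1.3" is read as a one-argument directive, so the literal string TLSv1.3 is what OpenSSL is asked to match (my reading of mod_ssl's parser), and that a spec containing spaces ("HIGH: !ADH: ...") arrives as extra arguments and is rejected at config-parse time. On RHEL-family OpenSSL builds such as Rocky's, PROFILE=SYSTEM is a cipher string the library itself accepts (it defers to the system crypto policy), so the checker simply passes it to openssl like any other spec. The sample config embedded below is constructed from the lines in the thread; when openssl is on PATH, each accepted spec is also resolved with `openssl ciphers` so a "no cipher match" shows up here instead of as AH01898 at httpd startup.

```shell
#!/bin/sh
# Added example, not from the thread: classify and resolve mod_ssl
# SSLCipherSuite directives.  One argument -> TLS 1.2-and-below cipher list
# (SSL_CTX_set_cipher_list); "TLSv1.3 <list>" -> TLS 1.3 suite list
# (SSL_CTX_set_ciphersuites).  Assumption: a bare "SSLCipherSuite TLSv1.3"
# is parsed as the one-argument form.

# Constructed sample config modelled on the lines quoted in the thread.
# Comment lines and SSLProxyCipherSuite are left alone by this checker.
SAMPLE_CONF='#SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!PSK'

# classify_directive LINE
# Prints "PROTO|SPEC" (PROTO is SSL or TLSv1.3) and returns 0, or prints why
# the directive is unusable and returns 1.
classify_directive() {
    set -- $1                     # split into words, as the config parser does
    [ "$1" = "SSLCipherSuite" ] || { echo "not an SSLCipherSuite directive"; return 1; }
    case $# in
        2)
            if [ "$2" = "TLSv1.3" ]; then
                # Protocol keyword with no suite list: the literal string
                # TLSv1.3 is all OpenSSL would be given to match against.
                echo "TLSv1.3 given without a suite list"
                return 1
            fi
            echo "SSL|$2" ;;
        3)
            [ "$2" = "TLSv1.3" ] || { echo "unknown protocol keyword $2"; return 1; }
            echo "TLSv1.3|$3" ;;
        *)
            # Spaces inside the spec ("HIGH: !ADH: ...") become extra arguments.
            echo "expected 1 or 2 arguments, got $(($# - 1)) (spaces inside the spec?)"
            return 1 ;;
    esac
}

# resolve_spec PROTO SPEC
# Lists what the local OpenSSL selects for SPEC; non-zero means no match.
resolve_spec() {
    if [ "$1" = "TLSv1.3" ]; then
        openssl ciphers -s -tls1_3 -ciphersuites "$2"   # TLS 1.3 suite list
    else
        openssl ciphers -s -tls1_2 "$2"                  # TLS 1.2-and-below list
    fi
}

# check_conf   (reads a config fragment on stdin)
# Reports each SSLCipherSuite line; returns 1 if any would stop mod_ssl.
check_conf() {
    bad=0
    while IFS= read -r line; do
        case $line in SSLCipherSuite*) ;; *) continue ;; esac
        if result=$(classify_directive "$line"); then
            proto=${result%%|*}; spec=${result#*|}
            if command -v openssl >/dev/null 2>&1; then
                if ciphers=$(resolve_spec "$proto" "$spec" 2>/dev/null); then
                    echo "OK   [$proto] $spec -> $ciphers"
                else
                    echo "FAIL [$proto] $spec -> no cipher match in this OpenSSL"
                    bad=$((bad + 1))
                fi
            else
                echo "OK   [$proto] $spec (openssl not found, not resolved)"
            fi
        else
            echo "FAIL $line -> $result"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

printf '%s\n' "$SAMPLE_CONF" | check_conf || echo "httpd would refuse to start with this configuration"
```

Run it against a real fragment with `grep -h SSLCipherSuite /etc/httpd/conf.d/*.conf | sh -c '. ./check.sh; check_conf'` style wiring, or just paste the lines into SAMPLE_CONF. On the sample, the spaced-out line and the bare "SSLCipherSuite TLSv1.3" line are both reported as FAIL before openssl is ever consulted; the two-argument TLSv1.3 line and the plain HIGH:... line are resolved by the installed OpenSSL, which is the same answer `openssl ciphers -s -v -tls1_3` gives for the TLS 1.3 side.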