Can't enable TLS 1.3 (should I?)

Hi.

My domain is:

https://www2.osiosloukasmonastery.gr/

And

I ran this command:

sudo certbot --staple-ocsp --must-staple certonly --manual --preferred-challenges=dns -d 'osiosloukasmonastery.gr' -d '*.osiosloukasmonastery.gr' --manual-auth-hook '/root/bin/certbot_stuff/auth-hook_4All.tcsh add CERTBOT_VALIDATION' --manual-cleanup-hook '/root/bin/certbot_stuff/auth-hook_4All.tcsh remove CERTBOT_VALIDATION'

It produced this output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/osiosloukasmonastery.gr/fullchain.pem
Key is saved at: /etc/letsencrypt/live/osiosloukasmonastery.gr/privkey.pem
This certificate expires on 2024-10-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version):

apache 2.4.56

The operating system my web server runs on is (include version):

apple mac mini m1 (2020)
sonoma 14.1.1

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.22.0

SSLlabs reports that TLS v1.3 is not enabled.

https://www.ssllabs.com/ssltest/analyze.html?d=www2.osiosloukasmonastery.gr&hideResults=on

Any idea? Do I really need it?

The command "openssl ciphers" gives:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA

And "openssl version"

OpenSSL 1.1.1k FIPS 25 Mar 2021

And in httpd-ssl.conf I used:

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLProtocol all -SSLv3

Thanks in advance

2 Likes

If I read mod_ssl - Apache HTTP Server Version 2.4 correctly, the all 'protocol' does not include TLSv1.3. One would think it would for OpenSSL 1.1.1, but apparently it doesn't?

Can you try adding it manually?

1 Like
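
A local way to check whether the server accepts TLS 1.3 after `SSLProtocol` is changed, without waiting for an SSL Labs rescan. This is an added example, not part of the thread: it offers exactly one protocol version per connection and reports what was negotiated. The function names, the script name and the command-line usage are this example's own assumptions.

```python
import socket
import ssl
import sys

# Versions to offer, one per connection (names are this example's own).
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version; return (protocol, cipher) or None.

    Raises OSError when the TCP connection itself fails, so an unreachable
    server is not mistaken for one that refused the protocol version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol support is being tested; certificate validation is a
    # separate check and is skipped so a local or staging host can be probed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None  # handshake failed: this version was not accepted
    finally:
        sock.close()


def report(host, port=443):
    """Probe every version in VERSIONS and return {name: result}."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}


if __name__ == "__main__":
    # Usage: python3 tls_probe.py HOST [PORT]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("client library:", ssl.OPENSSL_VERSION)
    for name, result in report(host, port).items():
        print(f"{name}: {'not negotiated' if result is None else result}")
```

A successful TLSv1.2 handshake next to "not negotiated" for TLSv1.3 corresponds to the SSL Labs result described in the question.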
