Can't seem to enable TLS1.3

Restarted but it doesn't seem to have changed anything.

Your problem is really nothing to do with LE.
You need to learn how to configure your web server so that it does what you want it to do.

And you can stop issuing more certs - one is enough.
[they are all the same]
[unless you need to add or remove a name on it]

In /etc/apache2/mods-enabled/ssl.conf it says:

SSLCipherSuite HIGH:!aNULL

Would this be where the issue is?

If you have SSLCipherSuite twice - yes that is an issue.

So if the cipher suite matters only on the apache2 side, the cipher suite in the letsencrypt will cause problems?

There should only be one.
Each conflicts with the other.

So do I just comment out the one in letsencrypt options?

This is not a forum for - "how to configure my web server".
I can't say which is better.
That is up to you.

All I can say is, from my personal experience, you can't tell it to do two different things.

Sorry, I will clarify.

Does commenting out the certbot/letsencrypt options cause any problems when it auto renews or anything?

You have renewed 5 times - do you really think that is stopping you?
It only sets which ciphers should be used.

That's not correct. You can set the SSLCipherSuite multiple times. Its allowed contexts are: "server config, virtual host, directory, .htaccess".

With aid of SNI you can set a SSLCipherSuite directive per <VirtualHost> block if you'd like. That won't "conflict" with each other.

"Allowed" and "actually do what you ask it" are two different things.
I speak from my personal experiences.

I speak from personal experience too. If you have multiple SSLCipherSuite directives in VirtualHost blocks, Apache will choose the cipher suites from the SSLCipherSuite directive from that VirtualHost.

Of course it will ignore "generic" SSLCipherSuite directives from outside the VirtualHost block.

@Osiris, If you have a wildcard, make four vhosts.
one for ssl
one for tlsv1
one for tlsv1.1
one for tlsv1.2

Tell me if it can do that.

That one isn't going to work due to my OpenSSL not supporting SSL any longer.

OK, what about the other three?

@rg305 Setting SSLProtocol -all TLSv1.2 and SSLProtocol -all TLSv1.3 with my other default TLS settings elsewhere it works nicely. Setting -tls1_1 or -tls1_3 on the OpenSSL s_client command line results in a failure when connecting to the Apache TLSv1.2 VirtualHost (as expected), but not with -tls1_2. Same goes for the TLSv1.3 VirtualHost, but obviously failures with -tls1_1 and -tls1_2 but not with -tls1_3.

It seems TLSv1 and TLSv1.1 don't play very well with my other TLS settings. Added the "Old" Mozilla SSL Generator SSLCipherSuite directive to those two specific VirtualHost blocks and gee, what'll you know, it works now. TLS1.0 and TLS1.1 only VirtualHost, working like a charm. Not affecting any other VirtualHosts at all.

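The per-VirtualHost setup described in the posts above, written out as an added example (not from the thread, certbot or the Apache project); the hostnames, certificate paths and cipher lists are assumptions, and the certificate is one Let's Encrypt cert covering both names so SNI alone selects the block:

```apache
# Added example, not from the thread. One certificate, two name-based
# <VirtualHost> blocks selected by SNI, each pinning its own TLS version.
# TLSv1.3 needs Apache httpd 2.4.37+ linked against OpenSSL 1.1.1+;
# older builds silently ignore the TLSv1.3 token, which is why "turning
# on 1.3" appears to do nothing.

# Server-wide defaults (e.g. mods-enabled/ssl.conf). Keep exactly ONE
# SSLCipherSuite at this level; a second copy in the same context just
# overwrites the first, so it is confusing rather than "merged".
SSLProtocol            -all +TLSv1.2 +TLSv1.3
SSLCipherSuite         HIGH:!aNULL
SSLHonorCipherOrder    off

<VirtualHost *:443>
    ServerName tls12.example.com            # assumed hostname
    SSLEngine  on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem     # assumed path
    # Per-vhost override: this name speaks TLS 1.2 only. The vhost-level
    # directives win over the server-wide ones above for this SNI name.
    SSLProtocol    -all +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # If certbot's "Include /etc/letsencrypt/options-ssl-apache.conf" is
    # also present in this block, its SSLCipherSuite/SSLProtocol lines
    # compete with the two above; keep one source of truth per vhost.
</VirtualHost>

<VirtualHost *:443>
    ServerName tls13.example.com            # assumed hostname
    SSLEngine  on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem     # assumed path
    # Per-vhost override: this name speaks TLS 1.3 only. TLS 1.3 suites are
    # a separate list from the classic one, selected with the TLSv1.3 tag.
    SSLProtocol    -all +TLSv1.3
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
</VirtualHost>

# Check from a client, as in the post above (expected: first two succeed,
# last two fail with a protocol/handshake error):
#   openssl s_client -connect SERVER:443 -servername tls12.example.com -tls1_2
#   openssl s_client -connect SERVER:443 -servername tls13.example.com -tls1_3
#   openssl s_client -connect SERVER:443 -servername tls12.example.com -tls1_3
#   openssl s_client -connect SERVER:443 -servername tls13.example.com -tls1_2
```

Run `apachectl configtest` before reloading; a token that the linked OpenSSL does not understand is reported there rather than at handshake time.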

@Osiris How did you enable TLS1.3? I can't for the life of me figure out how to turn on 1.3


Have a look at this series

Exactly the same discussion

