How To Enable TLS 1.2 and TLS 1.3 in Apache Web Server

It provides the steps to enable either TLS 1.2 only or TLS 1.3 only or both on the Apache Web Server.

July 04, 2020

This tutorial provides the steps to configure Apache Web Server to allow only TLS 1.2 or TLS 1.3 or both to increase the security of the web applications served by it. This is required since there are several known vulnerabilities including POODLE for SSL or TLS versions older than TLS 1.2. We must either enable TLS 1.2 only or TLS 1.3 only or both depending on the Web Server and OpenSSL versions. This tutorial provides all the steps for Ubuntu 20.04 LTS. The steps should be similar on other versions of Ubuntu and Linux systems.

Prerequisites

This tutorial assumes that Apache is already installed on the system. You may follow How To Install Apache 2 On Ubuntu 20.04 LTS. It also assumes that the minimum version of OpenSSL is 1.0.1.

TLSv1.2 - Requires at least Apache 2.2.24 and OpenSSL 1.0.1

TLSv1.3 - Requires at least Apache 2.4.37 and OpenSSL 1.1.1

Notes: The current version of Apache 2 in the Ubuntu 18.04 LTS repositories is 2.4.29 and in the Ubuntu 20.04 LTS repositories it is 2.4.41. You may also install the Apache Web Server by building it from source.

We can check the Apache and OpenSSL version as shown below.

# Apache Version
apache2 -version

# Output
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-04-13T17:19:17

# OpenSSL Version
openssl version

# Output
OpenSSL 1.1.1f 31 Mar 2020

Install Apache Modules

Install the additional modules if not installed yet.

# Install security
sudo apt-get install libapache2-mod-security2

# Enable additional modules
sudo a2enmod rewrite ssl security2

# Restart Apache 2
sudo systemctl restart apache2

Update SSL Protocol

This section provides the steps to update the SSL Protocol and SSL Cipher Suite on the Apache Web Server to enable TLS 1.2 or TLS 1.3 or both, and to update the Cipher Suite to match these newer protocol versions. The steps in this section enable these protocols for all the virtual hosts. Now update the Apache configuration as shown below.

# Update SSL Configuration
sudo nano /etc/apache2/mods-available/ssl.conf

# Updates
-----
-----
SSLCipherSuite HIGH:!aNULL
-----
SSLHonorCipherOrder on
-----
SSLProtocol -all +TLSv1.2
-----
-----

# Save and exit the editor -> Ctrl + o -> Enter -> Ctrl + x

The above configuration changes allow only TLS 1.2 by setting SSLProtocol to -all +TLSv1.2. This ensures that all secure communication between the web server and the client takes place over the TLS 1.2 protocol.

Similarly, we can allow only TLS 1.3 as shown below.

# Update SSL Configuration
sudo nano /etc/apache2/mods-available/ssl.conf

# Updates
-----
SSLCipherSuite HIGH:!aNULL
-----
SSLHonorCipherOrder on
-----
SSLProtocol -all +TLSv1.3
-----

We can also allow both TLS 1.2 and TLS 1.3 as shown below.

# Update SSL Configuration
sudo nano /etc/apache2/mods-available/ssl.conf

# Updates
-----
SSLCipherSuite HIGH:!aNULL
-----
SSLHonorCipherOrder on
-----
SSLProtocol -all +TLSv1.2 +TLSv1.3
-----
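As an added example (not part of the original tutorial), the Python below models how mod_ssl evaluates an SSLProtocol argument list so a setting can be checked before Apache is reloaded: "+" adds a version, "-" removes one, "all" is every version, and a bare name replaces the set built so far (mod_ssl logs a warning about a missing +/- prefix in that case). It shows why the tutorial writes -all +TLSv1.2 +TLSv1.3 rather than TLSv1.2 TLSv1.3, which would leave only TLS 1.3 enabled; the config fragment it reads is constructed here, and its scope handling is a simplification (one scope, last directive wins).

```python
import re

# Protocol names mod_ssl accepts in SSLProtocol (SSLv2 is rejected by current releases).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions the tutorial wants disabled (pre-TLS 1.2, e.g. POODLE-affected SSLv3).
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in PROTOCOLS}  # directive names are case-insensitive


def enabled_protocols(directive):
    """Return the set of protocols an SSLProtocol argument list enables.

    Mirrors mod_ssl's parsing: '+name' adds, '-name' removes, 'all' is the
    whole set, and a bare name REPLACES whatever was set before it.
    """
    enabled = set()
    for token in directive.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            chosen = set(PROTOCOLS)
        elif key in _CANON:
            chosen = {_CANON[key]}
        else:
            raise ValueError(f"unknown protocol in SSLProtocol: {name!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare name: replaces the set, does not add to it
    return enabled


def audit_protocol(directive):
    """Classify an SSLProtocol setting: which versions are on and which are weak."""
    enabled = enabled_protocols(directive)
    return {"enabled": sorted(enabled, key=PROTOCOLS.index),
            "weak": sorted(enabled & WEAK, key=PROTOCOLS.index),
            "ok": bool(enabled) and not (enabled & WEAK)}


def audit_config(text):
    """Audit the last SSLProtocol line of a config fragment (comments skipped).
    Simplification: one scope only, later directive overrides earlier ones."""
    last = None
    for line in text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.*)", line, re.IGNORECASE)
        if m:
            last = m.group(1).strip()
    return audit_protocol(last) if last else None


if __name__ == "__main__":
    # Constructed sample of the ssl.conf lines shown in the tutorial.
    SAMPLE = "SSLCipherSuite HIGH:!aNULL\nSSLHonorCipherOrder on\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n"
    print(audit_config(SAMPLE))
    for d in ("-all +TLSv1.2", "all -SSLv3", "TLSv1.2 TLSv1.3"):
        print(f"{d!r:26} -> {audit_protocol(d)}")
```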

This is all about enabling TLS 1.2 or TLS 1.3 or both on the Apache Web Server. We can further tighten the security by specifying the SSL Cipher Suites as shown below.

# Update SSL Configuration
sudo nano /etc/apache2/mods-available/ssl.conf

# Updates
-----
# Refer - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
-----
SSLHonorCipherOrder on
-----

Also restart Apache Web Server after updating the SSL configuration.

# Restart Apache Web Server
sudo systemctl restart apache2
# OR
sudo service apache2 restart

This ensures that the Apache Web Server is only using strong encryption algorithms. You must also redirect the HTTP requests to HTTPS to use the protocols TLS 1.2 and TLS 1.3. You can follow Configure Virtual Host On Apache, How To Install Let's Encrypt For Apache On Ubuntu, and Redirect HTTP to HTTPS on Apache to enable HTTPS only.

Update Virtual Host

Instead of enabling TLS 1.2 or TLS 1.3 or both for all the virtual hosts as shown in the previous section, we can also enable these protocols for selected virtual hosts only by updating the virtual host as shown below.

# Virtual Host - HTTPS - Example - Let's Encrypt
sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf

# Content
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin admin@example.com

        DocumentRoot /var/www/example.com/html
        <Directory /var/www/example.com/html>
            Options -Indexes +FollowSymLinks
            DirectoryIndex index.php
            AllowOverride All
            Require all granted
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        # options-ssl-apache.conf sets SSLProtocol itself and the last SSLProtocol
        # in a virtual host wins, so this line must come after the Include
        SSLProtocol -all +TLSv1.2
    </VirtualHost>
</IfModule>

# Save and exit the editor - Press Ctrl + o -> Press Enter -> Ctrl + x

Similar to the previous section, we can also update the virtual host to enable either TLS 1.2 only or TLS 1.3 only or both. Also, reload Apache Web Server after updating the virtual host.

# Reload Apache Web Server
sudo systemctl reload apache2
# OR
sudo service apache2 reload

Test Apache

We can also test Apache for the TLS protocols supported by it as shown below.

# Test Apache for TLS 1
curl -I -v --tlsv1 --tls-max 1.0 https://www.example.com/

# Test Apache for TLS 1.1
curl -I -v --tlsv1.1 --tls-max 1.1 https://www.example.com/

# Test Apache for TLS 1.2
curl -I -v --tlsv1.2 --tls-max 1.2 https://www.example.com/

# Test Apache for TLS 1.3
curl -I -v --tlsv1.3 --tls-max 1.3 https://www.example.com/

The test should succeed when the TLS version is enabled and fail otherwise. A successful TLS 1.2 test produces output similar to the one shown below.

# Test Apache for TLS 1.2
curl -I -v --tlsv1.2 --tls-max 1.2 https://www.example.com/

# Output
* Trying 34.151.201.52:443...
* TCP_NODELAY set
* Connected to www.example.com (34.151.201.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=example.com
* start date: Jul 4 02:11:26 2020 GMT
* expire date: Oct 2 02:11:26 2020 GMT
* subjectAltName: host "www.example.com" matched cert's "www.example.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 04 Jul 2020 16:02:44 GMT
Date: Sat, 04 Jul 2020 16:02:44 GMT
< Server: Apache
Server: Apache
< Last-Modified: Sat, 04 Jul 2020 02:13:38 GMT
Last-Modified: Sat, 04 Jul 2020 02:13:38 GMT
< ETag: "b9-5a9943095395f"
ETag: "b9-5a9943095395f"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 185
Content-Length: 185
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

<
* Connection #0 to host www.example.com left intact

Summary

This tutorial provided the steps to configure the Apache Web Server to allow only TLS 1.2 or TLS 1.3 or both depending on the version of Apache Web Server.
