How to enable TLSv1.3 on CentOS 7?

Tried adding to ssl.conf, but didn’t work.
SSLProtocol -all +TLSv1.2 +TLSv1.3

Is there something else that needs to be installed / upgraded before enabling?

From some further googling, it seems like CentOS 7 might not support TLSv1.3 because of OpenSSL. Not sure if there is a way to just run an upgraded version of OpenSSL on a 7 server, or just recommend to only use 1.2 until you upgrade to CentOS 8.

Hi Justec

I hope you're well and keeping safe. I see on the news the USA is suffering, so our prayers go out to you all.

You are correct, TLS 1.3 requires a minimum of OpenSSL 1.1.1, and CentOS 8, from what I understand, already uses this version (or higher now).

You should be able to install OpenSSL 1.1.1 on CentOS 7, but it may break other services which were not built for OpenSSL 1.1.1 - https://www.osradar.com/how-to-install-the-latest-version-of-openssl-on-centos-7/

You could also put Nginx in front of Apache and have Nginx use TLS 1.3, but perhaps better to do a new install using CentOS 8.

The issue with CentOS 8 for me is that they no longer support older hardware (which may still have plenty of life in it, and not be too old, but cost-wise was expensive). However, CentOS 8 does have the older hardware support if you purchase a RHEL licence…

TLS1.2 is still very much in all browsers though, and should be for a number of years yet I hope

Stay safe

John
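
The OpenSSL 1.1.1 requirement mentioned in the reply above can be checked before touching ssl.conf. The script below is an added example, not part of the original thread: the function names `supports_tls13` and `ssl_protocol_line` are hypothetical, and the version strings in the comments are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread). The 1.1.1 threshold is the one stated above.

# supports_tls13 "<output of 'openssl version'>"
# returns 0: OpenSSL >= 1.1.1, 1: older OpenSSL, 2: not a usable OpenSSL version string
supports_tls13() {
    name=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Other libraries (e.g. LibreSSL) number their releases differently.
    [ "$name" = "OpenSSL" ] || return 2
    # "1.0.2k-fips" -> "1.0.2": keep only the leading digits and dots.
    num=$(printf '%s' "$ver" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    case $num in ''|*[!0-9.]*) return 2 ;; esac
    # Split on dots into major / minor / patch.
    old_ifs=$IFS; IFS=.
    set -- $num
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 1 ] && return 0
    [ "$minor" -lt 1 ] && return 1
    [ "$patch" -ge 1 ]
}

# ssl_protocol_line "<output of 'openssl version'>"
# Prints the SSLProtocol directive that is safe to use with that OpenSSL.
ssl_protocol_line() {
    if supports_tls13 "$1"; then
        echo 'SSLProtocol -all +TLSv1.2 +TLSv1.3'   # line tried in the question
    else
        echo 'SSLProtocol -all +TLSv1.2'            # fall back to TLS 1.2 only
    fi
}

# Constructed sample inputs:
#   "OpenSSL 1.0.2k-fips  26 Jan 2017"  -> TLS 1.2 only
#   "OpenSSL 1.1.1k  FIPS 25 Mar 2021"  -> TLS 1.2 and 1.3
ssl_protocol_line "$(openssl version 2>/dev/null)"
```

This inspects the `openssl` command on the PATH; Apache's mod_ssl uses the OpenSSL library it was built against, so a second OpenSSL installed alongside the system one does not by itself change what httpd can negotiate.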

Thanks for your thoughts John, so far NYC seems to be bad, but will probably start getting worse in other states / cities soon. Hope you are staying safe as well.

Yeah, I think I’ll just wait till next year and update to a new server with CentOS 8. TLSv1.3 is supposed to be faster, more efficient and better all around, but 1.2 is still considered safe and will work fine for my needs for the foreseeable future.