How to enable TLS 1.3 in Apache service of CentOS Cloud Servers (with Cipher Suites included)

Transportation Layer Security (TLS) is a cryptographic protocol and it provides the security for the delivery of data over the internet. TLS 1.3 is faster than TLS 1.2 because the handshake for TLS 1.3 is reduced to just one round-trip.

This can easily be enabled in a Linux-based server. This guide outlines the basic steps involved in the CentOS server (provided Apache service is already installed in the server).

Requirements:

1. Server running on CentOS 8.

2. A valid domain name and properly configured A/AAAA/CNAME DNS records.

3. A valid TLS certificate. Here using from Let’s encrypt.

4. Apache version 2.4.36 or greater.

5. OpenSSL version 1.1.1 or greater.

Before the beginning,

1. Check the CentOS version by using the below command.

   # cat /etc/centos-release
   

   

2. By using the below command ensure that the server is up to date.

   # dnf update
   

   

3. Install the needed packages by using the below command.

   # dnf install socat git
   

   

Step A. Install the acme.sh client and obtain a TLS certificate from Let's Encrypt.

acme.sh is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

1. Install acme.sh with the below commands.

   # git clone https://github.com/acmesh-official/acme.sh
   
   # cd acme.sh
   
   # ./acme.sh --install –accountemail [email protected]
   
   # cd ~
   
   # source ~/.bashrc
   

   

   

   NOTE: Replace the mail account with your mail account name.

2. Check the version of acme.sh.

   # acme.sh --version
   

   

3. Obtain RSA and ECDSA certificates for the domain.

   # RSA
   acme.sh --issue --standalone -d example.com --keylength 2048
   
   # ECC/ECDSA
   acme.sh --issue --standalone -d example.com --keylength ec-256
   

   

   

4. Create directories to store your certs and keys in then, install and copy certificates to /etc/letsencrypt.

   # mkdir -p /etc/letsencrypt/testlayerstack.com
   
   # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc
   

   

   
   

   # acme.sh --install-cert -d testlayerstack.com --cert-file /etc/letsencrypt/testlayerstack.com/cert.pem --key-file /etc/letsencrypt/testlayerstack.com/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com/fullchain.pem
   
   # acme.sh --install-cert -d testlayerstack.com --ecc --cert-file etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem
   

   

   

5. After running the above commands, your certificates and keys will be in the below-mentioned locations:

   RSA: /etc/letsencrypt/testlayerstack.com
   
   ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc
   

Step B. Configure Apache for TLS 1.3

1. Download and install the latest version of Apache and its SSL module.

   # dnf install httpd mod_ssl
   

   

2. Check the Apache version then, start and enable using the below commands.

   # httpd -v
   
   # systemctl start httpd.service
   
   # systemctl enable httpd.service
   

   

3. Run the below command and add the following basic configurations in that file.

   # vim /etc/httpd/conf.d/testlayerstack.com.conf
   

   

   
   

   <virtualhost *:80="">
   RewriteEngine On
   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
   
   </virtualhost>
   <virtualhost *:443="">
   ServerName testlayerstack.com
   SSLEngine on
   
   # RSA
   SSLCertificateFile "/etc/letsencrypt/testlayerstack.com/fullchain.pem"
   SSLCertificateKeyFile "/etc/letsencrypt/ testlayerstack.com/private.key"
   
   # ECC
   SSLCertificateFile "/etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem"
   SSLCertificateKeyFile "/etc/letsencrypt/testlayerstack.com_ecc/private.key"
   
   ssl_protocols TLSv1.2 TLSv1.3
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   
   # enable HTTP/2, if available
   Protocols h2 http/1.1
   
   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
   SSLHonorCipherOrder off
   SSLSessionTickets off
   
   </virtualhost>
   

4. Save the file and exit.

   NOTE: Replace testlayerstack.com in commands with your valid domain name.

5. Reload Apache to activate in the new configuration.

6. Now you can verify TLS 1.3 by using any browser dev tools or SSL Labs service such as given below.

   https://www.ssllabs.com/ssltest/
   

Related Tutorial

• How to enable TLS 1.3 in Apache service of Ubuntu & Debian Cloud Servers (with Cipher Suites included)

• How to enable TLS 1.3 in Apache service of Linux Cloud Servers (without Cipher Suites included)

• Installing Apache web server on Linux Cloud Servers

• How to check Apache Error Logs on Linux Cloud Servers