Bug 11971

Summary: Apache does not use TLS 1.3
Product: IPFire
Reporter: Michael Tremer <michael.tremer>
Component: ---
Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: - Unknown -
CC: matthias.fischer, ummeegge, wolfgang.apolinarski
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 11913

Description Michael Tremer 2019-01-22 14:22:39 UTC
So I installed the new nightly build with OpenSSL 1.1.1 and my browser (which supports TLS 1.3) does not use TLS 1.3 to connect to the IPFire web UI.

It uses TLS 1.2 instead. Apache has been built against the same version of OpenSSL so I suppose it is aware of TLS 1.3.

I used Firefox 64.0.2.
Comment 1 Peter Müller 2019-01-22 17:34:17 UTC
I will have a look at it.
Comment 2 Peter Müller 2019-01-23 13:39:30 UTC
Apache 2.4.36 is required for this:
https://github.com/apache/httpd/blob/2.4.36/CHANGES

I should have updated the package, too. Hrmpf.

Will do so later on...
Comment 3 Michael Tremer 2019-01-23 18:53:47 UTC
Yes, please do that. Please coordinate with Wolfgang, too.
Comment 4 Wolfgang Apolinarski 2019-01-25 17:35:31 UTC
I already read the comment from Peter that he will update the package, just before I wanted to start my "update-cycle".

I'm fine with that; if you run into problems, please contact me.

BTW: I already have a configuration for HTTP/2 running, but I was not at all impressed by the speed (I added other HTTP/2 components for speed checking). This is why I gave this a low priority. Nevertheless, the feature will be ready eventually.
Comment 5 Peter Müller 2019-02-06 17:45:52 UTC
This is on MODIFIED by now: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=57bc05a53de810f2b4dca122f209be4b547f9d5f
Comment 6 Michael Tremer 2019-02-14 11:26:23 UTC
Can confirm that this is working now. Tested with FF.