https://bz.apache.org/bugzilla/show_bug.cgi?id=62417
--- Comment #12 from Dennis Clarke <[email protected]> ---
Okay .. server is running and seems to support TLS v1.3 with a test
from the openssl s_client thus :

tls13 $ /usr/local/bin/openssl s_client -connect beta.tls13.net:443 -debug -state -tls1_3
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x100851c00 [0x1008530b0] (238 bytes => 238 (0xEE))
0000 - 16 03 01 00 e9 01 00 00-e5 03 03 6f 37 f3 07 e9 ...........o7...
0010 - 32 c8 7f 52 65 dd 36 de-e7 ad 12 9d 9c 8f 1f b5 2..Re.6.........
. . . etc etc . . .
SSL_connect:TLSv1.3 read encrypted extensions
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
read from 0x100851c00 [0x1008aab63] (5 bytes => 5 (0x5))
0000 - 17 03 03 01 19 .....
read from 0x100851c00 [0x1008aab68] (281 bytes => 281 (0x119))
. . .
SSL_connect:TLSv1.3 read server certificate verify
. . .
-----END CERTIFICATE-----
subject=CN = *.tls13.net
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3281 bytes and written 318 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol : TLSv1.3
    Cipher : TLS_AES_256_GCM_SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: C1EA188089C8453F4C8D0C7EA5A43A48E70645B541F165D79A2D5FDB0DAB73057CF7D06344B5E864E456D71957867922
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527832235
    Timeout : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
read from 0x100851c00 [0x1008aab63] (5 bytes => 0 (0x0))
read:errno=0
write to 0x100851c00 [0x1008aecc3] (24 bytes => 24 (0x18))
0000 - 17 03 03 00 13 21 31 4f-bf e6 5c 3a f9 97 80 9d .....!1O..\:....
0010 - cd 9f f7 4f 18 d8 6b d4- ...O..k.
SSL3 alert write:warning:close notify
read from 0x100851c00 [0x100845940] (8192 bytes => 0 (0x0))
tls13 $

That all looks correct except for the "unable to get local issuer
certificate"

The Apache 2.5.1 server ssl logs claim :

beta # grep "\.201" ssl_error_log
[Fri Jun 01 05:50:35.464787 2018] [ssl:info] [pid 29510:tid 27] [client 68.179.116.201:40912] AH01964: Connection to child 88 established (server beta.tls13.net:443)
[Fri Jun 01 05:50:35.465720 2018] [ssl:debug] [pid 29510:tid 27] ssl_engine_kernel.c(2297): [client 68.179.116.201:40912] AH02043: SSL virtual host for servername beta.tls13.net found
[Fri Jun 01 05:50:35.501553 2018] [ssl:debug] [pid 29510:tid 27] ssl_engine_kernel.c(2222): [client 68.179.116.201:40912] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Fri Jun 01 05:50:35.501610 2018] [ssl:error] [pid 29510:tid 27] [client 68.179.116.201:40912] AH02042: rejecting client initiated renegotiation
[Fri Jun 01 05:50:35.502045 2018] [ssl:debug] [pid 29510:tid 27] ssl_engine_io.c(1400): (130)Software caused connection abort: [client 68.179.116.201:40912] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Jun 01 05:50:35.502320 2018] [ssl:info] [pid 29510:tid 27] [client 68.179.116.201:40912] AH01998: Connection closed to child 88 with abortive shutdown (server beta.tls13.net:443)
beta #
beta # /usr/local/bin/openssl ciphers -V -s -tls1_3
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
beta #

That looks correct .. however I have yet to get a beta/nightly Mozilla
browser to connect.
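Added example (not part of the comment above and not httpd project code): a small triage script that groups mod_ssl error-log lines by client address and lists connections where AH02041 reports TLSv1.3 and AH02042 is logged afterwards. TLS 1.3 defines no renegotiation, so that pairing is worth separating from genuine TLSv1.2 renegotiation attempts. The first three sample lines are copied from the log excerpt in the comment; the 192.0.2.10 lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-3: copied from the ssl_error_log excerpt in the comment.
# Lines 4-5: constructed TLSv1.2 contrast case (documentation address).
SAMPLE_LOG = """\
[Fri Jun 01 05:50:35.465720 2018] [ssl:debug] [pid 29510:tid 27] ssl_engine_kernel.c(2297): [client 68.179.116.201:40912] AH02043: SSL virtual host for servername beta.tls13.net found
[Fri Jun 01 05:50:35.501553 2018] [ssl:debug] [pid 29510:tid 27] ssl_engine_kernel.c(2222): [client 68.179.116.201:40912] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Fri Jun 01 05:50:35.501610 2018] [ssl:error] [pid 29510:tid 27] [client 68.179.116.201:40912] AH02042: rejecting client initiated renegotiation
[Fri Jun 01 05:50:36.000000 2018] [ssl:debug] [pid 29510:tid 28] ssl_engine_kernel.c(2222): [client 192.0.2.10:50000] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Jun 01 05:50:36.100000 2018] [ssl:error] [pid 29510:tid 28] [client 192.0.2.10:50000] AH02042: rejecting client initiated renegotiation
"""

# "[client ip:port] AHnnnnn: message" appears in every mod_ssl line above.
LINE_RE = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)$")
PROTO_RE = re.compile(r"Protocol: (?P<proto>[^,]+),")


def summarize(log_text):
    """Return {client: {"protocol": str or None, "codes": [AH ids in log order]}}."""
    conns = defaultdict(lambda: {"protocol": None, "codes": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-client mod_ssl line
        conn = conns[m["client"]]
        conn["codes"].append(m["code"])
        if m["code"] == "AH02041":  # negotiated protocol and cipher
            p = PROTO_RE.search(m["msg"])
            if p:
                conn["protocol"] = p["proto"]
    return dict(conns)


def tls13_renegotiation_rejects(log_text):
    """Clients that negotiated TLSv1.3 and then triggered AH02042."""
    hits = []
    for client, conn in summarize(log_text).items():
        codes = conn["codes"]
        if (conn["protocol"] == "TLSv1.3" and "AH02042" in codes
                and codes.index("AH02041") < codes.index("AH02042")):
            hits.append(client)
    return hits


if __name__ == "__main__":
    for client in tls13_renegotiation_rejects(SAMPLE_LOG):
        print("TLSv1.3 connection logged AH02042:", client)
```

Keying on the client address alone assumes the excerpt covers a short window; on a long log, add the pid/tid pair to the key so a reused source port does not merge two connections.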
