https://bz.apache.org/bugzilla/show_bug.cgi?id=55707
--- Comment #20 from Jani <[email protected]> ---

I can confirm this bug too. In my case, Apache does not honour the "SSLCipherSuite TLSv1.3" directive for non-default virtual hosts. Instead it inherits the setting from the default virtual host. Please note that ONLY the TLSv1.3 cipher suite list is ignored; for all other protocols, the cipher suite list is respected (SSLCipherSuite directive).

Example:

Configure the default virtual host (mydomain.com) with the following TLS settings. We put AES-256-GCM at the top for corporate compliance as it is the strongest current cipher:

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Configure another virtual host (myotherdomain.net) with the following TLS settings. We want AES-128-GCM at the top for this virtual host because we do not need compliance, AES-128-GCM is much faster than AES-256-GCM and the extra speed is more important to us than the additional security:

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Results:

- mydomain.com: cipher suites are in the correct order for both TLS 1.2 and TLS 1.3
- myotherdomain.net: cipher suites are in the correct order for TLS 1.2, but the order has been ignored for TLS 1.3, and has inherited the order from the configuration of mydomain.com. So AES-128-GCM is first for TLS 1.2 clients, but AES-256-GCM is first (should be last!) for TLS 1.3 clients.
If we make myotherdomain.net the default virtual host, the cipher suite order is honoured for both TLS 1.2 and 1.3, but then the TLS 1.3 cipher order is broken for mydomain.com.
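An added configuration check, not from the bug report or from Apache httpd itself, that reproduces the two virtual hosts above in a constructed httpd.conf excerpt and flags every non-default vhost whose "SSLCipherSuite TLSv1.3" list differs from the default vhost's, reporting which cipher TLS 1.3 clients would actually be offered first while this bug is in effect. The parser and the inheritance rule (first VirtualHost for the socket is the default) are assumptions of this example, and it only reasons about the configuration; confirm the negotiated cipher against the live server as well.

```python
import re

# Constructed httpd.conf excerpt reproducing the two virtual hosts from the
# report (hypothetical file, not the reporter's actual configuration).
HTTPD_CONF = """
<VirtualHost *:443>
    ServerName mydomain.com
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
</VirtualHost>
<VirtualHost *:443>
    ServerName myotherdomain.net
    SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Return [(ServerName, {"TLSv1.3": [...], "legacy": [...]})] in file order.
    Assumed: the first <VirtualHost> for an address:port is Apache's default."""
    vhosts = []
    for body in VHOST_RE.findall(conf):
        name, suites = None, {"TLSv1.3": None, "legacy": None}
        for line in body.splitlines():
            parts = line.split()
            if parts[:1] == ["ServerName"]:
                name = parts[1]
            elif parts[:1] == ["SSLCipherSuite"]:
                # Directive syntax: SSLCipherSuite [SSL|TLSv1.3] cipher-spec
                if len(parts) == 3 and parts[1] == "TLSv1.3":
                    suites["TLSv1.3"] = parts[2].split(":")
                else:
                    suites["legacy"] = parts[-1].split(":")
        vhosts.append((name, suites))
    return vhosts

def find_inherited_tls13(vhosts):
    """Flag non-default vhosts whose TLSv1.3 list differs from the default's.
    Under the reported bug these vhosts really serve the default vhost's order."""
    default_name, default_suites = vhosts[0]
    effective = default_suites["TLSv1.3"] or []
    findings = []
    for name, suites in vhosts[1:]:
        wanted = suites["TLSv1.3"] or []
        if wanted and wanted != effective:
            findings.append({"vhost": name, "inherited_from": default_name,
                             "configured_first": wanted[0],
                             "effective_first": effective[0] if effective else None})
    return findings
```

Calling `find_inherited_tls13(parse_vhosts(HTTPD_CONF))` reports myotherdomain.net with TLS_AES_128_GCM_SHA256 configured first but TLS_AES_256_GCM_SHA384 effective first, which is exactly the mismatch the report describes.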
