Sorry, I forgot to write this line in the first mail:

But before, my TLS configuration is activated in Apache with this line in /etc/apache2/httpd2.conf:

    IncludeOptional /etc/apache2/modules.d/*.conf

________________________________
From: C. G. <[email protected]>
Sent: Wednesday, 23 June 2021 20:10
To: [email protected] <[email protected]>
Subject: Apache (built from the ports) is not working with TLS 1.3 and LibreSSL 3.3.2

Hi,

I'm running 6.9 GENERIC#464 amd64 on a VirtualBox 6.1 VM, and I can't get Apache to work with TLS 1.3. It's the release install.

I've installed Apache from the ports with the FLAVOR=ldap, Apache version is (output from apachectl -v):

    Server version: Apache/2.4.46 (Unix)

uname -a:

    OpenBSD openbsd.domain_name 6.9 GENERIC#464 amd64

The Apache web server only works with TLS 1.2 for me, and I know that it uses the LibreSSL library that comes bundled with OpenBSD. The version of LibreSSL should support TLS 1.3, because when I type this command, I get:

    # openssl ciphers TLSv1.3
    AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256
    # openssl version
    LibreSSL 3.3.2

If I use those settings in my Apache TLS configuration (which is in /etc/apache2/modules.d/020_mod_ssl.conf), I get Apache starting with rcctl start apache2:

But before, my TLS configuration is activated in Apache with this line in /etc/apache2/httpd2.conf:

    Listen 443
    SSLProtocol -all +TLSv1.2
    # SSLCipherSuite HIGH:!aNULL
    SSLPassPhraseDialog builtin
    SSLSessionCacheTimeout 300

This configuration also works:

    Listen 443
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLPassPhraseDialog builtin
    SSLSessionCacheTimeout 300

But if I put this configuration in my /etc/apache2/modules.d/020_mod_ssl.conf, apache2 service fails to start:

    Listen 443
    SSLProtocol -all +TLSv1.3
    # SSLCipherSuite HIGH:!aNULL
    SSLPassPhraseDialog builtin
    SSLSessionCacheTimeout 300

And this configuration will fail to start, too:

    Listen 443
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # SSLCipherSuite HIGH:!aNULL
    SSLPassPhraseDialog builtin
    SSLSessionCacheTimeout 300

I don't know if the problem comes from the apache2 port, or from the
LibreSSL version bundled in OpenBSD (I've checked that LibreSSL 3.3.2 supports TLS 1.3, and it does).

Here is my dmesg output:
