Hi,

I'm running 6.9 GENERIC#464 amd64 on a VirtualBox 6.1 VM, and I can't get 
Apache to work with TLS 1.3.

It's the release install.

I've installed Apache from ports with FLAVOR=ldap; the Apache version is 
(output from apachectl -v):
Server version: Apache/2.4.46 (Unix)

uname -a :

OpenBSD openbsd.domain_name 6.9 GENERIC#464 amd64

The Apache web server only works with TLS 1.2 for me, and I know that it uses 
the LibreSSL library that comes bundled with OpenBSD. The version of LibreSSL 
should support TLS 1.3, because when I type this command, I get :

# openssl ciphers TLSv1.3
AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:AEAD-AES128-GCM-SHA256

# openssl version
LibreSSL 3.3.2

If I use those settings in my Apache TLS configuration (which is in 
/etc/apache2/modules.d/020_mod_ssl.conf), Apache starts with rcctl 
start apache2:

But before, my TLS configuration is activated in Apache with this line in 
/etc/apache2/httpd2.conf :

Listen 443
SSLProtocol -all +TLSv1.2
# SSLCipherSuite HIGH:!aNULL
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

This configuration also works :

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

But if I put this configuration in my /etc/apache2/modules.d/020_mod_ssl.conf, 
the apache2 service fails to start:

Listen 443
SSLProtocol -all +TLSv1.3
# SSLCipherSuite HIGH:!aNULL
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

And this configuration will fail to start, too :

Listen 443
SSLProtocol -all +TLSv1.2 +TLSv1.3
# SSLCipherSuite HIGH:!aNULL
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

I don't know if the problem comes from the apache2 port, or from the LibreSSL 
version bundled in OpenBSD (I've checked that LibreSSL 3.3.2 supports TLS 1.3, 
and it does).

Here is my dmesg output :

OpenBSD 6.9 (GENERIC) #464: Mon Apr 19 10:28:56 MDT 2021
    [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2130640896 (2031MB)
avail mem = 2050850816 (1955MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD FX(tm)-6300 Six-Core Processor, 3493.08 MHz, 15-02-00
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,NXE,MMXX,FFXSR,RDTSCP,LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 16KB 64b/line 4-way D-cache, 2MB 64b/line 16-way L2 cache
cpu0: ITLB 48 4KB entries fully associative, 24 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 997MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <VBOX HARDDISK>
wd0: 128-sector PIO, LBA, 25600MB, 52428800 sectors
wd1 at pciide0 channel 0 drive 1: <VBOX HARDDISK>
wd1: 128-sector PIO, LBA, 10240MB, 20971520 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <VBOX, CD-ROM, 1.0> removable
wd2 at pciide0 channel 1 drive 1: <VBOX HARDDISK>
wd2: 128-sector PIO, LBA, 10240MB, 20971520 sectors
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
wd2(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 4 int 19, address 08:00:27:71:36:c0
"InnoTek Guest Service" rev 0x00 at pci0 dev 4 function 0 not configured
auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 4 int 21, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
ohci0 at pci0 dev 6 function 0 "Apple Intrepid USB" rev 0x00: apic 4 int 22, version 1.0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 4 int 23
iic0 at piixpm0
em1 at pci0 dev 8 function 0 "Intel 82543GC" rev 0x02: apic 4 int 16, address 08:00:27:ed:2b:07
ehci0 at pci0 dev 11 function 0 "Intel 82801FB USB" rev 0x00: apic 4 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
mpi0 at pci0 dev 20 function 0 "Symbios Logic 53c1030" rev 0x00: apic 4 int 20
mpi0: VBox MPT Fusion, firmware 0.0.0.0
scsibus2 at mpi0: 16 targets, initiator 7
sd0 at scsibus2 targ 0 lun 0: <VBOX, HARDDISK, 1.0>
sd0: 10240MB, 512 bytes/sector, 20971520 sectors
sd1 at scsibus2 targ 1 lun 0: <VBOX, HARDDISK, 1.0>
sd1: 10240MB, 512 bytes/sector, 20971520 sectors
sd2 at scsibus2 targ 2 lun 0: <VBOX, HARDDISK, 1.0>
sd2: 10240MB, 512 bytes/sector, 20971520 sectors
sd3 at scsibus2 targ 3 lun 0: <VBOX, HARDDISK, 1.0>
sd3: 10240MB, 512 bytes/sector, 20971520 sectors
mpi0: target 0 Async at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
mpi0: target 1 Async at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
mpi0: target 2 Async at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
mpi0: target 3 Async at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Apple OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
sd4 at scsibus4 targ 1 lun 0: <OPENBSD, SR RAID 5, 006>
sd4: 20472MB, 512 bytes/sector, 41928448 sectors
sd5 at scsibus4 targ 2 lun 0: <OPENBSD, SR RAID 0, 006>
sd5: 30709MB, 512 bytes/sector, 62892672 sectors
root on wd0a (ad33bce6618a3afb.a) swap on wd0b dump on wd0b
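
One way to compare what each SSLProtocol line in the message asks for with what the listener on port 443 then negotiates, as an added example that is not part of the original post. The directive parser is a simplified model of the documented Apache 2.4 syntax; the function names and the host and port defaults are assumptions.

```python
import socket
import ssl

# Simplified model (assumption): names and [+|-] handling as documented for
# Apache 2.4 SSLProtocol. Whether a given build accepts each name is not modelled.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
PROBES = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def requested_protocols(directive):
    """Return the set of protocol names an 'SSLProtocol ...' line asks for."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        sign = word[0] if word[0] in "+-" else ""
        name = word[len(sign):].lower()
        if name == "sslv2" and sign == "-":
            continue  # removing SSLv2 changes nothing in this model
        chosen = {k for k in KNOWN if name in ("all", k.lower())}
        if not chosen:
            raise ValueError("unknown protocol in %r" % word)
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name replaces what was set before
    return enabled

def negotiates(host, port, name, timeout=5.0):
    """True if the listener completes a handshake pinned to one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probe only: the certificate is not
    ctx.verify_mode = ssl.CERT_NONE  # being judged, just the protocol version
    ctx.minimum_version = ctx.maximum_version = PROBES[name]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except OSError:  # refused, timed out, or handshake alert
        return False

def check(directive, host="127.0.0.1", port=443, probe=negotiates):
    """Map each probed version to (requested by directive, negotiated)."""
    wanted = requested_protocols(directive)
    return {name: (name in wanted, probe(host, port, name)) for name in PROBES}

if __name__ == "__main__":
    for name, pair in check("SSLProtocol -all +TLSv1.2 +TLSv1.3").items():
        print(name, "requested=%s negotiated=%s" % pair)
```

A version that shows requested=True but negotiated=False means the running listener is not offering what the configuration line asks for.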
