On Mon, Mar 16, 2026 at 02:10:24PM -0700, James H. H. Lampert via users wrote:
> I've got an Apache httpd server running on Amazon Linux 2. I've just
> updated it to 2.4.66.
>
> An SSLLabs scan tells me I don't have TLSv1.3 enabled. And a Google
> search told me to add "+TLSv1.3" to the SSLProtocol line in ssl.conf.
>
> When I tried that, the server crashed on takeoff. The same Google result
> said I needed openssl 1.1.1 or later. When I did "openssl version," I
> got "OpenSSL 1.0.2k-fips 26 Jan 2017," and after I did a yum update
> openssl, I still got "OpenSSL 1.0.2k-fips 26 Jan 2017."
"OpenSSL 1.0.2k-fips" does not support TLSv1.3; you'll need OpenSSL 1.1 or newer.

I got TLSv1.3 running on apache2-2.4.62 on an ancient version of SLES12. I pulled in a newer OpenSSL RPM (I used OpenSSL 3).

My Apache installation was using NSS, so I rebuilt mozilla-nss and apache2-mod_nss, making sure they linked against OpenSSL 3. I don't know if you're using NSS in Apache.

That yields a new /usr/lib64/apache2/mod_nss.so that understands TLSv1.3. No need to rebuild Apache itself. Just take the steps to rebuild whatever Apache module would be using the newer OpenSSL library.

Note, if your distribution allows you to have both OpenSSL 1.0.x and 1.1.x, the libraries will be in different places.

> Amazon tells me that if I want openssl 1.1, I need to install it
> separately. And when I did a Google search on how to switch httpd over
> to a separately installed openssl 1.1, everything I got said "compile
> from source."
>
> How on Earth would I do that, without having any development tools on
> the instance?
>
> Can somebody point me to a path-of-least-resistance?
>
> --
> James H. H. Lampert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

-- 
Brian Reichert <[email protected]>
BSD admin/developer at large
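As an added example that is not part of either message above, the two checks the reply implies can be scripted: decide from an "openssl version" banner whether the library is new enough for TLSv1.3 (OpenSSL 1.1.1 was the first release to support it), and read ldd output for an Apache module to see which libssl it is actually linked against, since with two OpenSSL builds installed the module may still be picking up the 1.0.x library. The ldd output below is constructed sample data; the mod_ssl.so path in live_check is an assumption about where Amazon Linux 2 installs the module, not something taken from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Return 0 if the banner names OpenSSL >= 1.1.1 (TLSv1.3 capable),
# 1 if it is an older OpenSSL, 2 if it is not an OpenSSL banner at all.
openssl_supports_tls13() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Print the resolved path of the libssl a module links against, taken
# from "ldd <module>" output; prints nothing if no libssl line is present.
linked_libssl() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Constructed ldd output for a mod_ssl.so still bound to the 1.0.x ABI
# (libssl.so.10 is the RHEL-style soname for OpenSSL 1.0.x; addresses are fake).
SAMPLE_LDD_OLD='    linux-vdso.so.1 =>  (0x00007ffd00000000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1a2b000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1a2a800000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a2a400000)'

# Combine both checks into a one-line verdict for a given banner + ldd text.
verdict() {
    banner=$1
    ldd_text=$2
    lib=$(linked_libssl "$ldd_text")
    if openssl_supports_tls13 "$banner"; then
        printf 'ok: %s ; module links %s\n' "$banner" "${lib:-no libssl}"
    else
        printf 'too old for TLSv1.3: %s ; module links %s\n' "$banner" "${lib:-no libssl}"
    fi
}

# Run against the real system. Module path is an assumption for Amazon Linux 2.
live_check() {
    mod=${1:-/usr/lib64/httpd/modules/mod_ssl.so}
    verdict "$(openssl version)" "$(ldd "$mod" 2>/dev/null)"
}

# Demo on the constructed data (the banner from the original question).
verdict "OpenSSL 1.0.2k-fips 26 Jan 2017" "$SAMPLE_LDD_OLD"
verdict "OpenSSL 1.1.1k  FIPS 25 Mar 2021" "$SAMPLE_LDD_OLD"
```

Running live_check after installing a newer OpenSSL will typically show the banner passing while the module still links libssl.so.10; that mismatch is exactly the "rebuild the module against the new library" step the reply describes, and the two paths confirm the point that 1.0.x and 1.1.x live in different places.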
