Author Topic: CWP support for TLSv1.3  (Read 32163 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Re: CWP support for TLSv1.3
« Reply #15 on: January 14, 2021, 11:23:22 PM »
Hello

I tried almost all of the tutorials to not have TLSv1, have TLSv1.2 or v1.3, have A+ mark and solve the errors and warnings I see in the https://www.ssllabs.com test, but had no success at all, I always get same errors, I do not understand what I should do...

 Here below are the main mangles sotted by the test

1) Server sent invalid HSTS policy. See below for further information.

2) This server supports TLS 1.0 and TLS 1.1. Grade capped to B. MORE INFO »

3) This site works only in browsers with SNI support.

I am mostly concerned about the point 1 and 2

Why is the server sending an invalid HSTS policy? How can be fixed?
 I could not find info about this issue

For the second issue I tried to follow the tutorial in this same post, after launching the make -j4 command it fails to compile nginx 1.18.0

I also tried this tutorial: https://www.mysterydata.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/
did not work either for me

For what is concerning the SNI I think to have understood that cannot be avoided as ols OS browsers, eg XP and such cannot coop with it, so it is not taken in account in the evaluation

Does anyone have hints about how to fix it?

Thank you

Offline
*
Re: CWP support for TLSv1.3
« Reply #16 on: February 11, 2021, 12:01:09 PM »
DNA your explanation about the compilation of nginx and tls 1.3 does not work, I tested it as you explained and simply nginx breaks


please can someone help with cwp-pro centos 7 nginx and tls1.3?
« Last Edit: February 11, 2021, 12:03:41 PM by dinho »


Offline
*
Re: CWP support for TLSv1.3
« Reply #18 on: April 01, 2021, 12:46:01 PM »
Hi,
will this be incorporated in future CWP updates, or this has to be done manually?
Thanks


Offline
*
Re: CWP support for TLSv1.3
« Reply #20 on: September 15, 2022, 07:49:32 AM »
1. Upgrad openssl version
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
tar xvf openssl-1.1.1q.tar.gz
mv openssl-1.1.1q openssl
cd openssl
./config --prefix=/usr --openssldir=/usr/lib64 shared
make -j4
make test
make install



2. Now let's test it all. The following command

# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

3. Rebuild Apahe ( Webserver Setting > Apache Re-Build )
CWP7 Pro on CentOS 7  is Support TLS v1.3

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41





Hello brother,
How did you manage to get TLS 1.3 working?
I actually want to disable TLS v1.0 and 1.1 ?

if it's not possible v1.3 then atleast disabling the 1.0 and 1.1 and keep only TLS v1.2 active. I'm afraid to do anything because i have no test server, I'll do it on my running server and I don't want anything bad happen to it. So I'm looking for some help from the experienced men like you.

if you have time will you please share us how to do it.

Note: I'm using Nginx, proxy and apache.

Thanks
Rebuild Apahe
« Last Edit: September 15, 2022, 07:53:07 AM by nattapon_c »