Author Topic: TLSv1.3  (Read 8917 times)

TLSv1.3
« on: January 09, 2021, 12:39:46 PM »
Has anyone got TLSv1.3 working on CWP7 with CentOS 7? We don't seem to get it working. I hope someone can help us out, as we now only have TLSv1.2. Thanks so much.

Ron Cooper

Re: TLSv1.3
« Reply #1 on: February 11, 2021, 11:57:55 AM »

I have the same problem.
I tried to compile nginx with support for tls1.3 but it doesn't work.
I pay for the pro version but we don't even have an answer on the forum.

Re: TLSv1.3
« Reply #2 on: February 11, 2021, 03:57:44 PM »
Here is the solution:
https://gist.github.com/lesstif/a332456a4a6fecdf50f2ccbfe4a02727


I tested with CWP on a virtual machine and the nginx of the CWP kept working.

Re: TLSv1.3
« Reply #3 on: February 12, 2021, 04:05:15 AM »
Has anyone got TLSv1.3 working on CWP7 with CentOS 7? We don't seem to get it working. I hope someone can help us out, as we now only have TLSv1.2. Thanks so much.

Ron Cooper

I have TLS 1.2 & 1.3 working with CWP on CentOS 8 using Apache. Don't know about Nginx.

Sandeep wrote a nice tutorial at: https://www.mysterydata.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/

I edited /usr/local/apache/conf.d/ssl.conf
with just the following, and then SSLLabs will give you an A+:

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder On
SSLCipherSuite    TLSv1.3    TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite    SSL        ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
SSLCompression Off
SSLSessionTickets Off
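
A static check of the configuration posted above, as an added example that is not part of the original post or of CWP: it resolves the `SSLProtocol` tokens into the set of enabled protocol versions and flags legacy protocols, compression and TLS 1.2 suites that are not forward-secret AEAD. The function names, the weak sample and the modelling of bare tokens (replace) and of the default (`all -SSLv3`) are assumptions of this sketch.

```python
import re

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# TLS-related lines of the ssl.conf posted in Reply #3, embedded to run offline.
POSTED_CONF = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite    TLSv1.3    TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite    SSL        ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
SSLCompression Off
"""
# Constructed counter-example (not from the thread) to show what gets flagged.
WEAK_CONF = "SSLProtocol all -SSLv3\nSSLCipherSuite AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256\nSSLCompression On\n"

def effective_protocols(tokens):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(KNOWN) if name.lower() == "all" else {k for k in KNOWN if k.lower() == name.lower()}
        if not names:
            raise ValueError(f"unknown protocol {name!r}")
        enabled = enabled - names if sign == "-" else (enabled | names if sign == "+" else names)
    return enabled

def audit(conf_text):
    """Return (enabled protocols, findings) for Apache mod_ssl configuration text."""
    # Assumption: with no SSLProtocol line, model the Apache 2.4 default "all -SSLv3".
    protocols, findings = set(KNOWN) - {"SSLv3"}, []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive == "sslprotocol":
            protocols = effective_protocols(args)
        elif directive == "sslcompression" and [a.lower() for a in args] == ["on"]:
            findings.append("SSLCompression is On")
        elif directive == "sslciphersuite" and args and args[0].lower() != "tlsv1.3":
            for c in args[-1].split(":"):  # TLS 1.2-and-below list; TLS 1.3 suites are all AEAD
                if not (re.match(r"(ECDHE|DHE)-", c) and re.search(r"GCM|CHACHA20|CCM", c)):
                    findings.append(f"not a forward-secret AEAD suite: {c}")
    findings += [f"legacy protocol enabled: {p}" for p in KNOWN if p in protocols & LEGACY]
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 is not enabled")
    return protocols, findings

if __name__ == "__main__":
    for label, conf in (("Reply #3", POSTED_CONF), ("constructed weak", WEAK_CONF)):
        print(label, *audit(conf), sep="\n  ")
```

This only inspects the configuration text; what the server actually negotiates also depends on the OpenSSL version the web server was built against, which is what the rest of the thread is about.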

Re: TLSv1.3
« Reply #4 on: March 16, 2021, 09:33:54 PM »
Any chance to get official support for TLS1.3 for Centos7 CWP?

Re: TLSv1.3
« Reply #5 on: March 22, 2021, 07:48:46 PM »
Confirmed, works perfectly with CWP CentOS 7 and OpenSSL 1.1.1h.

Here is the solution:
https://gist.github.com/lesstif/a332456a4a6fecdf50f2ccbfe4a02727


nginx -V
nginx version: nginx/1.19.6
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1h  22 Sep 2020
TLS SNI support enabled


Instructions:
Download all files from https://gist.github.com/lesstif/a332456a4a6fecdf50f2ccbfe4a02727
Upload them to the server and give the script execute permission: chmod +x openssl-1.1-compile.sh
execute with: ./openssl-1.1-compile.sh

execute: sudo systemctl reload

and all works perfect!
« Last Edit: March 22, 2021, 07:53:29 PM by dinho »


Re: TLSv1.3
« Reply #7 on: April 03, 2021, 11:06:11 AM »
Thanks,

I tried the one for nginx on a test VM with CWP. It worked for my main domain accounts, but I could not add any new certificates for my addon domains etc. I always get an error popup from acme.sh.

Is it working for you, or do I need to change anything else? I did it exactly like you did it in your tutorial.

As it was just my test VM it is not a big problem, but I can't do it on my production system till I know what's up here.

thanks

Re: TLSv1.3
« Reply #8 on: April 03, 2021, 01:04:21 PM »
What is the full error? Check /root/.acme.sh/acme.sh.log; it's not an nginx issue.

Re: TLSv1.3
« Reply #9 on: April 04, 2021, 06:04:57 AM »
What is the full error? Check /root/.acme.sh/acme.sh.log; it's not an nginx issue.

Sandeep

I tried https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/

Gave an error on Line 551, which is /usr/local/apache/conf.d/

Attempted 2 times. Both failed.
Server is running Apache Only.

Also when the server was rebooted, it seemed like any service tied to openssl failed, SSH, web, etc.

Re: TLSv1.3
« Reply #10 on: April 04, 2021, 02:43:20 PM »
Try this:

Code:
mv /usr/local/apache/conf.d/mod_security.conf /usr/local/apache/conf.d/mod_security.conf.bak
systemctl restart httpd

This will disable mod security, as for some reason modsec is not working.

You can do only the nginx config to get TLS 1.3 if you want to use mod security.

Re: TLSv1.3
« Reply #11 on: April 04, 2021, 03:10:11 PM »
Okay, I've fixed the Apache script; rerun step 2.

Re: TLSv1.3
« Reply #12 on: April 10, 2021, 10:53:46 PM »
@Sandeep Left a message on your mysterydata forum.

One of the steps fails, due to an update of one of the software from 1.42 to 1.43

Re: TLSv1.3
« Reply #13 on: April 11, 2021, 02:10:09 AM »
You need to use version 1.42 and don't update it, as the new version needs newer software.

Re: TLSv1.3
« Reply #14 on: April 11, 2021, 07:39:50 PM »
You need to use version 1.42 and don't update it, as the new version needs newer software.

Thanks for updating the script, will give it another try tonight.