How to Enable TLS 1.3 in Apache on CWP (Control Web Panel): CentOS 7, CentOS 8, EL7, EL8
In this tutorial I'll show how to enable TLSv1.3 in CWP-httpd/Apache (when Apache is the only web server installed). I've tested this and it seems to be working fine. TLS 1.3 makes HTTPS faster and safer for every user and every device; after you enable it you'll notice faster website loading.
Transport Layer Security (TLS) 1.3 provides unparalleled privacy and performance compared to previous versions of TLS and non-secure HTTP. Performance has a major impact on user experience, and TLS 1.3 represents a pivotal turning point for HTTPS performance. Modern mobile networks will routinely add over 100ms of latency to each request. TLS 1.3 makes page load times significantly faster for mobile devices, improving the user experience for your visitors.
This tutorial will enable HTTP/2 and TLSv1.3 automatically. If you're using nginx as a proxy or nginx + php-fpm, follow this tutorial too:
Step 1
Install the dependencies needed for the Apache build:
Installing Autoconf:
cd /usr/local/src
rm -rf autoconf-*
wget https://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
tar zxvf autoconf-latest.tar.gz
cd autoconf-*/
./configure --prefix=/usr
make && make install
Installing OpenSSL:
cd /usr/local/src
rm -rf openssl*
wget https://www.openssl.org/source/openssl-3.0.5.tar.gz -O openssl.tar.gz
tar -xf openssl.tar.gz
rm -rf openssl.tar.gz
mv openssl-* openssl
cd openssl
./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
make && make install
* Building OpenSSL will take some time.
Installing Nghttp2:
cd /usr/local/src
rm -rf Python-*
wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tgz
tar xvf Python-3.8.12.tgz
cd Python-3.8*/
./configure --enable-optimizations
make altinstall
cd /usr/local/src
rm -rf nghttp2-*
yum install libtool -y
wget https://github.com/nghttp2/nghttp2/releases/download/v1.47.0/nghttp2-1.47.0.tar.gz
tar zxvf nghttp2-1.47.0.tar.gz
cd nghttp2-*/
./configure --prefix=/usr PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig
make && make install
Step 2
Building Apache (latest) on EL7/CentOS 7:
cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://www.uxlinux.com/upload/apache-rebuild-new7.sh
yum install uuid uuid-devel libuuid-devel pcre-devel -y
chmod 755 apache-rebuild-new7.sh
sh apache-rebuild-new7.sh
Run these commands to exclude cwp-httpd from updates so your configuration isn't lost when an update runs:
cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf
Building Apache (latest) on EL8/CentOS 8:
cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://www.uxlinux.com/upload/apache-rebuild-new8.sh
dnf install uuid uuid-devel libuuid-devel pcre-devel -y
chmod 755 apache-rebuild-new8.sh
sh apache-rebuild-new8.sh
Run these commands to exclude cwp-httpd from updates so your configuration isn't lost when an update runs:
dnf module disable httpd
cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf
** This Apache script enables HTTP/2 and TLSv1.3 automatically and installs the latest version of Apache.
Troubleshooting:
If you rebuilt the web server and TLS 1.3 stopped working, run these two commands to get TLS 1.3 back (when using Apache as the only web server):
sed -i 's/All -SSLv2 -SSLv3/-All +TLSv1.2 +TLSv1.3 /g' /usr/local/apache/conf.d/ssl.conf
systemctl restart httpd
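A check for the result of the sed above, as an added example that is not part of the original tutorial: it models how mod_ssl applies SSLProtocol tokens left to right and reports which protocol versions a config file leaves enabled. The function names and the expansion assumed for "All" are assumptions; the real set depends on the OpenSSL build Apache is linked against.

```shell
# Added example, not part of the tutorial. Assumption: "All" expands to the
# list below; the real set depends on the OpenSSL build mod_ssl links against.
ALL_PROTOS="sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3"

# Print the protocols left enabled by an SSLProtocol argument string.
# Tokens apply left to right: "+X" adds, "-X" removes, a bare X replaces the set.
effective_protocols() {
    enabled=""
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            +*) sign="+"; name="${tok#+}" ;;
            -*) sign="-"; name="${tok#-}" ;;
            *)  sign="="; name="$tok"; enabled="" ;;
        esac
        case "$name" in all) name="$ALL_PROTOS" ;; esac
        for p in $name; do
            kept=""
            for e in $enabled; do
                if [ "$e" != "$p" ]; then kept="$kept $e"; fi
            done
            if [ "$sign" = "-" ]; then enabled="$kept"; else enabled="$kept $p"; fi
        done
    done
    set -- $enabled
    echo "$*"
}

# Audit every active (uncommented) SSLProtocol line in a config file.
# Returns 0 only if each line enables TLSv1.3 and nothing older than TLSv1.2.
audit_ssl_conf() {
    rc=0
    lines=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
            sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
    [ -n "$lines" ] || { echo "no SSLProtocol directive in $1"; return 2; }
    while IFS= read -r args; do
        eff=$(effective_protocols "$args")
        case " $eff " in
            *" sslv3 "*|*" tlsv1 "*|*" tlsv1.1 "*) echo "REVIEW [$args] -> $eff"; rc=1 ;;
            *" tlsv1.3 "*) echo "OK     [$args] -> $eff" ;;
            *) echo "REVIEW [$args] -> $eff"; rc=1 ;;
        esac
    done <<EOF
$lines
EOF
    return $rc
}
# Constructed sample: the stock line the tutorial's sed targets, then its result.
effective_protocols "All -SSLv2 -SSLv3"       # tlsv1 tlsv1.1 tlsv1.2 tlsv1.3
effective_protocols "-All +TLSv1.2 +TLSv1.3"  # tlsv1.2 tlsv1.3
```

Run audit_ssl_conf /usr/local/apache/conf.d/ssl.conf before restarting httpd; a non-zero exit status means at least one SSLProtocol line needs attention or none was found.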
Checking TLSv1.3 and HTTP/2:
That's it, you're done. To check whether TLSv1.3 is working, use an online checker; make sure an SSL certificate is installed for the domain you're checking:
Go to this link and enter the URL to check the TLS 1.3 protocol: https://www.cdn77.com/tls-test
Go to this link and enter the URL to check HTTP/2: https://tools.keycdn.com/http2-test
You'll see results like the ones below:
For the TLS 1.3 check:

For the HTTP/2 test:

This is nice, BUT after doing this, PHP-FPM updates stop working on CWP. The build fails because of the alternative openssl version. It keeps trying to use the old one. How can this issue be solved? Is there any way to fix the PHP version switcher to get it working? The PHP build always fails for me because it complains about openssl conflicts.
Thanks a lot, works great.
Some additions on my CloudServer with latest centos7/CWP
I had to:
## Installing Openssl :
yum install zlib-devel -y
yum install perl-IPC-Cmd -y
before
./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
### Error on apache start
can't find libcrypto.so.3 and libssl.so.3
apache expects these libs in /usr/lib64/
on my system these libs are in /usr/local/opensslso/lib64/
> so symlink or simply copy…
Works great – so I can stay with my favorite system!
Thanks a lot!
Any thoughts on using OpenSSL 3.x series with Apache on CWP, any known issues?
no there is no issue
Any difference in installation steps?
I have noticed, OpenSSL version is still not reported to be the new one.
openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Can anyone shed light on this issue?
If you are following this tutorial, it will not replace the OS openssl version. It will be installed as an alternative version.
So this version will be utilised only for webserver or for mail, ftp etc too? If only for webserver, how can we deploy it for mail, ftp and all over?
this will not work with other pre packaged programs for now
Excellent post, thank you, httpd 2.4.54 works perfectly with ALPN and HTTP2.
However, I tried to install mod_geoip with
“yum install mod_geoip GeoIP GeoIP-devel GeoIP-data zlib-devel”, but didn’t go through with it as it appears the installation would be for httpd 2.4.6-97.el7.centos.5.
Will this affect httpd 2.4.54? I would appreciate your advice, thank you.
I thought it would not be too much trouble to go through with the geoip installation as the worst that could happen would be a CWP rebuild.
“php -m | grep geoip” worked after I enabled “extension=geoip.so” in php.ini.
Even so, will this affect httpd 2.4.54?
And how to enable HSTS for a particular domain on the server?
you can add the hsts header in .htaccess
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
As I revisited this page for updating components involved here, just had this thought.
Installing Openssl, should we not use the latest version
wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
in place of
wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
Similarly for Python, Nghttp2, new versions are out.
Indeed. I set up the whole routine with openssl-1.1.1q, python-3.9.9 and nghttp2-1.48. Everything works fine.
is there some code that will reverse the ‘cwp-httpd update disable’ so i can update the cwp-httpd in the future?
“Run this commands to disable cwp-httpd update so your config shouldn’t get lost when there is an update :”
Thanks for this in-depth and useful article
hello yes just edit
/etc/yum.conf
and remove this line :
exclude=cwp-httpd
This too is needed on el8/Centos8/AlmaLinux etc.
dnf module enable httpd
Unfortunately, after the process, the site was http2 indeed, but it would not load. Had to undo. I still need to run it using apache, not nginx. Maybe that’s the issue.
you can join in forum and provide some technical information like logs or configs so i can check where is the issue