prbinu / tls-scan

An Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven )
https://prbinu.github.io/tls-scan

Unable to Connect Using >TLS1.1 Protocol w/ Apache #30

Closed rrioux closed 4 years ago

rrioux commented 5 years ago

I setup a new Apache server with the following SSLProtocol setting:

SSLProtocol -all TLSv1.2 TLSv1.3

tls-scan returns a network error when attempting to connect. elinks returns an "unable to retrieve" SSL error.

When I revert to the following, both applications connect as expected:

SSLProtocol all

My assumption here is cipher suite support - specifically, tls-scan and elinks might not like ECDHE. Have you had any other reports of this problem? Does my analysis sound sane or is there another issue that I'm completely missing?

As always, thanks for your support and for making a great tool!

Randal

prbinu commented 5 years ago

To support old/insecure cipher scans, we are using an old openssl version that doesn't have support for TLS 1.3. So for TLS 1.3 support, you need to build a new tls-scan binary from source.

Here is the script to build tls-scan from source: https://github.com/prbinu/tls-scan/blob/master/build-x86-64-openssl-1.1.1.sh

The disadvantage with this version is that it doesn't support SSL2, 3 and old cipher scans. But by combining (running) both binaries, you likely get good cipher/version coverage.

BTW, though 1.3 looks like a minor version bump, in reality it is a major protocol upgrade from the previous version.

Thanks for using tls-scan, and I hope this helps!
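An added example (not code from tls-scan or from this thread) that models how mod_ssl parses an `SSLProtocol` line: a `+` prefix adds a version, `-` removes one, and an unprefixed keyword replaces the whole set (mod_ssl logs warning AH02532 when that discards earlier keywords). It evaluates the directives quoted above and checks whether a client built without TLS 1.3 support, as described in the reply, can still negotiate; the client version sets are constructed for illustration.

```python
"""Model Apache mod_ssl's SSLProtocol parsing and check client/server overlap."""
from typing import Iterable, Set

# Keywords accepted by mod_ssl builds against OpenSSL 1.1.1 (SSLv2 is gone).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(PROTOCOLS)


def parse_sslprotocol(directive: str) -> Set[str]:
    """Return the protocol versions enabled by an SSLProtocol directive.

    Mirrors mod_ssl's keyword handling: '+' adds to the current set, '-'
    removes from it, and an unprefixed keyword REPLACES the whole set.
    Keyword matching is case-insensitive, as in mod_ssl.
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]  # allow passing the full config line
    enabled: Set[str] = set()
    for tok in tokens:
        action, word = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if word.lower() == "all":
            chosen = set(ALL)
        else:
            matches = [p for p in PROTOCOLS if p.lower() == word.lower()]
            if not matches:
                raise ValueError(f"Illegal protocol '{word}'")
            chosen = set(matches)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # unprefixed keyword: discard everything before it
    return enabled


def can_negotiate(server: Set[str], client_versions: Iterable[str]) -> bool:
    """True when server and client share at least one enabled version."""
    return bool(server & set(client_versions))


# Constructed client profiles: a scanner linked against an OpenSSL without
# TLS 1.3 (as in the thread) and one built with OpenSSL 1.1.1.
OLD_SCANNER = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
NEW_SCANNER = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

if __name__ == "__main__":
    for line in ("SSLProtocol -all TLSv1.2 TLSv1.3",
                 "SSLProtocol -all +TLSv1.2 +TLSv1.3", "SSLProtocol all"):
        enabled = parse_sslprotocol(line)
        print(f"{line!r:42} -> {sorted(enabled)}; old scanner ok: "
              f"{can_negotiate(enabled, OLD_SCANNER)}")
```

Running it shows that the quoted `-all TLSv1.2 TLSv1.3` form leaves only TLSv1.3 enabled, while `-all +TLSv1.2 +TLSv1.3` keeps both versions; checking the Apache error log for AH02532 is a quick way to confirm which form a server is actually running.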

rrioux commented 4 years ago

Ah, that makes sense. I wonder if we can edit the code to support both based on response? I can take a look at that and submit a patch if I can make the time :-)

Also, yeah, 1.3 is a bigger change than one would think.

Thanks for the fast response!

prbinu commented 4 years ago

I've added TLS 1.3 support in tls-scan 1.0.1 release. Release link: https://github.com/prbinu/tls-scan/releases/tag/1.0.1

prbinu commented 4 years ago

Please open a new ticket if you find any issue with the 1.0.1 release.