How to Enable TLS 1.3 in Apache on CWP (Control Web Panel): CentOS 7 / CentOS 8 (EL7 / EL8)

In this tutorial I’ll show you how to enable TLSv1.3 in CWP-httpd/Apache (when only the Apache web server is installed). I’ve tested this and it seems to be working fine. HTTPS performance has been made faster and safer for every user and every device; after you enable TLS 1.3 you’ll notice faster website loading.

Transport Layer Security (TLS) 1.3 provides unparalleled privacy and performance compared to previous versions of TLS and non-secure HTTP. Performance has a major impact on user experience. TLS 1.3 represents a pivotal turning point for HTTPS performance. Modern mobile networks will routinely add over 100ms of latency to each request. TLS 1.3 makes page load times significantly faster for mobile devices, improving the user experience for your visitors.

This tutorial will enable HTTP/2 and TLSv1.3 automatically. If you’re using nginx as a proxy or nginx + php-fpm, follow this tutorial too:

Step 1

Install the few dependencies needed for the Apache build:

Installing Autoconf:

cd /usr/local/src
rm -rf autoconf-*
wget https://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
tar zxvf autoconf-latest.tar.gz
cd autoconf-*/
./configure --prefix=/usr
make && make install

Installing OpenSSL:

cd /usr/local/src
rm -rf openssl*
wget https://www.openssl.org/source/openssl-3.0.8.tar.gz -O openssl.tar.gz
tar -xf openssl.tar.gz
rm -rf openssl.tar.gz
mv openssl-* openssl
cd openssl
./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
make && make install

*Building OpenSSL will take some time.

Installing Nghttp2 (the commands below build Python 3.8.12 first, then nghttp2):

cd /usr/local/src
rm -rf Python-*
wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tgz
tar xvf Python-3.8.12.tgz
cd Python-3.8*/
./configure --enable-optimizations
make altinstall
cd /usr/local/src
rm -rf nghttp2-*
yum install libtool -y
wget https://github.com/nghttp2/nghttp2/releases/download/v1.47.0/nghttp2-1.47.0.tar.gz
tar zxvf nghttp2-1.47.0.tar.gz
cd nghttp2-*/
./configure --prefix=/usr PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig
make && make install

Step 2

Building Apache (latest) on EL7/CentOS 7:

cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://blog.alphagnu.com/upload/apache-rebuild-new7.sh
yum install uuid uuid-devel libuuid-devel pcre-devel -y
chmod 755 apache-rebuild-new7.sh
sh apache-rebuild-new7.sh

Run these commands to exclude cwp-httpd from updates so your configuration isn’t lost when an update is released:

cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf

Building Apache (latest) on EL8/CentOS 8:

cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache https://blog.alphagnu.com/upload/apache-rebuild-new8.sh
dnf install uuid uuid-devel libuuid-devel pcre-devel -y
chmod 755 apache-rebuild-new8.sh
sh apache-rebuild-new8.sh

Run these commands to exclude cwp-httpd from updates so your configuration isn’t lost when an update is released:

dnf module disable httpd
cat /etc/yum.conf |grep "^exclude="|grep httpd 1> /dev/null 2> /dev/null || echo 'exclude=httpd*' >> /etc/yum.conf
cat /etc/yum.conf |grep "^exclude="|grep cwp-httpd 1> /dev/null 2> /dev/null || echo 'exclude=cwp-httpd' >> /etc/yum.conf

**This Apache script enables HTTP/2 and TLSv1.3 automatically and installs the latest version of Apache.

Troubleshooting:

If you have rebuilt the web server and TLS 1.3 has stopped working, run these two commands to get TLS 1.3 back (when using Apache as the only web server):

sed -i 's/All -SSLv2 -SSLv3/-All +TLSv1.2 +TLSv1.3 /g' /usr/local/apache/conf.d/ssl.conf
systemctl restart httpd
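
The sed command above changes nothing, and reports nothing, when ssl.conf does not contain the exact string "All -SSLv2 -SSLv3". The shell script below is an added example, not part of the original tutorial or of CWP: it resolves each SSLProtocol line the way mod_ssl reads it and shows the result before and after the sed on a constructed sample file. The function names effective_protocols and audit_ssl_conf are made up for this example.

```shell
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"  # upper bound for "all" (build dependent)
# effective_protocols ARGS: resolve one SSLProtocol argument list left to right:
# +X adds, -X removes, a bare name replaces the set (names in their usual case).
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) act=add; name=${tok#+} ;;
            -*) act=del; name=${tok#-} ;;
            *)  act=set; name=$tok ;;
        esac
        case "$name" in [Aa][Ll][Ll]) name=$ALL_PROTOS ;; esac
        case "$act" in
            set) enabled=$name ;;
            add) enabled="$enabled $name" ;;
            del) keep=""
                 for p in $enabled; do
                     case " $name " in *" $p "*) ;; *) keep="$keep $p" ;; esac
                 done
                 enabled=$keep ;;
        esac
    done
    out=""
    for p in $ALL_PROTOS; do   # normalise order, drop unknown names such as SSLv2
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# audit_ssl_conf FILE: returns 0 only if every active SSLProtocol line enables
# TLSv1.3 and nothing older than TLSv1.2; 1 otherwise; 2 if no such line exists.
audit_ssl_conf() {
    lines=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1") || return 2
    rc=0
    while read -r directive args; do
        eff=$(effective_protocols "$args")
        echo "$directive $args => ${eff:-none}"
        case "$eff" in "TLSv1.2 TLSv1.3"|"TLSv1.3") ;; *) rc=1 ;; esac
    done <<EOF
$lines
EOF
    return $rc
}

# Constructed sample (not the real CWP file): audit, apply the page's sed, audit again.
conf=$(mktemp); printf 'SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n' > "$conf"
audit_ssl_conf "$conf" || echo "older protocols still enabled"
sed -i 's/All -SSLv2 -SSLv3/-All +TLSv1.2 +TLSv1.3 /g' "$conf"
audit_ssl_conf "$conf" && echo "restricted to TLSv1.2 and TLSv1.3"; rm -f "$conf"
```

To check the live file, run audit_ssl_conf /usr/local/apache/conf.d/ssl.conf after the sed and before restarting httpd.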

Checking TLSv1.3 and HTTP/2:

That’s it, you’re done. To check whether TLSv1.3 is working, use the online checker; ensure you have SSL installed for the domain you’re checking:

Go to this link and enter the URL to check the TLS 1.3 protocol: https://www.cdn77.com/tls-test

Go to this link and enter the URL to check HTTP/2: https://tools.keycdn.com/http2-test
