How to Enable TLS 1.3 in Apache on CWP (Control Web Panel) for CentOS 7/8 or EL7/EL8

This guide explains how to enable TLS 1.3 on Apache when CWP (Control Web Panel) runs a standalone Apache web server (no Nginx in front of it). Apache is rebuilt against a TLS 1.3-capable OpenSSL and the nghttp2 library, which enables HTTP/2 at the same time. All commands run as root and install software from source outside the package manager, so the final steps pin the rebuilt packages against updates.

Overview of TLS 1.3

TLS 1.3 improves on earlier protocol versions in both privacy and speed: a full handshake takes one round trip instead of two, the cipher suites and key exchanges without forward secrecy have been removed, and more of the handshake itself is encrypted. The shorter handshake cuts connection latency, which is most noticeable on high-latency mobile networks. Enabling it is a basic step in modernizing a server's TLS configuration.

If Nginx sits in front of Apache as a reverse proxy, or serves PHP-FPM directly, refer to Enabling TLS 1.3 in NGINX on CWP/CentOS 7/8/EL7/EL8 instead.

Step 1: Install Dependencies for Apache Build

Install Autoconf

Autoconf is required for building the later components from source. Note that --prefix=/usr installs it over the distribution's own copy, outside RPM's control. Run the following commands:

cd /usr/local/src
rm -rf autoconf-*
wget https://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
tar zxvf autoconf-latest.tar.gz
cd autoconf-*/
./configure --prefix=/usr
make && make install

Install OpenSSL

Build a TLS 1.3-capable OpenSSL (1.1.1 or newer) into its own prefix, /usr/local/opensslso, so that the distribution's OpenSSL, which on CentOS 7 is 1.0.2 and has no TLS 1.3 support, stays untouched for everything else on the system. The commands pin 1.1.1l; that release is old and the 1.1.1 branch reached end of life in September 2023, so substitute the newest release of a supported branch, keeping the same prefix because the nghttp2 build below points at it:

cd /usr/local/src
rm -rf openssl*
yum install libtool zlib-devel -y
wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz
tar zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
./config --prefix=/usr/local/opensslso --openssldir=/usr/local/opensslso zlib shared
make && make install

Note: Building OpenSSL may take some time.

Install Nghttp2

Nghttp2 provides the HTTP/2 library that Apache's mod_http2 links against. The guide first installs Python 3.8 from source for the nghttp2 build; make altinstall installs it as python3.8 alongside the system interpreter rather than replacing /usr/bin/python, which yum on CentOS 7 depends on. The PKG_CONFIG_PATH in the nghttp2 configure step points the build at the OpenSSL installed above instead of the system copy:

cd /usr/local/src
rm -rf Python-*
wget https://www.python.org/ftp/python/3.8.8/Python-3.8.8.tgz
tar xvf Python-3.8.8.tgz
cd Python-3.8*/
./configure --enable-optimizations
make altinstall

cd /usr/local/src
rm -rf nghttp2-*
yum install libtool -y
wget https://github.com/nghttp2/nghttp2/releases/download/v1.43.0/nghttp2-1.43.0.tar.gz
tar zxvf nghttp2-1.43.0.tar.gz
cd nghttp2-*/
./configure --prefix=/usr PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig
make && make install
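Each download above is unpacked and built as root without being checked. As an added example that is not part of the CWP guide, the following shell helper fetches a tarball and refuses to keep it unless its SHA-256 digest matches a value you obtained separately (openssl.org publishes a .sha256 file and a PGP signature next to each tarball; take the digests for the other projects from their own release pages). A digest hosted next to the tarball only protects against a corrupted or substituted download; verifying the PGP signature with the project's release keys is the stronger check. The function names and the demo file are this example's own assumptions, and the demo runs against a constructed file, so nothing is downloaded when you run it as-is.

```shell
#!/bin/sh
# Added example, not part of the CWP guide: verify a downloaded source tarball
# against a SHA-256 digest obtained out of band before it is unpacked and
# built as root. The wget/tar/make sequences above never check what arrived.

# sha256_of <file>: hex digest, via sha256sum or, failing that, openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_sha256 <file> <expected>: 0 if the digest matches, 1 otherwise.
# <expected> may be bare hex or a "digest  filename" line as published in a
# .sha256 file; comparison is case-insensitive and an empty digest never passes.
verify_sha256() {
    expected=$(printf '%s' "$2" | awk '{ print tolower($1) }')
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# fetch_verified <url> <expected>: download into the current directory and
# delete the file again unless its digest matches, so a following
# "&& tar zxvf ..." never unpacks an unverified archive.
fetch_verified() {
    url=$1; expected=$2; file=${url##*/}
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    if verify_sha256 "$file" "$expected"; then
        echo "verified: $file"
    else
        echo "DIGEST MISMATCH, removing: $file (got $(sha256_of "$file"))" >&2
        rm -f "$file"
        return 1
    fi
}

# Usage with a real release (digest copied from the project's own release page,
# e.g. the .sha256 file next to an openssl.org tarball; <version> and <digest>
# are placeholders):
#   fetch_verified "https://www.openssl.org/source/openssl-<version>.tar.gz" "<digest>" \
#       && tar zxvf "openssl-<version>.tar.gz"

# Demo on a constructed file, so nothing is downloaded when run as-is.
demo=$(mktemp)
printf 'not a real tarball\n' > "$demo"
verify_sha256 "$demo" "$(sha256_of "$demo")" && echo "demo: digest matches"
verify_sha256 "$demo" 0000000000000000000000000000000000000000000000000000000000000000 || echo "demo: tampering detected"
rm -f "$demo"
```

Chain fetch_verified with && in front of the tar step so a mismatch stops the build before anything is extracted.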

Step 2: Build the Latest Version of Apache

For CentOS 7/EL7

1. Remove the existing Apache source files:

cd /usr/local/src
rm -rf /usr/local/src/apache*

2. Download the rebuild script from your CWP source (the download URL is not shown in this guide) and read through it before executing it, since it runs as root and replaces the panel's httpd build:

wget --no-cache apache-rebuild-new7.sh
yum install uuid uuid-devel -y
chmod 755 apache-rebuild-new7.sh
sh apache-rebuild-new7.sh

3. Pin the rebuilt Apache so that a later yum update does not replace it with the stock httpd or cwp-httpd package. yum reads a single exclude= key per section (a second exclude= line replaces the first), so both patterns must end up on one line rather than on two separate lines:

grep -q '^exclude=' /etc/yum.conf || echo 'exclude=' >> /etc/yum.conf
grep -q '^exclude=.*httpd\*' /etc/yum.conf || sed -i 's/^exclude=.*/& httpd*/' /etc/yum.conf
grep -q '^exclude=.*cwp-httpd' /etc/yum.conf || sed -i 's/^exclude=.*/& cwp-httpd/' /etc/yum.conf

For CentOS 8/EL8

1. Follow the same process as for CentOS 7, but use the appropriate rebuild script:

cd /usr/local/src
rm -rf /usr/local/src/apache*
wget --no-cache apache-rebuild-new8.sh
dnf install uuid uuid-devel -y
chmod 755 apache-rebuild-new8.sh
sh apache-rebuild-new8.sh

2. Disable the httpd module stream and pin the rebuilt Apache exactly as in the CentOS 7 step (on EL8, /etc/yum.conf is a symlink to /etc/dnf/dnf.conf, so the same edit applies; dnf reads a single exclude= key per section, so both patterns go on one line):

dnf module disable httpd -y
grep -q '^exclude=' /etc/yum.conf || echo 'exclude=' >> /etc/yum.conf
grep -q '^exclude=.*httpd\*' /etc/yum.conf || sed -i 's/^exclude=.*/& httpd*/' /etc/yum.conf
grep -q '^exclude=.*cwp-httpd' /etc/yum.conf || sed -i 's/^exclude=.*/& cwp-httpd/' /etc/yum.conf

Note: The rebuild script will enable both HTTP/2 and TLS 1.3 automatically.
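The pinning step in both the CentOS 7 and CentOS 8 procedures above edits /etc/yum.conf with grep, sed and echo. As an added example that is not part of the CWP guide, the helper below does the same job idempotently: it keeps a single exclude= line in the [main] section, merges any new patterns into it, and can be run as often as you like without producing duplicate lines. The function names are this example's own, and the demo operates on a constructed copy of a yum.conf, never on the real file.

```shell
#!/bin/sh
# Added example, not part of the CWP guide: keep exactly one exclude= line in
# the [main] section of a yum/dnf configuration. yum reads a single exclude=
# key per section (a later line replaces an earlier one), so appending
# "exclude=httpd*" and then "exclude=cwp-httpd" as two lines silently drops
# the first pattern. This helper merges all requested patterns into one line
# and is idempotent: running it again changes nothing.
set -f   # patterns such as httpd* must never be expanded against the filesystem

# ensure_yum_exclude <conf> <pattern>...
ensure_yum_exclude() {
    conf=$1; shift
    # Patterns already present on exclude= lines inside [main] (all of them,
    # since duplicate lines are exactly what we are cleaning up).
    current=$(awk '
        /^\[/ { inmain = ($0 == "[main]") }
        inmain && /^exclude[ \t]*=/ { sub(/^exclude[ \t]*=/, ""); printf "%s ", $0 }
    ' "$conf")
    # Merge old and new patterns, dropping duplicates, first-seen order kept.
    merged=""
    for p in $current "$@"; do
        case " $merged " in
            *" $p "*) ;;
            *) merged="${merged:+$merged }$p" ;;
        esac
    done
    # Rewrite: drop every exclude= inside [main] and emit the merged line at the
    # end of [main]; create the section if the file has none.
    tmp=$(mktemp)
    awk -v line="exclude=$merged" '
        /^\[/ {
            if (inmain && !done) { print line; done = 1 }
            inmain = ($0 == "[main]")
            if (inmain) seenmain = 1
        }
        inmain && /^exclude[ \t]*=/ { next }
        { print }
        END {
            if (!done) {
                if (!seenmain) print "[main]"
                print line
            }
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # cat, not mv: keeps the owner and mode of yum.conf
    rm -f "$tmp"
}

# yum_excludes <conf>: print the [main] exclude= value (empty if none).
yum_excludes() {
    awk '
        /^\[/ { inmain = ($0 == "[main]") }
        inmain && /^exclude[ \t]*=/ { sub(/^exclude[ \t]*=[ \t]*/, ""); print }
    ' "$1"
}

# Demo on a constructed copy of a typical CentOS 7 yum.conf, never the real
# file. For the real thing: ensure_yum_exclude /etc/yum.conf 'httpd*' cwp-httpd
demo=$(mktemp)
cat > "$demo" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
exclude=kernel*
EOF
ensure_yum_exclude "$demo" 'httpd*' cwp-httpd
ensure_yum_exclude "$demo" 'httpd*' cwp-httpd   # second run: no change
yum_excludes "$demo"                              # kernel* httpd* cwp-httpd
rm -f "$demo"
```

Quote the glob patterns on the command line, as in the demo, so the shell does not expand them before the function sees them.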

Troubleshooting

If TLS 1.3 is not offered after the rebuild, the SSLProtocol directive in CWP's ssl.conf usually still reads "All -SSLv2 -SSLv3", which also leaves TLS 1.0 and 1.1 enabled. Replace it with an explicit list that allows only TLS 1.2 and 1.3, confirm the directive actually changed (the sed only matches that exact text), run Apache's syntax check and restart (the binary path assumes CWP's default /usr/local/apache prefix):

sed -i 's/All -SSLv2 -SSLv3/-All +TLSv1.2 +TLSv1.3 /g' /usr/local/apache/conf.d/ssl.conf
grep -n SSLProtocol /usr/local/apache/conf.d/ssl.conf
/usr/local/apache/bin/httpd -t && systemctl restart httpd
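As an added example that is not part of the CWP guide, this helper makes the SSLProtocol fix robust: rather than matching one literal string, it rewrites whatever active SSLProtocol line the file contains, reports whether anything changed, and leaves a file that is already correct alone. The function names are this example's own; the real-file usage in the comments assumes CWP's default /usr/local/apache prefix, and the demo runs on a constructed snippet.

```shell
#!/bin/sh
# Added example, not part of the CWP guide: force SSLProtocol to TLS 1.2 + 1.3
# in an Apache ssl.conf regardless of what the directive currently says.

WANTED='SSLProtocol -all +TLSv1.2 +TLSv1.3'

# ssl_protocol_of <conf>: value of the first active SSLProtocol directive
# (case-insensitive, commented-out lines ignored); empty if there is none.
ssl_protocol_of() {
    awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# set_ssl_protocol <conf>: rewrite every active SSLProtocol line to $WANTED,
# keeping indentation. Exit status: 0 changed, 1 already correct,
# 2 no SSLProtocol directive present (add one by hand).
set_ssl_protocol() {
    conf=$1
    current=$(ssl_protocol_of "$conf")
    [ -n "$current" ] || return 2
    [ "$current" != "${WANTED#SSLProtocol }" ] || return 1
    tmp=$(mktemp)
    awk -v wanted="$WANTED" '
        tolower($1) == "sslprotocol" {
            match($0, /^[ \t]*/)                  # keep leading whitespace
            print substr($0, 1, RLENGTH) wanted
            next
        }
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"    # cat, not mv: preserves owner and mode of ssl.conf
    rm -f "$tmp"
    return 0
}

# Real run (as root). The paths assume CWP's default /usr/local/apache prefix;
# httpd -t is Apache's syntax check and must pass before the restart.
#   set_ssl_protocol /usr/local/apache/conf.d/ssl.conf; rc=$?
#   [ "$rc" -eq 2 ] && echo "no SSLProtocol directive found; add one manually"
#   [ "$rc" -le 1 ] && /usr/local/apache/bin/httpd -t && systemctl restart httpd

# Demo on a constructed snippet, not a real CWP file.
demo=$(mktemp)
printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n' > "$demo"
set_ssl_protocol "$demo" && echo "rewrote to: $(ssl_protocol_of "$demo")"
rm -f "$demo"
```

If CWP keeps SSLProtocol in more than one file (per-vhost includes, for instance), run the function on each of them; it only touches the file it is given.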

Verifying TLS 1.3 and HTTP/2

To confirm that TLS 1.3 and HTTP/2 are active, you can use these online tools (they test from outside, so the domain must already be publicly reachable over HTTPS with its certificate configured in CWP):

Check TLS 1.3: https://www.cdn77.com/tls-test
Check HTTP/2: https://tools.keycdn.com/http2-test

Once both checks pass, the site is being served with TLS 1.3 and HTTP/2.
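As an added example that is not part of the CWP guide, the script below performs the same two checks locally with openssl s_client and curl, which also works for a host that is not yet reachable from the internet. It assumes an OpenSSL 1.1.1 or newer binary (by default the one built under /usr/local/opensslso in Step 1, since the CentOS 7 system openssl is 1.0.2 and lacks the -tls1_3 option) and a curl built with HTTP/2 support; the function names and the sample s_client output embedded for offline use are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CWP guide: check TLS 1.3 and HTTP/2 from the
# command line instead of a third-party web tool. OPENSSL must be an OpenSSL
# 1.1.1+ binary (assumed: the Step 1 build); curl must support HTTP/2.
OPENSSL=${OPENSSL:-/usr/local/opensslso/bin/openssl}

# tls_version_of <s_client output>: protocol negotiated by "openssl s_client".
# s_client prints "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" on success
# and "New, (NONE), Cipher is (NONE)" when the handshake failed, so the cipher
# field, not the version field, decides whether anything was negotiated.
tls_version_of() {
    printf '%s\n' "$1" | awk -F', ' '/^New, / { if ($3 != "Cipher is (NONE)") print $2; exit }'
}

# http_version_of <curl -I output>: "2" for an HTTP/2 response, "1.1" for
# HTTP/1.1, empty if the first line is not a status line (e.g. a curl error).
http_version_of() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 ~ /^HTTP\// { sub(/\r$/, ""); sub(/^HTTP\//, "", $1); print $1 }'
}

# check_site <host> [port]: live check; non-zero exit if either test fails.
check_site() {
    host=$1; port=${2:-443}
    hs=$("$OPENSSL" s_client -connect "$host:$port" -servername "$host" -tls1_3 </dev/null 2>&1)
    if [ "$(tls_version_of "$hs")" = "TLSv1.3" ]; then
        echo "TLS 1.3: OK"
    else
        echo "TLS 1.3: FAILED (server did not negotiate TLSv1.3)"; return 1
    fi
    hv=$(http_version_of "$(curl -sI --http2 "https://$host:$port/")")
    if [ "$hv" = "2" ]; then
        echo "HTTP/2: OK"
    else
        echo "HTTP/2: FAILED (got HTTP/${hv:-no response})"; return 1
    fi
}

# Constructed sample outputs (not captured from a real server) so the parsers
# can be exercised offline. For a real test run: check_site example.com
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---'
SAMPLE_FAIL='CONNECTED(00000003)
error: tlsv1 alert protocol version (constructed sample line)
---
New, (NONE), Cipher is (NONE)
---'
tls_version_of "$SAMPLE_OK"     # TLSv1.3
tls_version_of "$SAMPLE_FAIL"   # prints nothing: no protocol negotiated
```

Run check_site against the server's own hostname from the server itself to rule out the firewall; run it from another machine to confirm what external clients get.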