OpenSSL 1.1.x & TLS 1.3

Looking under the hood, it looks like OpenSSL 1.1.1a is the default install on FreeBSD 12.0-RELEASE base. We use Squid 4.4 & Apache 2.4.37 both of which had to be recompiled.

Just a few notes if you share a similar configuration:

  • build /usr/ports/security/openssl111/ or use pkg
## modify /etc/make.conf to reflect

DEFAULT_VERSIONS+=ssl=openssl111

## modify httpd.conf to reflect something similar to these:

SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3 
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA

Once all modifications are finalized, restart Apache and fire up https://www.ssllabs.com/ssltest/ to verify.

To verify with Squid, use

$ squid -v
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1a 20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

Please note the above configuration purposely disables SSLv3 & TLSv1.0-1.1 – only TLSv1.2 and 1.3 are enabled with corresponding ciphersuites. All other connections will fail.