SSL Handshake failure when using a TLSv1.3 ciphersuite on ApacheBench (ab)


I was trying to use Apache Bench (ab) against my local server, which is running Apache HTTP Server with the ssl module enabled, using TLS1.3 as the protocol for communication, but any time I try to use it I get an SSL handshake failure message on my command line terminal.

What I have done is simply install apache2 on my local PC (running Zorin OS 15.2) and make some changes in the ssl.conf file, in which I specified the SSL protocols to use:

SSLProtocol -all +TLSv1.2 +TLSv1.3

and in the site configuration file, to activate the SSL engine, specify all the certificate files, assign the server name, etc.

After all of this is done I simply run the command ab for testing and if I run the command like this:

ab -n 100 -c 10 https://myhostname/

everything works fine, but if I try to specify the protocol TLS1.3, using one of the ciphers that is used for TLS1.3, it gives the following error message:

ab -n 1000 -c 50 -Z TLS_AES_256_GCM_SHA384 https://myhostname:443/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking hostname (be patient)
SSL handshake failed (1).
139632751683456:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:../ssl/statem/statem_clnt.c:3786:No ciphers enabled for max supported SSL/TLS version

What is strange to me is that if I run the same command using some ciphers supported by TLS1.2, everything works fine, but if I use any ciphers supported by TLS1.3, I get that error.

I even tried a simple connect using openssl s_client with the option -tls1_3 to connect to my server using TLS1.3 as the protocol, and the connection works fine.

Here is a list of software I'm using:

  • Apache HTTP Server (version 2.4.29)
  • ApacheBench (version 2.3)
  • OpenSSL (version 1.1.1)

What I want is simply to run the same command, but using ciphers supported by the TLS1.3 protocol.

Best Answer

The documentation for ab - Apache HTTP server benchmarking tool has:

-f protocol

Specify SSL/TLS protocol (SSL2, SSL3, TLS1, TLS1.1, TLS1.2, or ALL). TLS1.1 and TLS1.2 support available in 2.4.4 and later.

That's also mentioned in the changelog:

Changes with Apache 2.4.4

  • ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to more accurately report the negotiated protocol. PR 53916. [Nicolás Pernas Maradei, Kaspar Brand]

As there's no similar mention of TLS 1.3, one could assume ab doesn't support it yet (despite Apache 2.4 supporting TLS 1.3).
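
To confirm independently of ab which TLS 1.3 suites the server actually negotiates, the s_client check from the question can be scripted per suite. This is an added example, not part of the original answer; it assumes OpenSSL 1.1.1 or later, where s_client takes TLS 1.3 suites through -ciphersuites, separately from the -cipher list used for TLS 1.2 and below. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify TLS 1.3 suite negotiation with openssl s_client.
# Function names are hypothetical; nothing here runs until a function is called.

# Constructed sample of the s_client lines the parser relies on.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'

# Read s_client output on stdin and print "<protocol> <cipher>".
# A failed handshake is reported as "New, (NONE), Cipher is (NONE)",
# which does not match the pattern, so nothing is printed.
parse_negotiated() {
    sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \([A-Za-z0-9_-]*\).*$/\1 \2/p' |
        head -n 1
}

# probe_tls13 HOST PORT SUITE
# Offers only SUITE in a TLS 1.3-only handshake; succeeds if the server picks it.
probe_tls13() {
    host=$1; port=$2; suite=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -ciphersuites "$suite" </dev/null 2>/dev/null |
            parse_negotiated)
    [ "$out" = "TLSv1.3 $suite" ]
}

# report_tls13 HOST [PORT]
# Tries each suite in OpenSSL's default TLS 1.3 list and prints the result.
report_tls13() {
    host=$1; port=${2:-443}
    for suite in TLS_AES_256_GCM_SHA384 \
                 TLS_CHACHA20_POLY1305_SHA256 \
                 TLS_AES_128_GCM_SHA256; do
        if probe_tls13 "$host" "$port" "$suite"; then
            echo "accepted  $suite"
        else
            echo "rejected  $suite"
        fi
    done
}

# Usage: report_tls13 myhostname 443
```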