
I was trying to use Apache Bench (ab) against my local server, which is running Apache HTTP Server with the ssl module enabled, using TLS1.3 as the protocol for communication, but any time I try to use it I get an SSL handshake failure message on my command-line terminal.

What I have done is simply install apache2 on my local PC (running Zorin OS 15.2) and make some changes in the ssl.conf file, in which I specified the SSL protocols to use:

```
SSLProtocol -all +TLSv1.2 +TLSv1.3
```

and in the site configuration file I activated the SSL engine, specified all the certificate files, assigned the server name, etc.

After all of this was done I simply ran the ab command for testing, and if I run the command like this:

```
ab -n 100 -c 10 https://myhostname/
```

everything works fine, but if I try to specify the protocol TLS1.3, using one of the ciphers that is used for TLS1.3, it gives the following error message:

```
ab -n 1000 -c 50 -Z TLS_AES_256_GCM_SHA384 https://myhostname:443/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking hostname (be patient)
SSL handshake failed (1).
139632751683456:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:../ssl/statem/statem_clnt.c:3786:No ciphers enabled for max supported SSL/TLS version
```

What is strange to me is that if I run the same command using some ciphers supported by TLS1.2 everything works fine, but if I use any ciphers supported by TLS1.3 I get that error.

I even tried a simple connection using openssl s_client with the option -tls1_3 to connect to my server using TLS1.3 as the protocol, and the connection works fine.

Here is a list of software I'm using:

  • Apache HTTP Server (version 2.4.29)
  • ApacheBench (version 2.3)
  • OpenSSL (version 1.1.1)

What I want is simply to run the same command, but using ciphers supported by the TLS1.3 protocol.

Simone

1 Answer

The documentation for ab - Apache HTTP server benchmarking tool has:

-f protocol

Specify SSL/TLS protocol (SSL2, SSL3, TLS1, TLS1.1, TLS1.2, or ALL). TLS1.1 and TLS1.2 support available in 2.4.4 and later.

That's also mentioned in the changelog:

Changes with Apache 2.4.4

  • ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to more accurately report the negotiated protocol. PR 53916. [Nicolás Pernas Maradei , Kaspar Brand]

As there's no similar mention of TLS 1.3, one could assume ab doesn't support it yet (even though Apache 2.4 supports TLS 1.3).

Esa Jokinen
  • Hi @EsaJokinen. Thanks for the reply. The -f option doesn't matter, because using -Z tells ab which protocol it must use. Of course, someone can use the -f option with -Z, as suggested, and in the end the result is the same. It could be true that ab doesn't support TLS 1.3; that's why I searched online for another tool called [JMeter](https://jmeter.apache.org/), which is a more complex tool compared to ab, but in the end it could give the same result. – Simone Jul 15 '20 at 22:48