Home / server / Questions / 314858
Accepted
John
Asked: 2011-09-24 06:46:35 +0800 CST

How to enable TLS 1.1 and 1.2 with OpenSSL and Apache

  • 772

In light of a growing number of security issues, such as the newly announced Browser Exploit Against SSL/TLS (BEAST), I was curious how we could go about enabling TLS 1.1 and 1.2 with OpenSSL and Apache to ensure that we will not be vulnerable to such threat vectors.

apache-2.2 security mod-ssl openssl

6 Answers

  1. Best Answer

    TLS1.2 is now available for apache, to add TLSs1.2 you just need to add in your https virtual host configuration:

    SSLProtocol -all +TLSv1.2

    -all is removing other ssl protocol (SSL 1,2,3 TLS1)

    +TLSv1.2 is adding TLS 1.2

    for more browser compatibility you can use

    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

    by the way you can increase the Cipher suite too using:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

    You can test your https website security with an online scanner like: https://www.ssllabs.com/ssltest/index.html

    • 30

  2. Compile apache with the latest version of OpenSSL to enable TLSv1.1 and TLSv1.2

    http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

    SSLProtocol +TLSv1.1 +TLSv1.2
    • 11

  3. According to the OpenSSL changelog, support for TLS 1.2 was added to the development branch of OpenSSL 1.0.1, but this version is not yet released. Probably some changes will also be needed in the mod_ssl code to actually enable TLS 1.2 for Apache.

    Another commonly used SSL/TLS library is NSS; it is used by a less well known Apache module mod_nss; unfortunately, current NSS releases also do not support TLS 1.2.

    Yet another SSL/TLS library is GnuTLS, and it pretends to support TLS 1.2 already in its current release. There is an Apache module using GnuTLS: mod_gnutls, which also claims to support TLS 1.2. However, this module seems to be rather new, and might be not very stable; I never tried to use it.

    • 10

  4. You cannot, OpenSSL does not offer a release for TLS 1.1 yet.

    One pertinent comment on /. for this issue:

    Will you kindly explain to the unwashed masses how you would implement TLS 1.1 and 1.2 support in a world where the dominant library OpenSSL does not yet support either of the protocols in its stable releases? Sure, you can use GnuTLS and mod_gnutls, and I have tried it, but there was no point, as no browser apart from Opera supported it and there were some weird glitches in the module. IE 8/9 were supposed to support them under Vista and 7, but failed to access the site served by mod_gnutls when 1.1 and 1.2 were enabled on the client side. I tried it anew yesterday just out of curiosity, and now even Opera 11.51 chokes on TLS 1.1 and 1.2. So there. Nothing really supports the protocols. Must wait for OpenSSL 1.0.1 for TLS 1.1 and nobody knows when that will hit the repos.

    http://it.slashdot.org/comments.pl?sid=2439924&cid=37477890

    • 6

  5. Adam Langley, a Google Chrome engineer, points out that TLS 1.1 would not have solved this problem due to an implementation issue with SSLv3 that everyone has to work around: browsers have to downgrade to SSLv3 to support buggy servers, and an attacker can initiate this downgrade.

    http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

    • 4

  6. Gnu_tls works like a charm and it also implements SNI (Server Name Identification), that's very userful in virtual hosting....

    No problem also to find bin packages for mod_gnutls in linux distros, i use it since 2 years and no problems, it is also more performant than openssl imho.

    But the problem is also that most browsers doesn't not support tls 1.1 or 1.2 so please start to diffuse the idea of upgrading browsers regulary to people.

    • 3