TLS 1.2 on latest CentOS

Support for security such as Firewalls and securing linux
jjscott13
Posts: 26
Joined: 2011/04/16 14:28:38

TLS 1.2 on latest CentOS

Post by jjscott13 » 2017/03/08 15:03:55

I am running CentOS v6.8. This comes with OpenSSL 1.0.1e. Can someone tell me if this supports TLSv1.2? If it does, how can I tell if it's enabled by default?

We have a payment application that uses it for secure connections to the bank for credit card transactions and the bank is requiring TLSv1.2 by June.

Thanks

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS 1.2 on latest CentOS

Post by TrevorH » 2017/03/08 15:21:43

Do you need support for TLS 1.2 from a web browser running on CentOS 6.8 or from a server running on it?

Yes, TLS 1.2 works on CentOS 6.8 if you enable it. If you have a server running that you want to check you can run openssl s_client -connect ip.ad.dr.ess:port and it will tell you what level it negotiated. If you want to force what it uses then you can add -tls1_2/-tls1_1 etc to the command.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jjscott13
Posts: 26
Joined: 2011/04/16 14:28:38

Re: TLS 1.2 on latest CentOS

Post by jjscott13 » 2017/03/08 16:15:22

The bank is the host server and our system is the client connecting to it. I highly doubt they are running CentOS v6.8, however, our client PC that sends the authorizations to the bank is running it.

So, it sounds like I will need to contact our payment application vendor and request they make the appropriate changes to their application to force TLSv1.2 communications.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS 1.2 on latest CentOS

Post by TrevorH » 2017/03/08 17:23:42

You can check if their side supports tls 1.2 easily enough. Just run openssl s_client -connect your.bank.domain.name:443 -tls1_2 and you should get a bunch of output, the last portion of which should look like this:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    ... some other stuff, not important for this

Hit Ctrl-D to exit or just wait and it will timeout. Likewise if you attempt to connect using that command but replace -tls1_2 with -ssl3 then it really really ought to error out and if it doesn't then change banks! e.g.

$ openssl s_client -connect x.x.x.x:443 -ssl3
140346105386912:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
...

You can force -ssl2, -ssl3, -tls1, -tls1_1 and -tls1_2.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS 1.2 on latest CentOS

Post by TrevorH » 2017/03/08 17:27:19

I'd also add that apparently TLS 1.3 is on the way and that will require a newer version of openssl than ships with any current CentOS version. I see there are plans to bring openssl 1.0.2 to CentOS 7 with 7.4 when that comes out and that should be ready for tls 1.3 but I think it highly unlikely that that will ever be backported to CentOS 6. And plans change and Red Hat are the ones who decide what ships so it may not happen - believe it when it does.
