I am running CentOS v6.8. This comes with OpenSSL 1.0.1e. Can someone tell me if this supports TLSv1.2? If it does, how can I tell if it's enabled by default?
We have a payment application that uses it for secure connections to the bank for credit card transactions and the bank is requiring TLSv1.2 by June.
Thanks
TLS 1.2 on latest CentOS
Re: TLS 1.2 on latest CentOS
Do you need support for TLS 1.2 from a web browser running on CentOS 6.8 or from a server running on it?
Yes, TLS 1.2 works on CentOS 6.8 if you enable it. If you have a server running that you want to check you can run openssl s_client -connect ip.ad.dr.ess:port and it will tell you what level it negotiated. If you want to force what it uses then you can add -tls1_2/-tls1_1 etc to the command.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: TLS 1.2 on latest CentOS
The bank is the host server and our system is the client connecting to it. I highly doubt they are running CentOS v6.8, however, our client PC that sends the authorizations to the bank is running it.
So, it sounds like I will need to contact our payment application vendor and request they make the appropriate changes to their application to force TLSv1.2 communications.
Re: TLS 1.2 on latest CentOS
You can check if their side supports TLS 1.2 easily enough. Just run openssl s_client -connect your.bank.domain.name:443 -tls1_2 and you should get a bunch of output, the last portion of which should look like this:

    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-SHA256
    ... some other stuff, not important for this

Hit Ctrl-D to exit or just wait and it will time out. Likewise if you attempt to connect using that command but replace -tls1_2 with -ssl3 then it really really ought to error out and if it doesn't then change banks! e.g.

    $ openssl s_client -connect x.x.x.x:443 -ssl3
    140346105386912:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
    ...

You can force -ssl2, -ssl3, -tls1, -tls1_1 and -tls1_2.
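An added example, not part of the original posts: a shell helper that reads openssl s_client output and reports the negotiated protocol only when the handshake actually completed, since a bare match on the "Protocol" line can mislead. The function names and sample transcripts are constructed; the failed transcript assumes the usual s_client behaviour of printing a session block with cipher 0000 after a failed handshake.

```shell
# Added example: read `openssl s_client` output on stdin and report what was
# actually negotiated. Function names and samples are constructed.

# Print "<protocol> <cipher>"; return 1 if the handshake did not complete.
negotiated() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            # A failed handshake can still print a session block naming the
            # requested protocol, but with the placeholder cipher 0000.
            if (proto == "" || cipher == "" ||
                cipher == "0000" || cipher == "(NONE)") exit 1
            print proto, cipher
        }'
}

# Succeed only if the session on stdin completed with TLS 1.2 or later.
meets_tls12() {
    result=$(negotiated) || return 1
    case ${result%% *} in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Live use (needs network): probe host:port [-tls1_2 | -tls1_1 | ...]
probe() {
    openssl s_client -connect "$1" ${2:+"$2"} </dev/null 2>&1 | negotiated
}

# Constructed transcripts, modelled on the excerpts quoted in the post above.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is AES256-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256'
SAMPLE_FAILED='error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_OLD='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

printf '%s\n' "$SAMPLE_OK" | negotiated
printf '%s\n' "$SAMPLE_FAILED" | negotiated || echo "handshake did not complete"
printf '%s\n' "$SAMPLE_OLD" | meets_tls12 || echo "completed, but below TLS 1.2"
```

Against a live endpoint, `probe your.bank.domain.name:443 -tls1_2` prints the protocol and cipher, or returns non-zero if the forced version was refused.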
Re: TLS 1.2 on latest CentOS
I'd also add that apparently TLS 1.3 is on the way and that will require a newer version of OpenSSL than ships with any current CentOS version. I see there are plans to bring OpenSSL 1.0.2 to CentOS 7 with 7.4 when that comes out and that should be ready for TLS 1.3 but I think it highly unlikely that that will ever be backported to CentOS 6. And plans change and Red Hat are the ones who decide what ships so it may not happen - believe it when it does.