TLS 1.2 on latest CentOS

Posted: 2017/03/08 15:03:55
by jjscott13
I am running CentOS v6.8. This comes with OpenSSL 1.0.1e. Can someone tell me if this supports TLSv1.2? If it does, how can I tell if it's enabled by default?

We have a payment application that uses it for secure connections to the bank for credit card transactions and the bank is requiring TLSv1.2 by June.

Thanks

Re: TLS 1.2 on latest CentOS

Posted: 2017/03/08 15:21:43
by TrevorH
Do you need support for TLS 1.2 from a web browser running on CentOS 6.8 or from a server running on it?

Yes, TLS 1.2 works on CentOS 6.8 if you enable it. If you have a server running that you want to check you can run openssl s_client -connect ip.ad.dr.ess:port and it will tell you what level it negotiated. If you want to force what it uses then you can add -tls1_2/-tls1_1 etc to the command.

Re: TLS 1.2 on latest CentOS

Posted: 2017/03/08 16:15:22
by jjscott13
The bank is the host server and our system is the client connecting to it. I highly doubt they are running CentOS v6.8, however, our client PC that sends the authorizations to the bank is running it.

So, it sounds like I will need to contact our payment application vendor and request they make the appropriate changes to their application to force TLSv1.2 communications.

Re: TLS 1.2 on latest CentOS

Posted: 2017/03/08 17:23:42
by TrevorH
You can check if their side supports TLS 1.2 easily enough. Just run openssl s_client -connect your.bank.domain.name:443 -tls1_2 and you should get a bunch of output, the last portion of which should look like this:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    ... some other stuff, not important for this
Hit Ctrl-D to exit or just wait and it will time out. Likewise, if you attempt to connect using that command but replace -tls1_2 with -ssl3, then it really, really ought to error out, and if it doesn't then change banks! e.g.

$ openssl s_client -connect x.x.x.x:443 -ssl3
140346105386912:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
...
You can force -ssl2, -ssl3, -tls1, -tls1_1 and -tls1_2.
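The check described in the post above, scripted so it runs once per protocol version rather than by hand. This is an added example, not part of TrevorH's post; it assumes an openssl binary in PATH and takes a hypothetical host and port as arguments. One detail worth knowing: on a failed handshake, s_client still prints an SSL-Session block, with a null cipher of 0000, so the parser requires a real cipher before it reports a negotiated protocol.

```shell
#!/bin/sh
# Added example: probe which SSL/TLS versions a server will negotiate,
# using openssl s_client with the -ssl3/-tls1/-tls1_1/-tls1_2 flags
# exactly as in the post. Not code from the original thread.

# negotiated_protocol OUTPUT
#   Reads captured s_client output (stdout+stderr) and prints the value of
#   the "Protocol :" line from the SSL-Session block, or "none" when the
#   handshake did not complete. A failed handshake still prints the block
#   with "Cipher : 0000", so a real cipher is required as well.
negotiated_protocol() {
    printf '%s\n' "$1" | awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (proto != "" && cipher != "" && cipher != "0000") print proto
            else print "none"
        }'
}

# probe_tls_versions HOST [PORT]
#   Forces each protocol version in turn and reports what, if anything,
#   the server negotiated. </dev/null makes s_client exit right after the
#   handshake instead of waiting for Ctrl-D. A flag the local openssl was
#   built without (e.g. -ssl3 on a no-ssl3 build) simply reports "none".
probe_tls_versions() {
    host=$1
    port=${2:-443}   # assumption: HTTPS port unless told otherwise
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(negotiated_protocol "$out")"
    done
}

# Usage: sh probe_tls.sh your.bank.domain.name 443
# (hypothetical host; the script only probes when given one)
if [ -n "$1" ]; then
    probe_tls_versions "$1" "$2"
fi
```

For the bank's June requirement the line you want is `-tls1_2 TLSv1.2`; a `-ssl3` line reading anything other than `none` is the "change banks" case from the post.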

Re: TLS 1.2 on latest CentOS

Posted: 2017/03/08 17:27:19
by TrevorH
I'd also add that apparently TLS 1.3 is on the way and that will require a newer version of openssl than ships with any current CentOS version. I see there are plans to bring openssl 1.0.2 to CentOS 7 with 7.4 when that comes out, and that should be ready for TLS 1.3, but I think it highly unlikely that that will ever be backported to CentOS 6. And plans change, and Red Hat are the ones who decide what ships, so it may not happen - believe it when it does.