TLS 1.2 on latest CentOS

Support for security such as Firewalls and securing linux
sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Re: TLS 1.2 on latest CentOS

Post by sblantipodi » 2013/12/07 00:19:01

solved with this in ssl.conf.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT

eugene.ievlev
Posts: 19
Joined: 2014/02/07 10:41:03
Location: Ukraine

Re: TLS 1.2 on latest CentOS

Post by eugene.ievlev » 2014/02/07 12:55:24

Hi,
I have a question about support for the preferred modern ciphers like ECDH and ECDSA! Those ciphers are supported only in Apache 2.4.
Do we have some solution for CentOS (which uses Apache 2.2 by default)? Apart from installing httpd from source, I would like to use software from stable repositories.

I would like to use those ciphers for configuring Forward Secrecy (https://community.qualys.com/blogs/secu ... rd-secrecy)

RayG
Posts: 1
Joined: 2014/03/25 17:15:42

Re: TLS 1.2 on latest CentOS

Post by RayG » 2014/03/25 17:35:04

eugene.ievlev wrote:I would like use that ciphers for Configuring Forward Secrecy (https://community.qualys.com/blogs/secu ... rd-secrecy)
I too would like the ability to do this. At the moment I get an A- on the SSLLabs site because there is no forward secrecy, due to the ciphers not being available in the Apache version installed. Is there a workaround, or do we just have to wait?

OpenSSL 1.0.1e-fips 11 Feb 2013 installed and working OK

SSLCipherSuite ALL:+ECDH:!3DES:!DES:!EXP:!aNULL:!MD5:-SSLv2 Gives the A-

But this is the version of apache and it does not support the required ciphers.
Server version: Apache/2.2.15 (Unix)
Server built: Aug 13 2013 17:29:28

Before I get flamed for posting here, this IS the CentOS forum so I feel justified in asking this question here.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS 1.2 on latest CentOS

Post by TrevorH » 2014/03/25 19:14:56

No flames, but if CentOS does not provide what you require then there is nothing that CentOS can do about that if it requires packages that Red Hat does not provide. The stated aim and goal of CentOS is to provide a distribution that's binary compatible with RHEL. If you want features added that cannot be obtained using the current packages in CentOS (e.g. httpd 2.4.x provides it but 2.2.x does not) then the place to ask for the new features is upstream on the Red Hat site.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tlearyus
Posts: 1
Joined: 2015/03/18 23:36:30

Re: TLS 1.2 on latest CentOS

Post by tlearyus » 2015/03/18 23:40:25

sblantipodi wrote:solved with this in ssl.conf.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
What is the path to ssl.conf under Centos 6.4?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: TLS 1.2 on latest CentOS

Post by TrevorH » 2015/03/18 23:42:28

Your first step is to update to 6.6 as 6.4 will not do TLS 1.2 due to the openssl version included. Run yum update and get your system up to date and running a recent openssl version (and fix the last 2 years worth of security bugs) first. Then you need to look in /etc/httpd/conf.d/ssl.conf.

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: TLS 1.2 on latest CentOS

Post by jscarville » 2015/03/19 03:31:12

1. Make sure you are up to date with Apache and OpenSSL. This is vital.

2. In httpd.conf, add/edit

ServerTokens Prod
ServerSignature Off
TraceEnable off

3. In ssl.conf add/edit

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!MEDIUM:!LOW:!MD5
SSLHonorCipherOrder on
SSLCompression Off

4. In each SSL host including <VirtualHost _default_:443> add:

# Strict Transport Security (HSTS) for at least 180 days
Header add Strict-Transport-Security "max-age=15552000;includeSubDomains"

5. Restart httpd

If it is important to you and the rest of your configuration is pretty standard, the above will get you an A score from Qualys. If your entire certificate chain is SHA-2 or better you may get an A+.

Some older browsers (*cough* Internet Explorer *cough*) will not be able to connect.
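The settings traded back and forth in this thread (SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, the HSTS header) can be checked mechanically before restarting httpd. The script below is an added example, not code from any poster; it parses an ssl.conf-style snippet and reports the weaknesses discussed above (SSLv3 still enabled, no TLSv1.2, RC4 allowed, no ephemeral ECDH/DH suites, cipher order not honoured, no HSTS). It assumes mod_ssl linked against OpenSSL 1.0.1, where the SSLProtocol keyword "all" expands to SSLv3 + TLSv1 + TLSv1.1 + TLSv1.2.

```python
import re
# Assumption: mod_ssl on OpenSSL 1.0.1 (as in this thread), where "all" = SSLv3 + TLSv1 + TLSv1.1 + TLSv1.2.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def parse_directives(conf):
    """Yield (directive, arguments) for every non-blank, non-comment line."""
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1] if len(parts) == 2 else ""

def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X adds."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit_ssl_conf(conf):
    """Return a list of findings for an ssl.conf snippet; [] means every check passed."""
    protocols, ciphers, honor_order, hsts = "all", "", "off", False  # mod_ssl defaults
    for name, args in parse_directives(conf):
        if name == "SSLProtocol":
            protocols = args
        elif name == "SSLCipherSuite":
            ciphers = args
        elif name == "SSLHonorCipherOrder":
            honor_order = args.lower()
        elif name == "Header" and "Strict-Transport-Security" in args:
            hsts = True
    enabled = enabled_protocols(protocols)
    findings = []
    if enabled & {"SSLv2", "SSLv3"}:
        findings.append("SSLv2/SSLv3 enabled")
    if "TLSv1.2" not in enabled:
        findings.append("TLSv1.2 not enabled")
    if "RC4" in ciphers and "!RC4" not in ciphers:
        findings.append("RC4 ciphers permitted")
    if not re.search(r"\b(EECDH|ECDHE|EDH|DHE)\b", ciphers):
        findings.append("no ephemeral ECDH/DH suites preferred (no forward secrecy)")
    if honor_order != "on":
        findings.append("SSLHonorCipherOrder not on")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":  # constructed sample: the first reply's ssl.conf lines
    print(audit_ssl_conf("SSLProtocol -ALL +SSLv3 +TLSv1\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH"))
```

Run against the first reply's two lines it reports all six findings; against the five-step config above it reports only that RC4 is still permitted, and adding !RC4 to the cipher string clears it.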
