TLS 1.2 on latest CentOS

- Posts: 252
- Joined: 2009/07/10 09:43:13

Re: TLS 1.2 on latest CentOS

solved with this in ssl.conf.

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
- eugene.ievlev
- Posts: 19
- Joined: 2014/02/07 10:41:03
- Location: Ukraine
Re: TLS 1.2 on latest CentOS
Hi,
I have a question about support for the preferred modern ciphers like ECDH and ECDSA! Those ciphers are supported only in Apache 2.4.
Do we have some solution for CentOS (which uses Apache 2.2 by default)? Except for installing httpd from sources, I would like to use software from stable repositories.
I would like to use those ciphers for configuring Forward Secrecy (https://community.qualys.com/blogs/secu ... rd-secrecy)
Re: TLS 1.2 on latest CentOS

eugene.ievlev wrote: I would like to use those ciphers for configuring Forward Secrecy (https://community.qualys.com/blogs/secu ... rd-secrecy)

I too would like the ability to do this. At the moment I get an A- on the SSLLabs site because there is no forward secrecy, due to the ciphers not being available in the Apache version installed. Is there a workaround or do we just have to wait?

OpenSSL 1.0.1e-fips 11 Feb 2013 is installed and working OK.

SSLCipherSuite ALL:+ECDH:!3DES:!DES:!EXP:!aNULL:!MD5:-SSLv2

gives the A-.

But this is the version of Apache, and it does not support the required ciphers.

Server version: Apache/2.2.15 (Unix)
Server built:   Aug 13 2013 17:29:28

Before I get flamed for posting here, this IS the CentOS forum so I feel justified in asking this question here.
Re: TLS 1.2 on latest CentOS
No flames but if CentOS does not provide what you require then there is nothing that CentOS can do about that if it requires packages that Redhat do not provide. The stated aim and goal of CentOS is to provide a distribution that's binary compatible with RHEL. If you want features added that cannot be obtained using the current packages in CentOS (e.g. httpd 2.4.x provides it but 2.2.x does not) then the place to ask for the new features is upstream on the Redhat site.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: TLS 1.2 on latest CentOS
sblantipodi wrote: solved with this in ssl.conf.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT

What is the path to ssl.conf under CentOS 6.4?
Re: TLS 1.2 on latest CentOS
Your first step is to update to 6.6 as 6.4 will not do TLS 1.2 due to the openssl version included. Run yum update and get your system up to date and running a recent openssl version (and fix the last 2 years worth of security bugs) first. Then you need to look in /etc/httpd/conf.d/ssl.conf.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
- Posts: 135
- Joined: 2014/06/17 21:50:37
Re: TLS 1.2 on latest CentOS
1. Make sure you are up to date with Apache and OpenSSL. This is vital.

2. In httpd.conf, add/edit

ServerTokens Prod
ServerSignature Off
TraceEnable off

3. In ssl.conf, add/edit

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!MEDIUM:!LOW:!MD5
SSLHonorCipherOrder on
SSLCompression Off

4. In each SSL host, including <VirtualHost _default_:443>, add:

# Strict Transport Security (HSTS) for at least 180 days
Header add Strict-Transport-Security "max-age=15552000;includeSubDomains"

5. Restart httpd

If it is important to you and the rest of your configuration is pretty standard, the above will get you an A score from Qualys. If your entire certificate chain is sha2 or better you may get an A+.
Some older browsers (*cough* Internet Explorer *cough*) will not be able to connect.
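A way to see what the SSLCipherSuite strings posted in this thread actually enable, as an added example that is not from any post here: it feeds the two posted strings to the local OpenSSL through Python's ssl module (the same cipher-string parser mod_ssl uses) and buckets the result by forward secrecy, the gap behind the A- grade discussed above. Which suites land in each bucket depends on the OpenSSL that Python links against (a modern build drops RC4 entirely), so run it on the box you are configuring.

```python
"""Expand Apache SSLCipherSuite strings with the local OpenSSL and flag suites
that lack forward secrecy. Added example, not code from the thread."""
import ssl

# Constructed copies of the two cipher strings posted in the thread.
FIRST_ATTEMPT = "ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT"
A_GRADE = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:"
           "EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!MEDIUM:!LOW:!MD5")


def expand_cipher_string(spec):
    """Return the suite names OpenSSL enables for `spec`, in preference order.

    OpenSSL silently ignores tokens it does not know (e.g. RC4-SHA on a build
    without RC4); only an empty result raises ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def has_forward_secrecy(name):
    """Ephemeral, authenticated key exchange: ECDHE/DHE (EDH- is the older DHE
    spelling) or a TLS 1.3 suite. Static RSA (AES256-SHA) and static ECDH
    (ECDH-RSA-...) fail; anonymous ADH-/AECDH- suites are not counted either."""
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def audit(spec):
    """Bucket the expanded list so non-forward-secret and RC4 leftovers stand out."""
    names = expand_cipher_string(spec)
    return {
        "forward_secret": [n for n in names if has_forward_secrecy(n)],
        "no_forward_secrecy": [n for n in names if not has_forward_secrecy(n)],
        "rc4": [n for n in names if "RC4" in n],
    }


if __name__ == "__main__":
    for label, spec in (("first attempt", FIRST_ATTEMPT), ("A-grade string", A_GRADE)):
        report = audit(spec)
        print(f"{label}: {len(report['forward_secret'])} forward-secret suites, "
              f"{len(report['no_forward_secrecy'])} without, {len(report['rc4'])} RC4")
        for n in report["no_forward_secrecy"]:
            print("  no forward secrecy:", n)
```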