36

In light of a growing number of security issues, such as the newly announced Browser Exploit Against SSL/TLS (BEAST), I was curious how we could go about enabling TLS 1.1 and 1.2 with OpenSSL and Apache to ensure that we will not be vulnerable to such threat vectors.

John
  • 2,266
  • 6
  • 44
  • 60

6 Answers

30

TLS 1.2 is now available for Apache; to add TLSv1.2 you just need to add to your HTTPS virtual host configuration:

SSLProtocol -all +TLSv1.2

-all removes the other SSL/TLS protocols (SSL 1, 2, 3 and TLS 1)

+TLSv1.2 adds TLS 1.2

For broader browser compatibility you can use

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

By the way, you can also tighten the cipher suite using:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

You can test your https website security with an online scanner like: https://www.ssllabs.com/ssltest/index.html

Froggiz
  • 3,013
  • 1
  • 18
  • 30
  • 3
    I'm not sure why this post is marked as "outdated". I used the recommended solution, and my customer's site went from a "C" rating on the Qualsys SSL Labs to an "A". – Michael Sobczak Apr 29 '16 at 00:51
  • Hi, I removed the outdated warning to prevent misunderstanding; it was linked to an old correct answer. I am happy that your security got increased ;) – Froggiz Sep 10 '16 at 14:24
  • In sites-available/000-default.conf I added to the virtual host 'SSLProtocol -all +TLSv1.2' and got: AH00526: Syntax error on line 31 of /etc/apache2/sites-enabled/000-default.conf: Invalid command 'SSLProtocol', perhaps misspelled or defined by a module not included in the server configuration Action 'configtest' failed. – Elia Weiss Oct 13 '16 at 12:57
  • Did you enable mod_ssl? (command: a2enmod ssl) – Froggiz Oct 13 '16 at 13:37
  • "SSLProtocol: Illegal protocol 'TLSv1.2'" (OS X 10.10.5) – Michael Feb 12 '17 at 23:44
  • Also, the ssllabs test says "Ports other than 443 not supported"... really? – Michael Feb 12 '17 at 23:48
  • 1
    Make sure you do the update in ALL the conf files! It will activate if just one has it. Best to grep it: grep -r SSLProtocol conf – eyal_katz Oct 02 '18 at 20:26
  • Is @eyal_katz correct? Is it not possible for virtual hosts to have separately configured TLS levels? – ashnazg Apr 07 '20 at 14:55
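The answer above sets SSLProtocol in one virtual host, and the comment thread notes that the directive needs checking in every conf file. As an added example (not from the original answer or from the Apache project), the POSIX shell script below evaluates an SSLProtocol value the way mod_ssl reads it (`all`, `-all`, `+NAME`, `-NAME`, bare `NAME`) and audits a configuration directory for vhosts that still allow SSLv3, TLSv1 or TLSv1.1. The sample vhost files it creates are constructed for the demonstration; the expansion of `all` to SSLv3 through TLSv1.3 is an assumption matching mod_ssl 2.4 (which never enables SSLv2).

```shell
#!/bin/sh
# Added example: audit Apache SSLProtocol directives for deprecated versions.
# Not part of the original answer; filenames with spaces are not handled.

# Assumption: what "all" expands to in mod_ssl 2.4 (SSLv2 is never included).
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_protocols "<directive value>" -> prints the versions left enabled
effective_protocols() {
    enabled=""
    for token in $1; do
        case "$token" in
            all|+all) enabled="$ALL_PROTOCOLS" ;;
            -all)     enabled="" ;;
            -*)       name=${token#-}          # -NAME: drop that version
                      enabled=$(for p in $enabled; do
                                    if [ "$p" != "$name" ]; then printf '%s ' "$p"; fi
                                done) ;;
            *)        name=${token#+}          # +NAME or bare NAME: add it once
                      case " $enabled " in
                          *" $name "*) ;;
                          *) enabled="$enabled $name" ;;
                      esac ;;
        esac
    done
    echo $enabled                              # unquoted on purpose: collapses spaces
}

# is_weak "<directive value>" -> exit 0 if SSLv2/SSLv3/TLSv1/TLSv1.1 remain enabled
is_weak() {
    for p in $(effective_protocols "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) return 0 ;;
        esac
    done
    return 1
}

# audit_dir <dir>: report every uncommented SSLProtocol line under <dir>;
# returns 1 if any of them still allows a deprecated version.
audit_dir() {
    rc=0
    tmp=$(mktemp)
    for f in $(grep -rli '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null); do
        # keep only the directive's argument list (strip leading "SSLProtocol")
        grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$f" \
            | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' > "$tmp"
        while IFS= read -r value; do
            if is_weak "$value"; then
                echo "WEAK   $f: $(effective_protocols "$value")"
                rc=1
            else
                echo "OK     $f: $(effective_protocols "$value")"
            fi
        done < "$tmp"
    done
    rm -f "$tmp"
    return $rc
}

# demo: two constructed vhost files, one legacy and one hardened
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    cat > "$d/sites-enabled/legacy.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # SSLProtocol all        (commented out: must be ignored by the audit)
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
    cat > "$d/sites-enabled/modern.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
EOF
    audit_dir "$d" || echo "at least one vhost still allows a deprecated protocol"
    rm -rf "$d"
}
demo
```

Point `audit_dir` at `/etc/apache2` (or your httpd conf directory) to cover every vhost file at once; a file with no SSLProtocol line inherits the server-wide default, so also check the main configuration.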
11

Compile apache with the latest version of OpenSSL to enable TLSv1.1 and TLSv1.2

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

SSLProtocol +TLSv1.1 +TLSv1.2
Bob Fanger
  • 351
  • 3
  • 9
10

According to the OpenSSL changelog, support for TLS 1.2 was added to the development branch of OpenSSL 1.0.1, but this version is not yet released. Probably some changes will also be needed in the mod_ssl code to actually enable TLS 1.2 for Apache.

Another commonly used SSL/TLS library is NSS; it is used by a less well known Apache module mod_nss; unfortunately, current NSS releases also do not support TLS 1.2.

Yet another SSL/TLS library is GnuTLS, and it pretends to support TLS 1.2 already in its current release. There is an Apache module using GnuTLS: mod_gnutls, which also claims to support TLS 1.2. However, this module seems to be rather new, and might not be very stable; I never tried to use it.

Sergey Vlasov
  • 6,088
  • 1
  • 19
  • 30
  • 1
    @ Sergey, thanks for the links and the information. I am still saddened that we are not able to utilize these standards considering their age. It seems odd to me that we need to be defenders of our systems and our networks yet we cannot utilize the tools that would help improve our security postures. Also, it seems like the web browser folks have a ways to go to help enable support for these standards in addition to the server folks like Apache and possibly IIS. – John Sep 23 '11 at 19:47
  • 2
    Is this answer still accurate, a year later? – Ben Walther Oct 09 '12 at 15:44
  • 2
    @BenWalther OpenSSL 1.0.1 was released in March 2012 with TLS 1.2 support. The latest version as of now is 1.0.1c. I'm not sure how much of the rest of the post is still valid. – Burhan Ali Jan 08 '13 at 10:09
6

You cannot; OpenSSL does not offer a release for TLS 1.1 yet.

One pertinent comment on /. for this issue:

Will you kindly explain to the unwashed masses how you would implement TLS 1.1 and 1.2 support in a world where the dominant library OpenSSL does not yet support either of the protocols in its stable releases? Sure, you can use GnuTLS and mod_gnutls, and I have tried it, but there was no point, as no browser apart from Opera supported it and there were some weird glitches in the module. IE 8/9 were supposed to support them under Vista and 7, but failed to access the site served by mod_gnutls when 1.1 and 1.2 were enabled on the client side. I tried it anew yesterday just out of curiosity, and now even Opera 11.51 chokes on TLS 1.1 and 1.2. So there. Nothing really supports the protocols. Must wait for OpenSSL 1.0.1 for TLS 1.1 and nobody knows when that will hit the repos.

http://it.slashdot.org/comments.pl?sid=2439924&cid=37477890

Steve-o
  • 829
  • 6
  • 12
  • 1
    @ Steve-o, thanks for the information. This is kind of disappointing that TLS 1.1 has been out since April 2006 and TLS 1.2 has been out since August 2008 with updates in March 2011 and we still do not have the ability to utilize them. – John Sep 23 '11 at 19:45
4

Adam Langley, a Google Chrome engineer, points out that TLS 1.1 would not have solved this problem due to an implementation issue with SSLv3 that everyone has to work around: browsers have to downgrade to SSLv3 to support buggy servers, and an attacker can initiate this downgrade.

http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

cjc
  • 24,533
  • 2
  • 49
  • 69
3

Gnu_tls works like a charm and it also implements SNI (Server Name Identification), which is very useful in virtual hosting....

It is also no problem to find binary packages for mod_gnutls in Linux distros; I have used it for 2 years with no problems, and it is also more performant than OpenSSL IMHO.

But the problem is also that most browsers don't support TLS 1.1 or 1.2, so please start spreading the idea of upgrading browsers regularly to people.

rastrano
  • 61
  • 2
  • @ Rastrano - do you have any suggestions or links on how to implement this? Thanks for the info and it is too bad that "modern" browsers do not support it yet. – John Sep 29 '11 at 20:16