I am trying to figure out how to enable TLS 1.2, but finding out exactly what is required is not easy. Looking at this question shows a required config but it is marked out of date, and the second answer implies the only other requirement was an OpenSSL of at least version 1.0.1, which at the time of the answer's posting (almost 4.5 years ago) was not yet released according to the answer. Other results mention the need for a specific Apache version as well, but while most agree on a specific version or so, some others point to significantly older versions, or only to the newer versions.

Now, years later in early 2016, TLS 1.2 is becoming a requirement if one wishes to use some web services, but the only information on the requirements for updating is years old and scattered at best, with the top Google results including things like that question, which are marked as out of date. So, what are the actual requirements for enabling TLS 1.2 on an Apache server? What versions of what are required, and is that config the only other requirement?

Ryan
  • You really should use the latest stable version of Apache because older versions contain known bugs (some of which are vulnerabilities). Thus it doesn't really make much sense to try to figure out whether, say, 2.4.3 would be sufficient. – András Korn Jan 22 '16 at 20:32
  • While people should use the most recent versions, some will not or cannot do so. Besides that, TLS 1.2 can be used with certain 2.2 versions according to everyone, but there is little agreement on which version that is, with people claiming to have it earlier than others say is possible. Thus, the question does not ask if the current version can, but what is the reasonable line where any version before cannot, while versions after can. There is no up-to-date information, it seems, which is why I asked. – Ryan Jan 22 '16 at 20:54
  • I realize it's not always *easy* to use the latest versions, but especially with stuff like OpenSSL, not using the latest and greatest is inviting disaster. I would go as far as recommending that you put a reverse proxy running the latest version of everything in front of your old server. – András Korn Jan 22 '16 at 20:56
  • Maybe one day I will ask a question about such things, but this question is not that. This question is about the requirements for TLS 1.2 and is meant to be a baseline. The most recent version is not an acceptable answer. I thank you for your recommendation, just do not turn it into an answer. Security of Apache is not related to the ability to use TLS 1.2. The goal of this question is more than solving the problem for one person, but to be informative to many. – Ryan Jan 22 '16 at 21:18

1 Answer

OpenSSL 1.0.1 is required. Depending on whether your Apache is statically compiled against OpenSSL or not, it may require a recompile. So there is no specific version of Apache that is needed, though I'd imagine 2.2 is a minimum since nothing before that is supported.

I would concur with András that if you are going to the hassle of installing a later version of OpenSSL, and especially if you have to recompile Apache, then you might as well upgrade both Apache and OpenSSL to the latest stable versions (though it should be noted that there are significant changes between Apache 2.2 and 2.4 that make an upgrade not as trivial as just installing the new software, but you are likely to have to go through that upgrade at some point anyway). TLS 1.2 is a requirement for other services because of security issues, not just because they like making your life hard, so to say TLS 1.2 has nothing to do with security is just wrong. But that's just my opinion.

Barry Pollard
  • If you don't like my answer feel free to downvote it. I think you fail to understand that Stack Exchange is a user community and those who give up our free time to help people, are free to answer however we damn well see fit - including adding advice that we feel helps put an answer into context or might further help yourself or future readers. If my answer is not helpful, the community (including, but not limited to, yourself) can judge it so and if there is a better answer it will rise above this one. That's how it works and you cannot demand answers to suit your taste! – Barry Pollard Jan 25 '16 at 18:51
  • Additionally, you have given no limits to your upgrades in your question, so "use the current versions" IS valid until you provide those limits. If you are potentially going to the hassle of downloading a version and compiling from source, and stepping outside of a package-manager-controlled version (e.g. because you are on a version of an OS which does not include a packaged later version), then you run the risk of not including security fixes that have potentially been backported to the lower-numbered official packaged version, and so you SHOULD choose the latest version for that reason alone! – Barry Pollard Jan 25 '16 at 18:55
  • Ah I see my mistake was not making the "if going to the hassle of installing a later version" part of my answer in big enough font so you would not miss that. I apologise for not appreciating your short sightedness. I'm done with this question. – Barry Pollard Jan 25 '16 at 19:38
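The two checks implied by the answer above, the OpenSSL 1.0.1 minimum and a mod_ssl SSLProtocol directive that actually permits TLSv1.2, as an added example script that is not from the question or the answer. The version banners and config fragments are constructed samples so it runs offline; the comments name the live commands (openssl version, openssl s_client -tls1_2) you would use on a real host.

```sh
#!/bin/sh
# Added example: offline checks for the TLS 1.2 prerequisites discussed on this page.

# Return 0 if the banner in "$1" (the output of `openssl version`) is OpenSSL >= 1.0.1,
# the first release with TLS 1.2 support; 1 if older; 2 if the banner is not recognised.
openssl_has_tls12() {
    # Keep only "major minor patch", dropping the letter/fips suffix (1.0.1e-fips -> 1 0 1).
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    maj=$1; min=$2; pat=$3
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -gt 0 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -eq 0 ] && [ "$pat" -ge 1 ] && return 0
    return 1
}

# Return 0 if the last SSLProtocol directive in the config text "$1" allows TLSv1.2,
# 1 if it excludes it, 2 if no directive is present (the build's default then applies).
# mod_ssl keywords are case-insensitive and combine as a set: "all", "+TLSv1.2" add it,
# "-TLSv1.2" removes it, so an explicit minus wins over "all".
sslprotocol_allows_tls12() {
    line=$(printf '%s\n' "$1" | tr '\t' ' ' | tr 'A-Z' 'a-z' | grep '^ *sslprotocol' | tail -n 1)
    [ -n "$line" ] || return 2
    case " $line " in
        *" -tlsv1.2 "*) return 1 ;;
        *" +tlsv1.2 "*|*" tlsv1.2 "*|*" all "*|*" +all "*) return 0 ;;
    esac
    return 1
}

# Constructed sample inputs (not taken from any real server).
SAMPLE_OPENSSL_OLD="OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
SAMPLE_OPENSSL_NEW="OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CONF_OK='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3'
SAMPLE_CONF_BAD='SSLEngine on
SSLProtocol -all +TLSv1'

# Stand-alone demonstration; on a live host feed in `openssl version` and your ssl.conf,
# then confirm end to end with: openssl s_client -connect host:443 -tls1_2 </dev/null
for v in "$SAMPLE_OPENSSL_OLD" "$SAMPLE_OPENSSL_NEW"; do
    if openssl_has_tls12 "$v"; then echo "TLS 1.2 capable: $v"; else echo "too old: $v"; fi
done
sslprotocol_allows_tls12 "$SAMPLE_CONF_OK"  && echo "SAMPLE_CONF_OK allows TLSv1.2"
sslprotocol_allows_tls12 "$SAMPLE_CONF_BAD" || echo "SAMPLE_CONF_BAD excludes TLSv1.2"
```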