How to enable TLS 1.1 and 1.2 with OpenSSL and Apache

apache-2.2 security openssl mod-ssl

283,578

Solution 1

TLS1.2 is now available for apache, to add TLSs1.2 you just need to add in your https virtual host configuration:

SSLProtocol -all +TLSv1.2

-all is removing other ssl protocol (SSL 1,2,3 TLS1)

+TLSv1.2 is adding TLS 1.2

for more browser compatibility you can use

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

by the way you can increase the Cipher suite too using:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

You can test your https website security with an online scanner like: https://www.ssllabs.com/ssltest/index.html

Solution 2

Compile apache with the latest version of OpenSSL to enable TLSv1.1 and TLSv1.2

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

SSLProtocol +TLSv1.1 +TLSv1.2

Solution 3

According to the OpenSSL changelog, support for TLS 1.2 was added to the development branch of OpenSSL 1.0.1, but this version is not yet released. Probably some changes will also be needed in the mod_ssl code to actually enable TLS 1.2 for Apache.

Another commonly used SSL/TLS library is NSS; it is used by a less well known Apache module mod_nss; unfortunately, current NSS releases also do not support TLS 1.2.

Yet another SSL/TLS library is GnuTLS, and it pretends to support TLS 1.2 already in its current release. There is an Apache module using GnuTLS: mod_gnutls, which also claims to support TLS 1.2. However, this module seems to be rather new, and might be not very stable; I never tried to use it.

Solution 4

You cannot, OpenSSL does not offer a release for TLS 1.1 yet.

One pertinent comment on /. for this issue:

Will you kindly explain to the unwashed masses how you would implement TLS 1.1 and 1.2 support in a world where the dominant library OpenSSL does not yet support either of the protocols in its stable releases? Sure, you can use GnuTLS and mod_gnutls, and I have tried it, but there was no point, as no browser apart from Opera supported it and there were some weird glitches in the module. IE 8/9 were supposed to support them under Vista and 7, but failed to access the site served by mod_gnutls when 1.1 and 1.2 were enabled on the client side. I tried it anew yesterday just out of curiosity, and now even Opera 11.51 chokes on TLS 1.1 and 1.2. So there. Nothing really supports the protocols. Must wait for OpenSSL 1.0.1 for TLS 1.1 and nobody knows when that will hit the repos.

http://it.slashdot.org/comments.pl?sid=2439924&cid=37477890

Solution 5

Adam Langley, a Google Chrome engineer, points out that TLS 1.1 would not have solved this problem due to an implementation issue with SSLv3 that everyone has to work around: browsers have to downgrade to SSLv3 to support buggy servers, and an attacker can initiate this downgrade.

http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

View more solutions

283,578

Author by

John

Just a random person looking for ways to expand my knowledge and passion for technology.

Updated on September 18, 2022

Comments

John almost 2 years

In light of a growing number of security issues, such as the newly announced Browser Exploit Against SSL/TLS (BEAST), I was curious how we could go about enabling TLS 1.1 and 1.2 with OpenSSL and Apache to ensure that we will not be vulnerable to such threat vectors.
John almost 13 years

@ Steve-o, thanks for the information. This is kind of disappointing that TLS 1.1 has been out since April 2006 and TLS 1.2 has been out since August 2008 with updates in March 2011 and we still do not have the ability to utilize them.
John almost 13 years

@ Sergey, thanks for the links and the information. I am still saddened that we are not able to utilize these standards considering their age. It seems odd to me that we need to be defenders of our systems and our networks yet we cannot utilize the tools that would help improve our security postures. Also, it seems like the web browser folks have a ways to go to help enable support for these standards in addition to the server folks like Apache and possibly IIS.
John over 12 years

@ Rastrano - do you have any suggestions or links on how to implement this? Thanks for the info and it is too bad that "modern" browsers do not support it yet.
Ben Walther over 11 years

Is this answer still accurate, a year later?
Burhan Ali over 11 years

@BenWalther OpenSSL 1.0.1 was released in March 2012 with TLS 1.2 support. The latest version as of now is 1.0.1c. I'm not sure how much of the rest of the post is still valid.
Michael Sobczak about 8 years

I'm not sure why this post is marked as "outdated". I used the recommended solution, and my customer's site went from a "C" rating on the Qualsys SSL Labs to an "A".
Froggiz almost 8 years

Hi, i removed outdated warning to prevent missunderstanding, it was link to old correct answer. I am happy that your security got increased ;)
Elia Weiss over 7 years

In sites-available/000-default.conf I added to the virtual host 'SSLProtocol -all +TLSv1.2' and got: AH00526: Syntax error on line 31 of /etc/apache2/sites-enabled/000-default.conf: Invalid command 'SSLProtocol', perhaps misspelled or defined by a module not inc luded in the server configuration Action 'configtest' failed.
Froggiz over 7 years

Did you enabled mod_ssl ? (command : a2enmod ssl)
Michael over 7 years

"SSLProtocol: Illegal protocol 'TLSv1.2'" (OS X 10.10.5)
Michael over 7 years

Also, the ssllabs test says "Ports other than 443 not supported"... really?
ashnazg about 4 years

Is @eyal_katz correct? Is it not possible for virtual hosts to have separately configured TLS levels?