OpenSSL and TLS 1.1 and TLS 1.2 - should I update?


Yes, you should update.
Specifically, you should update to Debian 7 (Wheezy) like Zoredache told you to.
There are LOTS of dependencies underlying Apache, and a full OS upgrade IS the "easiest way" to do this upgrade. It also gets you a lot of other security and functionality enhancements that have been made since Debian 6.


If you don't want to upgrade to Debian 7, you should probably stick with the old OpenSSL and Apache (bearing in mind all of the implications of doing so). Any upgrade done on Debian 6 would have to be done "the hard way".


If you insist on doing this the hard way you will need to download Apache, OpenSSL, and any other ancillary components (PHP, Passenger, mod_perl, etc.) that you use in your web server, and basically build a local OpenSSL, compile a custom Apache building against that SSL library, and then add all the ancillary components to your custom Apache environment.

You will of course then be responsible for tracking security updates to all of those components on your own, and rebuilding/reinstalling them as necessary.
It also leaves your core system running a different OpenSSL than your web server (which may or may not be a huge problem for you -- but it is something you need to be aware of when you're troubleshooting in the future).

This is all certainly doable, but a step-by-step guide is out of scope for Server Fault (and frankly if you need such a guide you've no business doing this to begin with -- it's moderately advanced system administration like back in the bad-old-days before package management and if you're not up to that level of skill you need to play in a sandbox environment before attempting this in production).
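Two checks a practitioner would want before and after either route are: does the installed OpenSSL even support TLS 1.1/1.2 (it first appeared in OpenSSL 1.0.1, so Debian 6's 0.9.8 cannot), and which libssl the Apache mod_ssl actually loads, which is how the "core system runs a different OpenSSL than the web server" situation from the answer shows up on a box. The script below is an added example, not the answerer's code or anything from Debian; the mod_ssl module path is an assumption for a stock Debian Apache layout and must be adjusted for a locally built Apache.

```shell
#!/bin/sh
# Added example: decide from an "openssl version" banner whether the library can
# negotiate TLS 1.1/1.2, and show which libssl Apache's mod_ssl is linked against.

# Extract "major.minor.fix" from a banner such as "OpenSSL 0.9.8o 01 Jun 2010".
# Prints nothing for banners that are not OpenSSL (e.g. LibreSSL).
openssl_numeric_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1; every earlier release, including
# the 0.9.8 branch on Debian 6, stops at TLS 1.0.
# Returns 0 if supported, 1 if not, 2 if the banner could not be parsed.
supports_tls12() {
    ver=$(openssl_numeric_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$fix" -ge 1 ]; then return 0; fi
    return 1
}

# Print the libssl path mod_ssl resolves to. A locally built OpenSSL (the "hard
# way" from the answer) typically shows up under /usr/local/ssl/lib, while the
# distribution copy lives under /usr/lib; the two must be tracked separately for
# security updates. Module path is an assumption; pass your own as $1.
modssl_libssl() {
    mod=${1:-/usr/lib/apache2/modules/mod_ssl.so}
    [ -f "$mod" ] || { echo "mod_ssl not found at $mod" >&2; return 1; }
    ldd "$mod" | awk '/libssl/ { print $3 }'
}

# When run on a live host: report the system library and whether it can do TLS 1.2.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if supports_tls12 "$banner"; then
        echo "$banner: TLS 1.1/1.2 available"
    else
        echo "$banner: TLS 1.0 at most; Debian 7 (wheezy) ships OpenSSL 1.0.1"
    fi
    modssl_libssl 2>/dev/null || true
fi
```

Run it on the Debian 6 host and again after the upgrade; if `modssl_libssl` prints a path different from the one the system `openssl` binary uses (`ldd "$(command -v openssl)"`), you are in the split-library situation the answer warns about and need to patch both copies.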

Author: user2693017

Updated on September 18, 2022

Comments

  • user2693017
    user2693017 almost 2 years

    Debian 6's OpenSSL from apt-get is still on 0.9.8 (2010) and doesn't support TLS 1.1 and TLS 1.2. Is there anything why I should not update to the latest stable 1.0.1e? Or, which build would you recommend with TLS 1.1/2 support.

    • Zoredache
      Zoredache almost 11 years
      You might as well update to wheezy (Debian 7). Updating just Apache won't really be possible. OpenSSL is compiled into many packages, which means you can't update it without rebuilding/upgrading all those packages.
    • user2693017
      user2693017 almost 11 years
      mhh, what would be the easiest way without updating to Debian 7?
    • Michael Hampton
      Michael Hampton almost 11 years
      Getting rid of whoever is preventing you from updating.
  • user2693017
    user2693017 almost 11 years
    ok, so I have to update to Debian 7. Is an update possible or do I have to reinstall it? The point about this is that I don't want to import the big forum MySQL. This took hours the last time and I did it directly via shell.
  • voretaq7
    voretaq7 almost 11 years
    I believe there is a Debian 6->7 upgrade process that does not require a full reinstall. That's something you'd have to check the Debian documentation about though.
  • Zoredache
    Zoredache almost 11 years
    You shouldn't need to re-install with Debian, provided you stick with official repositories, and have done all your management the Debian way. I have systems that started off their life running etch, but have been upgraded through lenny, squeeze to wheezy. Just take the time to read the install/upgrade guide and follow the directions.