On Thu, December 18, 2014 00:31, Jake Shipton wrote:
Hi Alex,
In this situation 2.2.29 actually does offer an advantage over CentOS version 2.2.15.
The version provided by CentOS does not support Forward Secrecy for SSL or TLS 1.2.
Version 2.2.24+ of upstream Apache includes patches which enable both Forward Secrecy and TLS 1.2.
Now that C6's OpenSSL can also support both TLS 1.2 and Forward Secrecy, upgrading Apache slightly to be able to use both of those is a very viable option.
Although, in my case I cheat: I compile my own 2.2.29 RPM and then apply any missing patches and new security patches from RHEL sources myself to get the best of both worlds.
CentOS-6.6 <---
rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: CentOS
Release     : 39.el6.centos                 Build Date: Thu 16 Oct 2014 10:49:26 EDT
Install Date: Tue 21 Oct 2014 03:14:55 EDT      Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: httpd-2.2.15-39.el6.centos.src.rpm
Size        : 3085394                          License: ASL 2.0
Signature   : RSA/SHA1, Fri 17 Oct 2014 04:02:19 EDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem http://bugs.centos.org
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible web server.
--->
This server supports both TLS-1.2 and PFS. The httpd configuration file for the server host above includes this line:
SSLProtocol -all +TLSv1.1 +TLSv1.2 +TLSv1
And this produces no errors.
I am writing this message over an https link to the aforementioned server running Squirrelmail. The Calomel Firefox plugin reports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that PFS is enabled on this link.
I also have configured security.tls.version.min to 3 in Firefox's about:config to check, and the link is not affected. This indicates that TLS 1.2 is in fact supported.
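A server-side way to confirm the same two properties (TLS 1.2 negotiated, ephemeral key exchange in use) without relying on a browser plugin is to force a TLS 1.2 handshake with `openssl s_client` and read the `Protocol` and `Cipher` lines of its session dump. The script below is an added example, not something posted in this thread; it assumes a host name of your own (`mail.example.com:443` is a placeholder) and the OpenSSL 1.0.1 `s_client` that ships with CentOS 6, which understands `-tls1_2`. OpenSSL's name `ECDHE-RSA-AES128-GCM-SHA256` is the suite the Calomel plugin reports as `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`; the sample output embedded in the script is constructed, trimmed to the lines the check actually reads.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `openssl s_client` output
# whether a session is TLS 1.2 with a forward-secret (ECDHE/DHE) key exchange.
#
# Usage:  sh check_pfs.sh mail.example.com:443   # live check (placeholder host)
#         sh check_pfs.sh                        # run against the built-in sample

# Read an s_client session dump from stdin, print a one-line verdict, and
# return 0 only when the protocol is TLSv1.2 AND the cipher is ephemeral (EC)DH.
check_pfs() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)

    # OpenSSL suite names starting ECDHE-, DHE- (or the older EDH- alias) use
    # ephemeral Diffie-Hellman and therefore give forward secrecy; nothing else
    # does. A failed handshake shows up as "Cipher : 0000" and is rejected too.
    case "$cipher" in
        ECDHE-*|DHE-*|EDH-*) pfs=yes ;;
        *)                   pfs=no  ;;
    esac

    printf 'protocol=%s cipher=%s pfs=%s\n' \
        "${proto:-unknown}" "${cipher:-none}" "$pfs"
    [ "$proto" = "TLSv1.2" ] && [ "$pfs" = "yes" ]
}

# Live check: force TLS 1.2 (-tls1_2) so a server that only offers TLS 1.0
# fails the handshake instead of quietly negotiating something older.
check_host() {
    host=${1%%:*}
    openssl s_client -connect "$1" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | check_pfs
}

# Constructed sample: the relevant lines of an s_client dump from a server
# that negotiated ECDHE-RSA-AES128-GCM-SHA256 over TLS 1.2.
SAMPLE_GOOD='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

if [ $# -gt 0 ]; then
    check_host "$1"
else
    printf '%s\n' "$SAMPLE_GOOD" | check_pfs
fi
```

Run it against each virtual host after changing `SSLProtocol` or `SSLCipherSuite`; a non-zero exit means either TLS 1.2 was refused or the server picked a non-ephemeral suite (for example plain `AES128-SHA`), which is exactly the case where a browser would still show a padlock but no forward secrecy.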