Hi,
Is there any nice way to get TLSv1.2 support on CentOS 5?
Upgrading the OS to 6 is not an available option.
-- Eero
On 16.04.2015 at 11:43, Eero Volotinen eero.volotinen@iki.fi wrote:
Is there any nice way to get TLSv1.2 support on CentOS 5? Upgrading the OS to 6 is not an available option.
Unfortunately not.
-- LF
How about using gnutls?
On 16.4.2015 at 12.46 PM, "Leon Fauster" leonfauster@googlemail.com wrote:
On 16.04.2015 at 11:43, Eero Volotinen eero.volotinen@iki.fi wrote:
Is there any nice way to get TLSv1.2 support on CentOS 5? Upgrading the OS to 6 is not an available option.
Unfortunately not.
-- LF
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 04/16/2015 04:49 AM, Eero Volotinen wrote:
How about using gnutls?
Not in the version included with EL5 as I recall.
You might want to give some serious thought to an upgrade plan. EL5 goes EOL in 2017, so you've got a little over a year. Additionally, EL5 is already missing security updates because they weren't deemed important enough -> http://lists.centos.org/pipermail/centos/2014-November/148008.html
On 16.04.2015 at 11:46, Leon Fauster leonfauster@googlemail.com wrote:
On 16.04.2015 at 11:43, Eero Volotinen eero.volotinen@iki.fi wrote:
Is there any nice way to get TLSv1.2 support on CentOS 5? Upgrading the OS to 6 is not an available option.
Unfortunately not.
https://bugzilla.redhat.com/show_bug.cgi?id=1066914
-- LF
Well, this hack solution might work: http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for...
-- Eero
2015-04-16 17:30 GMT+03:00 Leon Fauster leonfauster@googlemail.com:
On 16.04.2015 at 11:46, Leon Fauster leonfauster@googlemail.com wrote:
On 16.04.2015 at 11:43, Eero Volotinen eero.volotinen@iki.fi wrote:
Is there any nice way to get TLSv1.2 support on CentOS 5? Upgrading the OS to 6 is not an available option.
Unfortunately not.
https://bugzilla.redhat.com/show_bug.cgi?id=1066914
-- LF
In fact, mod_gnutls provides an easy way to get TLSv1.2 on RHEL 5.
-- Eero
2015-04-16 21:02 GMT+03:00 Eero Volotinen eero.volotinen@iki.fi:
Well, this hack solution might work: http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for...
-- Eero
On 04/16/2015 05:00 PM, Eero Volotinen wrote:
In fact, mod_gnutls provides an easy way to get TLSv1.2 on RHEL 5.
-- Eero
If you do that, then you are at the mercy of Mr. Bergmann to provide updates for all security issues for openssl. Has he updated his RPMs since 2014-11-19 23:57:58? Does his patch work on the latest RHEL/CentOS EL5 openssl-0.9.8 package?
The answer right now for him providing newer packages is, I have no idea. His repo (http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos...) does not seem to be available:
====================================================================
Attempted reposync:
Error setting up repositories: failure: repodata/repomd.xml from tuxad: [Errno 256] No more mirrors to try.
http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
====================================================================
Red Hat chose not to turn on those ciphers in RHEL-5 (the ones in his patches) .. doing so is not at all certified as safe, nor has it been tested by anyone that I can see (other than in that blog entry). It might be fine .. it might not be.
People can make any choice that they want, but I would be looking to upgrade to at least CentOS-6 at this point if I wanted newer TLS support and not depending on one person to provide packages (or patches) of this importance for all my EL5 machines. But, that is just me.
Please note, I have no idea who Mr. Bergmann is and I am not in any way being negative about those packages and patches .. they are extremely nice and seem to work. However, I can not see the rest of his repo right now and I would not trust MY production machines to a one person operation with something as important as openssl.
Thanks, Johnny Hughes
2015-04-16 21:02 GMT+03:00 Eero Volotinen eero.volotinen@iki.fi:
Well, this hack solution might work: http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for...
-- Eero
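Johnny's question ("does his patch work on the latest EL5 openssl-0.9.8?") comes down to whether a given OpenSSL build, or a given server, actually offers TLS 1.2. The script below is an added example, not code from the thread or from any of the packages it mentions: it parses `openssl ciphers -v` output (EL5's 0.9.8 never lists TLSv1.2 in the protocol column) and probes a server with `s_client`. It assumes an `openssl` binary on PATH for the live checks; the sample cipher listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): does this OpenSSL build, or this
# server, offer TLS 1.2? Assumes 'openssl' on PATH for the live checks;
# the parser itself only needs awk.

# Count suites whose protocol column in `openssl ciphers -v` output (stdin)
# is TLSv1.2. openssl-0.9.8 only prints SSLv3/TLSv1 there, so it yields 0.
count_tls12_suites() {
    awk '$2 == "TLSv1.2" { n++ } END { print n + 0 }'
}

# Constructed sample of `openssl ciphers -v` output (not from a real host):
# one TLS 1.2-only suite and two legacy suites.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

sample_tls12_count() {
    printf '%s\n' "$SAMPLE_CIPHERS" | count_tls12_suites
}

# Print "yes" if the openssl binary on PATH has any TLS 1.2 suite, else "no".
local_tls12_support() {
    n=$(openssl ciphers -v 'ALL' 2>/dev/null | count_tls12_suites)
    [ "${n:-0}" -gt 0 ] && echo yes || echo no
}

# Exit 0 if a TLS 1.2 handshake with host[:port] completes, 1 otherwise.
# A failed handshake either prints no session block at all or one with
# "Cipher : 0000", so both conditions are checked.
remote_tls12_support() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -tls1_2 2>/dev/null)
    echo "$out" | grep -q 'Protocol *: TLSv1\.2' &&
        ! echo "$out" | grep -q 'Cipher *: 0000'
}

# Usage: remote_tls12_support www.example.com && echo "TLS 1.2 handshake OK"
```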
Yep, maybe using SSL offloading devices (like BigIP) that receive TLS 1.2 and TLSv1.2 and then re-encrypt the traffic with TLS 1.0 might be the "cheapest" solution.
-- Eero
2015-04-17 14:15 GMT+03:00 Johnny Hughes johnny@centos.org:
On 04/16/2015 05:00 PM, Eero Volotinen wrote:
In fact, mod_gnutls provides an easy way to get TLSv1.2 on RHEL 5.
-- Eero
If you do that, then you are at the mercy of Mr. Bergmann to provide updates for all security issues for openssl. Has he updated his RPMs since 2014-11-19 23:57:58? Does his patch work on the latest RHEL/CentOS EL5 openssl-0.9.8 package?
The answer right now for him providing newer packages is, I have no idea. His repo (http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos...) does not seem to be available:
====================================================================
Attempted reposync:
Error setting up repositories: failure: repodata/repomd.xml from tuxad: [Errno 256] No more mirrors to try.
http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
====================================================================
Red Hat chose not to turn on those ciphers in RHEL-5 (the ones in his patches) .. doing so is not at all certified as safe, nor has it been tested by anyone that I can see (other than in that blog entry). It might be fine .. it might not be.
People can make any choice that they want, but I would be looking to upgrade to at least CentOS-6 at this point if I wanted newer TLS support and not depending on one person to provide packages (or patches) of this importance for all my EL5 machines. But, that is just me.
Please note, I have no idea who Mr. Bergmann is and I am not in any way being negative about those packages and patches .. they are extremely nice and seem to work. However, I can not see the rest of his repo right now and I would not trust MY production machines to a one person operation with something as important as openssl.
Thanks, Johnny Hughes
The cheapest solution is probably compiling a private openssl somewhere on the system and then compiling apache using that private openssl version instead of the default system-wide one.
Regards, Dennis
On 17.04.2015 13:20, Eero Volotinen wrote:
Yep, maybe using SSL offloading devices (like BigIP) that receive TLS 1.2 and TLSv1.2 and then re-encrypt the traffic with TLS 1.0 might be the "cheapest" solution.
-- Eero
2015-04-17 14:26 GMT+03:00 Dennis Jacobfeuerborn dennisml@conversis.de:
The cheapest solution is probably compiling a private openssl somewhere on the system and then compiling apache using that private openssl version instead of the default system-wide one.
Well, not really. The cheapest working solution is to use Apache on CentOS 6/7 with SSLProxyEngine to first decrypt the traffic and then re-encrypt it using TLSv1.0.
-- Eero
On 04/17/2015 11:20 PM, Eero Volotinen wrote:
Yep, maybe using SSL offloading devices (like BigIP) that receive TLS 1.2 and TLSv1.2 and then re-encrypt the traffic with TLS 1.0 might be the "cheapest" solution.
Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only attack against 1.0 that I'm aware of is BEAST and that has been largely mitigated by browser-side fixes to the point where TLS 1.0 is now considered to be safe. No doubt there will in time be other attacks that necessitate an upgrade, but for now I would just stick with the version of openssl and apache that comes with CentOS 5 and focus on moving to CentOS 6 or 7 as a medium (not long) term goal. At the end of the day I think it's better to just go this route than have to deal with the hacky solutions for getting 1.1 and 1.2 out of CentOS 5.
Peter
2015-04-17 14:40 GMT+03:00 Peter peter@pajamian.dhs.org:
On 04/17/2015 11:20 PM, Eero Volotinen wrote:
Yep, maybe using SSL offloading devices (like BigIP) that receive TLS 1.2 and TLSv1.2 and then re-encrypt the traffic with TLS 1.0 might be the "cheapest" solution.
Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only attack against 1.0 that I'm aware of is BEAST and that has been largely mitigated by browser-side fixes to the point where TLS 1.0 is now considered to be safe. No doubt there will in time be other attacks that necessitate an upgrade, but for now I would just stick with the
Well, the PCI DSS 3.1 standard will soon deny the use of SSLv3 and early versions of TLS (v1.0).
Also noted that it is possible to do SSL termination and re-encryption with mod_ssl's SSLProxyEngine.
-- Eero
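The front-end Eero describes in his last two replies (a CentOS 6/7 Apache terminating TLS 1.2 and re-encrypting toward the EL5 box with TLS 1.0) is written out below as an added example; it is not configuration from the thread or from any CentOS package. The shell function renders the mod_ssl vhost, and the check function enforces the two properties that matter: no SSLv3/TLS 1.0 on the client-facing side, and an authenticated re-encrypted (not plaintext) hop to the back end. Certificate paths, the public name and the back-end hostname are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render and sanity-check the Apache
# vhost for a TLS 1.2 front end in front of a TLS 1.0-only EL5 host.
# Cert/key paths and hostnames are assumed placeholders.

# Print the vhost for public name $1 proxying to EL5 back end $2.
render_frontend_conf() {
    public_name=$1; backend=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $public_name
    SSLEngine on
    # Client-facing side: modern protocols only, no SSLv3 or TLS 1.0.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!MD5:!RC4
    SSLCertificateFile    /etc/pki/tls/certs/$public_name.crt
    SSLCertificateKeyFile /etc/pki/tls/private/$public_name.key

    # Back-end hop: re-encrypt to the EL5 host, which tops out at TLS 1.0.
    # This leg stays the weak one, so verify the peer and keep it on a
    # trusted network segment rather than across the open internet.
    SSLProxyEngine on
    SSLProxyProtocol TLSv1
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerCN on
    ProxyPreserveHost on
    ProxyPass        / https://$backend/
    ProxyPassReverse / https://$backend/
</VirtualHost>
EOF
}

# Exit 0 if the rendered vhost disables TLS 1.0 toward clients and uses a
# verified, re-encrypted back-end connection; exit 1 otherwise.
check_frontend_conf() {
    conf=$(render_frontend_conf "$1" "$2")
    echo "$conf" | grep -q 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1$' || return 1
    echo "$conf" | grep -q '^ *SSLProxyEngine on$' || return 1
    echo "$conf" | grep -q '^ *SSLProxyVerify require$' || return 1
    echo "$conf" | grep -Eq '^ *ProxyPass +/ https://' || return 1
}

# Usage: render_frontend_conf www.example.com legacy.internal > /etc/httpd/conf.d/tls12-frontend.conf
```

After installing the file, `apachectl configtest` and a `s_client -tls1_2` probe against the front end confirm the client side, while a `-tls1` probe from the front end to the EL5 host confirms the back-end hop.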