On Thu, December 18, 2014 00:31, Jake Shipton wrote:
>
> Hi Alex,
>
> In this situation 2.2.29 actually does offer an advantage over CentOS
> version 2.2.15.
>
> The version provided by CentOS does not support Forward Secrecy for SSL
> or TLS 1.2.
>
> Version 2.2.24+ of upstream Apache includes patches which enable both
> Forward Secrecy and TLS 1.2.
>
> Now that C6's OpenSSL can also support both TLS 1.2, and Forward
> Secrecy, upgrading Apache slightly to be able to use both of those is a
> very viable option.
>
> Although, in my case I cheat, I compile my own 2.2.29 RPM and then apply
> any missing patches and new security patches from RHEL sources myself to
> get the best of both worlds.
>

CentOS-6.6

<---
rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: CentOS
Release     : 39.el6.centos                 Build Date: Thu 16 Oct 2014 10:49:26 EDT
Install Date: Tue 21 Oct 2014 03:14:55 EDT  Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: httpd-2.2.15-39.el6.centos.src.rpm
Size        : 3085394                          License: ASL 2.0
Signature   : RSA/SHA1, Fri 17 Oct 2014 04:02:19 EDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--->

This server supports both TLS-1.2 and PFS.

The httpd configuration file for the server host above includes this line:

SSLProtocol -all +TLSv1.1 +TLSv1.2 +TLSv1

And this produces no errors.

I am writing this message over an https link to the aforementioned server
running Squirrelmail. The Calomel Firefox plugin reports
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that
PFS is enabled on this link.

I also have configured security.tls.version.min to 3 in Firefox's
about:config to check and the link is not affected. This indicates that
tls-1.2 is in fact supported.

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
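
The check described in the message above (the SSLProtocol line, the negotiated cipher suite, and a TLS 1.2 floor on the client side) can be reproduced in Python. This is an added example, not part of the original e-mail; the function names, the KNOWN protocol list and what "all" expands to are assumptions made for illustration.

```python
import socket
import ssl

# Assumption for this example: the protocol names the build accepts, and
# therefore what "all" expands to. Real httpd/OpenSSL builds differ.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def effective_protocols(args, known=KNOWN):
    """Evaluate SSLProtocol arguments left to right: '+' adds, '-' removes,
    a bare name replaces the set (simplified model of mod_ssl parsing)."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        chosen = {p for p in known if name in ("all", p.lower())}
        if not chosen:
            raise ValueError(f"unknown protocol in {token!r}")
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def has_forward_secrecy(suite, protocol=None):
    """True when the key exchange is ephemeral (EC)DHE. Accepts IANA names
    (TLS_ECDHE_RSA_WITH_...) and OpenSSL names (ECDHE-RSA-...)."""
    if protocol == "TLSv1.3":
        return True  # all TLS 1.3 suites use ephemeral key exchange
    name = suite.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    return name.split("_")[0] in ("ECDHE", "DHE", "EDH")


def probe(host, port=443, timeout=5.0):
    """Offer TLS 1.2 or newer only (the same floor as Firefox's
    security.tls.version.min = 3) and report what the server negotiates."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, suite = tls.version(), tls.cipher()[0]
            return version, suite, has_forward_secrecy(suite, version)
```

probe() raises an ssl.SSLError when the handshake fails, for instance when the server cannot negotiate TLS 1.2 or its certificate does not verify.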