[CentOS] CentOS 6 - httpd 2.2.29

Thu Dec 18 14:17:13 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Thu, December 18, 2014 00:31, Jake Shipton wrote:
>
> Hi Alex,
>
> In this situation 2.2.29 actually does offer an advantage over CentOS
> version 2.2.15.
>
> The version provided by CentOS does not support Forward Secrecy for SSL
> or TLS 1.2.
>
> Version 2.2.24+ of upstream Apache includes patches which enable both
> Forward Secrecy and TLS 1.2.
>
> Now that C6's OpenSSL can also support both TLS 1.2 and Forward
> Secrecy, upgrading Apache slightly to be able to use both of those is a
> very viable option.
>
> Although, in my case, I cheat: I compile my own 2.2.29 RPM and then apply
> any missing patches and new security patches from RHEL sources myself to
> get the best of both worlds.
>

CentOS-6.6
<---
rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: CentOS
Release     : 39.el6.centos                 Build Date: Thu 16 Oct 2014 10:49:26  EDT
Install Date: Tue 21 Oct 2014 03:14:55  EDT      Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: httpd-2.2.15-39.el6.centos.src.rpm
Size        : 3085394                          License: ASL 2.0
Signature   : RSA/SHA1, Fri 17 Oct 2014 04:02:19  EDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--->

This server supports both TLS-1.2 and PFS.  The httpd configuration file for
the server host above includes this line:

SSLProtocol -all  +TLSv1.1  +TLSv1.2  +TLSv1

And this produces no errors.

I am writing this message over an https link to the aforementioned server
running Squirrelmail.  The Calomel Firefox plugin reports
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that PFS
is enabled on this link.

I also have configured security.tls.version.min to 3 in Firefox's about:config
to check, and the link is not affected. This indicates that TLS 1.2 is in fact
supported.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
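A command-line form of the check described in the message above, as an added example that is not from this thread: it connects to a host while forcing TLS 1.2 only and classifies the negotiated cipher suite for forward secrecy, in both the IANA naming the Calomel plugin reports (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and the OpenSSL naming Python's ssl module reports (ECDHE-RSA-AES128-GCM-SHA256). It assumes Python 3.7 or newer on the probing host (not the CentOS 6 system's own Python); host and port are whatever you pass in.

```python
import socket
import ssl


def provides_forward_secrecy(cipher_name: str) -> bool:
    """True when the suite uses an ephemeral (EC)DH key exchange.

    Handles IANA names (TLS_ECDHE_RSA_WITH_...), TLS 1.3 names (TLS_AES_...,
    which always use ephemeral key exchange) and OpenSSL names (ECDHE-RSA-...).
    Static ECDH/RSA key exchange (TLS_RSA_WITH_..., AES128-SHA) is not PFS.
    """
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return True  # TLS 1.3 suite: key exchange is always ephemeral
        kex = name[4:].split("_WITH_", 1)[0]  # e.g. "ECDHE_RSA" or "RSA"
        return kex.startswith(("ECDHE", "DHE"))
    # OpenSSL naming: the key-exchange token leads, "-" separated
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def probe_tls12(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with TLS 1.2 pinned as both minimum and maximum version.

    Returns {"tls12": bool, "cipher": name or None, "pfs": bool}.
    A failed handshake means the server does not offer TLS 1.2 at all,
    which is what an unpatched httpd 2.2.15 build would show.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher, version, _bits = tls.cipher()
                return {
                    "tls12": version == "TLSv1.2",
                    "cipher": cipher,
                    "pfs": provides_forward_secrecy(cipher),
                }
    except (ssl.SSLError, OSError):
        return {"tls12": False, "cipher": None, "pfs": False}


if __name__ == "__main__":
    import sys
    print(probe_tls12(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```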