[CentOS] CentOS 6 - httpd 2.2.29
James B. Byrne
byrnejb at harte-lyne.ca
Thu Dec 18 14:17:13 UTC 2014
On Thu, December 18, 2014 00:31, Jake Shipton wrote:
>
> Hi Alex,
>
> In this situation 2.2.29 actually does offer an advantage over CentOS
> version 2.2.15.
>
> The version provided by CentOS does not support Forward Secrecy for SSL
> or TLS 1.2.
>
> Version 2.2.24+ of upstream Apache includes patches which enable both
> Forward Secrecy and TLS 1.2.
>
> Now that C6's OpenSSL can also support both TLS 1.2, and Forward
> Secrecy, upgrading Apache slightly to be able to use both of those is a
> very viable option.
>
> Although, in my case I cheat, I compile my own 2.2.29 RPM and then apply
> any missing patches and new security patches from RHEL sources myself to
> get the best of both worlds.
>
CentOS-6.6
<---
rpm -qi httpd
Name        : httpd                          Relocations: (not relocatable)
Version     : 2.2.15                         Vendor: CentOS
Release     : 39.el6.centos                  Build Date: Thu 16 Oct 2014 10:49:26 EDT
Install Date: Tue 21 Oct 2014 03:14:55 EDT   Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons     Source RPM: httpd-2.2.15-39.el6.centos.src.rpm
Size        : 3085394                        License: ASL 2.0
Signature : RSA/SHA1, Fri 17 Oct 2014 04:02:19 EDT, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--->
This server supports both TLS-1.2 and PFS. The httpd configuration file for
the server host above includes this line:
SSLProtocol -all +TLSv1.1 +TLSv1.2 +TLSv1
And this produces no errors.
I am writing this message over an https link to the aforementioned server
running Squirrelmail. The Calomel Firefox plugin reports
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that PFS
is enabled on this link.
I also have configured security.tls.version.min to 3 in Firefox's about:config
to check and the link is not affected. This indicates that tls-1.2 is in fact
supported.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
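
Added example, not part of the original message: a Python sketch of the checks described above, namely which protocols an SSLProtocol line leaves enabled, whether a reported cipher suite gives forward secrecy, and a client probe pinned to TLS 1.2. The function names and the KNOWN protocol set are assumptions made for illustration, and the token handling is a simplified model of mod_ssl's +/- syntax.

```python
import socket
import ssl

# Constructed set of protocol tokens; pass a smaller tuple to model a build without TLS 1.1/1.2.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def enabled_protocols(directive_args, known=KNOWN):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):]
        if name.lower() == "all":
            chosen = set(known)
        else:
            match = [k for k in known if k.lower() == name.lower()]
            if not match:
                raise ValueError(f"unsupported protocol token: {token}")
            chosen = set(match)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare token replaces whatever was set so far
    return enabled

def has_forward_secrecy(suite):
    """True for ephemeral (EC)DH key exchange; IANA or OpenSSL names, TLS 1.2 and earlier."""
    name = suite.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    return name.split("_")[0] in ("ECDHE", "DHE", "EDH")

def probe(host, port=443, timeout=5.0):
    """Handshake pinned to TLS 1.2; returns (protocol, suite, forward_secrecy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same idea as security.tls.version.min = 3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite = tls.cipher()[0]
            return tls.version(), suite, has_forward_secrecy(suite)

if __name__ == "__main__":
    print(sorted(enabled_protocols("-all +TLSv1.1 +TLSv1.2 +TLSv1")))
    print(has_forward_secrecy("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
```

probe() raises ssl.SSLError when the server cannot complete a TLS 1.2 handshake, so a returned tuple is itself evidence that the protocol is supported.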