[CentOS] Centos 5 & tls v1.2, v1.1

Fri Apr 17 19:42:57 UTC 2015
Eero Volotinen <eero.volotinen at iki.fi>

2015-04-17 14:40 GMT+03:00 Peter <peter at pajamian.dhs.org>:

> On 04/17/2015 11:20 PM, Eero Volotinen wrote:
> > Yep, maybe using ssl offloading devices like (BigIP) that receive tls1.2
> > and tlsv1.2 and then re-encrypt traffic with tls1.0 might be the "cheapest"
> > solution.
>
> Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now.  The
> only attack against 1.0 that I'm aware of is BEAST and that has been
> largely mitigated by browser-side fixes to the point where TLS 1.0 is
> now considered to be safe.  No doubt there will in time be other attacks
> that necessitate an upgrade, but for now I would just stick with the
>

Well, the PCI DSS 3.1 standard soon denies use of SSLv3 and the early version
of TLS (v1.0).

Also noted that it is possible to do SSL termination and encryption again with
mod_ssl SSLProxyEngine.

--
Eero
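
The termination and re-encryption setup mentioned in the message above, sketched as a reverse-proxy virtual host. This is an added example, not configuration from the thread; it assumes Apache httpd 2.4.5 or later on a separate front-end host whose OpenSSL supports TLS 1.1/1.2, and every hostname and file path is a placeholder.

```apache
# Added example (not from the original thread).
# Assumptions: httpd 2.4.5+ with mod_ssl, mod_proxy and mod_proxy_http loaded;
# www.example.com, backend.internal.example and all paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing leg: terminate TLS here and accept only TLS 1.1 and 1.2.
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Back-end leg: encrypt again towards the CentOS 5 server,
    # which can only negotiate TLS 1.0.
    SSLProxyEngine on
    SSLProxyProtocol TLSv1

    # Authenticate the back end so the re-encrypted leg cannot be
    # intercepted by a host presenting an arbitrary certificate.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

Only the client-facing connection is restricted to TLS 1.1/1.2 here; the leg between the proxy and the back end still runs TLS 1.0, so it belongs on a restricted internal network segment.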