[CentOS] Centos 5 & tls v1.2, v1.1
Eero Volotinen
eero.volotinen at iki.fi
Fri Apr 17 11:20:34 UTC 2015
Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
solution.
--
Eero
2015-04-17 14:15 GMT+03:00 Johnny Hughes <johnny at centos.org>:
> On 04/16/2015 05:00 PM, Eero Volotinen wrote:
> > in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
> >
> > --
> > Eero
> >
>
> If you do that, then you are at the mercy of Mr. Bergmann to provide
> updates for all security issues for openssl. Has he updated his RPMs
> since 2014-11-19 23:57:58? Does his patch work on the latest
> RHEL/CentOS EL5 openssl-0.9.8 package?
>
> The answer right now for him providing newer packages is, I have no
> idea. His repo
> (
> http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos_5/index.html
> )
> does not seem to be available:
> ====================================================================
> Attempted reposync:
>
> Error setting up repositories: failure: repodata/repomd.xml from tuxad:
> [Errno 256] No more mirrors to try.
> http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
> HTTP Error 404 - Not Found
> ====================================================================
>
> Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his
> patches) .. doing so is not at all certified as safe, nor has it been
> tested by anyone that I can see (other than in that blog entry). It
> might be fine .. it might not be.
>
> People can make any choice that they want, but I would be looking to
> upgrade to at least CentOS-6 at this point if I wanted newer TLS support
> and not depending on one person to provide packages (or patches) of this
> importance for all my EL5 machines. But, that is just me.
>
> Please note, I have no idea who Mr. Bergmann is and I am not in any way
> being negative about those packages and patches .. they are extremely
> nice and seem to work. However, I can not see the rest of his repo
> right now and I would not trust MY production machines to a one person
> operation with something as important as openssl.
>
> Thanks,
> Johnny Hughes
>
>
>
> > 2015-04-16 21:02 GMT+03:00 Eero Volotinen <eero.volotinen at iki.fi>:
> >
> >> well. this hack solution might work:
> >>
> http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5/index.html
> >>
> >> --
> >> Eero
> >>
> >> 2015-04-16 17:30 GMT+03:00 Leon Fauster <leonfauster at googlemail.com>:
> >>
> >>> Am 16.04.2015 um 11:46 schrieb Leon Fauster <
> leonfauster at googlemail.com>:
> >>>> Am 16.04.2015 um 11:43 schrieb Eero Volotinen <eero.volotinen at iki.fi
> >:
> >>>>> Is there any nice way to get tlsv1.2 support to centos 5?
> >>>>> upgrading os to 6 is not option available.
> >>>>
> >>>>
> >>>> Unfortunately not.
> >>>
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1066914
> >>>
> >>> --
> >>> LF
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
More information about the CentOS
mailing list