[CentOS] Centos 5 & tls v1.2, v1.1

Dennis Jacobfeuerborn dennisml at conversis.de
Fri Apr 17 11:26:27 UTC 2015


The cheapest solution is probably compiling a private openssl somewhere
on the system and then compiling apache using that private openssl
version instead of the default system-wide one.

Regards,
  Dennis

On 17.04.2015 13:20, Eero Volotinen wrote:
> Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
> and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
> solution.
> 
> --
> Eero
> 
> 2015-04-17 14:15 GMT+03:00 Johnny Hughes <johnny at centos.org>:
> 
>> On 04/16/2015 05:00 PM, Eero Volotinen wrote:
>>> in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
>>>
>>> --
>>> Eero
>>>
>>
>> If you do that, then you are at the mercy of Mr. Bergmann to provide
>> updates for all security issues for openssl.  Has he updated his RPMs
>> since 2014-11-19 23:57:58?  Does his patch work on the latest
>> RHEL/CentOS EL5 openssl-0.9.8 package?
>>
>> The answer right now for him providing newer packages is, I have no
>> idea.  His repo
>> (
>> http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos_5/index.html
>> )
>> does not seem to be available:
>> ====================================================================
>> Attempted reposync:
>>
>> Error setting up repositories: failure: repodata/repomd.xml from tuxad:
>> [Errno 256] No more mirrors to try.
>> http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
>> HTTP Error 404 - Not Found
>> ====================================================================
>>
>> Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his
>> patches) .. doing so is not at all certified as safe, nor has it been
>> tested by anyone that I can see (other than in that blog entry).  It
>> might be fine .. it might not be.
>>
>> People can make any choice that they want, but I would be looking to
>> upgrade to at least CentOS-6 at this point if I wanted newer TLS support
>> and not depending on one person to provide packages (or patches) of this
>> importance for all my EL5 machines.  But, that is just me.
>>
>> Please note, I have no idea who Mr. Bergmann is and I am not in any way
>> being negative about those packages and patches .. they are extremely
>> nice and seem to work.  However, I can not see the rest of his repo
>> right now and I would not trust MY production machines to a one person
>> operation with something as important as openssl.
>>
>> Thanks,
>> Johnny Hughes
>>
>>
>>
>>> 2015-04-16 21:02 GMT+03:00 Eero Volotinen <eero.volotinen at iki.fi>:
>>>
>>>> well. this hack solution might work:
>>>>
>>>> http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5/index.html
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2015-04-16 17:30 GMT+03:00 Leon Fauster <leonfauster at googlemail.com>:
>>>>
>>>>> On 16.04.2015 at 11:46, Leon Fauster <leonfauster at googlemail.com> wrote:
>>>>>> On 16.04.2015 at 11:43, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>>>>>> Is there any nice way to get tlsv1.2 support to centos 5?
>>>>>>> upgrading os to 6 is not option available.
>>>>>>
>>>>>>
>>>>>> Unfortunately not.
>>>>>
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1066914
>>>>>
>>>>> --
>>>>> LF
>>
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>
> 
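
A check to run after the private build suggested at the top of this message, added here as an example and not written by anyone in the thread: it reads `ldd` output for Apache's `mod_ssl.so` and confirms that libssl and libcrypto resolve under the private prefix and not to the system copy. The prefix `/opt/openssl-private`, the function names and the sample `ldd` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. PREFIX and the sample ldd lines below are constructed.

# check_ssl_linkage PREFIX   (reads `ldd` output on stdin)
# Prints a verdict per library and returns 0 only when both libssl and
# libcrypto resolve to files under PREFIX.
check_ssl_linkage() {
    awk -v prefix="${1%/}/" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            lib = $1; sub(/\.so.*/, "", lib); seen[lib] = 1
            if ($3 == "not" || $3 == "") { print lib ": NOT FOUND by the loader"; bad = 1 }
            else if (index($3, prefix) == 1) { print lib ": OK " $3 }
            else { print lib ": WRONG COPY " $3; bad = 1 }
        }
        END {
            # Absent entries mean a static link or no TLS at all: unverifiable here.
            n = split("libssl libcrypto", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i] ": not in ldd output"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: module picks up the private build.
sample_private() {
cat <<'EOF'
    libssl.so.1.0.0 => /opt/openssl-private/lib/libssl.so.1.0.0 (0x00002b5a1c000000)
    libcrypto.so.1.0.0 => /opt/openssl-private/lib/libcrypto.so.1.0.0 (0x00002b5a1c200000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b5a1c600000)
EOF
}

# Constructed sample: the build silently linked the system-wide openssl.
sample_system() {
cat <<'EOF'
    libssl.so.6 => /lib64/libssl.so.6 (0x00002b5a1c000000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5a1c200000)
EOF
}

# Constructed sample: linked at build time, but the loader cannot find it.
sample_missing() {
cat <<'EOF'
    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => /opt/openssl-private/lib/libcrypto.so.1.0.0 (0x00002b5a1c200000)
EOF
}

sample_system | check_ssl_linkage /opt/openssl-private || echo "result: not using the private openssl"
```

On a real host the input would be `ldd` run against the built `mod_ssl.so`. A passing result says nothing about patch level, so the private copy still has to be rebuilt for every upstream openssl security release.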
