Hello guys,

I have Apache installed as a webserver on my CentOS system. How do I enable or configure TLS v1.1 on it?

The SSL certificate I recently purchased requires that the SSL protocol be TLSv.1 and not SSLv2 or 3.

How do I enable or configure this please?

I did the following to set up my SSL initially:

yum install mod_ssl
mkdir /etc/httpd/ssl
openssl genrsa -des3 -out /etc/ssl/server.key 4096
openssl req -new -key /etc/ssl/server.key -out /etc/ssl/server.csr
openssl x509 -req -days 3650 -in /etc/ssl/server.csr -signkey /etc/ssl/server.key -out /etc/ssl/server.crt
openssl rsa -in /etc/ssl/server.key -out /etc/ssl/server.key.insecure
mv /etc/ssl/server.key /etc/ssl/server.key.secure
mv /etc/ssl/server.key.insecure /etc/ssl/server.key
cp /etc/ssl/server.key /etc/httpd/ssl
cp /etc/ssl/server.crt /etc/httpd/ssl
nano /etc/httpd/conf.d/ssl.conf
 
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key

service httpd restart
5 Spice ups

You would add the following to /etc/httpd/conf.d/ssl.conf if you just wanted TLSv1.1.

SSLProtocol TLSv1.1

You could also enable ALL protocols with the “all” flag. However, to safeguard against recent security vulnerabilities, I recommend that you remove SSLv2 and SSLv3.

SSLProtocol all -SSLv2 -SSLv3

1 Spice up

Also, TLS v1.1 is only available in OpenSSL 1.0.1 and later.

1 Spice up

Thanks Jeffrey,

I modified /etc/httpd/conf.d/ssl.conf using

SSLProtocol TLSv1.1

But I got this error:

# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 93 of /etc/httpd/conf.d/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
                                                          [FAILED]

Also, my openssl version is:

OpenSSL 1.0.1e-fips 11 Feb 2013

What version of Apache is installed? I believe you will need httpd version 2.2.23 and later for TLSv1.1 or TLSv1.2:

https://securityblog.redhat.com/2013/12/11/tlsv1-1-and-tlsv1-2-now-available-in-rhel/

Also, see the comments here: mod_ssl - Apache HTTP Server Version 2.2

In order to use TLSv1.1 and TLSv1.2 for SSLProtocol, you need at least version 2.2.23 (in addition to OpenSSL 1.0.1 or higher).

Ubuntu 12.04 has OpenSSL 1.0.1, but Apache 2.2.22.

Therefore it only knows about TLSv1.

Specifying TLSv1.1 or TLSv1.2 results in a syntax error:

SSLProtocol: Illegal protocol 'TLSv1.2'
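To make the version gating above concrete, here is an added example (not from this thread or from the Apache project) that emulates mod_ssl's SSLProtocol parsing with the thresholds quoted in the reply, httpd 2.2.23 and OpenSSL 1.0.1 for the TLSv1.1 and TLSv1.2 tokens, and checks an ssl.conf before you restart httpd. The function names, the sample config and the version strings passed in are my own; feed it the output of `httpd -v` and `openssl version` for your box.

```shell
# Added example (not from the thread): emulate mod_ssl's SSLProtocol check using the
# thresholds quoted above (httpd >= 2.2.23 and OpenSSL >= 1.0.1 for TLSv1.1/TLSv1.2).
# version_ge A B: succeed if dotted version A >= B. A non-numeric suffix such as
# the "e" in 1.0.1e is ignored and missing fields count as 0.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//'); x=${x:-0}
    y=$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//'); y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# sslprotocol_ok HTTPD_VER OPENSSL_VER TOKEN...: succeed if that httpd build would
# accept every token (optional +/- prefix); otherwise print mod_ssl's error and fail.
sslprotocol_ok() {
  hv=$1; ov=$2; shift 2
  for tok in "$@"; do
    name=${tok#[+-]}
    case $name in
      all|SSLv2|SSLv3|TLSv1) ;;
      TLSv1.1|TLSv1.2)
        if ! version_ge "$hv" 2.2.23 || ! version_ge "$ov" 1.0.1; then
          echo "SSLProtocol: Illegal protocol '$name'"; return 1
        fi ;;
      *) echo "SSLProtocol: Illegal protocol '$name'"; return 1 ;;
    esac
  done
  return 0
}

# check_ssl_conf FILE HTTPD_VER OPENSSL_VER: validate every SSLProtocol directive
# in FILE and report the line number the way "service httpd restart" did above.
check_ssl_conf() {
  f=$1; hv=$2; ov=$3; n=0; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1)); set -- $line
    [ "${1:-}" = SSLProtocol ] || continue; shift
    sslprotocol_ok "$hv" "$ov" "$@" || { echo "Syntax error on line $n of $f"; rc=1; }
  done < "$f"
  return $rc
}

# Constructed sample: the directive the original poster tried, on their versions.
conf=$(mktemp); printf 'SSLEngine on\nSSLProtocol TLSv1.1\n' > "$conf"
check_ssl_conf "$conf" 2.2.15 1.0.1e || echo "-> upgrade httpd or use: SSLProtocol all -SSLv2 -SSLv3"
rm -f "$conf"
```

Running it on 2.2.15 / 1.0.1e reproduces the "Illegal protocol 'TLSv1.1'" failure; on 2.2.23 or later the same file passes, and `all -SSLv2 -SSLv3` passes on both.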

The Apache version is 2.2.15. I guess I should attempt to upgrade it, since the certificate requires TLS v1.1.