Is there any nice way to get tlsv1.2 support to CentOS 5?
upgrading os to 6 is not option available.
12 thoughts on - CentOS 5 & Tls V1.2, V1.1
Am 16.04.2015 um 11:43 schrieb Eero Volotinen :
Unfortunately not.
How about using gnutls?
Eero
16.4.2015 12.46 ip. “Leon Fauster” kirjoitti:
Not in the version included with EL5 as I recall.
You might want to give some serious thought to an upgrade plan. El5 goes EOL in 2017, so you’ve got a little over a year. Additionally, EL5 is already missing security updates because they weren’t deemed important enough -> http://lists.CentOS.org/pipermail/CentOS/2014-November/148008.html
in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
If you do that, then you are at the mercy of Mr. Bergmann to provide updates for all security issues for openssl. Has he updated his RPMs since 2014-11-19 23:57:58? Does his patch work on the latest RHEL/CentOS EL5 openssl-0.9.8 package?
Error setting up repositories: failure: repodata/repomd.xml from tuxad:
[Errno 256] No more mirrors to try. http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
HTTP Error 404 – Not Found
====================================================================
Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his patches) .. doing so is not at all certified as safe, nor has it been tested by anyone that I can see (other than in that blog entry). It might be fine .. it might not be.
People can make any choice that they want, but I would be looking to upgrade to at least CentOS-6 at this point if I wanted newer TLS support and not depending on one person to provide packages (or patches) of this importance for all my EL5 machines. But, that is just me.
Please note, I have no idea who Mr. Bergmann is and I am not in any way being negative about those packages and patches .. they are extremely nice and seem to work. However, I can not see the rest of his repo right now and I would not trust MY production machines to a one person operation with something as important as openssl.
Thanks, Johnny Hughes
Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
and tlsv1.2 and then re-encrypts traffic with tls1.0 might be “cheapest”
solution.
The cheapest sollution is probably compiling a private openssl somewhere on the system and then compiling apache using that private openssl version instead of the default system-wide one.
Regards,
Dennis
Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only attack against 1.0 that I’m aware of is BEAST and that has been largely mitigated by browser-side fixes to the point where TLS 1.0 is now considered to be safe. No doubt there will in time be other attacks that necessitate an upgrade, but for now I would just stick with the version of openssl and apache that comes with CentOS 5 and focus on moving to CentOS 6 or 7 as a medium (not long) term goal. At the end of the day I think it’s better to just go this route than have to deal with the hacky solutions for getting 1.1 and 1.2 out of CentOS 5.
Peter
2015-04-17 14:26 GMT+03:00 Dennis Jacobfeuerborn :
Well, not really. cheapest and working solution is to use apache on CentOS
6/7 with sslproxy engine to first decrypt traffic and then encrypt using tlsv1.0
2015-04-17 14:40 GMT+03:00 Peter :
Well, PCI DSS 3.1 standard soon denies use of sslv3 and early version of tls(v1.0)
Also noted that is possible to do ssl termination and encryption again with mod_ssl sslproxyengine.
12 thoughts on - CentOS 5 & Tls V1.2, V1.1
Am 16.04.2015 um 11:43 schrieb Eero Volotinen:
Unfortunately not.
How about using gnutls?
Eero kirjoitti:
16.4.2015 12.46 ip. “Leon Fauster”
Not in the version included with EL5 as I recall.
You might want to give some serious thought to an upgrade plan. El5 goes EOL in 2017, so you’ve got a little over a year. Additionally, EL5 is already missing security updates because they weren’t deemed important enough -> http://lists.CentOS.org/pipermail/CentOS/2014-November/148008.html
Am 16.04.2015 um 11:46 schrieb Leon Fauster:
https://bugzilla.redhat.com/show_bug.cgi?id66914
well. this hack solution might work:
http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__CentOS_5/index.html
in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
If you do that, then you are at the mercy of Mr. Bergmann to provide updates for all security issues for openssl. Has he updated his RPMs since 2014-11-19 23:57:58? Does his patch work on the latest RHEL/CentOS EL5 openssl-0.9.8 package?
The answer right now for him providing newer packages is, I have no idea. His repo
(http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__CentOS_5/index.html)
does not seem to be available:
====================================================================
Attempted reposync:
Error setting up repositories: failure: repodata/repomd.xml from tuxad:
[Errno 256] No more mirrors to try. http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
HTTP Error 404 – Not Found
====================================================================
Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his patches) .. doing so is not at all certified as safe, nor has it been tested by anyone that I can see (other than in that blog entry). It might be fine .. it might not be.
People can make any choice that they want, but I would be looking to upgrade to at least CentOS-6 at this point if I wanted newer TLS support and not depending on one person to provide packages (or patches) of this importance for all my EL5 machines. But, that is just me.
Please note, I have no idea who Mr. Bergmann is and I am not in any way being negative about those packages and patches .. they are extremely nice and seem to work. However, I can not see the rest of his repo right now and I would not trust MY production machines to a one person operation with something as important as openssl.
Thanks, Johnny Hughes
Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
and tlsv1.2 and then re-encrypts traffic with tls1.0 might be “cheapest”
solution.
The cheapest sollution is probably compiling a private openssl somewhere on the system and then compiling apache using that private openssl version instead of the default system-wide one.
Regards,
Dennis
Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only attack against 1.0 that I’m aware of is BEAST and that has been largely mitigated by browser-side fixes to the point where TLS 1.0 is now considered to be safe. No doubt there will in time be other attacks that necessitate an upgrade, but for now I would just stick with the version of openssl and apache that comes with CentOS 5 and focus on moving to CentOS 6 or 7 as a medium (not long) term goal. At the end of the day I think it’s better to just go this route than have to deal with the hacky solutions for getting 1.1 and 1.2 out of CentOS 5.
Peter
2015-04-17 14:26 GMT+03:00 Dennis Jacobfeuerborn:
Well, not really. cheapest and working solution is to use apache on CentOS
6/7 with sslproxy engine to first decrypt traffic and then encrypt using tlsv1.0
2015-04-17 14:40 GMT+03:00 Peter:
Well, PCI DSS 3.1 standard soon denies use of sslv3 and early version of tls(v1.0)
Also noted that is possible to do ssl termination and encryption again with mod_ssl sslproxyengine.