Ubuntu – How to enable TLS 1.2 in apache

Apache2openssltls

The current enabled TLS on my server is "tls 1", how can i enable tls 1.2 on my ubuntu server, and do i have to upgrade my openssl first?

# apache2ctl -v
Server version: Apache/2.2.12 (Ubuntu)

# openssl version -a
OpenSSL 0.9.8g 19 Oct 2007
built on: Fri Dec  3 23:05:00 UTC 2010
platform: debian-amd64
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(ptr2) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DMD5_ASM

Best Answer

In order to use TLSv1.1 and TLSv1.2 for SSLProtocol, you need at least version 2.2.23 (in addition to OpenSSL 1.0.1 or higher).

Once you have the latest,

Add

SSLProtocol TLSv1.1

/etc/httpd/conf.d/ssl.conf

Related Solutions

Ubuntu – How to enable TLS 1.2 in Nginx

First you need to activate SSL/TLS in your nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

The two listen lines enable SSL at your IPv4 and IPv6 connection. If you have no IPv6 you might leave out the second listen line.

I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

This enables different TLS versions. All current browsers are able to use TLS1.2. For older browsers I wrote a small howto enable secure settings.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;

The first line sets the ciphers which your nignx should use. The second line prefers the cipher suites on the server (and not the client) side. So you can use strong(er) ciphers.

If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)

However there are several methods to improve the settings. I follow this german guide for secure nginx configuration.

Ubuntu – How force that all connections to the Apache use TLSv1.1 or TLSv1.2

Setting SSLCipherSuite with just ciphers that are just supported in TLSv1.2 bypass the Apache 2.2 limitation of parse TLSv1.1 string to limited TLS to version over 1.0.

Best Answer

Related Solutions

Ubuntu – How to enable TLS 1.2 in Nginx

Ubuntu – How force that all connections to the Apache use TLSv1.1 or TLSv1.2

Related Question