I'd like to have TLSv1.2 support in Apache on my Scientific Linux 6 (RHEL6 rebuild) server.
Is there some semi-supported pathway to getting this working? Preferably with minimal custom rebuilding. Right now I'm using mod_ssl with OpenSSL, as provided in the SL6 repositories.
Edit: Once TLSv1.2 support is available, the Apache configuration is well-documented and not too difficult. The problem is that RHEL6 ships with OpenSSL 1.0.0, which only supports TLS through 1.0 or 1.1.
Best Answer
I've written a quick guide on backporting the OpenSSL 1.0.1 RPM from Fedora Core to support RHEL6 and variants by replacing the bundled 1.0.0 version to add TLSv1.2 and ECC support. Built and tested against CentOS 6.4 in September of 2013:
Guide to OpenSSL 1.0.1 RPM for CentOS 6
Please note: That's the place where I keep my own copy of OpenSSL and OpenSSH up-to-date. Improvements in CentOS 6.5 have largely mitigated the demand for TLS1.2 and flaws like Heartbleed are addressed there, while this answer will forever be stuck in 2013. Don't follow the steps below verbatim; it is imperative you run 1.0.1g or newer.
Now with github: github/ptudor/centos6-openssl
I've made a patch available that I will reference in this guide: openssl-spec-patricktudor-latest.diff
First, prepare your build environment. (If you've installed EPEL, use mock. Keeping it simple here...)
Next, grab the Fedora Core 20 SRPM for OpenSSL and the full OpenSSL source.
Now apply the old secure_getenv syntax and apply the patch:
Run the build:
Everything went well hopefully, so let's install the new RPMs:
Make sure it actually worked:
The link above at my website has more details but this should be a good starting point.
Thanks, enjoy.
20130819: Rawhide revision bumped from 14 to 15.
20130831: fc20 revision bumped from 15 to 18.
20130906: fc20 revision bumped from 18 to 19.
20140408: just go to my website for anything after 1.0.1g.
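The answer's last step is "make sure it actually worked" and its note sets a floor of 1.0.1g. The script below is an added example, not code from the answer or from the linked guide: it parses the output of `openssl version` and reports whether the installed build is new enough to speak TLSv1.2 (OpenSSL 1.0.1 or later) and whether it is at least 1.0.1g. The version strings fed to it here are constructed samples. One caveat a practitioner should keep in mind, and which the script cannot see from the version string alone: Red Hat and CentOS backport security fixes without bumping the letter, so a distro-patched `1.0.1e` may already contain the Heartbleed fix; on those systems confirm with `rpm -q --changelog openssl | grep CVE-2014-0160` rather than trusting the suffix.

```shell
#!/bin/sh
# Added example (not part of the original answer or the linked guide).
# Turns an "OpenSSL x.y.z[letter] ..." string into a sortable integer and
# answers two questions: can this build do TLSv1.2, and is it >= 1.0.1g?

# Print major*1000000 + minor*10000 + patch*100 + letter (a=1 .. z=26, none=0).
# Returns 1 if the string does not look like `openssl version` output.
openssl_version_num() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[a-z]*}        # digits before the optional letter suffix
    letter=${rest#"$patch"}      # the letter suffix itself, possibly empty
    letter_num=0
    if [ -n "$letter" ]; then
        alphabet=abcdefghijklmnopqrstuvwxyz
        before=${alphabet%%"$letter"*}
        letter_num=$(( ${#before} + 1 ))
    fi
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + letter_num ))
}

# Exit 0 when the build can negotiate TLSv1.2 (support arrived in 1.0.1).
openssl_has_tls12() {
    n=$(openssl_version_num "$1") || return 1
    [ "$n" -ge 1000100 ]
}

# Exit 0 when the build is 1.0.1g or newer (upstream Heartbleed fix).
# Distro builds backport fixes without changing the letter, so on RHEL/CentOS
# also run: rpm -q --changelog openssl | grep CVE-2014-0160
openssl_at_least_1_0_1g() {
    n=$(openssl_version_num "$1") || return 1
    [ "$n" -ge 1000107 ]
}

# Run both checks against whatever `openssl` is first on PATH.
check_installed_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; return 2; }
    v=$(openssl version)
    echo "installed: $v"
    if openssl_has_tls12 "$v"; then
        echo "TLSv1.2 capable: yes"
    else
        echo "TLSv1.2 capable: no (need OpenSSL 1.0.1 or newer)"
        return 1
    fi
    if openssl_at_least_1_0_1g "$v"; then
        echo "1.0.1g or newer: yes"
    else
        echo "1.0.1g or newer: no, verify the Heartbleed fix via the rpm changelog"
        return 1
    fi
}

# Constructed sample strings in the style of `openssl version` output.
openssl_version_num 'OpenSSL 1.0.0-fips 29 Mar 2010'    # stock RHEL6 era
openssl_version_num 'OpenSSL 1.0.1e-fips 11 Feb 2013'   # Fedora 20 SRPM rebuild
openssl_version_num 'OpenSSL 1.0.1g 7 Apr 2014'         # the floor the answer sets
```

Once the rebuilt RPMs are installed, `check_installed_openssl` gives the version-level verdict; the end-to-end check is still a real handshake against the server, for example `openssl s_client -connect localhost:443 -tls1_2`, which only exists as a flag on 1.0.1 and later.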