TLS 1.2?

Started by mario, April 03, 2012, 09:41:02 PM


mario

Now with 2.4.1 which includes OpenSSL 1.0.1 I've secured my server against BEAST attack with

SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

However, when I run the https://www.ssllabs.com/ssldb/analyze.html test, I see that Apache supports up to TLS 1.0, but neither TLS 1.1 nor TLS 1.2. But OpenSSL 1.0.1 should support TLS v1.2.

Is there any chance to have 256-bit encryption again and/or TLS 1.1 or TLS 1.2?

Gregg

I played with this a couple of weeks ago and used Opera because I know it's supposed to be TLS 1.2 compatible.

https://www.apachehaus.net/Qualys/

The first cipher in order is TLS/1.2 256-bit; however, no matter what I did, Opera would only use 128-bit ciphers. I deselected all non-256 TLS/1.2 ciphers in Opera's options and it could not communicate. FF would only use RC4. I forgot what happened when I denied TLS/1.0 at the server; FF likely did not work. What was odd, however, was that I actually lost points on the Qualys score after doing that.

mario

What is your SSLCipherSuite?

Gregg

SSLProtocol all -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Gregg

#4
Another interesting thing: if I turn off all but TLS/1.2 in Opera, it will not connect. But if I have the TLS/1.1 & 1.2 options checked, it will, and page info shows it as TLS/1.2.

https://www.apachehaus.net/Qualys/opera.png

IE9 is like Firefox; it falls back to RC4.
https://www.apachehaus.net/Qualys/ie9.png

mario

#5
If I use SSLProtocol all -SSLv3, some browsers and ssllabs.com can't connect. With your config the main target, Firefox, still uses 128-bit encryption then :-/
But the ssllabs.com test now shows TLS 1.2. I wish the browser could use that.