The Apache Haus Forum

Author Topic: TLS 1.2 ?  (Read 7292 times)

mario

  • Administrator
  • Member Elite
  • Posts: 586
TLS 1.2 ?
« on: April 03, 2012, 09:41:02 PM »

Now with 2.4.1, which includes OpenSSL 1.0.1, I've secured my server against the BEAST attack with
Code:
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

However, when I run the https://www.ssllabs.com/ssldb/analyze.html test, I see that Apache supports up to TLS 1.0, but not TLS 1.1 nor TLS 1.2. But OpenSSL 1.0.1 should support TLS v1.2.

Is there any chance to have the 256 bit encryption again and/or (TLS 1.1 or TLS 1.2)?

Gregg

  • Administrator
  • Member Elite
  • Posts: 849
Re: TLS 1.2 ?
« Reply #1 on: April 04, 2012, 10:39:43 PM »

I played with this a couple weeks ago and used Opera because I know it's supposed to be TLS 1.2 compatible.

https://www.apachehaus.net/Qualys/

First cipher in order is TLS/1.2 256bit; however, no matter what I did, Opera would only use 128 bit ciphers. I deselected all non 256 TLS/1.2 ciphers in Opera's options and it could not communicate. FF would only use RC4. I forgot what happened when I denied TLS/1.0 at the server; FF likely did not work. What was odd, however, was that I actually lost points on the Qualys score after doing that.

mario

  • Administrator
  • Member Elite
  • Posts: 586
Re: TLS 1.2 ?
« Reply #2 on: April 04, 2012, 11:08:29 PM »

What is your SSLCipherSuite?

Gregg

  • Administrator
  • Member Elite
  • Posts: 849
Re: TLS 1.2 ?
« Reply #3 on: April 04, 2012, 11:27:29 PM »

SSLProtocol all -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Gregg

  • Administrator
  • Member Elite
  • Posts: 849
Re: TLS 1.2 ?
« Reply #4 on: April 05, 2012, 12:41:51 AM »

Another interesting thing: if I turn off all but TLS/1.2 in Opera, it will not connect. But if I have the TLS/1.1 & 1.2 options checked, it will, and page info shows it as TLS/1.2.

https://www.apachehaus.net/Qualys/opera.png

IE9 is like Firefox, falls back to RC4.
https://www.apachehaus.net/Qualys/ie9.png
« Last Edit: April 06, 2012, 09:24:34 PM by Gregg »

mario

  • Administrator
  • Member Elite
  • Posts: 586
Re: TLS 1.2 ?
« Reply #5 on: April 06, 2012, 12:36:23 PM »

If I use SSLProtocol all -SSLv3 some browsers and ssllabs.com can't connect. With your config the main target Firefox still uses 128 bit encryption then :-/
But the ssllabs.com test now shows TLS 1.2. I wish the browser could use that.
« Last Edit: April 06, 2012, 01:46:15 PM by mario »
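
Added example, not part of the thread or written by its posters: a small model of how a server that honours its own cipher order picks a suite from the SSLCipherSuite string in Reply #3, showing that the SHA256/SHA384/GCM suites at the front are only reachable over TLS 1.2, so a client limited to TLS 1.0 lands on RC4 even when it offers 256-bit AES. The `openssl ciphers -v` style listing is a constructed, abridged sample, the two client offer lists are assumptions rather than captures of any browser, and `parse_ciphers` and `negotiate` are hypothetical helper names.

```python
import re

# Constructed, abridged listing in the format of `openssl ciphers -v` for the
# SSLCipherSuite string in Reply #3, in server preference order.
SERVER_ORDER = """\
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""
# Constructed client offers (assumptions, not captured from any browser).
TLS10_CLIENT = ["AES256-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-RC4-SHA", "RC4-SHA"]
TLS12_CLIENT = ["ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256", "AES256-SHA"]

VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
LINE = re.compile(r"^(\S+)\s+(\S+)\s+.*Enc=([^()\s]+)\((\d+)\)")

def parse_ciphers(text):
    """Return [(name, min_protocol, enc, bits)] in the order listed."""
    return [(m.group(1), m.group(2), m.group(3), int(m.group(4)))
            for m in map(LINE.match, text.splitlines()) if m]

def negotiate(server_suites, client_offer, client_max, honor_server_order=True):
    """Pick the suite a server would choose, assuming it supports client_max.
    A suite is usable only if the negotiated version is at least the version
    that introduced it; SSLHonorCipherOrder decides whose order wins."""
    usable = {s[0]: s for s in server_suites
              if VERSION_RANK[s[1]] <= VERSION_RANK[client_max]}
    order = [s[0] for s in server_suites] if honor_server_order else client_offer
    for name in order:
        if name in usable and name in client_offer:
            return usable[name]
    return None  # no shared suite at this protocol version: handshake fails

if __name__ == "__main__":
    suites = parse_ciphers(SERVER_ORDER)
    for label, offer, ver, honor in [
        ("TLS 1.0 client, server order", TLS10_CLIENT, "TLSv1", True),
        ("TLS 1.0 client, client order", TLS10_CLIENT, "TLSv1", False),
        ("TLS 1.2 client, server order", TLS12_CLIENT, "TLSv1.2", True),
        ("256-bit TLS 1.2 suite only, over TLS 1.0", ["ECDHE-RSA-AES256-SHA384"], "TLSv1", True),
    ]:
        print(label, "->", negotiate(suites, offer, ver, honor))
```

To see the real expansion on a given build, run `openssl ciphers -v` with the configured string and feed its output to `parse_ciphers` in place of the constructed sample.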