
I built and installed openssl 1.0.1. How do I force Apache to use TLS 1.2 Ciphers?

1 Answer

TLS 1.2 is covered in these two documents:
https://www.rfc-editor.org/rfc/rfc5246
https://www.rfc-editor.org/rfc/rfc6176

Basically, the latter document prohibits SSL 2.0 from being negotiated by TLS 1.2, and this is the default for httpd 2.2 shipped with Fedora, e.g. SSLProtocol all -SSLv2

However, your question was about cipher suites, which are also covered in those docs. By the looks of it, the only mandatory cipher suite for TLS 1.2 is TLS_RSA_WITH_AES_128_CBC_SHA:

Appendix C. Cipher Suite Definitions
Cipher Suite                            Key Exchange   Cipher         Mac
TLS_RSA_WITH_AES_128_CBC_SHA            RSA            AES_128_CBC    SHA

This says that the server must provide an RSA certificate for key exchange, that the cipher should be AES_128_CBC, and that the MAC should be SHA.

From the httpd mod_ssl docs, this translates to:

 SSLCipherSuite aRSA:kRSA:AES128-CBC:SHA   

which is documented here:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Tom
  • After upgrading openssl from 1.0.0e to 1.0.1 and changing the SSLCipherSuite, do I need to rebuild or make any configuration tweaks to apache2? –  Mar 24 '12 at 09:15
  • At a guess, I think that if you restart apache2 that if it starts then it would have upgraded OK. However I would confirm the log messages for the restart are OK. – Tom Mar 24 '12 at 09:25
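A check for the two directives discussed in the answer and comments above, added here as example code that is not part of the question, the answer, or the httpd project. It applies mod_ssl's SSLProtocol token rules (all, +X, -X) to work out which protocols a vhost actually enables, compares a fragment using `all -SSLv2` with one pinned to TLSv1.2, checks SSLHonorCipherOrder, and, when the `openssl` binary is on the PATH, expands the SSLCipherSuite string the same way mod_ssl will (it hands the string to OpenSSL unchanged). Assumptions: the expansion of `all` is the one for httpd 2.2.23+/2.4 built against OpenSSL 1.0.1, where the TLSv1.1 and TLSv1.2 keywords exist; a bare keyword is treated like `+keyword`; the two config fragments are constructed for the example; and `AES128-SHA` is the OpenSSL name used for TLS_RSA_WITH_AES_128_CBC_SHA.

```python
"""Audit the mod_ssl directives that decide what an Apache vhost will
negotiate. Added example for this page; not code from the question,
the answer, or the httpd project."""
import shutil
import subprocess

# What the "all" keyword expands to. Assumption: httpd 2.2.23+/2.4 built
# against OpenSSL 1.0.1, where the TLSv1.1 and TLSv1.2 keywords exist;
# drop the last two entries for an older 2.2 build.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def effective_protocols(value, all_protocols=ALL_PROTOCOLS):
    """Apply SSLProtocol token rules left to right: 'all' enables every
    protocol, '+X' (or a bare 'X', assumed equivalent) enables X, '-X'
    disables X. Keyword matching is case-insensitive."""
    known = {p.lower(): p for p in all_protocols}
    enabled = set()
    for token in value.split():
        action = "-" if token.startswith("-") else "+"
        name = token.lstrip("+-").lower()
        if name == "all":
            names = set(all_protocols)
        elif name in known:
            names = {known[name]}
        else:
            raise ValueError("SSLProtocol: illegal protocol %r" % token)
        enabled = enabled - names if action == "-" else enabled | names
    return enabled


def parse_ssl_directives(conf_text):
    """Collect SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder from a
    config fragment, skipping comment lines; the last occurrence wins,
    which is how httpd treats a repeated directive in one context."""
    wanted = {"sslprotocol", "sslciphersuite", "sslhonorcipherorder"}
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            found[parts[0].lower()] = parts[1].strip()
    return found


def expand_cipher_string(cipher_string):
    """Expand a cipher string the way mod_ssl will, since it passes the
    string straight to OpenSSL. Returns the matching suite names, [] if
    nothing matches (openssl exits non-zero), or None if the openssl CLI
    is not installed."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return []
    return [ln.split()[0] for ln in proc.stdout.splitlines() if ln.strip()]


def audit(conf_text):
    """Return findings for a vhost fragment; an empty list means only
    TLSv1.2 is enabled, a cipher string is set, and the server's cipher
    order is enforced."""
    d = parse_ssl_directives(conf_text)
    findings = []
    # "all" is the documented SSLProtocol default in httpd 2.2.
    protocols = effective_protocols(d.get("sslprotocol", "all"))
    legacy = protocols - {"TLSv1.2"}
    if legacy:
        findings.append("SSLProtocol still permits " + ", ".join(sorted(legacy)))
    if "TLSv1.2" not in protocols:
        findings.append("SSLProtocol does not enable TLSv1.2")
    if "sslciphersuite" not in d:
        findings.append("SSLCipherSuite not set; OpenSSL's default list applies")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off; the client picks the suite")
    return findings


# Constructed fragments for the example (not taken from a real host).
# httpd does not allow comments on a directive line, so they stand alone.
PERMISSIVE_VHOST = """
SSLEngine on
# the Fedora httpd 2.2 default mentioned in the answer
SSLProtocol all -SSLv2
SSLCipherSuite aRSA:kRSA:AES128-CBC:SHA
"""
PINNED_VHOST = """
SSLEngine on
# equivalent to: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol TLSv1.2
# OpenSSL's name for TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSuite AES128-SHA
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_VHOST), ("pinned", PINNED_VHOST)):
        print(label, "findings:", audit(conf) or "none")
        suites = expand_cipher_string(parse_ssl_directives(conf)["sslciphersuite"])
        if suites is None:
            print("  openssl CLI not found; skipping cipher string expansion")
        else:
            print("  cipher string expands to %d suite(s): %s"
                  % (len(suites), " ".join(suites[:8])))
```

Run it against the real vhost file instead of the constructed fragments to see what `all -SSLv2` still leaves enabled, and read the expansion line carefully: a cipher string that expands to many suites is not restricting the server to the one suite you intended, and the definitive check is still `openssl s_client -connect host:443 -tls1_2` against the restarted server.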