Re: CentOS 6 - httpd 2.2.29




On Thu, December 18, 2014 00:31, Jake Shipton wrote:
>
> Hi Alex,
>
> In this situation 2.2.29 actually does offer an advantage over CentOS
> version 2.2.15.
>
> The version provided by CentOS does not support Forward Secrecy for SSL
> or TLS 1.2.
>
> Version 2.2.24+ of upstream Apache includes patches which enable both
> Forward Secrecy and TLS 1.2.
>
> Now that C6's OpenSSL can also support both TLS 1.2, and Forward
> Secrecy, upgrading Apache slightly to be able to use both of those is a
> very viable option.
>
> Although, in my case I cheat, I compile my own 2.2.29 RPM and then apply
> any missing patches and new security patches from RHEL sources myself to
> get the best of both worlds.
>

CentOS-6.6
<---
rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: CentOS
Release     : 39.el6.centos                 Build Date: Thu 16 Oct 2014 10:49:26  EDT
Install Date: Tue 21 Oct 2014 03:14:55  EDT      Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: httpd-2.2.15-39.el6.centos.src.rpm
Size        : 3085394                          License: ASL 2.0
Signature   : RSA/SHA1, Fri 17 Oct 2014 04:02:19  EDT, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--->

This server supports both TLS-1.2 and PFS.  The httpd configuration file for
the server host above includes this line:

SSLProtocol -all  +TLSv1.1  +TLSv1.2  +TLSv1

And this produces no errors.

I am writing this message over an https link to the aforementioned server
running SquirrelMail.  The Calomel Firefox plugin reports
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that PFS
is enabled on this link.

I also have configured security.tls.version.min to 3 in Firefox's about:config
to check, and the link is not affected. This indicates that TLS 1.2 is in fact
supported.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
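The three checks made in the message above (what the SSLProtocol line enables, whether the negotiated suite is forward-secret, and whether a client pinned to TLS 1.2 can still connect) can be modelled offline. The following is an added example, not code from the thread or from the httpd project. It assumes the Apache 2.2 mod_ssl SSLProtocol semantics ('+kw' adds, '-kw' removes, a bare keyword replaces the set built so far, an unknown keyword is a startup error), that a build without the TLS 1.1/1.2 backport simply does not know the TLSv1.1/TLSv1.2 keywords, that cipher suites are named in IANA form, and Firefox's documented encoding of security.tls.version.min (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2). Which versions the keyword `all` covers varies by build; here it is taken as every known keyword.

```python
"""Added example (not from the mailing-list thread): model the checks in the post.

1. Which protocols an Apache 2.2 mod_ssl 'SSLProtocol' line enables.
2. Whether a negotiated IANA-named cipher suite is an authenticated
   ephemeral (forward-secret) suite, and whether it uses anything weak.
3. Whether a client with a minimum TLS version (Firefox's
   security.tls.version.min) can still negotiate against that set.

Assumed semantics: '+kw' adds, '-kw' removes, a bare keyword replaces the
set built so far, unknown keywords are rejected (a 2.2.15 build without
the RHEL backport does not know TLSv1.1/TLSv1.2 at all).
"""

# Weakest to strongest, so "at least version X" is an index comparison.
PROTOCOL_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Firefox about:config security.tls.version.min encoding (assumed as documented).
FIREFOX_TLS_VERSION = {0: "SSLv3", 1: "TLSv1", 2: "TLSv1.1", 3: "TLSv1.2"}

# Tokens in a suite name that mark it as something to reject outright.
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "RC2", "DES", "3DES", "IDEA", "MD5")


def parse_ssl_protocol(directive, known=PROTOCOL_ORDER):
    """Return the set of protocols an 'SSLProtocol ...' line enables."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    by_lower = {p.lower(): p for p in known}
    enabled = set()  # mod_ssl starts from an empty set
    for word in words[1:]:
        action, kw = (word[0], word[1:]) if word[0] in "+-" else (None, word)
        if kw.lower() == "all":
            chosen = set(known)  # assumption: 'all' = every keyword this build knows
        elif kw.lower() in by_lower:
            chosen = {by_lower[kw.lower()]}
        else:
            # This is the failure the post rules out with "produces no errors":
            # a build that lacks the keyword refuses to start.
            raise ValueError(f"SSLProtocol: illegal protocol {kw!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)  # bare keyword overrides what came before
    return enabled


def directive_accepted(directive, known=PROTOCOL_ORDER):
    """True if every keyword on the line is one this build understands."""
    try:
        parse_ssl_protocol(directive, known)
        return True
    except ValueError:
        return False


def classify_cipher_suite(name):
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<mac> into its security properties."""
    if "_WITH_" not in name:
        raise ValueError(f"expected TLS_<kx>_WITH_<cipher> form: {name!r}")
    prefix, cipher = name.split("_WITH_", 1)
    raw_kx = prefix.split("_")[1:]  # drop the TLS/SSL prefix
    tokens = set(raw_kx) | set(cipher.split("_"))
    weak = sorted(t for t in tokens if t in WEAK_TOKENS)
    kx_parts = [p for p in raw_kx if p != "EXPORT"]  # EXPORT is a grade, not a kx
    kx = kx_parts[0]
    auth = "_".join(kx_parts[1:]) or kx  # TLS_RSA_WITH_...: RSA kx and RSA auth
    ephemeral = kx in ("ECDHE", "DHE") or auth == "anon"
    authenticated = auth != "anon"
    return {
        "name": name,
        "key_exchange": kx,
        "authentication": auth,
        "cipher": cipher,
        "aead": any(t in cipher for t in ("GCM", "CCM", "CHACHA20")),
        # Anonymous DH is ephemeral but unauthenticated, so it does not count.
        "forward_secrecy": ephemeral and authenticated,
        "weak": weak,
    }


def client_can_negotiate(enabled, min_version):
    """True if the server enables some protocol at or above the client's floor."""
    floor = PROTOCOL_ORDER.index(min_version)
    return any(PROTOCOL_ORDER.index(p) >= floor for p in enabled)


def assess(directive, negotiated_suite, firefox_min=3):
    """Combine the three checks into one report."""
    enabled = parse_ssl_protocol(directive)
    min_version = FIREFOX_TLS_VERSION[firefox_min]
    return {
        "enabled": sorted(enabled, key=PROTOCOL_ORDER.index),
        "tls12": "TLSv1.2" in enabled,
        "legacy_ssl_enabled": sorted(enabled & {"SSLv2", "SSLv3"}),
        "client_min": min_version,
        "client_ok": client_can_negotiate(enabled, min_version),
        "suite": classify_cipher_suite(negotiated_suite),
    }


if __name__ == "__main__":
    # The directive and the suite the post reports, plus two rejects.
    report = assess("SSLProtocol -all  +TLSv1.1  +TLSv1.2  +TLSv1",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
    for key, value in report.items():
        print(f"{key:<20} {value}")
    print(classify_cipher_suite("TLS_RSA_WITH_AES_128_CBC_SHA")["forward_secrecy"])
    print(directive_accepted("SSLProtocol -all +TLSv1.2", known=("SSLv2", "SSLv3", "TLSv1")))
```

The last line models the pre-backport case: with only SSLv2/SSLv3/TLSv1 known, the same directive is rejected, which is why "produces no errors" is evidence that the CentOS build carries the TLS 1.2 patches. Static RSA suites such as TLS_RSA_WITH_AES_128_CBC_SHA classify as not forward-secret even though they are otherwise acceptable, which is the distinction Calomel's PFS indicator is reporting.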
