SUSE has just released a new Apache web server module that supports version 1.2 of the “Transport Layer Security” (TLS) standard for HTTPS, the primary use case of the TLS cryptographic protocol.
Governmental agencies around the world, such as the US NIST (NIST SP 800-52 Rev.1) and the German BSI (BSI TR-02102-2), have recently issued guidance to use version 1.2 of the “Transport Layer Security” (TLS) cryptographic protocol as the minimum standard for encryption. This is primarily important for HTTPS encryption of web traffic.
OpenSSL – a backward compatibility nightmare
HTTPS encryption in SUSE Linux Enterprise 11 SP2 and SP3 is based on the cryptographic libraries that are part of OpenSSL 0.9.8j.
Unfortunately, OpenSSL 0.9.8 supports neither TLS 1.1 nor TLS 1.2, and this support cannot be added easily. Even worse, an update to a more recent OpenSSL version is not possible, as OpenSSL is notoriously incompatible with itself. In other words, an OpenSSL version upgrade would trigger a rebuild of a significant number of other packages in SUSE Linux Enterprise 11 and would subsequently require a high number of updates to be installed on all our customers’ production systems. In addition, a version upgrade would break (third-party) applications. Not a solution, obviously.
An overview on the “notorious incompatibility” of OpenSSL is available via the Upstream Tracker (OpenSSL), a service originally funded by Linux Foundation.
Heading towards a solution … Mozilla’s NSS
Aware of this conflict, SUSE’s security team has for some time already been looking for an approach to provide TLS 1.2 with a minimum of annoyance for our customers.
Fortunately, there are other crypto libraries beyond OpenSSL, and amongst those, NSS is the best option. Here is why:
- The library is stable and proven to work, as it provides HTTPS support (including TLS) for the Firefox web browser.
- An Apache module already exists; it is derived from mod_ssl and is therefore easy to use for administrators familiar with mod_ssl.
- The NSS library is already part of SUSE Linux Enterprise 11, and support for TLS 1.2 can be provided easily with full backward compatibility, see Upstream Tracker (NSS).
Last week, we shipped all necessary packages via the Maintenance Channels for SUSE Linux Enterprise 11 SP2 and SP3 to deliver:
- Mozilla NSS update with support for TLS 1.2. Please update the packages libfreebl3, libsoftokn3, mozilla-nspr and mozilla-nss.
- New package “apache2-mod_nss”.
Please don’t forget to read /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt for a smooth start with mod_nss. Enjoy!
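As an added illustration (not configuration from this post or from the mod_nss project), the following virtual host shows how an administrator would use mod_nss to enforce the TLS 1.2 minimum that NIST SP 800-52 Rev.1 and BSI TR-02102-2 call for, with the weaker setting that still admits TLS 1.0 clients left in as a comment for comparison. The certificate database path, the certificate nickname, the hostname and the cipher list are assumptions to be checked against README-SUSE.txt and the nss.conf shipped with the package:

```apache
# Added example, not from the SUSE post or the mod_nss project.
# HTTPS virtual host served by apache2-mod_nss that negotiates TLS 1.2 only.

Listen 443

<VirtualHost _default_:443>
    # Placeholder hostname and document root.
    ServerName www.example.com
    DocumentRoot /srv/www/htdocs

    NSSEngine on

    # Weak setting: still accepts TLS 1.0 and 1.1 clients, which the guidance
    # above no longer allows as a minimum. Kept only for comparison.
    # NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

    # Hardened setting: clients that cannot negotiate TLS 1.2 are rejected.
    # Needs the NSS and mod_nss packages with TLS 1.2 support announced above.
    NSSProtocol TLSv1.2

    # Restrict to AES suites with SHA-2 or GCM; these names follow mod_nss's own
    # cipher syntax and are an assumption, so verify them against the module's
    # documented cipher list before deploying.
    NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha_256,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha_256,+rsa_aes_256_sha_256

    # NSS certificate database and the nickname of the server certificate in it
    # (assumed values; the README describes where the SUSE package keeps them).
    NSSCertificateDatabase /etc/apache2/mod_nss.d
    NSSNickname Server-Cert
    NSSPassPhraseDialog builtin
</VirtualHost>
```

Because mod_nss is derived from mod_ssl, the directive names mirror their mod_ssl counterparts with an NSS prefix (NSSEngine for SSLEngine, NSSProtocol for SSLProtocol, and so on), which is why administrators used to mod_ssl can read this configuration directly. On SUSE Linux Enterprise the module itself is normally enabled through the APACHE_MODULES list in /etc/sysconfig/apache2 rather than a LoadModule line, so none is shown here. After restarting apache2, a client restricted to TLS 1.0 or 1.1 should fail the handshake against this host, while a TLS 1.2 client connects normally; that negative test is the quickest way to confirm the minimum is actually enforced.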
- 2014-01-23: Clarification of the impact that a version update of OpenSSL would have on applications and production systems.