SUSE Conversations


TLS 1.2


By: mge1512

December 3, 2013 12:44 pm


Summary

SUSE has just released a new Apache web server module that supports version 1.2 of the “Transport Layer Security” (TLS) protocol for HTTPS, the primary use case of the TLS cryptographic protocol.

Details

Background

Governmental agencies around the world, such as the US NIST (NIST SP 800-52 Rev. 1) and the German BSI (BSI TR-02102-2), have recently issued guidance to use version 1.2 of the “Transport Layer Security” (TLS) cryptographic protocol as the minimum standard for encryption. This is primarily important for HTTPS encryption of web traffic.

OpenSSL – a backward compatibility nightmare

HTTPS encryption in SUSE Linux Enterprise 11 SP2 and SP3 is based on the cryptographic libraries that are part of OpenSSL 0.9.8j.

Unfortunately, OpenSSL 0.9.8 supports neither TLS 1.1 nor TLS 1.2, and this support cannot be added easily. Even worse, an update to a more recent OpenSSL version is not possible, as OpenSSL is notoriously incompatible with itself; in other words, an OpenSSL version upgrade would trigger a rebuild of a significant number of other packages in SUSE Linux Enterprise 11, and consequently would require a high number of updates to be installed on all our customers’ production systems. A version upgrade would also break (third party) applications. Not a solution, obviously.

An overview of the “notorious incompatibility” of OpenSSL is available via the Upstream Tracker (OpenSSL), a service originally funded by the Linux Foundation.

Heading towards a solution … Mozilla’s NSS

Aware of this conflict, SUSE’s security team has for some time been looking for an approach to provide TLS 1.2 with a minimum of annoyance for our customers.

Fortunately, there are other crypto libraries beyond OpenSSL, and amongst those, NSS is the best option. Here is why:

  • The library is stable and proven to work, as it provides HTTPS support (including TLS) for the Firefox web browser.
  • An Apache module (mod_nss) already exists; it is derived from mod_ssl and thus easy to use for administrators used to mod_ssl.
  • The NSS library is already part of SUSE Linux Enterprise 11, and support for TLS 1.2 can be provided easily with full backward compatibility; see the Upstream Tracker (NSS).

The result

Last week, we shipped all necessary packages via the Maintenance Channels for SUSE Linux Enterprise 11 SP2 and SP3 to deliver:

  • Mozilla NSS Update with support for TLS 1.2. Please update the packages: libfreebl3, libsoftokn3, mozilla-nspr, mozilla-nss.
  • New package “apache2-mod_nss”.

Please don’t forget to read /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt for a smooth start with mod_nss. Enjoy!
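As an added illustration, not part of the original post or of the SUSE package, here is a virtual-host fragment that restricts mod_nss to TLS 1.2. Directive names are those documented for upstream mod_nss; the file path, port, certificate database, nickname and the cipher selection are assumptions, and README-SUSE.txt is the authority for what the SUSE package actually ships.

```apache
# Added example: minimal mod_nss virtual host that only speaks TLS 1.2.
# Paths, port, nickname and cipher list are placeholders/assumptions; check
# README-SUSE.txt for the locations the SUSE package actually uses.
Listen 443

<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot /srv/www/htdocs

    NSSEngine on

    # Weak setting: a line like the one below would still offer SSLv3 and
    # TLS 1.0 to every client, which is what the NIST/BSI guidance moves away from.
    #NSSProtocol SSLv3,TLSv1.0

    # Corrected: offer only TLS 1.2, the minimum called for by NIST and BSI.
    # Clients without TLS 1.2 support will fail the handshake, so test first.
    NSSProtocol TLSv1.2

    # AES-only cipher selection (assumed names in mod_nss NSSCipherSuite syntax).
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha

    # NSS certificate database and the nickname of the server certificate
    # stored in it; both values are placeholders.
    NSSCertificateDatabase /etc/apache2/mod_nss.d
    NSSNickname Server-Cert
</VirtualHost>
```

Verify the result from a host whose TLS client can actually negotiate TLS 1.2; as the post notes, the OpenSSL 0.9.8 shipped with SUSE Linux Enterprise 11 cannot, so a test from the server itself with its own openssl client would fail regardless of the configuration.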

Changelog

  • 2014-01-23: Clarified the impact a version update of OpenSSL would have on applications and production systems.

Categories: Announcements, Enterprise Linux, Expert Views, Server, SUSE Linux Enterprise, SUSE Linux Enterprise Server, Technical Solutions


2 Comments

  1. By: jimsmithson

    Good article. A bit difficult to change from mod_ssl to mod_nss. Now how do we set up Perfect Forward Secrecy (PFS)?
