Enabling TLS 1.3 for openssl based services on SUSE Linux Enterprise Server 12 SP5
This document (000020606) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Current Product Status
With SUSE Linux Enterprise 15 SP2 or later, TLS 1.3 is available in all cryptographic libraries and services. SUSE Linux Enterprise 12 SP3, 12 SP4, 15 GA and 15 SP1 do not have full TLS 1.3 support; they are already in Long Term Support and will reach end of life before the above dates. SUSE is not considering full TLS 1.3 enablement for these service packs.
SUSE Linux Enterprise Server 12 SP5 is a longer running product in a longer maintenance phase, with no further Service Packs planned. Its regular end of maintenance is October 2024 and its Long Term Service Pack Support ends in October 2027.
Currently the SUSE Linux Enterprise Server 12 SP5 system openssl 1.0.2 library is used by libraries and applications, and it supports TLS 1.2 and older TLS protocols, but does not support the new TLS 1.3 protocol.
Resolution
SUSE is working on TLS 1.3 enablement for SUSE Linux Enterprise Server 12 SP5. To make TLS 1.3 usable, SUSE already ships the openssl 1.1.1 library as a secondary library that can be installed and used in parallel with openssl 1.0.2.
However, applications or libraries that want to use TLS 1.3 must be rebuilt to switch from the openssl 1.0.2 library to the openssl 1.1.1 library. SUSE has started this transition and will provide the rebuilt services as they become available over the next few months. Changes will be published here as each service is released:
vsftpd and nodejs14, nodejs16, nodejs18
- vsftpd on SLES 12 SP5 was updated to enable TLS 1.3 on March 2nd, 2022.
This change was an in-place upgrade and is transparent to users of vsftpd.
- nodejs14, nodejs16 and nodejs18 on SLES 12 SP5 are shipped with TLS 1.3 enabled.
Apache2 TLS 1.3 support for SLES 12 SP5
As of April 10th, 2023, SUSE has released a TLS 1.3 enabled flavor of apache2 for SLES 12 SP5.
The packages are: apache2-tls13, apache2-tls13-prefork, apache2-tls13-worker, apache2-tls13-utils and apache2-tls13-devel.
The only difference to the regular apache2 packages is that they link against openssl 1.1.1, which enables TLS 1.3 support in Apache2.
These packages can be installed in place of the existing apache2 packages (those without the -tls13 suffix).
We decided to ship this as an additional set of packages because interoperability issues between the tls13 flavor and third-party apache2 modules that link against openssl 1.0 could still lead to crashes of apache2.
We recommend testing in a test setup before deploying this to production.
Additional Information
Compatibility considerations
The switchover should not require any configuration changes. The older TLS 1.0 and 1.1 protocols will currently not be disabled.
FIPS considerations
As of now, only openssl 1.0.2p on SUSE Linux Enterprise Server 12 SP5 is FIPS certified. The openssl 1.1.1 library on SUSE Linux Enterprise Server 12 SP5 uses the same source code as the FIPS certified openssl 1.1.1 version on SUSE Linux Enterprise 15 SP2, but since it is not the same binary, it is not FIPS certified on its own.
How to migrate to TLS 1.3 enabled Apache2
An in-place migration is possible:
1. Back up your /etc/apache2 directory, e.g.:
# cp -a /etc/apache2 /etc/apache2.backup
2. Then migrate using zypper (or just install fresh with the same command):
# zypper in apache2-tls13
Problem: apache2-2.4.51-35.32.1.x86_64 conflicts with apache-tls13 provided by apache2-tls13-2.4.51-35.32.1.x86_64
 Solution 1: Following actions will be done:
  deinstallation of apache2-2.4.51-35.32.1.x86_64
  deinstallation of apache2-utils-2.4.51-35.32.1.x86_64
  deinstallation of apache2-prefork-2.4.51-35.32.1.x86_64
 Solution 2: do not install apache2-tls13-2.4.51-35.32.1.x86_64

Choose from above solutions by number or cancel [1/2/c] (c): 1
Resolving dependencies...
Resolving package dependencies...

The following 3 NEW packages are going to be installed:
  apache2-tls13 apache2-tls13-prefork apache2-tls13-utils

The following 3 packages are going to be REMOVED:
  apache2 apache2-prefork apache2-utils

3 new packages to install, 3 to remove.
Overall download size: 1.7 MiB. Already cached: 0 B. After the operation, 160.0 B will be freed.
Continue? [y/n/...? shows all options] (y):
...
While this transition should keep the configuration in place, check whether anything was modified.
3. Restart apache2
# rcapache2 restart
4. Verify everything is working
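Two checks make step 4 concrete: the httpd binary must now be linked against libssl.so.1.1 (openssl 1.1.1) rather than libssl.so.1.0.0 (openssl 1.0.2), and a client must actually negotiate TLSv1.3. The helper script below is an added example, not part of this TID; the binary path in HTTPD_BIN, the library sonames and the availability of an openssl 1.1.1 client binary (OPENSSL_BIN) are assumptions for a SLES 12 SP5 host, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added verification helpers for step 4 of the migration (example code, not from the SUSE TID).
# Both helpers parse tool output from stdin, so they can be exercised on the constructed
# samples below without a live server. Paths and sonames are assumptions.
HTTPD_BIN=${HTTPD_BIN:-/usr/sbin/httpd-prefork}   # assumed MPM binary path
OPENSSL_BIN=${OPENSSL_BIN:-openssl}               # must be an openssl 1.1.1 client for -tls1_3

# Reads `openssl s_client` output and prints the negotiated protocol, e.g. TLSv1.3.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Reads `ldd` output and prints which libssl the binary is linked against:
# "1.1" for openssl 1.1.1 (TLS 1.3 capable), "1.0" for openssl 1.0.2, else "none".
linked_libssl() {
    out=$(cat)
    case "$out" in
        *libssl.so.1.1*)   echo "1.1" ;;
        *libssl.so.1.0.0*) echo "1.0" ;;
        *)                 echo "none" ;;
    esac
}

# Live check: succeeds only if httpd links libssl 1.1 and host:port negotiates TLSv1.3.
verify_apache_tls13() {
    host=${1:-localhost}; port=${2:-443}
    lib=$(ldd "$HTTPD_BIN" 2>/dev/null | linked_libssl)
    proto=$("$OPENSSL_BIN" s_client -connect "$host:$port" -tls1_3 </dev/null 2>/dev/null | negotiated_protocol)
    echo "httpd libssl: $lib, negotiated: ${proto:-none}"
    [ "$lib" = "1.1" ] && [ "$proto" = "TLSv1.3" ]
}

# Constructed sample outputs (not captured from a real system) for offline checks.
SAMPLE_SCLIENT_13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_LDD_NEW='        libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000000000)'
SAMPLE_LDD_OLD='        libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f0000000000)'

# Usage on a migrated host:  verify_apache_tls13 www.example.com 443
```

If the live check reports libssl 1.0 after the zypper run, the old apache2 packages are still installed and the TLS 1.3 flavor is not in use.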
Migrating back to non-TLS 1.3 Apache2
Migrating back is also possible using "zypper in apache2" as above, but in that case the /etc/apache2 configuration will be overwritten, so back it up beforehand or check all ".rpmsave" and ".rpmnew" files after the migration.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020606
- Creation Date: 08-Mar-2022
- Modified Date: 13-Apr-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com