Enabling TLS 1.3 for openssl-based services on SUSE Linux Enterprise Server 12 SP5

This document (000020606) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 SP5

Situation

In 2018 the long-awaited TLS 1.3 protocol completed standardization. TLS 1.3 is a major improvement over the previous SSL and TLS (up to 1.2) protocols: it fixes several shortcomings and is faster than older versions. To enforce adoption, the US government has published NIST SP 800-52r2, which states that services shall support TLS 1.3 by January 1st 2024. SUSE generally expects that support for TLS 1.3 will become mandatory in the coming years.
 

Current Product Status

With SUSE Linux Enterprise 15 SP2 or later, TLS 1.3 is available in all cryptographic libraries and services.

SUSE Linux Enterprise 12 SP3, 12 SP4, 15 GA and 15 SP1 do not have full TLS 1.3 support. They are already in Long Term Support and will reach end of life before the above dates. SUSE is not considering full TLS 1.3 enablement for these service packs.

SUSE Linux Enterprise Server 12 SP5 is a longer running product with a longer maintenance phase, and no further Service Packs are planned for it. Its regular end of maintenance is October 2024 and its Long Term Service Pack Support ends in October 2027.

Currently, libraries and applications on SUSE Linux Enterprise Server 12 SP5 use the system openssl 1.0.2 library. It supports TLS 1.2 and older TLS protocols, but does not support the new TLS 1.3 protocol.

Resolution

SUSE is working on TLS 1.3 enablement of SUSE Linux Enterprise Server 12 SP5. To make TLS 1.3 usable, SUSE is already shipping the openssl 1.1.1 library as a secondary library that can be installed and used in parallel with openssl 1.0.2.

However, applications or libraries that want to use TLS 1.3 must be rebuilt to switch from the openssl 1.0.2 library to the openssl 1.1.1 library. SUSE has started working on this transition and will be providing the services as they become available over the next few months. An update will be provided here as each service is released.
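One way to audit which services have already been switched is to look at which OpenSSL shared library a binary resolves. The script below is an added example, not part of SUSE's document: the function name is hypothetical, the sample `ldd` output is constructed, and the library names are the upstream sonames (libssl.so.1.0.0 for openssl 1.0.2, libssl.so.1.1 for openssl 1.1.1).

```shell
#!/bin/sh
# Classify OpenSSL linkage from `ldd` output read on stdin.
# Upstream sonames: OpenSSL 1.0.2 -> libssl.so.1.0.0 / libcrypto.so.1.0.0
#                   OpenSSL 1.1.1 -> libssl.so.1.1   / libcrypto.so.1.1
classify_openssl_linkage() {
    awk '
        /lib(ssl|crypto)\.so\.1\.0\.0/        { v102 = 1 }
        /lib(ssl|crypto)\.so\.1\.1([^0-9]|$)/ { v111 = 1 }
        END {
            if (v102 && v111) print "mixed"          # a dependency still pulls in 1.0.2
            else if (v111)    print "openssl-1.1.1"  # rebuilt, can offer TLS 1.3
            else if (v102)    print "openssl-1.0.2"  # TLS 1.2 at most
            else              print "no-openssl"     # no OpenSSL linkage found
        }'
}

# Constructed sample `ldd` output; paths and load addresses are illustrative.
SAMPLE_LEGACY='	libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f0000200000)
	libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

SAMPLE_REBUILT='	libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000200000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# The binary itself was rebuilt, but a library it loads still uses 1.0.2.
SAMPLE_MIXED='	libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000200000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f0000000000)
	libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000600000)
	libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f0000800000)
	libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f0000a00000)'

if [ "$#" -gt 0 ]; then
    # Real use: pass paths of installed service binaries. Only run ldd on
    # binaries you trust, because ldd may invoke the program loader.
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_openssl_linkage)"
    done
else
    # No arguments: classify the constructed samples above.
    for sample in "$SAMPLE_LEGACY" "$SAMPLE_REBUILT" "$SAMPLE_MIXED"; do
        printf '%s\n' "$sample" | classify_openssl_linkage
    done
fi
```

A result of `mixed` means part of the dependency chain has not been rebuilt yet, so connections made through that dependency still go through openssl 1.0.2.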

Additional Information

Compatibility considerations

The switchover should not require any configuration changes.
The older TLS 1.0 and 1.1 protocols will currently not be disabled.
 

FIPS considerations

As of now only openssl 1.0.2p on SUSE Linux Enterprise Server 12 SP5 is FIPS certified.

The openssl 1.1.1 library on SUSE Linux Enterprise Server 12 SP5 uses the same source code as the FIPS certified openssl 1.1.1 version on SUSE Linux Enterprise 15 SP2, but because it is not the same binary code, it is not FIPS certified on its own.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020606
  • Creation Date: 11-May-2022
  • Modified Date: 12-May-2022
    • SUSE Linux Enterprise Server
