Enabling TLS 1.3 for openssl based services on SUSE Linux Enterprise Server 12 SP5
This document (000020606) is provided subject to the disclaimer at the end of this document.
Current Product StatusWith SUSE Linux Enterprise 15 SP2 or later TLS 1.3 is available in all cryptographic libraries and services.
SUSE Linux Enterprise 12 SP3, 12 SP4, 15 GA and SP1 do not have full TLS 1.3 support, and are already in Long Term Support and will reach end of life before the above dates. SUSE is not considering full TLS 1.3 enablement for these service packs.
SUSE Linux Enterprise Server 12 SP5 is a longer running product in a longer maintenance phase, with no further Service Packs planned. Its regular end of maintenance is October 2024 and its Long Term Service Pack Support ends in October 2027.
Currently the SUSE Linux Enterprise Server 12 SP5 system openssl 1.0.2 library is used by libraries and applications, and it supports TLS 1.2 and older TLS protocols, but does not support the new TLS 1.3 protocol.
SUSE is working on TLS 1.3 enablement of SUSE Linux Enterprise Server 12 SP5. To be able to use TLS 1.3, SUSE is already shipping the openssl 1.1.1 library as secondary parallel installable and usable library.
However, applications or libraries that want to use TLS 1.3 must be rebuilt to switch from the openssl 1.0.2 to the openssl 1.1.1 library. SUSE has started working on this transition and will be providing the services as they become available over the next few months. Changes will be published here as each service is released:
vsftpd and nodejs14, nodejs16, nodejs18
- vsftpd on SLES 12 SP5 was updated to enable TLS 1.3 on March 2nd 2022.
This change was an in-place upgrade and is transparent to users of vsftpd.
- nodejs14, nodejs16 and nodejs18 on SLES 12 SP5 are shipped with TLS 1.3 enabled.
Apache2 TLS 1.3 support for SLES 12 SP5
As of April 10th 2023 SUSE released a TLS1.3 enabled flavor of apache2 for SLES 12 SP5.
These are the following RPM packages: apache2-tls13, apache2-tls13-prefork, apache2-tls13-worker, apache2-tls13-utils, apache2-tls13-devel
The only difference to the apache2 packages is that they link against openssl 1.1.1 and by that
enable TLS 1.3 support for Apache2.
These packages can be used instead of the existing apache2 packages without -tls13 in place.
We decided to do this additional set of packages, as there still could be interoperability issues between the tls13 flavor packages and third party apache2 modules linking against openssl 1.0 that could lead to crashes of apache2.
We recommend testing in testsetups before deploying this to production.
Compatibility considerationsThe switchover should be without any need of configuration changes.
The older TLS 1.0 and 1.1 protocols will currently not be disabled.
FIPS considerationsAs of now only openssl 1.0.2p on SUSE Linux Enterprise Server 12 SP5 is FIPS certified.
The openssl 1.1.1 library on SUSE Linux Enterprise Server 12 SP5 uses the same sourcecode as the FIPS certified openssl 1.1.1 version on SUSE Linux Enterprise 15 SP2, but as its not the same binary code is not FIPS certified on its own.
How to migrate to TLS 1.3 enabled Apache2An in-place migration is possible:
1. Backup your /etc/apache2 directory, with e.g.:
# cp -a /etc/apache2 /etc/apache2.backup2. Then migrate using zypper (or just install fresh with the same command):
# zypper in apache2-tls13 Problem: apache2-2.4.51-35.32.1.x86_64 conflicts with apache-tls13 provided by apache2-tls13-2.4.51-35.32.1.x86_64 Solution 1: Following actions will be done: deinstallation of apache2-2.4.51-35.32.1.x86_64 deinstallation of apache2-utils-2.4.51-35.32.1.x86_64 deinstallation of apache2-prefork-2.4.51-35.32.1.x86_64 Solution 2: do not install apache2-tls13-2.4.51-35.32.1.x86_64 Choose from above solutions by number or cancel [1/2/c] (c): 1 Resolving dependencies... Resolving package dependencies... The following 3 NEW packages are going to be installed: apache2-tls13 apache2-tls13-prefork apache2-tls13-utils The following 3 packages are going to be REMOVED: apache2 apache2-prefork apache2-utils 3 new packages to install, 3 to remove. Overall download size: 1.7 MiB. Already cached: 0 B. After the operation, 160.0 B will be freed. Continue? [y/n/...? shows all options] (y): ...While this transition should keep the configuration in-place, check if anything was modified.
3. Restart apache2
# rcapache2 restart
4. Verify everything is working
Migrating back to non-TLS 1.3 Apache2
Migrating back is also possible using "zypper in apache2" similar to above, but in that case the /etc/apache2 configuration will be overwritten, so you should back it up before doing so or check all ".rpmsave" or ".rpmnew" files after the migration.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020606
- Creation Date: 13-Apr-2023
- Modified Date:13-Apr-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com