Yep, maybe using SSL offloading devices like (BigIP) that receive tls1.2
and tlsv1.2 and then re-encrypt traffic with tls1.0 might be the "cheapest"
solution.

--
Eero

2015-04-17 14:15 GMT+03:00 Johnny Hughes <johnny at centos.org>:

> On 04/16/2015 05:00 PM, Eero Volotinen wrote:
> > in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
> >
> > --
> > Eero
> >
>
> If you do that, then you are at the mercy of Mr. Bergmann to provide
> updates for all security issues for openssl. Has he updated his RPMs
> since 2014-11-19 23:57:58? Does his patch work on the latest
> RHEL/CentOS EL5 openssl-0.9.8 package?
>
> The answer right now for him providing newer packages is, I have no
> idea. His repo
> (
> http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos_5/index.html
> )
> does not seem to be available:
> ===================================================================
> Attempted reposync:
>
> Error setting up repositories: failure: repodata/repomd.xml from tuxad:
> [Errno 256] No more mirrors to try.
> http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
> HTTP Error 404 - Not Found
> ===================================================================
>
> Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his
> patches) .. doing so is not at all certified as safe, nor has it been
> tested by anyone that I can see (other than in that blog entry). It
> might be fine .. it might not be.
>
> People can make any choice that they want, but I would be looking to
> upgrade to at least CentOS-6 at this point if I wanted newer TLS support
> and not depending on one person to provide packages (or patches) of this
> importance for all my EL5 machines. But, that is just me.
>
> Please note, I have no idea who Mr. Bergmann is and I am not in any way
> being negative about those packages and patches .. they are extremely
> nice and seem to work. However, I can not see the rest of his repo
> right now and I would not trust MY production machines to a one person
> operation with something as important as openssl.
>
> Thanks,
> Johnny Hughes
>
> > 2015-04-16 21:02 GMT+03:00 Eero Volotinen <eero.volotinen at iki.fi>:
> >
> >> well. this hack solution might work:
> >> http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5/index.html
> >>
> >> --
> >> Eero
> >>
> >> 2015-04-16 17:30 GMT+03:00 Leon Fauster <leonfauster at googlemail.com>:
> >>
> >>> On 16.04.2015 at 11:46, Leon Fauster <leonfauster at googlemail.com> wrote:
> >>>> On 16.04.2015 at 11:43, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> >>>>> Is there any nice way to get tlsv1.2 support to centos 5?
> >>>>> upgrading os to 6 is not option available.
> >>>>
> >>>> Unfortunately not.
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1066914
> >>>
> >>> --
> >>> LF
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
The cheapest solution is probably compiling a private openssl somewhere on
the system and then compiling apache using that private openssl version
instead of the default system-wide one.

Regards,
Dennis

On 17.04.2015 13:20, Eero Volotinen wrote:
> Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
> and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
> solution.
>
> --
> Eero
>
> 2015-04-17 14:15 GMT+03:00 Johnny Hughes <johnny at centos.org>:
>
>> On 04/16/2015 05:00 PM, Eero Volotinen wrote:
>>> in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5
>>>
>>> --
>>> Eero
>>>
>>
>> If you do that, then you are at the mercy of Mr. Bergmann to provide
>> updates for all security issues for openssl. Has he updated his RPMs
>> since 2014-11-19 23:57:58? Does his patch work on the latest
>> RHEL/CentOS EL5 openssl-0.9.8 package?
>>
>> The answer right now for him providing newer packages is, I have no
>> idea. His repo
>> (
>> http://www.tuxad.de/blog/archives/2014/12/07/yum_repository_for_rhel__centos_5/index.html
>> )
>> does not seem to be available:
>> ===================================================================
>> Attempted reposync:
>>
>> Error setting up repositories: failure: repodata/repomd.xml from tuxad:
>> [Errno 256] No more mirrors to try.
>> http://www.tuxad.com/repo/5/x86_64/tuxad/repodata/repomd.xml: [Errno 14]
>> HTTP Error 404 - Not Found
>> ===================================================================
>>
>> Red Hat chose not to turn on those cyphers in RHEL-5 (the ones in his
>> patches) .. doing so is not at all certified as safe, nor has it been
>> tested by anyone that I can see (other than in that blog entry). It
>> might be fine .. it might not be.
>>
>> People can make any choice that they want, but I would be looking to
>> upgrade to at least CentOS-6 at this point if I wanted newer TLS support
>> and not depending on one person to provide packages (or patches) of this
>> importance for all my EL5 machines. But, that is just me.
>>
>> Please note, I have no idea who Mr. Bergmann is and I am not in any way
>> being negative about those packages and patches .. they are extremely
>> nice and seem to work. However, I can not see the rest of his repo
>> right now and I would not trust MY production machines to a one person
>> operation with something as important as openssl.
>>
>> Thanks,
>> Johnny Hughes
>>
>>> 2015-04-16 21:02 GMT+03:00 Eero Volotinen <eero.volotinen at iki.fi>:
>>>
>>>> well. this hack solution might work:
>>>> http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5/index.html
>>>>
>>>> --
>>>> Eero
>>>>
>>>> 2015-04-16 17:30 GMT+03:00 Leon Fauster <leonfauster at googlemail.com>:
>>>>
>>>>> On 16.04.2015 at 11:46, Leon Fauster <leonfauster at googlemail.com> wrote:
>>>>>> On 16.04.2015 at 11:43, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>>>>>> Is there any nice way to get tlsv1.2 support to centos 5?
>>>>>>> upgrading os to 6 is not option available.
>>>>>>
>>>>>> Unfortunately not.
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1066914
>>>>>
>>>>> --
>>>>> LF
On 04/17/2015 11:20 PM, Eero Volotinen wrote:
> Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
> and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
> solution.

Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only
attack against 1.0 that I'm aware of is BEAST, and that has been largely
mitigated by browser-side fixes to the point where TLS 1.0 is now considered
to be safe. No doubt there will in time be other attacks that necessitate an
upgrade, but for now I would just stick with the version of openssl and
apache that comes with CentOS 5 and focus on moving to CentOS 6 or 7 as a
medium (not long) term goal. At the end of the day I think it's better to
just go this route than have to deal with the hacky solutions for getting
1.1 and 1.2 out of CentOS 5.

Peter
2015-04-17 14:26 GMT+03:00 Dennis Jacobfeuerborn <dennisml at conversis.de>:
> The cheapest sollution is probably compiling a private openssl somewhere
> on the system and then compiling apache using that private openssl
> version instead of the default system-wide one.

Well, not really. The cheapest working solution is to use apache on CentOS
6/7 with the SSLProxyEngine to first decrypt traffic and then encrypt it
again using TLSv1.0.

--
Eero
2015-04-17 14:40 GMT+03:00 Peter <peter at pajamian.dhs.org>:
> On 04/17/2015 11:20 PM, Eero Volotinen wrote:
> > Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
> > and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
> > solution.
>
> Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The
> only attack against 1.0 that I'm aware of is BEAST and that has been
> largely mitigated by browser-side fixes to the point where TLS 1.0 is
> now considered to be safe. No doubt there will in time be other attacks
> that necessitate an upgrade, but for now I would just stick with the
>

Well, the PCI DSS 3.1 standard will soon deny the use of SSLv3 and early
versions of TLS (v1.0).

Also noted that it is possible to do SSL termination and encryption again
with mod_ssl's SSLProxyEngine.

--
Eero
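The mod_ssl termination-and-re-encryption setup Eero describes in the two messages above, written out as an added example (this is not a configuration posted by anyone in the thread). It assumes an Apache httpd 2.4 reverse proxy on CentOS 6/7 at `www.example.com` that terminates TLS 1.2 from clients and then re-encrypts each request with TLS 1.0 toward a CentOS 5 backend at `10.0.0.5:443` whose certificate is issued by a private CA kept in `/etc/pki/tls/certs/internal-ca.pem`; all of those names, addresses and paths are placeholders.

```apache
# Front side: clients talk TLS 1.2 (or 1.1) to the CentOS 6/7 host.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com            # placeholder hostname

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt   # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key # placeholder

    # Only modern protocol versions are offered to clients; SSLv3 and
    # TLS 1.0 are what PCI DSS 3.1 is phasing out, so they stay off here.
    SSLProtocol            -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite         HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder    on

    # Back side: the proxy opens its own TLS session to the CentOS 5 host.
    # EL5's openssl-0.9.8 only speaks TLS 1.0, so that is all we allow
    # on this leg; it never leaves the internal network.
    SSLProxyEngine         on
    SSLProxyProtocol       TLSv1

    # Do not silently trust the backend: verify its certificate against
    # the internal CA and check that the CN matches the proxied hostname.
    # Without this, anyone who can sit between proxy and backend can
    # terminate the inner TLS session themselves.
    SSLProxyVerify         require
    SSLProxyVerifyDepth    2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem   # placeholder
    SSLProxyCheckPeerCN    on
    SSLProxyCheckPeerName  on      # httpd 2.4.5+; use only SSLProxyCheckPeerCN on 2.2

    ProxyRequests      Off         # reverse proxy only, never an open forward proxy
    ProxyPreserveHost  On
    ProxyPass          /  https://10.0.0.5/      # placeholder backend address
    ProxyPassReverse   /  https://10.0.0.5/

    # Tell the backend application that the client connection was TLS,
    # so redirects and secure-cookie logic keep working behind the proxy.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this in place the CentOS 5 box keeps its stock openssl-0.9.8 and httpd packages and still receives Red Hat's updates for them, which is the point Johnny Hughes makes against the third-party RPMs. The two legs can be verified independently with `openssl s_client -connect www.example.com:443 -tls1_2` from outside and `openssl s_client -connect 10.0.0.5:443 -tls1` from the proxy host; the first should succeed and a `-tls1` attempt against the front side should be refused. Note that the backend leg is still TLS 1.0, so the network between proxy and backend should be treated as part of the trusted zone and the PCI scope accordingly.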