How Can I Set up TLSv1.2 on CentOS?
If TLSv1.2 cannot be configured on CentOS6.5, which versions of CentOS support TLSv1.2?
Based on my understanding of this blog update, TLSv1.2 should be available on CentOS 6.5. You can test if your website supports TLSv1.2 by running the following command from your local machine:
openssl s_client -connect your.domain.name:443 -tls1_2
You should see something like:
SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256
More important than the operating system, however, is the version of OpenSSL you are using. You will just want to make sure you are using OpenSSL 1.0.1 or later. OpenSSL 0.9.8 does not support TLS 1.2. You can confirm this at the OpenSSL changelog. To check which version of OpenSSL you are running, you can run the following commands:
openssl version yum info openssl
To download, compile, and install the latest version of OpenSSL, you can run the following commands:
#Downloads the latest version cd /usr/src wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz tar -zxf openssl-1.0.2-latest.tar.gz #Manually compiles OpenSSL and upgrades OpenSSL cd openssl-1.0.2a ./config make make test make install #If you are still seeing the old version still displayed, make a copy of the Open SSL bin file mv /usr/bin/openssl /root/ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
From there you can run the
openssl version command again to verify it has installed/updated properly. Hope this helps point you in the right direction!
OpenSSL isn't the only thing that requires TLS 1.2. Actually for server wide TLS 1.2 you want to be on CentOS 6.8+ or CentOS 7.2+ as only those newer versions have TLS 1.2 support for system provided curl and git. Paypal clients like PHP would require curl to support TLS 1.2 too.
Known incompatible clients
As noted above, the vast majority of traffic should be unaffected by > this change. However, there are a few remaining clients that we anticipate will be affected. Fortunately, the majority of clients can be updated to work with TLSv1.2.
Git on Red Hat 5, < 6.8, and < 7.2
Red Hat 5, 6, and 7 shipped with Git clients that did not support TLSv1.2. This can be addressed by updating to versions 6.8 and 7.2 (or greater) respectively. Unfortunately, Red Hat 5 does not have a point release that supports TLSv1.2. We advise that users of Red Hat 5 upgrade to a newer version of the operating system.