How to get the latest stable OpenSSL, Apache and Nginx

Unfortunately many distributions are slow to pick up the most recent releases of these core software packages. I see many arguments for why this is not a problem, the most common being that the enterprise distributions backport the most important security fixes, so it is not necessary to get more recent versions.

The problem with this argument is that sometimes security fixes are not patches but are in fact new features. TLS 1.2 is a great example: it carries numerous security fixes that do not exist in earlier versions of the protocol, and older versions of OpenSSL simply do not support it.

Another argument I hear is that “make install” is so easy that it does not really matter that distributions do not carry the latest packages, because you can just build it yourself. This argument has several issues, one of which is that production systems should be hardened with only the minimal set of binaries on them to be supportable; bringing a development environment onto such a system is about as far from that as you can get.

So what is a server administrator to do? Thankfully there are several additional repositories available for Enterprise Linux distributions that offer stable and recent builds of the most commonly used packages; two such repositories are:

Between these two (depending on your OS version) you can probably get the most recent OpenSSL, Nginx, and Apache distributions and all the goodness they carry.

In my case I use CentOS 6.3; if you do also, you can follow the steps here to add these repositories to your own systems.

Once you have added the repositories you can simply use the IUS replace plug-in to swap your current distribution of OpenSSL for the latest, for example:

yum replace openssl --replace-with=openssl10 --enablerepo=ius-testing

That’s it; now you can enable TLS 1.2 and any other modern TLS features carried by this build of OpenSSL. It is worth noting that at this time this build does not include support for ECC and ECDH, which are required for forward secrecy with modern browsers; to get a version that supports these algorithms you will have to build your own.
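As an added example (not part of the original post), here is a POSIX shell script that checks the two things the post says matter after the replacement: whether the installed openssl is a release that can speak TLS 1.2, and whether its cipher list offers ECDH key exchange (the part this build is said to lack). The check functions take text rather than running the tool themselves, so they can be verified against the constructed sample strings embedded in the script; the version threshold (TLS 1.2 first appeared in OpenSSL 1.0.1) is my assumption from OpenSSL's release history, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Verifies what an administrator gains and lacks after "yum replace openssl".

# Return 0 when an "openssl version" string names a release >= 1.0.1,
# the first release with TLS 1.2 support (assumption from OpenSSL history).
# Returns 2 when the string is not recognised at all.
openssl_version_has_tls12() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest2=${rest#*.}
    patch=${rest2%%.*}
    case "$major" in
        0) return 1 ;;                      # 0.9.x never speaks TLS 1.2
        1) [ "$minor" -gt 0 ] && return 0   # 1.1.x and later are fine
           [ "$patch" -ge 1 ] ;;            # 1.0.1 and up, but not 1.0.0
        *) return 0 ;;                      # 2.x / 3.x all support it
    esac
}

# Return 0 when "openssl ciphers -v" output contains at least one suite
# using ECDH key exchange (Kx=ECDH), i.e. the ECDHE suites browsers use
# for forward secrecy.
cipher_list_has_ecdhe() {
    printf '%s\n' "$1" | grep -q 'Kx=ECDH'
}

# Print how many suites in "openssl ciphers -v" output are TLS 1.2 only.
cipher_list_tls12_count() {
    printf '%s\n' "$1" | grep -c 'TLSv1.2'
}

# Constructed sample output in the "openssl ciphers -v" layout, used only
# to exercise the functions above; not captured from any real system.
SAMPLE_CIPHERS_WITH_ECDHE='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'
SAMPLE_CIPHERS_NO_ECDHE='DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Report on the openssl actually installed, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_version_has_tls12 "$v"; then
        echo "TLS 1.2 capable build: yes ($v)"
    else
        echo "TLS 1.2 capable build: NO ($v); replace or rebuild as described above"
    fi
    ciphers=$(openssl ciphers -v 'ALL' 2>/dev/null || true)
    if cipher_list_has_ecdhe "$ciphers"; then
        echo "ECDH key exchange available: yes"
    else
        echo "ECDH key exchange available: NO (no forward secrecy with ECDHE suites)"
    fi
    echo "TLS 1.2-only suites offered: $(cipher_list_tls12_count "$ciphers")"
else
    echo "openssl binary not found; nothing to check"
fi
```

Run it after the yum replace step; a build that prints "TLS 1.2 capable build: yes" but "ECDH key exchange available: NO" matches the state the post describes for the IUS openssl10 package at the time of writing.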

4 thoughts on “How to get the latest stable OpenSSL, Apache and Nginx”

  1. Pingback: What you need to know about Configuring SSL

  2. Pingback: Deploying SSL – Beyond the certificate and cipher suites

  3. Pingback: CA Security Council | Getting the Most Out of SSL Part 2: Configuration

  4. EoghanM

    Hi, I followed similar advice (found elsewhere) and openssl10 has been running fine on my system for quite a few months. Unfortunately, yesterday I did ‘yum upgrade’ and it wouldn’t work because of openssl dependency problems. I did ‘yum upgrade -x openssl’ and it seemed to upgrade fine, but now I cannot ssh in! Likely a dependency problem, but gonna have to reinstall the server as I don’t have access anymore.
    This is just a warning about the pitfalls of deviating away from the well-tested path for your installation.

