SLES 11 SP4 Openssl version for TLS 1.2



Emmermacher
16-Apr-2018, 12:28
Hello.

For my apache2 2.2.34 on SLES11 SP4 I want to enable TLS 1.2. For this I need a higher version of openssl (for the moment 0.9.8).
Where can I find a working version? Is this supported?

Thanks in advance for your answers.

Regards

Dirk Emmermacher

ab
16-Apr-2018, 12:41
Yes, it is an option, though you would probably be better-served going to
SLES 12:

https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html

The reason for this Security Module is that an enterprise distribution
like SLES (as you know) focuses on stability more than the latest bleeding
edge code, and as a result updating a major release of some software
within a version of SLES (e.g. SLES 11) is not done. This is one of the
reasons that SLES 11 was never vulnerable to the Heartbleed issues that
plagued so many other distributions, as the new feature was introduced in
OpenSSL 1.x which was newer than what SLES 11 had at the time it shipped.

Still, there is a need to get TLS 1.2 into environments now that OpenSSL
has had more time to bake, so SUSE uses these modules, a lot more in SLES
12 actually, to allow certain groups of packages to move at a different
pace than the base OS. This is the only one I've seen publicized widely
for SLES 11, and the reason is for your exact use case.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Emmermacher
16-Apr-2018, 13:07
Hello ab.

Thanks for your answer. I know that it's time for a change. For the moment I have too many other projects.
I hoped that I could solve this as a quick solution...

Regards from Hannover, Germany

Dirk

ab
16-Apr-2018, 14:08
On 04/16/2018 06:14 AM, Emmermacher wrote:
>
> Hello ab.
>
> Thanks for your answer. I know that it's time for a change. For the
> moment I have too many other projects.
> I hoped that I could solve this as a quick solution...

Fair enough, and that is part of the reason SUSE made this option
available, so that you can solve this more-easily than by upgrading your
entire system to SLES 12. Let us know how it works for you if you get a
chance to implement it.

Another option, depending on your needs, is that you could potentially use
some sort of proxy, e.g. haproxy, or Squid, or something that then does
the TLS 1.2 bits for you for your clients' benefits, but does not need to
do TLS 1.2 back to your server. This could potentially be done with other
products too, like Access Manager, but the main benefit is you could
potentially do so without touching your current system at all, minimizing
risk of downtime due to a broken configuration.

--
Good luck.
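
The proxy option mentioned in the reply above, sketched as an added example that is not part of the original thread: an haproxy instance terminates TLS 1.2 for clients and forwards to the unchanged SLES 11 Apache. It assumes HAProxy 1.8 or later, built against an OpenSSL with TLS 1.2 support, running on a separate host; the address, certificate path and section names are placeholders.

```haproxy
# Added example: TLS-terminating reverse proxy in front of a legacy backend.
# Every address, path and name below is a placeholder, not a value from the thread.

global
    log /dev/log local0
    # Apply to every client-facing "bind ... ssl" line:
    # refuse handshakes below TLS 1.2.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # site.pem (placeholder) holds the certificate chain and private key.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Tell the backend application that the client side was HTTPS,
    # and pass the original client address along.
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend legacy_apache

backend legacy_apache
    # The hop to the old server is plain HTTP here (an assumption of this
    # sketch), so it is not protected by TLS 1.2. Keep it on a trusted
    # network segment and firewall the Apache host so that only the proxy
    # can reach it; otherwise clients could still connect to it directly.
    server sles11 192.0.2.10:80 check
```

From a client, `openssl s_client -connect <proxy>:443 -tls1_2` should complete a handshake, while the same command with `-tls1` should be refused.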