How Can I Set up TLSv1.2 on CentOS?

Linode Staff

If TLSv1.2 cannot be configured on CentOS6.5, which versions of CentOS support TLSv1.2?

2 Replies

Hey there!

Based on my understanding of this blog update, TLSv1.2 should be available on CentOS 6.5. You can test if your website supports TLSv1.2 by running the following command from your local machine:

openssl s_client -connect your.domain.name:443 -tls1_2 

You should see something like:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256

More important than the operating system, however, is the version of OpenSSL you are using. You will just want to make sure you are using OpenSSL 1.0.1 or later. OpenSSL 0.9.8 does not support TLS 1.2. You can confirm this at the OpenSSL changelog. To check which version of OpenSSL you are running, you can run the following commands:

openssl version
yum info openssl

To download, compile, and install the latest version of OpenSSL, you can run the following commands:

# Download the latest 1.0.2 release
cd /usr/src
wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -zxf openssl-1.0.2-latest.tar.gz

# Compile and install OpenSSL (the directory name depends on the release that was downloaded)
cd "$(tar -tzf openssl-1.0.2-latest.tar.gz | head -n 1 | cut -d/ -f1)"
./config
make
make test
make install

# If the old version is still displayed, move the original openssl binary aside and link the new one in its place
mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

From there you can run the openssl version command again to verify it has installed/updated properly. Hope this helps point you in the right direction!
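The two checks from the reply above (the `openssl version` string and the `openssl s_client` session output), scripted as an added example that is not part of the original thread. The function names and sample inputs are constructed for illustration; `check_server` needs network access and is only defined, not called.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Return 0 if an `openssl version` line reports 1.0.1 or later.
version_supports_tls12() {
    printf '%s\n' "$1" | awk '{
        split($2, v, ".")
        sub(/[^0-9].*$/, "", v[3])   # "1e-fips" -> "1"
        exit !((v[1] * 10000 + v[2] * 100 + v[3]) >= 10001)
    }'
}

# Read `openssl s_client` output on stdin; return 0 only for a completed
# TLSv1.2 handshake. A failed handshake can still print "Protocol  : TLSv1.2",
# but with cipher 0000, so the cipher is checked as well.
handshake_is_tls12() {
    awk '
        $1 == "Protocol" && $2 == ":" { proto = $3 }
        $1 == "Cipher"   && $2 == ":" { cipher = $3 }
        END { exit !(proto == "TLSv1.2" && cipher != "" && cipher != "0000" && cipher != "(NONE)") }
    '
}

# Live check (needs network): check_server your.domain.name [port]
check_server() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -tls1_2 \
        </dev/null 2>/dev/null | handshake_is_tls12
}

SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256'
SAMPLE_FAILED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

for v in "OpenSSL 0.9.8e 23 Feb 2007" "OpenSSL 1.0.1e-fips 11 Feb 2013"; do
    if version_supports_tls12 "$v"; then echo "$v: TLS 1.2 capable"
    else echo "$v: too old for TLS 1.2"; fi
done
for s in "$SAMPLE_OK" "$SAMPLE_FAILED"; do
    if printf '%s\n' "$s" | handshake_is_tls12; then echo "handshake: TLSv1.2 negotiated"
    else echo "handshake: TLSv1.2 NOT negotiated"; fi
done
```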

OpenSSL isn't the only thing that requires TLS 1.2. Actually, for server-wide TLS 1.2 you want to be on CentOS 6.8+ or CentOS 7.2+, as only those newer versions have TLS 1.2 support for system-provided curl and git. PayPal clients like PHP would require curl to support TLS 1.2 too.

Known incompatible clients
As noted above, the vast majority of traffic should be unaffected by this change. However, there are a few remaining clients that we anticipate will be affected. Fortunately, the majority of clients can be updated to work with TLSv1.2.

and

Git on Red Hat 5, < 6.8, and < 7.2
Red Hat 5, 6, and 7 shipped with Git clients that did not support TLSv1.2. This can be addressed by updating to versions 6.8 and 7.2 (or greater) respectively. Unfortunately, Red Hat 5 does not have a point release that supports TLSv1.2. We advise that users of Red Hat 5 upgrade to a newer version of the operating system.
