Why does no one use TLS 1.1 or TLS 1.2?

As title.

There are plenty of security holes in SSL 3.0/TLS 1.0.

RedHat is still using TLS 1.0, and many other distros too.

Servers generally haven't upgraded to newer TLS yet,

why?

I like to use the official repo for the OpenSSL rpm,

but the latest RPM from RedHat/CentOS supports TLS 1.0 and not the newer ones.

Should I worry about that?

May I sleep quietly knowing that my server is using TLS 1.0?

13 Replies

Most distros, especially those common on servers, try to avoid upgrading stuff between releases. They want to avoid doing anything to compromise stability.

If they do provide upgrades, it's usually "backported" security fixes – in other words, they take security fixes from newer versions of the software in question and they adapt it to the older version that they currently provide. There is much less risk to stability that way.

Usually you have to wait for the next release of your distro to get newer versions of the software you use -- either that, or find a 3rd party repository with a newer version. You really need to be careful with those, sometimes they work really well and sometimes they cause great pain.

I know what you said, but the question in the initial post is different.

How can it be possible that one of the most important security modules (OpenSSL) isn't upgraded yet with the security holes fixed?

TLS 1.0 is old and has many security holes, so why haven't "server distros" upgraded yet to the new TLS 1.2, or backported the security patches to 1.0?

Because there are still a ton of mainstream browsers that do not support TLS 1.1 or 1.2, yet:

http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

TL;DR: Chrome and Safari are the only browsers whose current stable release supports anything newer than TLS 1.0 out of the box. IE/Firefox/Opera don't.

Servers sadly still need TLS 1.0, but what about SSL 3.0? The TLS 1.0 column on swaj's link is all-green except for IE 6.

@swaj:

> Because there are still a ton of mainstream browsers that do not support TLS 1.1 or 1.2, yet:
>
> http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

We are talking about servers, not browsers.

One thing is sure: a server may offer TLS 1.0, 1.1 and 1.2, and a browser can use the latest protocol it supports.

If servers don't start supporting newer TLS, browsers have no reason to push the accelerator on implementing this support.

To be honest, I was surprised to hear you say that any servers don't support TLS 1.1 and 1.2. Ubuntu 12.04 – over a year old -- does and I assumed every other distro would also have caught up.

@mnordhoff:

> To be honest, I was surprised to hear you say that any servers don't support TLS 1.1 and 1.2. Ubuntu 12.04 – over a year old -- does and I assumed every other distro would also have caught up.

Where did I say ANY?

In any case I'm talking about server distros, not the development ones that obviously have the latest features.

Ubuntu 12.04 LTS is (or can be used as) a server distro, not a development one. 12.10/13.04/13.10 would certainly qualify as development distros, but there are many servers out there relying on Ubuntu Server LTS releases. The majority of Linodes do, for that matter.

Enterprises prefer fixed release cycles (Ubuntu) over rolling release cycles (Debian). Developers tend to be the reverse.

For what it's worth, lighttpd 1.4.28 on Ubuntu 12.04 LTS supports up to TLS 1.2:

Protocols
TLS 1.2    Yes
TLS 1.1    Yes
TLS 1.0    Yes
SSL 3.0    Yes
SSL 2.0    No

Source: https://www.ssllabs.com/ssltest/analyze.html?d=rocwiki.org
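The SSL Labs table above is the result of exactly this kind of test: one handshake attempt per protocol version. As an added example that is not code from this thread or from SSL Labs, the Go program below uses only the standard library to start a local test server with a chosen protocol range and then probes it once per version; `startServer`, `probeVersions` and the throwaway self-signed certificate are this example's own names and assumptions, and `probeVersions` works the same against any host:port (crypto/tls cannot speak SSL 3.0 or 2.0, so those two rows of the table cannot be checked with it).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Versions to probe; crypto/tls cannot speak SSL 3.0 or 2.0, so those two rows cannot be checked here.
var versions = map[string]uint16{"TLS 1.0": tls.VersionTLS10, "TLS 1.1": tls.VersionTLS11,
	"TLS 1.2": tls.VersionTLS12, "TLS 1.3": tls.VersionTLS13}
// selfSignedCert builds a throwaway in-memory certificate (constructed here) for the local test server.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "probe-test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// startServer listens on a random loopback port, handshakes each connection and accepts only versions in [min, max].
func startServer(min, max uint16) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, MinVersion: min, MaxVersion: max}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}
// probeVersions reports, per version, whether the server at addr completes a handshake with a client pinned to exactly that version.
func probeVersions(addr string) map[string]bool {
	out := map[string]bool{}
	for name, id := range versions {
		// Verification is skipped only because the test peer uses a throwaway self-signed cert.
		c, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: id, MaxVersion: id, InsecureSkipVerify: true})
		if out[name] = err == nil; err == nil {
			c.Close()
		}
	}
	return out
}
```

A server started with `startServer(tls.VersionTLS12, tls.VersionTLS13)` answers `true` only for TLS 1.2 and 1.3, which is the configuration a server that has dropped TLS 1.0 would report.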

@hoopycat:

> For what it's worth, lighttpd 1.4.28 on Ubuntu 12.04 LTS supports up to TLS 1.2:
>
> Protocols
> TLS 1.2    Yes
> TLS 1.1    Yes
> TLS 1.0    Yes
> SSL 3.0    Yes
> SSL 2.0    No
>
> Source: https://www.ssllabs.com/ssltest/analyze.html?d=rocwiki.org

OK, Ubuntu rocks.

Why doesn't RedHat rock too? :)

RedHat 5 and RedHat 6 are a lot older than Ubuntu 12.04 LTS (RH6 was released in 2010; Ubuntu in 2012). Newer TLS versions came in with OpenSSL 1.0.x; RedHat still uses 0.9.x versions.

Current Fedora releases and the upcoming RedHat 7 (expected this year) will have TLS 1.2.

@sweh:

> RedHat 5 and RedHat 6 are a lot older than Ubuntu 12.04 LTS (RH6 was released in 2010; Ubuntu in 2012). Newer TLS versions came in with OpenSSL 1.0.x; RedHat still uses 0.9.x versions.
>
> Current Fedora releases and the upcoming RedHat 7 (expected this year) will have TLS 1.2.

CentOS/RHEL 6.4 uses OpenSSL 1.0.0, not 0.9.x, and TLS 1.2 has been implemented in 1.0.1, not in 1.0.x; 1.0.x also means 1.0.0 :)
