I built and installed openssl 1.0.1. How do I force Apache to use TLS 1.2 Ciphers?
SSL/TLS 1.2 on Apache with openssl 1.0.1
apache-2.2openssl
Related Topic
- SSL Ciphers – Resolve SSL Cipher Discrepancies in Apache 2.2 and OpenSSL 1.0.1
- How to disable TLS v1 in Apache v2.2 (Openssl 1.0.1)
- What are the Minimum requirements for TLS 1.2 on Apache Web server
- Ssl – Centos 5.11 OpenSSL TLS 1.2 for Paypal
- Debian – Force Applications to Use TLS 1.2 for Certain Domains
Best Answer
TLS 1.2 is covered in these 2 documents;
https://www.rfc-editor.org/rfc/rfc5246
https://www.rfc-editor.org/rfc/rfc6176
Basically the latter doc is Prohibiting SSL 2.0 from being negotiated by TLS1.2 and this is the default for httpd 2.2 shipped with fedora; eg
SSLProtocol all -SSLv2However your question was about CipherSuites which are also covered in those docs; By the looks of it, the only mandatory cipher suite for TLS 1.2 is TLS_RSA_WITH_AES_128_CBC_SHA
This says that the server must provide an RSA certificate for key exchange, and that the cipher should be AES_128_CBC and the Mac SHA.
From the httpd mod_ssl docs, this translates to;
which is documented here;
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite