How to enable TLS 1.1 and 1.2 with OpenSSL and Apache

Solution 1:

TLS1.2 is now available for apache, to add TLSs1.2 you just need to add in your https virtual host configuration:

SSLProtocol -all +TLSv1.2

-all is removing other ssl protocol (SSL 1,2,3 TLS1)

+TLSv1.2 is adding TLS 1.2

for more browser compatibility you can use

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

by the way you can increase the Cipher suite too using:


You can test your https website security with an online scanner like:

Solution 2:

Compile apache with the latest version of OpenSSL to enable TLSv1.1 and TLSv1.2

SSLProtocol +TLSv1.1 +TLSv1.2

Solution 3:

According to the OpenSSL changelog, support for TLS 1.2 was added to the development branch of OpenSSL 1.0.1, but this version is not yet released. Probably some changes will also be needed in the mod_ssl code to actually enable TLS 1.2 for Apache.

Another commonly used SSL/TLS library is NSS; it is used by a less well known Apache module mod_nss; unfortunately, current NSS releases also do not support TLS 1.2.

Yet another SSL/TLS library is GnuTLS, and it pretends to support TLS 1.2 already in its current release. There is an Apache module using GnuTLS: mod_gnutls, which also claims to support TLS 1.2. However, this module seems to be rather new, and might be not very stable; I never tried to use it.

Solution 4:

You cannot, OpenSSL does not offer a release for TLS 1.1 yet.

One pertinent comment on /. for this issue:

Will you kindly explain to the unwashed masses how you would implement TLS 1.1 and 1.2 support in a world where the dominant library OpenSSL does not yet support either of the protocols in its stable releases? Sure, you can use GnuTLS and mod_gnutls, and I have tried it, but there was no point, as no browser apart from Opera supported it and there were some weird glitches in the module. IE 8/9 were supposed to support them under Vista and 7, but failed to access the site served by mod_gnutls when 1.1 and 1.2 were enabled on the client side. I tried it anew yesterday just out of curiosity, and now even Opera 11.51 chokes on TLS 1.1 and 1.2. So there. Nothing really supports the protocols. Must wait for OpenSSL 1.0.1 for TLS 1.1 and nobody knows when that will hit the repos.

Solution 5:

Adam Langley, a Google Chrome engineer, points out that TLS 1.1 would not have solved this problem due to an implementation issue with SSLv3 that everyone has to work around: browsers have to downgrade to SSLv3 to support buggy servers, and an attacker can initiate this downgrade.