How To Enable TLS 1.2 Protocol
As technology for protecting information advances, older communication protocols such as SSL and TLS 1.0 are becoming obsolete and are no longer acceptable for PCI compliance. A few months back, the PCI Council released version 3.1 of their Data Security Standard (DSS). The Council has decided that SSL and TLS 1.0 can no longer be used after June 30, 2016. The PCI Council says servers and clients should disable SSL and then preferably transition everything to TLS 1.2. In this article we discuss how to enable TLS 1.2 in commonly used web servers and Java virtual machines to safeguard our information.
Below are a few things you should be aware of before we start the discussion:
1) POODLE vulnerability applies to SSL 3.0 (SSLV3). It does not apply to TLS 1.0, 1.1 and 1.2 (ref. Wikipedia POODLE)
2) There is a variation of POODLE attack that impacts certain implementations of TLS (ref. POODLE attack against TLS). Implementations of TLS that are vulnerable may be vulnerable for TLS 1.0, 1.1 & 1.2 (F5 Networks implementation of TLS 1.0 & 1.1 seem vulnerable to this attack – ref. CVE-2014-8730)
3) For a successful connection to be established between client and server, the following conditions must be met:
3.a) Protocol Match – Client & server must support a mutually common protocol
3.b) Protocol Version Match – Client & server must support a mutually common version of the mutually common protocol
NOTE: There is no known flaw in the TLS protocol (1.0, 1.1 or 1.2) itself. There could be a flaw in a particular implementer's implementation of the protocol (example: F5 Networks) that could be exploited.
We will cover the topics below in this article:
- How to enable TLS 1.2 in Apache
- OpenSSL TLS 1.2 Support
- How to enable TLS 1.2 in IIS
- How to enable TLS 1.2 Support in Java
How To Enable TLS 1.2 in Apache:
TLS 1.2 is now available for Apache. To add TLS 1.2 support, add the line below to your HTTPS virtual host configuration:
SSLProtocol -ALL +TLSv1.2
-ALL removes the other SSL protocols (SSL 1,2,3 TLS1)
+TLSv1.2 adds TLS 1.2
For more browser compatibility you can use one of the following:
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
You can test your https website security with an online scanner
OpenSSL TLS 1.2 Support:
To check whether your system supports TLS 1.2, you can use the command below:
openssl s_client -connect google.com:443 -tls1_2
If you get the certificate chain and the handshake as in the example output below, your system supports TLS 1.2. If you do not see the certificate chain, or you receive a handshake error, it does not support TLS 1.2. You can also test for TLS 1 or TLS 1.1 with -tls1 or -tls1_1 respectively.
Example Output:
sh-4.2# openssl s_client -connect google.com:443 -tls1_2
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4577 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: C1B5129FCFA85ED908A233C4C00D486361F9215FBE770EE84AFAEAB43545A3DF
    Session-ID-ctx:
    Master-Key: 6B348FF5C3ABF8F4FD6707E1037D2F82277A61A228AFF694BDD0CFD96379E698124379DCD8519E56890B15B72F67C9A6
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]
    Start Time: 1483345361
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
GET /
HTTP/1.0 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: https://www.google.co.in/?gfe_rd=cr&ei=1w1qWJOYOfHI8AfG05nABg
Content-Length: 262
Date: Mon, 02 Jan 2017 08:22:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="35,34"

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.in/?gfe_rd=cr&ei=1w1qWJOYOfHI8AfG05nABg">here</A>.
</BODY></HTML>
read:errno=0
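The same check in script form, covering -tls1, -tls1_1 and -tls1_2 in one pass. This is an added example, not part of the original article; it uses Python's standard ssl module, and the names pinned_context, probe and scan are chosen here for illustration.

```python
import socket
import ssl
import sys

# Version names matching the openssl flags used above (-tls1, -tls1_1, -tls1_2).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(name):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx

def probe(host, port, name, timeout=5.0):
    """Return (accepted, detail) for one protocol version against host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = pinned_context(name)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Report what was actually negotiated, like the SSL-Session block.
                return True, "%s, %s" % (tls.version(), tls.cipher()[0])
    except (OSError, ValueError) as exc:  # ssl.SSLError is a subclass of OSError
        return False, exc.__class__.__name__

def scan(host, port=443):
    """Probe every version in VERSIONS and return {name: (accepted, detail)}."""
    return {name: probe(host, port, name) for name in VERSIONS}

if __name__ == "__main__":
    for name, (ok, detail) in scan(sys.argv[1]).items():
        print("%-8s %-8s %s" % (name, "accepted" if ok else "refused", detail))
```

A refused result for TLSv1 or TLSv1.1 can also come from the local OpenSSL build or policy declining to offer that version, so confirm with openssl s_client before treating it as the server's setting.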
How To Enable TLS 1.2 in IIS:
1. Open the registry editor and navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2].
Note: In case the TLS 1.2 key is not available, create it.
2. Create the keys below to enable support for TLS 1.2:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
3. Reboot the system and check. IIS should be accepting TLS 1.2 connections.
To know more about TLS support you can visit Microsoft Link here
If you want to know on how to disable SSLV3 on IIS you can head over here
How To Enable TLS 1.2 Support in Java:
If any of your client applications run on Java 7 or below (default TLS 1.0) and connect to a server for their regular workflows, the steps below need to be followed to enable TLS 1.2 in the client/server Java virtual machines. This is required when TLS 1.0 is completely disabled on all connecting servers.
Below are the reasons why connections will fail once TLS 1.0 is completely disabled on all servers:
1) The client JVM would attempt to make a TLS 1.0 connection to the server, since by default only TLS 1.0 is enabled on Java SE 7 (NOTE: Java SE 7 supports TLS 1.1 & 1.2, but these two versions are not enabled by default for client connections)
2) We have set the Apache/IIS configurations to accept only TLS 1.1 and/or 1.2 (SSLProtocol -ALL +TLSv1.1 +TLSv1.2) connections as mentioned above, so any connection using TLS 1.0 will be rejected.
Enable TLS 1.2:
Add ( -Dhttps.protocols="TLSv1.1,TLSv1.2" -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" ) to the Java command-line arguments used to launch the client application. This allows support for TLS 1.0 to be turned off completely on the server side and lets the client work with the Apache/IIS configurations that support TLSv1.2.
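The version-match rule from the start of the article, applied to the three SSLProtocol lines from the Apache section and to a Java 7 client with and without the options above. This is an added example, not code from the article or from Apache; the left-to-right handling of +/- tokens is a simplified model of mod_ssl, the expansion of ALL is an assumption for builds of that period, and all function names are illustrative.

```python
# Assumption: what "ALL" expands to on Apache 2.4 builds of this article's era.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
RANK = {name: i for i, name in enumerate(ALL)}
BANNED = {"SSLv3", "TLSv1"}   # SSL and TLS 1.0, per the PCI DSS 3.1 note in the intro

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right (simplified model of mod_ssl)."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        word = token[1:] if action else token
        if word.lower() == "all":
            group = set(ALL)
        else:
            group = {p for p in ALL if p.lower() == word.lower()}
            if not group:
                raise ValueError("unknown protocol: " + token)
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = group   # a bare name replaces whatever came before it
    return enabled

def negotiate(client, server):
    """Highest version enabled on both sides, or None when the handshake fails."""
    common = set(client) & set(server)
    return max(common, key=RANK.get) if common else None

def review(args, client):
    """Summarise one SSLProtocol line against one client's enabled versions."""
    server = effective_protocols(args)
    return {
        "enabled": sorted(server, key=RANK.get),
        "banned": sorted(server & BANNED, key=RANK.get),
        "negotiated": negotiate(client, server),
    }

JAVA7_DEFAULT = {"TLSv1"}                    # client default as stated in this article
JAVA7_WITH_FLAGS = {"TLSv1.1", "TLSv1.2"}    # with the two -D options set

if __name__ == "__main__":
    for line in ("-ALL +TLSv1.2",
                 "-ALL +TLSv1.1 +TLSv1.2",
                 "-ALL +TLSv1 +TLSv1.1 +TLSv1.2"):
        print(line, review(line, JAVA7_DEFAULT),
              review(line, JAVA7_WITH_FLAGS)["negotiated"])
```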
References:
http://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html