How to enable TLS 1.1 and 1.2 with OpenSSL and Apache

TLS 1.2 is now available for Apache. To add TLS 1.2, you just need to add this to your HTTPS virtual host configuration:

SSLProtocol -all +TLSv1.2

-all removes the other SSL protocols (SSL 1, 2, 3, TLS 1)

+TLSv1.2 adds TLS 1.2

For more browser compatibility you can use:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

By the way, you can increase the cipher suite too using:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

You can test your https website security with an online scanner like: https://www.ssllabs.com/ssltest/index.html


Compile Apache with the latest version of OpenSSL to enable TLSv1.1 and TLSv1.2.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

SSLProtocol +TLSv1.1 +TLSv1.2
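
An added example, not part of the original answers: a Python check that reads Apache configuration text and reports which protocols each SSLProtocol line leaves enabled, run over the three directives quoted above as constructed sample input. It assumes mod_ssl applies the tokens left to right starting from an empty set and that `all` expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (the definition in the Apache 2.4 documentation); the function names are hypothetical.

```python
import re

# Assumption: "all" expands as described in the Apache 2.4 mod_ssl documentation.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = ALL | {"SSLv2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # everything older than TLS 1.2


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right, starting from an empty set (assumed)."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        wanted = ALL if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not wanted:
            raise ValueError(f"unknown protocol {name!r}")
        if sign == "-":
            enabled -= wanted
        elif sign == "+":
            enabled |= wanted
        else:  # a bare name replaces whatever was set before it (assumed)
            enabled = set(wanted)
    return enabled


def audit(config_text):
    """Return (line_no, enabled, legacy_still_on) for every SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and do not match
            enabled = effective_protocols(m.group(1))
            findings.append((no, sorted(enabled), sorted(enabled & LEGACY)))
    return findings


# Constructed sample: the three directives quoted on this page, each audited
# on its own, plus one commented-out line that must be ignored.
SAMPLE = """\
<VirtualHost *:443>
    # SSLProtocol all
    SSLProtocol -all +TLSv1.2
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLProtocol +TLSv1.1 +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for no, enabled, legacy in audit(SAMPLE):
        status = "older than TLS 1.2: " + ", ".join(legacy) if legacy else "TLS 1.2 only"
        print(f"line {no}: {enabled} -> {status}")
```

A configuration audit like this only shows what the directive asks for; what the server actually negotiates still depends on the OpenSSL version Apache was built against, so confirm with a scanner such as the one linked above.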

According to the OpenSSL changelog, support for TLS 1.2 was added to the development branch of OpenSSL 1.0.1, but this version is not yet released. Probably some changes will also be needed in the mod_ssl code to actually enable TLS 1.2 for Apache.

Another commonly used SSL/TLS library is NSS; it is used by a less well-known Apache module, mod_nss; unfortunately, current NSS releases also do not support TLS 1.2.

Yet another SSL/TLS library is GnuTLS, and it pretends to support TLS 1.2 already in its current release. There is an Apache module using GnuTLS: mod_gnutls, which also claims to support TLS 1.2. However, this module seems to be rather new, and might not be very stable; I never tried to use it.