This post is about moving away from the old school implementation of SSL and upgrading to TLS, or specifically GnuTLS in Apache on Ubuntu Linux. The reason you would want to do this is so that your web server will support more the more secure TLS versions 1.1 and 1.2.
The main reason one would want to replace SSL with TLS though is probably because they found out during a PCI scan that their web server was susceptible to the BEAST attack, and it was recommended that they upgrade to TLS 1.1 or TLS 1.2. No matter the reason, it's not that difficult.
First you will want to disable SSL in Apache by running:
sudo a2dismod sslNext you will want to install GnuTLS by running:
sudo apt-get install libapache2-mod-gnutlsNext you will want to enable the GnuTLS module:
sudo a2enmod gnutlsNow you will need to edit the apache2 config you have for SSL using your favorite text editor. I am using default-ssl located in /etc/apache2/sites-available. Comment out the following items with the # symbol:
#SSLEngine on
#SSLCertificateFile /path/to/public.cer#SSLCertificateKeyFile /path/to/private.key#SSLCACertificateFile /path/to/ca-bundle.pem# SSLOptions +StdEnvVars# SSLOptions +StdEnvVars
Now change <IfModule mod_ssl.c> at the beginning to <IfModule mod_gnutls.c> and paste the following under #SSLEngine on:
#GnuTLSGnuTLSEnable onGnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0GnuTLSCertificateFile /path/to/public.cer GnuTLSKeyFile /path/to/private.key GnuTLSClientCAFile /path/to/ca-bundle.pemNow save the file and restart Apache by running:
sudo service apache2 restartIf you have any errors after restarting you may need to comment out some other SSL related items in the config. Otherwise your site should now be using the most secure version of TLS that your browser supports:
The problem with this setup is that not all browsers support TLS 1.1 yet. I'm looking at you Firefox. Anyway, if you still need to be PCI compliant, but still offer support to shitty browsers, you can do it at the expense of encryption strength by only using RC4. To do that replace the string after GnuTLSPriorities to say:
NONE:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL
The above string will only give you 128bit encryption, but will protect you fromThe BEAST while allowing your users to use shitty browsers.Pretty cool right? Are you upgrading your web server to TLS 1.1 and 1.2? Is it for PCI compliance issues or something else? Let us know in the comments.