Set up SSLVersion for TLS
TLS 1.3, finalized on 2018-03-21; RFC 8446 on 2018-08-10 dated August 2018.
OpenSSL 1.1.1 on 2018-09-11 (support for TLS 1.3 and SHA-3)(https://www.openssl.org/news/openssl-1.1.1-notes.html and https://wiki.openssl.org/index.php/TLS1.3)
First beta version of Red Hat Linux 8 mid November 2018: support for OpenSSL 1.1.1 and TLS 1.3
Red Hat Enterprise Linux 8 was officially released on 2019-05-07. Upgrading requires some steps finishing with: # yum install leapp (this statement misses in CentOS 8).
CentOS 8 was released on 2019-09-24 (derived from Red Hat Enterprise Linux).
Analyze TLS versions with: https://www.immuniweb.com/ssl/
Operate with TLS 1.2 / 1.3 for mx and outbound. Test with: https://mecsa.jrc.ec.europa.eu
Test TLS, see ‘SSLVersion in use’: https://www.checktls.com
TLS 1.0 if enabled:
The server has TLS 1.0 enabled. Since the 30th of June 2018 it is non-compliant with PCI DSS 3.2.1.
TLS 1.1 if missing:
The support of TLS 1.1 is mandatory according to HIPAA guidance
- https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls Quote: 30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS 1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
- https://luxsci.com/blog/level-ssl-tls-required-hipaa.html Quote: TLS 1.0+ is OK to be used when interoperability with non-government systems is required
In control panels:
- DirectAdmin changes for TLS 1.0 / 1.1 in default setup: https://help.directadmin.com/item.php?id=571
- Plesk has a problem without TLS 1.0 in Plesk Premium Antivirus: https://support.plesk.com/hc/en-us/articles/115000422229-How-to-enable-disable-particular-TLS-version-in-Plesk-on-Linux-
- As of cPanel & WHM version 68 (release notes on 2018-4-9), we only support TLS 1.2: https://documentation.cpanel.net/display/CKB/What+is+Domain+TLS
In Mail Transfer Agents (MTA):
- Kerio Connect: Change default setup in order to offer TLS 1.2 for outbound email in
- Proxmox Mail Gateway 5.1 (ISO release 1): Allow to configure TLS policy via GUI (October 5th/9th, 2018)
– The PHP Swift Mailer library was fixed in July 2018 for TLS 1.1 and TLS 1.2. Or PHP 7.2 can stream above TLS 1.0;
– Feedback for GFI to the Kerio Connect mail server product to have a clearer diagnosis of TLS version preference, especially that TLS 1.2 is default not offered for outbound email;
– How to fine-tune ciphers and TLS, see: https://webhostingtech.nl/security-setup/tuning-ciphers-and-tls/
– For CentOS 8 End of life changed to 2021-12-31.
AlmaLinux based on Red Hat, is the alternative with a few conversion statements: https://en.wikipedia.org/wiki/AlmaLinux