
TLS 1.2

Madness

Basic Pleskian
Apparently I need to update TLS 1.2 for PayPal and my server does not have the required SSL libraries to support this.

CentOS 6.6 (Final)

Can anyone please walk me through this or shoot me a link to a tut?

Any help is much appreciated.
 
TLS 1.2 should be supported by the installed system OpenSSL binaries as long as you've kept 'em updated via yum.
 
Yep, "yum update openssl". I'm using XenForo and in the control panel it's displaying that message above; apparently it only displays if you're not using 1.2.
 
@Madness,

Just install the appropriate OpenSSL package manually, a nice procedure has been given in: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678

After installing the OpenSSL 1.0.1s version, you should still run the command: plesk sbin pci_compliance_resolver --enable <service>

This command will not only allow TLS 1.2, but also disallow all vulnerable SSL connections (read: securing your server according to PCI compliance settings).

Note that, if you decide to apply PCI compliant settings to all services, you can simply use the "--enable" flag alone (without a service name behind it), in which case ProFTPD will also be made PCI compliant, which in turn requires that you enable passive ports (just add a file called custom.conf to the /etc/proftpd.d directory and add to its content the line "ServerIdent Off" and the line "PassivePorts <start port range> <end port range>", with some custom port range).

Hope the above helps a bit.

If you have questions, just let me know.

Regards......
 
I've updated manually from this tut: https://talk.plesk.com/threads/important-exploit-in-sslv2-update-openssl.337191/#post-797678

Result:
openssl version
OpenSSL 1.0.1s 1 Mar 2016

But if I run this: rpm -q openssl

I get openssl-1.0.1e-42.el6_7.4.x86_64

phpinfo.php also says:

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
 
I could be wrong about this, but I think those detection systems are checking for your raw version of OpenSSL, assuming it won't work, and not actually confirming TLS 1.2 connectivity. From what I've read, it's been baked into OpenSSL versions in Red Hat/CentOS systems for at least a year now. The only reason it wouldn't be obvious is because Red Hat/CentOS adds essential features and security fixes by backporting them into the original system installed version number, rather than installing the new version.
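
The check the last reply describes, written out as an added example that is not part of the thread: it decides TLS 1.2 support from an actual handshake instead of a version string, and flags the case seen above where the `openssl` command and the library PHP loaded are different builds. The function names, the OPENSSL_BIN variable and the sample s_client excerpts are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). OPENSSL_BIN selects which openssl
# binary to test, e.g. the distro's /usr/bin/openssl rather than a manual build.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Read `openssl s_client` output on stdin and print the negotiated protocol.
# Prints nothing when the handshake failed: s_client still prints a
# "Protocol" line then, but the cipher is "0000" or "(NONE)".
negotiated_protocol() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); sub(/[ \r]+$/, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^ *Cipher *: */, "");   sub(/[ \r]+$/, ""); cipher = $0 }
        END { if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)") print proto }
    '
}

# Attempt a TLS 1.2-only handshake. usage: probe_tls12 host [port]
probe_tls12() {
    "$OPENSSL_BIN" s_client -connect "$1:${2:-443}" -servername "$1" -tls1_2 \
        </dev/null 2>/dev/null | negotiated_protocol
}

# Compare two OpenSSL version banners by their version token (2nd field).
# Returns 0 when they name the same build, 1 when they differ.
same_openssl_build() {
    [ "$(printf '%s\n' "$1" | awk '{print $2}')" = "$(printf '%s\n' "$2" | awk '{print $2}')" ]
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

if [ $# -ge 1 ]; then
    result=$(probe_tls12 "$@")
    echo "negotiated: ${result:-none (TLS 1.2 handshake failed)}"
else
    echo "ok sample:   $(printf '%s\n' "$SAMPLE_OK" | negotiated_protocol)"
    echo "fail sample: $(printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol)"
fi
```

A probe made with one binary only proves what that binary's library can do; when `openssl version` and the PHP banner differ, as they do in the post above, the result does not carry over to PHP.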
 