How can I get TLSv1.2 support in Apache on RHEL6/CentOS/SL6?
I've written a quick guide on backporting the OpenSSL 1.0.1 RPM from Fedora Core to support RHEL6 and variants by replacing the bundled 1.0.0 version to add TLSv1.2 and ECC support. Built and tested against CentOS 6.4 in September of 2013:
Guide to OpenSSL 1.0.1 RPM for CentOS 6
Please note: That's the place where I keep my own copy of OpenSSL and OpenSSH up-to-date. Improvements in CentOS 6.5 have largely mitigated the demand for TLS1.2 and flaws like Heartbleed are addressed there, while this answer will forever be stuck in 2013. Don't follow the steps below verbatim, it is imperative you run 1.0.1g or newer.
Now with github: github/ptudor/centos6-openssl
I've made a patch available that I will reference in this guide: openssl-spec-patricktudor-latest.diff
First, prepare your build environment. (If you've installed EPEL, use mock. Keeping it simple here...)
yum -y groupinstall "Development tools"
yum -y install rpm-build zlib-devel krb5-devel
mkdir -p $HOME/redhat/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir $HOME/redhat/" > ~/.rpmmacros
Next, grab the Fedora Core 20 SRPM for OpenSSL and the full OpenSSL source.
rpm -Uvh http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/source/SRPMS/o/openssl-1.0.1e-42.fc21.src.rpm
cd ~/redhat/SOURCES/
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz.sha1
openssl dgst -sha1 openssl-1.0.1g.tar.gz ; cat openssl-1.0.1g.tar.gz.sha1
Now apply the old secure_getenv syntax and apply the patch:
cd ~/redhat/SOURCES/
sed -i -e "s/secure_getenv/__secure_getenv/g" openssl-1.0.1e-env-zlib.patch
cd ~/redhat/SPECS/
wget http://www.ptudor.net/linux/openssl/resources/openssl-spec-patricktudor-fc20-19.diff
patch -p1 < openssl-spec-patricktudor-fc20-19.diff
Run the build:
time rpmbuild -ba openssl.spec
Hopefully everything went well, so let's install the new RPMs:
cd ~/redhat/RPMS/x86_64/
sudo rpm -Fvh openssl-1.0.1g-*.rpm openssl-libs-1.0.1g-*.rpm openssl-devel-1.0.1g-*.rpm
Make sure it actually worked:
openssl ciphers -v 'TLSv1.2' | head -4
The link above at my website has more details but this should be a good starting point.
Thanks, enjoy.
20130819: Rawhide revision bumped from 14 to 15.
20130831: fc20 revision bumped from 15 to 18.
20130906: fc20 revision bumped from 18 to 19.
20140408: just go to my website for anything after 1.0.1g.
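The steps above as one script, added here as an example and not part of the answer or of the ptudor.net guide. It keeps the answer's 2013-era URLs, versions and patch names verbatim (so it is as stuck in 2013 as the answer says; substitute the current tarball and spec diff before using it), and differs from the walk-through in two places a practitioner would want: the tarball digest is checked by the script and the build aborts on mismatch instead of relying on two hashes being compared by eye, and the post-install check counts the TLSv1.2 suites from `openssl ciphers -v` and shows which libssl mod_ssl actually loads. The script name, the `/usr/lib64/httpd/modules/mod_ssl.so` path and the use of `sha1sum` from coreutils are assumptions.

```shell
#!/bin/bash
# Scripted backport of the Fedora OpenSSL 1.0.1 SRPM to CentOS 6 (added example,
# not the answer's own script). URLs, versions and patch names are the ones from
# the answer; the mod_ssl path and the script name are assumptions.
set -eu

SRPM_URL=http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/source/SRPMS/o/openssl-1.0.1e-42.fc21.src.rpm
TARBALL=openssl-1.0.1g.tar.gz
TARBALL_URL=http://www.openssl.org/source/$TARBALL
SPEC_DIFF=openssl-spec-patricktudor-fc20-19.diff
SPEC_DIFF_URL=http://www.ptudor.net/linux/openssl/resources/$SPEC_DIFF
MOD_SSL=/usr/lib64/httpd/modules/mod_ssl.so   # assumed location on CentOS 6 x86_64
TOPDIR=${HOME:-/root}/redhat

# verify_sha1 FILE SHA1FILE: compare FILE's SHA-1 with the digest published in
# SHA1FILE (bare hex, or "SHA1(name)= hex" as `openssl dgst` prints it).
# Returns non-zero on mismatch or if no 40-hex digest is found, so the caller
# fails closed instead of eyeballing two printed hashes.
verify_sha1() {
    local file=$1 sha1file=$2 expected actual
    expected=$(grep -oiE '[0-9a-f]{40}' "$sha1file" | head -n1 | tr 'A-F' 'a-f')
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# count_tls12_ciphers: read `openssl ciphers -v` output on stdin and print how
# many suites list TLSv1.2 in the protocol column (the second field). The
# stock 1.0.0 build prints none because it does not know that protocol at all.
count_tls12_ciphers() {
    awk '$2 == "TLSv1.2" { n++ } END { print n + 0 }'
}

prepare_build_env() {
    sudo yum -y groupinstall "Development tools"
    sudo yum -y install rpm-build zlib-devel krb5-devel
    mkdir -p "$TOPDIR"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
    echo "%_topdir $TOPDIR/" > ~/.rpmmacros
}

fetch_sources() {
    rpm -Uvh "$SRPM_URL"
    cd "$TOPDIR/SOURCES"
    wget -N "$TARBALL_URL" "$TARBALL_URL.sha1"
    verify_sha1 "$TARBALL" "$TARBALL.sha1" \
        || { echo "SHA-1 mismatch for $TARBALL, aborting" >&2; exit 1; }
    # RHEL6 glibc only has the old __secure_getenv name
    sed -i -e 's/secure_getenv/__secure_getenv/g' openssl-1.0.1e-env-zlib.patch
    cd "$TOPDIR/SPECS"
    wget -N "$SPEC_DIFF_URL"
    patch -p1 < "$SPEC_DIFF"
}

build_and_install() {
    cd "$TOPDIR/SPECS"
    rpmbuild -ba openssl.spec
    cd "$TOPDIR/RPMS/x86_64"
    sudo rpm -Fvh openssl-1.0.1g-*.rpm openssl-libs-1.0.1g-*.rpm openssl-devel-1.0.1g-*.rpm
}

# Post-install check: the CLI must now list TLSv1.2 suites, and mod_ssl must be
# loading the new libssl/libcrypto, otherwise httpd keeps speaking TLS 1.0.
check_install() {
    local n
    n=$(openssl ciphers -v 'TLSv1.2' 2>/dev/null | count_tls12_ciphers)
    [ "$n" -gt 0 ] || { echo "openssl still has no TLSv1.2 ciphers" >&2; return 1; }
    echo "TLSv1.2 cipher suites available: $n"
    ldd "$MOD_SSL" | grep -E 'libssl|libcrypto'
}

# Only run the full build when asked (./build-openssl-tls12.sh build); the
# functions above can be sourced and used on their own.
if [ "${1:-}" = "build" ]; then
    prepare_build_env
    fetch_sources
    build_and_install
    check_install
fi
```

After `check_install` passes, restart httpd so mod_ssl picks up the new library, and confirm from a client with `openssl s_client -tls1_2 -connect host:443` that the handshake actually negotiates TLSv1.2.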