TLS Basics
- #Security
 - #Encryption
 - #Know-how
 
- 2019/01/03 I updated some servers after Bitbucket announced it would only support TLS 1.2 in December 2019. Here is a quick refresher.
 
SSL recap
SSL (Secure Sockets Layer) is the protocol that first made encrypted communication between browsers and servers possible. When HTTPS became mainstream, SSL was what allowed browsers to connect securely.
TLS
TLS (Transport Layer Security) is the successor to SSL. It incorporates fixes for known attacks and is more secure overall.
Why Bitbucket dropped TLS 1.0/1.1
Older TLS versions have known vulnerabilities, so providers like GitHub (as of Feb 2018) and Bitbucket refuse connections that negotiate anything below 1.2. They cannot guarantee security otherwise.
Restricting TLS versions on your site
You can configure your own site (e.g., Apache) to only accept modern TLS versions, but beware: very old clients will no longer connect. See https://weblabo.oscasierra.net/apache-httpd-sslprotocol/ for Apache settings.
Testing with OpenSSL or curl
Specify the TLS version explicitly:
openssl s_client -connect yourdomain:443 -tls1_2
If the Cipher field in the output names a cipher suite (rather than 0000 or (NONE)), the handshake succeeded. Change the version flag (e.g., -tls1_1) to see how domains like GitHub reject older versions.
Using curl:
curl -s -v --tlsv1.2 https://yourdomain > /dev/null
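Adjust the flag to test other versions. Note that curl treats --tlsv1.2 as a minimum (TLS 1.2 or later), so to confirm that a server rejects an older version you also need to cap the version with --tls-max (curl 7.54.0 and later), for example --tlsv1.1 together with --tls-max 1.1.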
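The Cipher check from the openssl step above, as an added shell example (not from the original post): negotiated_cipher reads s_client output and probe_tls_versions runs the check once per version flag. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the Cipher field that `openssl s_client` prints and
# decide whether a given TLS version was accepted by the server.

# stdin: s_client output. stdout: negotiated cipher name, or "none" when the
# summary says "Cipher is (NONE)" or the session block says "Cipher : 0000".
negotiated_cipher() {
  awk '
    /Cipher is /    { sub(/.*Cipher is /, ""); summary = $0 }
    /^ *Cipher *: / { sub(/^ *Cipher *: */, ""); session = $0 }
    END {
      c = (summary != "") ? summary : session
      sub(/[ \r]+$/, "", c)
      if (c == "" || c == "(NONE)" || c == "0000") c = "none"
      print c
    }'
}

# Probe host:port once per protocol flag; needs network and the openssl CLI.
# Assumption: a build that lacks a flag prints an "unknown option" error.
probe_tls_versions() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(openssl s_client -connect "$1" "$flag" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
      echo "$flag unsupported-by-local-openssl"
    else
      echo "$flag $(printf '%s\n' "$out" | negotiated_cipher)"
    fi
  done
}

# Constructed sample outputs (trimmed to the relevant lines), not captures.
SAMPLE_ACCEPTED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage: sh probe.sh yourdomain:443   (with no argument nothing is probed)
if [ "$#" -gt 0 ]; then probe_tls_versions "$1"; fi
```

A server restricted to TLS 1.2 and later should report "none" for -tls1 and -tls1_1 and a cipher name for the newer flags.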
Updating OpenSSL
On older servers (CentOS 5, etc.) the bundled OpenSSL may not support these flags. Upgrade OpenSSL if needed (https://k-sugi.sakura.ne.jp/it_synthesis/linux/4370/).
Closing
Even if you do not do infra daily, it is worth knowing what TLS is. Give it a look while you have the chance.