Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 4. Planning and implementing TLS

When hardening TLS configuration, balance strict security settings against client compatibility. Implementing the strictest configuration limits client support, whereas relaxing settings increases compatibility but lowers overall system security

TLS (Transport Layer Security) is a cryptographic protocol used to secure network communications. When hardening system security by configuring preferred key-exchange protocols, authentication methods, and encryption algorithms, the broader the range of supported clients, the lower the resulting security.

Conversely, strict security settings limit compatibility with clients, potentially locking some users out of the system. Be sure to target the strictest available configuration and relax it only when required for compatibility.

4.1. SSL and TLS protocols
Link kopieren

Review the history and usage recommendations for SSL and TLS protocols. This helps you understand which protocol versions are secure for network communication and which should be avoided.

The Secure Sockets Layer (SSL) protocol was originally developed by Netscape Corporation to provide a mechanism for secure communication over the Internet. Subsequently, the protocol was adopted by the Internet Engineering Task Force (IETF) and renamed to Transport Layer Security (TLS).

The TLS protocol sits between an application protocol layer and a reliable transport layer, such as TCP/IP. It is independent of the application protocol and can thus be layered underneath many different protocols, for example: HTTP, FTP, SMTP, and so on.

Expand
Protocol versionUsage recommendation

SSL v2

Do not use. Has serious security vulnerabilities. Removed from the core cryptographic libraries since RHEL 7.

SSL v3

Do not use. Has serious security vulnerabilities. Removed from the core cryptographic libraries since RHEL 8.

TLS 1.0

Not recommended to use. Has known issues that cannot be mitigated in a way that guarantees interoperability, and does not support modern cipher suites. In RHEL 10, disabled in all cryptographic policies.

TLS 1.1

Use for interoperability purposes where needed. Does not support modern cipher suites. In RHEL 10, disabled in all cryptographic policies.

TLS 1.2

Uses the AEAD cipher suites. This version is enabled in all system-wide cryptographic policies. However, optional parts of this protocol contain vulnerabilities, and TLS 1.2 specification also includes support for outdated algorithms.

TLS 1.3

Recommended version. TLS 1.3 removes known problematic options, provides additional privacy by encrypting more of the negotiation handshake, and can be faster thanks to the usage of more efficient cryptographic algorithms. TLS 1.3 is also enabled in all system-wide cryptographic policies.

4.2. Security considerations for TLS in RHEL 10
Link kopieren

Review key security aspects when configuring TLS in RHEL. Understanding protocol selection, cipher suites, and key length helps you harden your cryptographic settings.

The default settings provided by libraries included in RHEL 10 are secure enough for most deployments. The TLS implementations use secure algorithms where possible while not preventing connections from or to legacy clients or servers.

Apply hardened settings in environments with strict security requirements where legacy clients or servers that do not support secure algorithms or protocols are not expected or allowed to connect.

In RHEL 10, TLS configuration is performed using the system-wide cryptographic policies mechanism. TLS versions below 1.2 are not supported anymore. DEFAULT, FUTURE, and LEGACY cryptographic policies allow only TLS 1.2 and 1.3. See the Using system-wide cryptographic policies chapter in the Security hardening document for more information.

The most straightforward way to harden your TLS configuration is switching the system-wide cryptographic policy level to FUTURE by using the update-crypto-policies --set FUTURE command.

Warning

Algorithms disabled for the LEGACY cryptographic policy do not conform to Red Hat’s vision of RHEL 10 security, and their security properties are not reliable. Consider moving away from using these algorithms instead of re-enabling them. If you do decide to re-enable them, for example for interoperability with old hardware, treat them as insecure and apply extra protection measures, such as isolating their network interactions to separate network segments. Do not use them across public networks.

If you decide to not follow RHEL system-wide cryptographic policies or create custom cryptographic policies tailored to your setup, use the following recommendations for preferred protocols, cipher suites, and key lengths on your custom configuration:

4.2.1. Protocols
Link kopieren

The latest version of TLS provides the best security mechanism. TLS 1.2 is now the minimum version even when using the LEGACY cryptographic policy. Re-enabling older protocol versions is possible through either opting out of cryptographic policies or providing a custom policy, but the resulting configuration will not be supported.

Note that even though that RHEL 10 supports TLS version 1.3, not all features of this protocol are fully supported by RHEL 10 components. For example, the 0-RTT (Zero Round Trip Time) feature, which reduces connection latency, is not yet fully supported by the Apache web server.

Warning

A RHEL 9.2 and later system running in FIPS mode enforces that any TLS 1.2 connection must use the Extended Master Secret (EMS) extension (RFC 7627) as requires the FIPS 140-3 standard. Thus, legacy clients not supporting EMS or TLS 1.3 cannot connect to RHEL 9 and 10 servers running in FIPS mode, RHEL 9 a 10 clients in FIPS mode cannot connect to servers that support only TLS 1.2 without EMS. See the TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2 Red Hat Knowledgebase solution for more information.

4.2.2. Cipher suites
Link kopieren

Modern, more secure cipher suites should be preferred to old, insecure ones. Always disable the use of eNULL and aNULL cipher suites, which do not offer any encryption or authentication at all. If at all possible, ciphers suites based on RC4 or HMAC-MD5, which have serious shortcomings, should also be disabled. The same applies to the so-called export cipher suites, which have been intentionally made weaker, and thus are easy to break.

While not immediately insecure, cipher suites that offer less than 128 bits of security should not be considered for their short useful life. Algorithms that use 128 bits of security or more can be expected to be unbreakable for at least several years, and are thus strongly recommended. Note that while 3DES ciphers advertise the use of 168 bits, they actually offer 112 bits of security.

Always prefer cipher suites that support (perfect) forward secrecy (PFS), which ensures the confidentiality of encrypted data even in case the server key is compromised. This rules out the fast RSA key exchange, but allows for the use of ECDHE and DHE. Of the two, ECDHE is the faster and therefore the preferred choice.

You should also prefer AEAD ciphers, such as AES-GCM, over CBC-mode ciphers as they are not vulnerable to padding oracle attacks. Additionally, in many cases, AES-GCM is faster than AES in CBC mode, especially when the hardware has cryptographic accelerators for AES.

Note also that when using the ECDHE key exchange with ECDSA certificates, the transaction is even faster than a pure RSA key exchange. To provide support for legacy clients, you can install two pairs of certificates and keys on a server: one with ECDSA keys (for new clients) and one with RSA keys (for legacy ones).

4.2.3. Public key length
Link kopieren

When using RSA keys, always prefer key lengths of at least 3072 bits signed by at least SHA-256, which is sufficiently large for true 128 bits of security.

Warning

The security of your system is only as strong as the weakest link in the chain. For example, a strong cipher alone does not guarantee good security. The keys and the certificates are just as important, as well as the hash functions and keys used by the Certification Authority (CA) to sign your keys.

4.3. TLS configuration hardening in applications
Link kopieren

If you want to harden your TLS-related configuration with your customized cryptographic settings, you can use the cryptographic configuration options and override the system-wide cryptographic policies in the minimum required amount.

RHEL system-wide cryptographic policies ensure that your applications that use cryptographic libraries comply with security standards by preventing the use of known insecure protocols, ciphers, or algorithms.

Regardless of the configuration you choose, always ensure that your server application enforces server-side cipher order, so that the cipher suite is determined by the order you configure. For more information, see the crypto-policies(7), config(5), and ciphers(1) man pages on your system.

4.3.1. TLS configuration of an Apache HTTP server
Link kopieren

The Apache HTTP Server is compatible with both the OpenSSL and NSS libraries for handling TLS requirements. RHEL 10 includes eponymous packages for the mod_ssl functionality. When you install the mod_ssl package, it creates the /etc/httpd/conf.d/ssl.conf configuration file, which you can use to modify the server’s TLS-related settings.

With the httpd-manual package, you obtain complete documentation for the Apache HTTP Server, including TLS configuration. The directives available in the /etc/httpd/conf.d/ssl.conf configuration file are described in detail in the /usr/share/httpd/manual/mod/mod_ssl.html file. Examples of various settings are described in the /usr/share/httpd/manual/ssl/ssl_howto.html file.

When modifying the settings in the /etc/httpd/conf.d/ssl.conf configuration file, be sure to consider the following three directives at a minimum:

SSLProtocol
Use this directive to specify the version of TLS or SSL you want to allow.
SSLCipherSuite
Use this directive to specify your preferred cipher suite or disable the ones you want to disallow.
SSLHonorCipherOrder
Uncomment and set this directive to on to ensure that the connecting clients adhere to the order of ciphers you specified.

For example, if you want to use only the TLS 1.2 and 1.3 protocols, add the line SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 to the configuration file.

See the Configuring TLS encryption on an Apache HTTP Server chapter in the Deploying web servers and reverse proxies document for more information.

4.3.2. TLS configuration of an Nginx HTTP and proxy server
Link kopieren

If you want to enable TLS 1.3 support in Nginx, add the TLSv1.3 value to the ssl_protocols option in the server section of the /etc/nginx/nginx.conf configuration file, for example: 

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    …
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers
    …
}
Copy to Clipboard Toggle word wrap

See the Adding TLS encryption to an Nginx web server chapter in the Deploying web servers and reverse proxies document for more information.

4.3.3. TLS configuration of a Dovecot mail server
Link kopieren

To configure your installation of the Dovecot mail server to use TLS, modify the /etc/dovecot/conf.d/10-ssl.conf configuration file. You can find an explanation of some of the basic configuration directives available in that file in the /usr/share/doc/dovecot/wiki/SSL.DovecotConfiguration.txt file, which is installed along with the standard installation of Dovecot.

When modifying the settings in the /etc/dovecot/conf.d/10-ssl.conf configuration file, be sure to consider the following three directives at a minimum:

ssl_protocols
Use this directive to specify the version of TLS or SSL you want to allow or disable.
ssl_cipher_list
Use this directive to specify your preferred cipher suites or disable the ones you want to disallow.
ssl_prefer_server_ciphers
Uncomment and set this directive to yes to ensure that the connecting clients adhere to the order of ciphers you specified.

For example, the following line in /etc/dovecot/conf.d/10-ssl.conf allows only TLS 1.1 and later: 

ssl_protocols = !SSLv2 !SSLv3 !TLSv1
Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat