Linode Community Forums
Posted: Tue Aug 06, 2013 10:47 am (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
As title.
There are plenty of security holes in SSL 3.0/TLS 1.0.

RedHat is still using TLS 1.0, and many other distros too.

Servers generally haven't upgraded to newer TLS yet;
why?

I like to use the official repo for the OpenSSL RPM;
the latest RPM from RedHat/CentOS supports TLS 1.0 and not the newer ones.

Should I worry about that?
Can I sleep quietly knowing that my server is using TLS 1.0?


Posted: Tue Aug 06, 2013 1:08 pm (Senior Member; joined Thu Jun 16, 2011; 412 posts; Cyberspace)
Most distros, especially those common on servers, try to avoid upgrading stuff between releases. They want to avoid doing anything to compromise stability.

If they do provide upgrades, it's usually "backported" security fixes -- in other words, they take security fixes from newer versions of the software in question and they adapt it to the older version that they currently provide. There is much less risk to stability that way.

Usually you have to wait for the next release of your distro to get newer versions of the software you use -- either that, or find a 3rd party repository with a newer version. You really need to be careful with those, sometimes they work really well and sometimes they cause great pain.

_________________
Kris the Piki Geeker


Posted: Tue Aug 06, 2013 3:04 pm (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
I know what you said, but the question in the initial post is different.
How can it be possible that one of the most important security modules (OpenSSL) isn't upgraded yet with the security holes fixed?

TLS 1.0 is old and has many security holes; why haven't "server distros" upgraded yet to the new TLS 1.2, or backported the security patches to 1.0?


Posted: Tue Aug 06, 2013 3:19 pm (Senior Newbie; joined Sun Aug 22, 2010; 19 posts)
Because there are still a ton of mainstream browsers that do not support TLS 1.1 or 1.2, yet:

http://en.wikipedia.org/wiki/Transport_ ... b_browsers


Posted: Tue Aug 06, 2013 3:23 pm (Senior Member; joined Tue May 26, 2009; 1691 posts; Montreal, QC)
TL;DR: Chrome and Safari are the only browsers whose current stable release supports anything newer than TLS 1.0 out of the box. IE/Firefox/Opera don't.


Posted: Tue Aug 06, 2013 4:02 pm (Senior Member; joined Sat May 03, 2008; 569 posts; website: http://www.mattnordhoff.com/)
Servers sadly still need TLS 1.0, but what about SSL 3.0? The TLS 1.0 column on swaj's link is all-green except for IE 6.

_________________
Matt Nordhoff (aka Peng on IRC)


Posted: Tue Aug 06, 2013 4:06 pm (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
swaj wrote:
Because there are still a ton of mainstream browsers that do not support TLS 1.1 or 1.2, yet:

http://en.wikipedia.org/wiki/Transport_ ... b_browsers


We are talking about servers, not browsers.
One thing is sure: a server may offer TLS 1.0, 1.1 and 1.2, and a browser can use the latest protocol it supports.

If servers don't start supporting newer TLS, browsers have no reason to push the accelerator on implementing this support.


Posted: Tue Aug 06, 2013 4:12 pm (Senior Member; joined Sat May 03, 2008; 569 posts; website: http://www.mattnordhoff.com/)
To be honest, I was surprised to hear you say that any servers don't support TLS 1.1 and 1.2. Ubuntu 12.04 -- over a year old -- does and I assumed every other distro would also have caught up.

_________________
Matt Nordhoff (aka Peng on IRC)


Posted: Tue Aug 06, 2013 4:15 pm (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
mnordhoff wrote:
To be honest, I was surprised to hear you say that any servers don't support TLS 1.1 and 1.2. Ubuntu 12.04 -- over a year old -- does and I assumed every other distro would also have caught up.


Where did I say ANY?
In any case, I'm talking about server distros, not the development ones, which obviously have the latest features.


Posted: Tue Aug 06, 2013 5:11 pm (Senior Member; joined Tue May 26, 2009; 1691 posts; Montreal, QC)
Ubuntu 12.04 LTS is (or can be used as) a server distro, not a development one. 12.10/13.04/13.10 would certainly qualify as development distros, but there are many servers out there relying on Ubuntu Server LTS releases. The majority of Linodes do, for that matter.

Enterprises prefer fixed release cycles (Ubuntu) over rolling release cycles (Debian). Developers tend to be the reverse.


Posted: Tue Aug 06, 2013 9:33 pm (Senior Member; joined Sat Aug 30, 2008; 1739 posts; Rochester, New York)
For what it's worth, lighttpd 1.4.28 on Ubuntu 12.04 LTS supports up to TLS 1.2:

Code:
Protocols
TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3.0   Yes
SSL 2.0   No


Source: https://www.ssllabs.com/ssltest/analyze.html?d=rocwiki.org

_________________
Code:
/* TODO: need to add signature to posts */


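The SSL Labs table above is the kind of result a server operator wants for their own host. As an added example (not code from any poster or from SSL Labs), here is a small Python probe that pins the client to one protocol version at a time to learn what a server accepts, plus an offline assessment of the result; the sample result is constructed, and Python 3.7+ with `ssl.TLSVersion` is assumed.

```python
# Added example, not from the thread; assumes Python 3.7+ (ssl.TLSVersion).
import socket
import ssl
import sys
# Newest first; SSLv3 is included so a server still offering it is caught.
VERSIONS = [("TLS 1.3", ssl.TLSVersion.TLSv1_3), ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
            ("TLS 1.1", ssl.TLSVersion.TLSv1_1), ("TLS 1.0", ssl.TLSVersion.TLSv1),
            ("SSL 3.0", ssl.TLSVersion.SSLv3)]


def version_accepted(host, port, version, timeout=5.0):
    """True/False if the server accepts/refuses a handshake pinned to exactly
    `version`; None if the local OpenSSL build cannot offer that version."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # relax it so a "no" is the server's
    except ssl.SSLError:
        pass  # older OpenSSL or LibreSSL: no security levels to relax
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return True  # the server chose this version before the cert check failed
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    return {name: version_accepted(host, port, ver) for name, ver in VERSIONS}


def assess(results):
    """Findings for a {version name: accepted} map such as probe() returns."""
    findings = []
    if results.get("SSL 2.0") or results.get("SSL 3.0"):
        findings.append("obsolete SSL 2.0/3.0 still accepted; disable it")
    if not (results.get("TLS 1.3") or results.get("TLS 1.2")):
        findings.append("nothing newer than TLS 1.1 offered; upgrade the TLS stack")
    if results.get("TLS 1.0") or results.get("TLS 1.1"):
        findings.append("TLS 1.0/1.1 accepted; keep only while old clients need them")
    return findings


# Constructed sample modelled on the SSL Labs protocol table quoted above.
SAMPLE = {"TLS 1.2": True, "TLS 1.1": True, "TLS 1.0": True, "SSL 3.0": True, "SSL 2.0": False}
if __name__ == "__main__":
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(results, *assess(results), sep="\n")
```

Run it with a hostname argument to probe a server you operate; without one it assesses the constructed sample.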
Posted: Wed Aug 07, 2013 3:43 am (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
hoopycat wrote:
For what it's worth, lighttpd 1.4.28 on Ubuntu 12.04 LTS supports up to TLS 1.2:

Code:
Protocols
TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3.0   Yes
SSL 2.0   No


Source: https://www.ssllabs.com/ssltest/analyze.html?d=rocwiki.org


OK, Ubuntu rocks.
Why doesn't RedHat rock too? :)


Posted: Wed Aug 07, 2013 1:23 pm (Senior Member; joined Tue Apr 13, 2004; 833 posts)
RedHat 5 and RedHat 6 are a lot older than Ubuntu 12.04 LTS (RH6 was released in 2010; Ubuntu in 2012). Newer TLS versions came in with OpenSSL 1.0.x; RedHat still uses 0.9.x versions.

Current Fedora releases and the upcoming RedHat 7 (expected this year) will have TLS 1.2.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Sun Aug 11, 2013 1:53 pm (Senior Member; joined Wed May 13, 2009; 737 posts; Italy)
sweh wrote:
RedHat 5 and RedHat 6 are a lot older than Ubuntu 12.04 LTS (RH6 was released in 2010; Ubuntu in 2012). Newer TLS versions came in with OpenSSL 1.0.x; RedHat still uses 0.9.x versions.

Current Fedora releases and the upcoming RedHat 7 (expected this year) will have TLS 1.2.


CentOS/RHEL 6.4 uses OpenSSL 1.0.0, not 0.9.x, and TLS 1.2 has been implemented in 1.0.1, not in 1.0.x; 1.0.x also means 1.0.0 :)

