FunkyPants

Reputation: 1

Is it possible to run TLSv1.2 on old Apache and Debian version?

After some really extensive search, I am not able to find out if it is even possible to run TLSv1.2 on the following configuration:

We are hosting a really old application with critical importance which has been set up many years ago by employees who are no longer in the company. So, we are kind of stuck in the current situation.

As mentioned above, the OS is Debian GNU/Linux 4.0 with Apache 1.3.34. The OpenSSL version is 0.9.8zf. I know that OpenSSL of at least 1.0.1 is required to run TLSv1.2, which we can install. But Apache is already really old and it is compiled with libssl.so.0.9.8.

Do we need to upgrade Apache? If yes, what is the minimum version required (could not find an answer on this online)? Can we compile Apache 1.3.34 with OpenSSL 1.0.1?

I know that everything is already ancient, but at the moment we cannot just migrate the application to a more recent setup. We just need a way, if possible, to run TLS 1.2 with the least amount of changes.

Thanks.

Upvotes: 0

Views: 807

Answers (1)

user1986815

Set up a second computer with a new Debian version and new mod_ssl, copy the application and test it. This is the best advice.

Without knowing the machine and the application, I can tell you that there should be no problems upgrading 1.3.3x to 2.2. I remember doing this about 10 years ago and it wasn't a problem at all. You can do it in two steps: first update to 1.3.42 and then to 2.2.

However, TLS 1.2 was defined in RFC 5246 in August 2008. It is 2 years older than Apache 1.3.42, but was implemented in OpenSSL version 1.0.1 on March 14, 2012.

You could probably even compile OpenSSL 1.01 in Apache 1.3.34, but there are so many OTHER unresolved vulnerabilities in Apache 1.3.34 that I think it's a VERY BAD idea.

Upvotes: 1
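
An added example, not code from the question or the answer: a Python check of the library side of this problem, deciding from `ldd` output and an `openssl version` string whether the libssl a web server is linked against can do TLS 1.2. The function names, sample `ldd` text and paths are constructed for illustration; it assumes the legacy OpenSSL patch-letter versioning (`0.9.8zf`).

```python
import re

TLS12_MIN = (1, 0, 1, 0)  # first OpenSSL release with TLS 1.2, per the thread
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_LDD_LIBSSL = re.compile(r"libssl\.so\.(\d+(?:\.\d+)*)\s+=>")

# Constructed sample of `ldd` output for an httpd built against OpenSSL 0.9.8.
SAMPLE_LDD = """\
\tlibssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e21000)
\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7cd3000)
\tlibc.so.6 => /lib/libc.so.6 (0xb7b88000)
"""

def parse_openssl_version(text):
    """Map '0.9.8zf' (or an `openssl version` banner) to a sortable tuple."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    # Legacy patch letters run a..z, then za, zb, ...; summing a=1..z=26 orders them.
    patch = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)

def supports_tls12(version_text):
    return parse_openssl_version(version_text) >= TLS12_MIN

def linked_libssl(ldd_output):
    """Return the libssl soname versions listed as dependencies in ldd output."""
    return _LDD_LIBSSL.findall(ldd_output)

def assess(ldd_output, installed_version):
    sonames = linked_libssl(ldd_output)
    if not sonames:
        return "unknown: no dynamic libssl dependency found"
    # A 0.9.x soname rules TLS 1.2 out no matter what else is installed.
    if any(tuple(map(int, s.split("."))) < (1, 0, 0) for s in sonames):
        return "no: linked against pre-1.0 libssl, rebuild needed"
    # libssl.so.1.0.0 is shared by 1.0.0, 1.0.1 and 1.0.2, so check the release.
    if not supports_tls12(installed_version):
        return "no: installed OpenSSL predates 1.0.1"
    return "yes: the linked library implements TLS 1.2"

if __name__ == "__main__":
    # Installing 1.0.1 alongside does not help while httpd still loads 0.9.8.
    print(assess(SAMPLE_LDD, "OpenSSL 1.0.1"))
```

A "yes" here covers only the library; the server's own SSL module still has to be built against that library and expose the protocol.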
