Securing Applications with TLS in RHEL

Updated -

Red Hat Insights can detect this issue

Proactively detect and remediate issues impacting your systems.
View matching systems and remediation

This is the index page for a set of articles that describe how to configure applications that use cryptography. The aim is to present the recommended configurations and solutions that account for the currently known state of the security landscape.

Due to the fact that both protocol-level and implementation-levels flaws are exposed on a frequent basis both the recommended configurations and package versions are liable to change. It is a simple fact that anybody who runs a system that expects to maintain a reasonably high level of security should expect to have to update and adapt promptly in the face of new issues. Systems cannot simply be frozen at a given state and hope to remain secure.

Cryptographic Toolkits In Use

Crypto Toolkit RHEL8 RHEL7 RHEL6 RHEL5 RHEL4
openssl v1.1.1 v1.0.1e / v1.0.2k v1.0.0 / v1.0.1e v0.9.8e v0.9.7a
NSS v3.41.0 v3.15.4 - v3.36.0 v3.12.10 - v3.28.4 v3.11.5 - v3.21.3 v3.11.99 - v3.12.10
gnutls v3.6.5 v3.1.19 - v3.3.29 v2.8.5 - v2.12.23 v1.4.1 v1.0.20

Application Setup

Application Using Crypto Toolkit RHEL8 RHEL7 RHEL6 RHEL5
Apache with mod_ssl openssl 2.4.37 v2.4.6 v2.2.15 v2.2.3
Apache with mod_nss NSS N/A v1.0.14 v1.0.10 v1.0.8
sendmail openssl v8.15.2 v8.14.7 v8.14.4 v8.13.8
postfix openssl coming soon v2.10.1 v2.6.6 v.2.3.3
dovecot openssl coming soon v2.2.36 v2.0.9 v1.0.7
cyrus-imapd openssl coming soon v2.4.17 v2.3.16 v2.3.7
mysql/mariadb server openssl coming soon v5.5.56-v5.5.60 v5.1.73 v5.0.95
mysql/mariadb client openssl coming soon v5.5.56-v.5.5.60 v5.1.73 v5.0.95
postgresql server openssl coming soon v9.2.23-v9.2.24 v8.4.20 v8.1.23
postgresql clients openssl coming soon v9.2.23-v9.2.24 v8.4.20 v8.1.23
openldap server openssl/NSS N/A v2.4.44 v2.4.40 v2.3.43
openldap client openssl/NSS coming soon v2.4.44 v2.4.40 v2.3.43
libvirtd (libvirt/libvirt-daemon) gnutls coming soon v3.2.0- v3.9.0 v0.10.2 NA

Testing Your Secured Connection

Some details on how to test the particular configuration of a secured service can be found on the Testing Secured Connections web page.

Additional Resources: Securing Identity Management

See Configuring TLS 1.2 for Identity Management in RHEL 6.9.


When a scanner is run on port 389/636 on our RHDS 9 server, it finds EDH-RSA-DES-CBC-SHA. We tried unsuccessfully to update nsSSLCiphers with-tls_dhe_rsa_with_des_cbc_sha. The error indicated that an unknown cipher suite was requested. We were hoping this article would include the current recommendations for RHDS.

Would it be possible to get a RHEL 8 update for this page, please ?

Could we get RHEL 8 updates for this page and possibly add information for Redis 6? It would also be nice to add information for sssd and probably Red Hat Directory Server since openldap-server is no longer shipped in RHEL 8.


Would it be possible to update this page for RHEL 8 Family please

Can this be updated for RHEL 9?