How do I enable TLS 1.1 & TLS 1.2 on openssl?
I'd also like to change the Ephemeral DH key size to 4096 bits, it's currently at 1024.
I'm unsure how to do this.
OpenSSL does not support TLS 1.1 and TLS 1.2, so you cannot enable them. I think OpenSSL supports TLS 1.1 in the development trunk, but I am not sure when that code will be released. Either way, most distributions are still using OpenSSL 0.9.x, and there you're stuck with TLS 1.0 as the best version.
As for EDH, that depends on the product (e.g., web server) -- what are you using?
I'm using Apache 2
I'm not surprised most people are still using the 0.9.x series, because the 1.x series has horrible performance, especially with AES cipher suites.
As for changing the DH params, there's a patch that can do it; however, I recommend not exceeding 2048 bits for the DH params, otherwise you will run into a lot of compatibility issues.
TLS 1.1 and 1.2 are supported by OpenSSL version 1.0.1-stable, which you can get from the "snapshot" section of the OpenSSL website.
Be aware that you will have to recompile Apache, OpenSSH and any other important system component if you do use it.
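Added example, not part of the thread and not code from OpenSSL or Apache: a small shell check for the two questions discussed above, whether an installed OpenSSL is from the 1.0.1-or-later line that carries TLS 1.1/1.2, and what size a DH parameter file is. The function names and the sample strings used to exercise them are constructed for illustration; `dh_bits` assumes the text output of `openssl dhparam -in FILE -text -noout`.

```shell
#!/bin/sh
# Added example. All helper names here are hypothetical, not part of any tool.

# tls12_capable "OpenSSL 1.0.1e 11 Feb 2013"
# Exit 0 if the version is 1.0.1 or later (the line the thread names as
# supporting TLS 1.1/1.2), 1 if older, 2 if the string is not recognised.
tls12_capable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 1 ]
}

# dh_bits: read `openssl dhparam -in FILE -text -noout` output on stdin
# and print the parameter size in bits (first match only).
dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# dh_verdict BITS: classify a size against the 2048-bit figure from the thread.
dh_verdict() {
    if [ "$1" -lt 2048 ]; then
        echo "below-2048"
    elif [ "$1" -eq 2048 ]; then
        echo "2048"
    else
        echo "above-2048"   # the thread warns of client compatibility issues here
    fi
}

# Report on the local OpenSSL, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null || true)
    if tls12_capable "$v"; then
        echo "$v: TLS 1.1/1.2 available in this build line"
    else
        echo "$v: older than 1.0.1 or not recognised"
    fi
fi
```

To check a parameter file, pipe it through both helpers: `dh_verdict "$(openssl dhparam -in dhparams.pem -text -noout | dh_bits)"`, where `dhparams.pem` is a placeholder path.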