Bug 1042989

Summary: curl supports TLS 1.0 as the highest SSL/TLS version
Product: Red Hat Enterprise Linux 6
Reporter: David Jaša <djasa>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.5
CC: mmckinst
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-13 17:21:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1042946

Description David Jaša 2013-12-13 17:06:52 UTC
Description of problem:
curl CLI commands support TLS 1.0 as the highest SSL/TLS version for HTTPS connections. Given its ubiquity and the need to move to TLS 1.1 or better, TLS 1.2, in light of recent advances in cryptography, this issue should be resolved rather quickly...

Version-Release number of selected component (if applicable):
curl-7.19.7-37.el6_4.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64
nss-util-3.15.1-3.el6.x86_64
nss-3.15.1-15.el6.x86_64
openssl-1.0.1e-16.el6_5.x86_64

How reproducible:
always

Steps to Reproduce:
1. start network capture on https
2. curl https://test.example.com/
3. look at ClientHello packet

Actual results:
ClientHello is of version TLS 1.0
HandshakeProtocol is of version TLS 1.0

Expected results:
ClientHello version should be kept at TLS 1.0 to maintain backward compatibility
HandshakeProtocol version should be the maximum that the underlying library supports

Additional info:
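The distinction the expected results draw, record-layer version versus handshake (ClientHello) version, as an added example that is not part of the bug report: a small Python parser that reads both fields from a raw TLS record and flags a client whose handshake version offers nothing above TLS 1.0. The two ClientHello samples are constructed inline rather than captured from curl.

```python
import struct

# Version bytes as they appear on the wire (SSL 3.0 through TLS 1.2).
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def version_name(ver):
    return TLS_VERSIONS.get(ver, "unknown %r" % (ver,))

def build_client_hello(record_version, hello_version):
    """Constructed sample (not a real capture): a minimal ClientHello with one
    cipher suite and null compression, wrapped in a TLS handshake record."""
    body = (bytes(hello_version) + b"\x00" * 32      # client_version, random
            + b"\x00"                                  # session_id length 0
            + b"\x00\x02\x00\x2f"                      # one cipher suite
            + b"\x01\x00")                             # null compression
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return (record_version, handshake_version) as (major, minor) tuples.
    The record-layer version is what a capture tool shows for the record;
    the handshake version is the highest version the client offers."""
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack(">H", data[3:5])[0]
    if len(data) < 5 + record_len:
        raise ValueError("truncated record")
    if data[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len < 2 or 9 + hs_len > 5 + record_len:
        raise ValueError("bad handshake length")
    return record_version, (data[9], data[10])

def offers_at_least(data, minimum=(3, 3)):
    """True if the handshake version is at least `minimum` (default TLS 1.2).
    Only the legacy version field is checked; a TLS 1.3 client instead signals
    its maximum in the supported_versions extension, outside this report's scope."""
    _, hello_version = parse_client_hello(data)
    return hello_version >= minimum

if __name__ == "__main__":
    for label, sample in (("reported", build_client_hello((3, 1), (3, 1))),
                          ("expected", build_client_hello((3, 1), (3, 3)))):
        rec, hello = parse_client_hello(sample)
        print("%s: record %s, handshake %s, TLS 1.2 offered: %s"
              % (label, version_name(rec), version_name(hello), offers_at_least(sample)))
```

Both samples keep the record-layer version at TLS 1.0, as the expected results ask; only the handshake version differs, which is what the check keys on.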

Comment 1 Kamil Dudka 2013-12-13 17:21:40 UTC

*** This bug has been marked as a duplicate of bug 1012136 ***

Comment 2 Mark McKinstry 2015-11-24 23:11:00 UTC
Bug #1012136 isn't public so I don't know what discussion went on in there, but this bug report is about curl using TLSv1.2 by default instead of TLSv1.0. The changelog for curl on el6 only shows it got the --tlsv1.1 and --tlsv1.2 options for bug #1012136, which doesn't really address this bug.

Can someone comment on making curl use TLSv1.2 by default like el7 does (bug #1170339)?

Comment 3 Kamil Dudka 2015-11-25 08:41:44 UTC
As far as I know, there is currently no plan to make curl use TLS 1.2 by default on RHEL-6. You can either use the --tlsv1 option of curl to negotiate the highest version of TLS supported by both client and server, or update to RHEL-7, where this behavior is used by default.