| Field | Value |
|---|---|
| Summary | Backport patches to allow Net::SSLeay to support TLSv1.1, TLSv1.2 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Brian Hinz <bphinz> |
| Component | perl-Net-SSLeay |
| Assignee | Petr Pisar <ppisar> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Docs Contact | Lenka Špačková <lkuprova> |
| Priority | high |
| Version | 6.7 |
| CC | creynold, jorton, jreznik, ksrot, mkolaja, ppisar, psabata, salmy |
| Target Milestone | rc |
| Keywords | FutureFeature, Patch, ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | perl-Net-SSLeay-1.35-11.el6 |
| Doc Type | Release Note |
| Doc Text | The *Net::SSLeay* Perl module now supports restricting the TLS version. The *Net::SSLeay* Perl module has been updated to support explicit specification of the TLS protocol version, which can be used to improve security. To restrict the TLS version to 1.1 or 1.2, set the `Net::SSLeay::ssl_version` variable to `11` or `12`, respectively. |
| Story Points | --- |
| Clones | 1335028 1375183 (view as bug list) |
| Last Closed | 2017-05-24 14:37:30 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1269194, 1331037, 1359263, 1375183 |
Description (Brian Hinz, 2016-04-08 18:16:35 UTC)

Created attachment 1148209 [details]
Proposed patches

Created attachment 1148210 [details]
Proposed patches (2/2)

Created attachment 1148211 [details]
Proposed patches (additional patch against IO::Socket::SSL)

This patch would be applied to perl-IO-Socket-SSL, just adding it here for reference. Will continue to work 1325407 through Red Hat support and, based on that outcome, will open a second ticket for perl-IO-Socket-SSL.

Created attachment 1150468 [details]
Net-SSLeay 1st part (context methods)

Created attachment 1150469 [details]
Net-SSLeay 2nd part (Net::SSLeay::ssl_version values)
How to test:

(1) Start a TLS server that does not support TLS 1.2, e.g.:

```
$ openssl s_server -tls1 -key key -cert cert -www
```

(2) Run a Net::SSLeay Perl program that enforces TLS 1.2 by setting `$Net::SSLeay::ssl_version=12`, e.g.:

```
perl -MNet::SSLeay -e '$Net::SSLeay::ssl_version=12; my ($response, $error) = Net::SSLeay::sslcat(q{localhost}, 4433, q{GET /}); if ($error) { die $error }; print $response'
```

Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will report this server's response:

```
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
```

After: The connection fails, and the client reports this error:

```
SSL_connect 10092: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
```

(3) Repeat the test for TLS 1.1 by setting `$Net::SSLeay::ssl_version=11`.
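The three manual steps above can be automated as a small matrix that checks the version pin is actually enforced. The script below is an added example and is not part of the bug report or of the Net-SSLeay project; it assumes `openssl` and a perl with the patched Net::SSLeay on PATH, takes the server key and certificate from the KEY and CERT environment variables (the default paths are placeholders), and assumes, from upstream Net::SSLeay, that leaving `$Net::SSLeay::ssl_version` at its default of 0 lets OpenSSL negotiate the version. The host and port are constructed values matching the report's one-liner.

```shell
#!/bin/sh
# Added example (not from the bug report): automates the "How to test"
# procedure as a matrix of client pins against a server forced to TLS 1.0.

HOST=localhost
PORT=${PORT:-4433}
KEY=${KEY:-/path/to/key.pem}     # placeholder: server private key
CERT=${CERT:-/path/to/cert.pem}  # placeholder: server certificate

# Map a TLS version label to the $Net::SSLeay::ssl_version value the
# backport understands: 11 = TLS 1.1, 12 = TLS 1.2. "any" leaves the
# variable at 0 (assumed default: OpenSSL negotiates the version).
ssl_version_value() {
  case "$1" in
    any) echo 0 ;;
    1.1) echo 11 ;;
    1.2) echo 12 ;;
    *) echo "unknown TLS label: $1" >&2; return 1 ;;
  esac
}

# Expected result for a server forced to exactly version $1 and a client
# pinned to $2: an unpinned client always connects, a pinned client only
# connects when the pin matches the server's single version.
expected_outcome() {
  case "$2" in
    any) echo connected ;;
    *) [ "$1" = "$2" ] && echo connected || echo rejected ;;
  esac
}

# Classify the client's output: the OpenSSL "wrong version number" error
# from the report means the pin was enforced, a "Protocol" line means a
# session was negotiated and the s_server status page came back.
classify_output() {
  case "$1" in
    *"wrong version number"*) echo rejected ;;
    *"Protocol"*) echo connected ;;
    *) echo unknown ;;
  esac
}

# Run one case: start s_server forced to version $1, connect with a client
# pinned to $2, print the observed outcome. The client mirrors the report's
# one-liner but prints the error instead of dying so it can be classified.
run_case() {
  server_ver=$1; client_pin=$2
  case "$server_ver" in
    1.0) flag=-tls1 ;; 1.1) flag=-tls1_1 ;; 1.2) flag=-tls1_2 ;;
    *) echo "unknown server version: $server_ver" >&2; return 1 ;;
  esac
  openssl s_server "$flag" -accept "$PORT" -key "$KEY" -cert "$CERT" -www >/dev/null 2>&1 &
  server_pid=$!
  sleep 1
  pin=$(ssl_version_value "$client_pin") || { kill "$server_pid" 2>/dev/null; return 1; }
  output=$(perl -MNet::SSLeay -e '
      $Net::SSLeay::ssl_version = $ARGV[0] if $ARGV[0];
      my ($response, $error) = Net::SSLeay::sslcat($ARGV[1], $ARGV[2], "GET /");
      print($error ? $error : $response);' "$pin" "$HOST" "$PORT" 2>&1)
  kill "$server_pid" 2>/dev/null
  classify_output "$output"
}

# The report's matrix: server forced to TLS 1.0, client unpinned, pinned to
# 1.1, and pinned to 1.2. Returns the number of cases that did not match.
run_matrix() {
  failures=0
  for pin in any 1.1 1.2; do
    want=$(expected_outcome 1.0 "$pin")
    got=$(run_case 1.0 "$pin")
    printf 'server=TLS1.0 client_pin=%s expected=%s observed=%s\n' "$pin" "$want" "$got"
    [ "$want" = "$got" ] || failures=$((failures + 1))
  done
  return "$failures"
}

# Only touch the network when invoked as "sh script.sh run"; with no
# argument the script just defines the helpers above.
if [ "${1:-}" = run ]; then
  run_matrix
fi
```

Before the backport, the pinned cases would be reported as `connected` because the client silently fell back to TLS 1.0; with perl-Net-SSLeay-1.35-11.el6 they must come out as `rejected`.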