Bug 1375525
Summary: | [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Marcel Kolaja <mkolaja> |
Component: | perl-IO-Socket-SSL | Assignee: | Jitka Plesnikova <jplesnik> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.7 | CC: | bphinz, creynold, cww, jorton, jplesnik, mmarhefk, perl-maint-list, ppisar, psabata, salmy |
Target Milestone: | rc | Keywords: | FutureFeature, ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | perl-IO-Socket-SSL-1.31-3.el6_8.2 | Doc Type: | Enhancement |
Doc Text: |
Feature:
Net:SSLeay was updated to support explicitly specifying
protocol versions TLSv1.1 or TLSv1.2. IO::Socket::SSL
was updated to take advantage of this change.
Reason:
Restricting TLS to recent TLS version is necessary for
tightening security.
Result:
When new IO::Socket::SSL object is creating, it's
possible to restrict TLS version to 1.1/1.2 version by
setting the option SSL_version to value TLSv1_1/TLSv1_2.
All values are case-insensitive. Instead of 'TLSv1_1'
and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'.
|
Story Points: | --- |
Clone Of: | 1331037 | Environment: | |
Last Closed: | 2016-11-15 20:48:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1331037 | ||
Bug Blocks: |
Description
Marcel Kolaja
2016-09-13 10:19:47 UTC
How to test: (1) Start a TLS server that does not support TLS 1.2, e.g.: $ openssl s_server -tls1 -key key -cert cert -www (2) Run a IO::Socket::SSL Perl program that enforces TLS 1.2 by setting SSL_version = 'TLS12' when creates new object, e.g.: perl -MIO::Socket::SSL -e 'my $cl = IO::Socket::SSL->new(PeerAddr => "localhost:4433", SSL_version => "TLSv12") or die $!; print $cl "GET / HTTP/1.0\r\n\r\n";print <$cl>;' Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will print report this server's response: New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA SSL-Session: Protocol : TLSv1 After: The connection fails, the client reports this error: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number ...propagated at -e line 1. (3) Repeat the test for TLS 1.1 by setting SSL_version => "TLSv11". Dependency on perl-Net-SSLeay-1.35-10.el6_8.1 needs to be included in Specfile. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2769.html |