Bug 1375525

Summary: [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2
Product: Red Hat Enterprise Linux 6 Reporter: Marcel Kolaja <mkolaja>
Component: perl-IO-Socket-SSLAssignee: Jitka Plesnikova <jplesnik>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: high Docs Contact:
Priority: high    
Version: 6.7CC: bphinz, creynold, cww, jorton, jplesnik, mmarhefk, perl-maint-list, ppisar, psabata, salmy
Target Milestone: rcKeywords: FutureFeature, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: perl-IO-Socket-SSL-1.31-3.el6_8.2 Doc Type: Enhancement
Doc Text:
Feature: Net:SSLeay was updated to support explicitly specifying protocol versions TLSv1.1 or TLSv1.2. IO::Socket::SSL was updated to take advantage of this change. Reason: Restricting TLS to recent TLS version is necessary for tightening security. Result: When new IO::Socket::SSL object is creating, it's possible to restrict TLS version to 1.1/1.2 version by setting the option SSL_version to value TLSv1_1/TLSv1_2. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'.
Story Points: ---
Clone Of: 1331037 Environment:
Last Closed: 2016-11-15 20:48:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1331037    
Bug Blocks:    

Description Marcel Kolaja 2016-09-13 10:19:47 UTC
This bug has been copied from bug #1331037 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 4 Jitka Plesnikova 2016-09-13 14:19:24 UTC
How to test:

(1) Start a TLS server that does not support TLS 1.2, e.g.:
$ openssl s_server -tls1 -key key -cert cert -www

(2) Run a IO::Socket::SSL Perl program that enforces TLS 1.2 by setting SSL_version = 'TLS12' when creates new object, e.g.:

perl -MIO::Socket::SSL -e 'my $cl = IO::Socket::SSL->new(PeerAddr => "localhost:4433", SSL_version => "TLSv12") or die $!; print $cl "GET / HTTP/1.0\r\n\r\n";print <$cl>;'

Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will print report this server's response:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1

After: The connection fails, the client reports this error:
IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number  ...propagated at -e line 1.


(3) Repeat the test for TLS 1.1 by setting SSL_version => "TLSv11".

Comment 6 Matus Marhefka 2016-09-26 11:09:37 UTC
Dependency on perl-Net-SSLeay-1.35-10.el6_8.1 needs to be included in Specfile.

Comment 9 errata-xmlrpc 2016-11-15 20:48:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2769.html