Description of problem:
Upgraded some machines to 6.5 and changed a server to TLS 1.1 and 1.2 only (nginx):

ssl_protocols TLSv1.1 TLSv1.2;

============================================================================
Now wget is working:

wget -vO /dev/null https://mirror.becksrv.de/
--2013-12-05 15:54:10--  https://mirror.becksrv.de/
Resolving mirror.becksrv.de... 89.238.69.205, 2a00:1828:2000:781::1:205
Connecting to mirror.becksrv.de|89.238.69.205|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'

    [ <=> ]    264   --.-K/s   in 0s

2013-12-05 15:54:10 (89.5 MB/s) - `/dev/null' saved [264]
============================================================================
curl is broken:

curl -vo /dev/null https://mirror.becksrv.de/
* About to connect() to mirror.becksrv.de port 443 (#0)
*   Trying 89.238.69.205... connected
* Connected to mirror.becksrv.de (89.238.69.205) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
============================================================================
Same for yum:

https://mirror.becksrv.de/[...]/repomd.xml: [Errno 14] problem making ssl connection

Version-Release number of selected component (if applicable):
nss-3.15.1-15.el6.x86_64
curl-7.19.7-37.el6_4.x86_64
libcurl-7.19.7-37.el6_4.x86_64
wget-1.12-1.8.el6.x86_64

Steps to Reproduce:
1. Start Webserver using TLSv1.1 and TLSv1.2 only
2. Use curl or another NSS enabled client to request something

Actual results:
SSL connect error

Expected results:
Content downloaded
See also https://bugzilla.redhat.com/show_bug.cgi?id=1012136
Does libcurl turn on TLS 1.1 or 1.2? NSS doesn't enable it by default (never did).
Bob, I guess the link Elio posted answers your question. The latest curl in Fedora Rawhide provides an option to enable TLS > 1.0, but does not enable it by default.
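The description above shows an NSS-built curl failing against a TLSv1.1/TLSv1.2-only server while wget succeeds, and the comment above notes that newer curl exposes an option to select TLS > 1.0. The following is an added example, not code from the bug report or the curl project: a client-side preflight script an administrator can run before tightening a server's ssl_protocols. It assumes only a curl binary on PATH, and the host name is a placeholder argument.

```shell
#!/bin/sh
# Added example (not from the bug report): check which TLS versions this box's
# curl can negotiate before a server is restricted to "ssl_protocols TLSv1.1 TLSv1.2;".
# Assumes only a curl binary on PATH; the host name is a placeholder argument.

# Print the TLS backend curl was built against (NSS, OpenSSL, ...), or "unknown".
# Reads `curl -V` output on stdin; the backend token sits on the first line, e.g.
#   curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.1 zlib/1.2.3
tls_backend() {
    head -n 1 | tr ' ' '\n' \
      | grep -E '^(NSS|OpenSSL|GnuTLS|wolfSSL|mbedTLS|Schannel|SecureTransport)/' \
      | head -n 1 | cut -d/ -f1 | grep . || echo unknown
}

# Map a curl exit status to what it means for a TLS-version probe.
# 35 is the "SSL connect error" seen in the bug report; 2 is what curl returns
# when an option such as --tlsv1.2 is unknown to an older build.
explain_exit() {
    case "$1" in
        0)  echo "ok: handshake succeeded" ;;
        35) echo "ssl-connect-error: handshake failed (likely protocol-version mismatch)" ;;
        2)  echo "option-unknown: this curl is too old to select a TLS version" ;;
        *)  echo "other: curl exit status $1" ;;
    esac
}

# One handshake attempt per TLS version against $1, printing a verdict for each.
# --tlsv1.x selects that version; on curl >= 7.54 it is a minimum, so add
# "--tls-max 1.x" there if you need to pin exactly one version.
probe_host() {
    host="$1"
    for v in tlsv1.0 tlsv1.1 tlsv1.2; do
        if curl -sS --"$v" -o /dev/null "https://$host/" 2>/dev/null; then
            rc=0
        else
            rc=$?
        fi
        echo "$v -> $(explain_exit "$rc")"
    done
}

# Usage: sh tls-preflight.sh HOST (HOST is a placeholder for your server).
if [ -n "${1:-}" ]; then
    echo "curl TLS backend: $(curl -V | tls_backend)"
    probe_host "$1"
fi
```

A client that reports "option-unknown" for every version, or "ssl-connect-error" for tlsv1.1 and tlsv1.2 while tlsv1.0 succeeds, will break once the server drops TLSv1; yum on that box fails the same way, since it uses the same libcurl.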
It's nice if this is now possible in Rawhide, but I see this also as an urgent bug in RHEL. Especially since OpenSSL already has TLS > 1 implemented, but unfortunately most of the tools on RHEL machines are using NSS - especially curl. So it makes no sense to me that RHEL 6.5 includes support for TLS > 1 servers but only a couple of clients on RHEL machines can connect to these servers.
(In reply to Christian Becker from comment #5)
> It's nice if this is now possible in Rawhide, but I see this also as an
> urgent bug in RHEL.

If you want to increase the chance of having the enhancement included in RHEL, please contact the product support. Bugzilla is only a bug tracking tool and RHEL updates are driven by customer requests.