Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1038649

Summary: ssl clients using nss can not connect using tls 1.1 and tls 1.2
Product: Red Hat Enterprise Linux 6 Reporter: Christian Becker <dabecka>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: emaldona, hkario, kdudka, ksrot, rrelyea
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-05 17:05:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1057564    

Description Christian Becker 2013-12-05 15:00:15 UTC 
Description of problem:
Upgraded some machines to 6.5 and changed a server to tls 1.1 and 1.2 only (nginx):

ssl_protocols                   TLSv1.1 TLSv1.2;

============================================================================
Now wget ist working:
wget -vO /dev/null https://mirror.becksrv.de/
--2013-12-05 15:54:10--  https://mirror.becksrv.de/
Resolving mirror.becksrv.de... 89.238.69.205, 2a00:1828:2000:781::1:205
Connecting to mirror.becksrv.de|89.238.69.205|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'

    [ <=>                                                                                                                                                                                  ] 264         --.-K/s   in 0s

2013-12-05 15:54:10 (89.5 MB/s) - `/dev/null' saved [264]

============================================================================
curl is broken:
curl -vo /dev/null https://mirror.becksrv.de/
* About to connect() to mirror.becksrv.de port 443 (#0)
*   Trying 89.238.69.205... connected
* Connected to mirror.becksrv.de (89.238.69.205) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error

curl: (35) SSL connect error
============================================================================

Same for yum:
https://mirror.becksrv.de/[...]/repomd.xml: [Errno 14] problem making ssl connection

Version-Release number of selected component (if applicable):
nss-3.15.1-15.el6.x86_64
curl-7.19.7-37.el6_4.x86_64
libcurl-7.19.7-37.el6_4.x86_64
wget-1.12-1.8.el6.x86_64


Steps to Reproduce:
1. Start Webserver using TLSv1.1 and TLSv1.2 only
2. Use curl or another NSS enabled client to request something

Actual results:
SSL connect error

Expected results:
Content downloaded
Comment 1 Elio Maldonado Batiz 2013-12-06 17:57:59 UTC 
See also https://bugzilla.redhat.com/show_bug.cgi?id=1012136
Comment 2 Bob Relyea 2013-12-06 18:26:35 UTC 
Does libcurl turn on TLS 1.1 or 1.2? NSS doesn't enable it by default (never did).
Comment 3 Kamil Dudka 2013-12-07 12:17:09 UTC 
Bob, I guess the link Elio posted answers your question.  The latest curl in Fedora Rawhide provides an option to enable TLS > 1.0, but does not enable it by default.
Comment 5 Christian Becker 2013-12-20 10:05:35 UTC 
It´s nice if this is now possible in Rawhide, but i see this also as an urgent bug in RHEL.

Especially since OpenSSL already has TLS > 1 implemented, but unfortunately most of the tools on RHEL machines are using NSS - especially curl.

So it makes no sense to me that RHEL 6.5 includes support for TLS > 1 servers but only a couple of clients on RHEL machines can connect to this servers.
Comment 6 Kamil Dudka 2013-12-20 10:25:17 UTC 
(In reply to Christian Becker from comment #5)
> It´s nice if this is now possible in Rawhide, but i see this also as an
> urgent bug in RHEL.

If you want to increase the chance of having the enhancement included in RHEL, please contact the product support.  Bugzilla is only a bug tracking tool and RHEL updates are driven by customer requests.