Description of problem:
The curl CLI command supports TLS 1.0 as the highest SSL/TLS version for HTTPS connections. Given its ubiquity and the need to move to TLS 1.1 or, better, TLS 1.2 in light of recent advances in cryptography, this issue should be resolved rather quickly...

Version-Release number of selected component (if applicable):
curl-7.19.7-37.el6_4.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64
nss-util-3.15.1-3.el6.x86_64
nss-3.15.1-15.el6.x86_64
openssl-1.0.1e-16.el6_5.x86_64

How reproducible:
always

Steps to Reproduce:
1. start network capture on https
2. curl https://test.example.com/
3. look at ClientHello packet

Actual results:
ClientHello is of version TLS 1.0
HandshakeProtocol is of version TLS 1.0

Expected results:
ClientHello version should be kept at TLS 1.0 to maintain backward compatibility
HandshakeProtocol version should be the maximum that the underlying library supports

Additional info:
*** This bug has been marked as a duplicate of bug 1012136 ***
Bug #1012136 isn't public so I don't know what discussion went on in there, but this bug report is about curl using TLSv1.2 by default instead of TLSv1.0. The changelog for curl on el6 only shows it got the --tlsv1.1 and --tlsv1.2 options for bug #1012136 which doesn't really address this bug. Can someone comment on making curl use TLSv1.2 by default like el7 does (bug #1170339)?
As far as I know, there is currently no plan to make curl use TLS 1.2 by default on RHEL-6. You can either use the --tlsv1 option of curl to negotiate the highest version of TLS supported by both client and server, or update to RHEL-7, where this behavior is used by default.
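The check in step 3 of the report (and the way to confirm what a client offers after changing an option such as --tlsv1) can be scripted. The following is an added example, not part of the original bug report or of curl: it reads the record-layer version and the ClientHello version from the first bytes a client sends. The function names and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def offered_versions(record: bytes):
    """Return (record_layer_version, client_hello_version) as integers."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:                      # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 1:                     # 1 = ClientHello
        raise ValueError("not a ClientHello")
    # body[1:4] is the 3-byte handshake length; client_version follows it.
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return rec_ver, hello_ver

def caps_below(record: bytes, minimum: int = 0x0303) -> bool:
    """True if the highest version the client offers is below `minimum`."""
    _, hello_ver = offered_versions(record)
    return hello_ver < minimum

def describe(record: bytes) -> str:
    rec_ver, hello_ver = offered_versions(record)
    return "record layer %s, ClientHello %s" % (
        NAMES.get(rec_ver, hex(rec_ver)), NAMES.get(hello_ver, hex(hello_ver)))

def build_sample_hello(rec_ver: int, hello_ver: int) -> bytes:
    """Constructed sample: a minimal ClientHello, not a real capture."""
    hello = struct.pack("!H", hello_ver) + bytes(32) + b"\x00"  # version, random, empty session id
    hello += struct.pack("!H", 2) + b"\x00\x2f"                 # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                                        # compression: null only
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

if __name__ == "__main__":
    actual = build_sample_hello(0x0301, 0x0301)    # what the report observed
    expected = build_sample_hello(0x0301, 0x0303)  # what the report asks for
    for label, rec in (("actual", actual), ("expected", expected)):
        print(label, "->", describe(rec), "| below TLS 1.2:", caps_below(rec))
```

To use it on a real capture, pass the TCP payload of the client's first packet to `offered_versions`.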