We spoke in the past about making TLS 1.2 the default for RHEL6. We should do this now given the current environment and where the industry is moving. We will likely need some bugs to fix confused clients. I will let QE and dev file those.
Created attachment 1096374: Enables TLS 1.2 by default
Comment on attachment 1096374 (Enables TLS 1.2 by default): r+ rrelyea.
If you intend to change the default TLS version for libcurl-based applications too, we need to patch also the curl package as we did in RHEL-7 (bug #1170339).
(In reply to Kamil Dudka from comment #5)
> If you intend to change the default TLS version for libcurl-based
> applications too, we need to patch also the curl package as we did in
> RHEL-7 (bug #1170339).

I will (re)use bug #1289205 for this. Please vote for it in case you want to increase the chance of having it included in RHEL-7.3.
(In reply to Kamil Dudka from comment #6)
> I will (re)use bug #1289205 for this. Please vote for it in case you want
> to increase the chance of having it included in RHEL-7.3.

I meant RHEL-6.8, of course...
*** Bug 1289124 has been marked as a duplicate of this bug. ***
Hi Elio, This bug was flagged as requiring a Release Note. Could you please fill out the Doc Text field? I'll edit it into a RN and make sure it gets published. Thank you.
Done, kept the explanation very concise.
PayPal are forcing TLS1.2 support from June 17th 2016. https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US Looking at RHEL release dates it's unclear as to whether or not 2.8 will be released in time. Is there any chance of having this released before then? Also linked are 1289205 and 1255920
Please note that this bug is only about NSS defaults. All versions of the NSS package since 3.15.2 support both TLSv1.2 and the TLSv1.2-specific AES-GCM ciphersuites. If you require the ability to enable TLSv1.2 in PHP (as bug 1255920 would indicate), please contact customer support so that they can work with you to provide the best solution available.
Sorry - I was not clear with my original post. I can get a 1.2 connection by forcing TLS with cURL or PHP, but it won't connect by default. Forcing isn't a very clean option as I'd have to check against a whitelist of endpoints (i.e. PayPal) to decide when to force it and when not to. This is because other services don't support 1.2. I do not have a large amount of knowledge regarding the connection between nss/curl/libcurl - so apologies if this is the wrong bug request to file this information.
(In reply to Mike Parkin from comment #30)
> I can get a 1.2 connection by forcing tls with cURL or PHP, but it won't
> connect by default. Forcing isn't a very clean option as I'd have to check
> against a whitelist of endpoints (i.e PayPal) to decide when to force it and
> when not to. This is because other services don't support 1.2.

Then you should use the CURL_SSLVERSION_TLSv1 option of libcurl to negotiate the highest available TLS 1.x version: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html If I am not mistaken, this is going to be the NSS default in RHEL-6.8 anyway.
Thanks Kamil, that works.
(In reply to Kamil Dudka from comment #31)
> If I am not mistaken, this is going to be the NSS default in RHEL-6.8 anyway.

I should have looked first. According to attachment #1096374, NSS will allow SSL 3.0+ whereas CURL_SSLVERSION_TLSv1 means TLS 1.0+. Still I believe that TLS 1.0+ will work for you just fine without maintaining any whitelist.
Yes I think that TLS1.0+ should be widely supported enough, thank you.
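The CURLOPT_SSLVERSION approach recommended in this thread, shown from the PHP side where the original poster was stuck. This is an added illustration, not code from the bug report or from the curl/NSS projects; the function names `configure_tls_handle` and `fetch_with_tls` are my own, and it assumes PHP's curl extension built against a libcurl that uses NSS, as on RHEL 6 (CURL_SSLVERSION_TLSv1_2 only exists with newer libcurl, so its absence is handled).

```php
<?php
// Added example (not part of the bug report). PHP 5.3-compatible syntax on
// purpose, since that is the PHP shipped with RHEL 6.

function configure_tls_handle($url, $require_tls12_only = false)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException("curl_init failed for $url");
    }

    // CURL_SSLVERSION_TLSv1 means "TLS 1.0 or newer": libcurl/NSS still
    // negotiates TLS 1.2 with servers that offer it and falls back to
    // TLS 1.0/1.1 for those that do not, so no per-endpoint whitelist is
    // needed. Pinning TLS 1.2 is only for peers that must never get older
    // versions, and needs a libcurl that knows CURL_SSLVERSION_TLSv1_2.
    $version = CURL_SSLVERSION_TLSv1;
    if ($require_tls12_only) {
        if (!defined('CURL_SSLVERSION_TLSv1_2')) {
            throw new RuntimeException('this libcurl cannot pin TLS 1.2');
        }
        $version = CURL_SSLVERSION_TLSv1_2;
    }

    curl_setopt_array($ch, array(
        CURLOPT_SSLVERSION     => $version,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checking on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
    ));
    return $ch;
}

function fetch_with_tls($url, $require_tls12_only = false)
{
    $ch = configure_tls_handle($url, $require_tls12_only);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $http  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        // CURLE_SSL_CONNECT_ERROR (errno 35) is what a version mismatch,
        // e.g. a pinned TLS 1.2 client against a TLS 1.0-only server, looks like.
        return array('ok' => false, 'errno' => $errno, 'error' => $error);
    }
    return array('ok' => true, 'http_code' => $http, 'body' => $body);
}
```

A call such as `fetch_with_tls('https://example.invalid/')` (placeholder host) returns an array whose `errno` distinguishes a TLS negotiation failure from an HTTP-level problem, which is the check worth logging when rolling out a minimum-version change.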
Thanks for the Doc Text, Elio.
*** Bug 1320288 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0820.html