Description of problem:
perl-Net-SSLeay v1.35 that ships as a part of RHEL 6 does not support explicitly specifying protocol versions TLSv1.1 or TLSv1.2 via the SSL_version parameter. However, the following two upstream patches would be trivial to backport and would enable this functionality:

https://github.com/toddr/Net-SSLeay/commit/1625fca43588ad4648db13a27e19f82361abe3fc
https://github.com/toddr/Net-SSLeay/commit/3cb6863f124e55611b2094d230081eb3cee089cd

Note that it's possible to get a TLSv1.2 context with the current version (by specifying TLSv1.*, which causes the case statement in the constructor to fall through and return a default context, which just happens to be TLSv1.2). It's not possible to get a TLSv1.1, or even enforce that the context is using TLSv1.2.

Version-Release number of selected component (if applicable):
1.31-9.el6

How reproducible:
100%

Steps to Reproduce:
N/A - functionality isn't there.

Actual results:

Expected results:

Additional info:
IO::Socket::SSL should also be patched to take advantage of this change. Although there isn't a direct upstream patch that would apply cleanly, it is also a simple change. If this request gets a favorable response, I'll file a follow-up enhancement request for perl-IO-Socket-SSL and attach a patch.
Please contact Red Hat support to evaluate your request properly.
Created attachment 1148209 [details] Proposed patches
Created attachment 1148210 [details] Proposed patches (2/2)
Created attachment 1148211 [details] Proposed patches (additional patch against IO::Socket::SSL) This patch would be applied to perl-IO-Socket-SSL, just adding it here for reference. Will continue to work 1325407 through Red Hat support and based on that outcome, will open a second ticket for perl-IO-Socket-SSL.
Created attachment 1150468 [details] Net-SSLeay 1st part (context methods)
Created attachment 1150469 [details] Net-SSLeay 2nd part (Net::SSLeay::ssl_version values)
How to test:

(1) Start a TLS server that does not support TLS 1.2, e.g.:

    $ openssl s_server -tls1 -key key -cert cert -www

(2) Run a Net::SSLeay Perl program that enforces TLS 1.2 by setting $Net::SSLeay::ssl_version=12, e.g.:

    perl -MNet::SSLeay -e '$Net::SSLeay::ssl_version=12; my ($response, $error) = Net::SSLeay::sslcat(q{localhost}, 4433, q{GET /}); if ($error) { die $error }; print $response'

Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will report this server's response:

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    SSL-Session:
        Protocol : TLSv1

After: The connection fails, the client reports this error:

    SSL_connect 10092: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

(3) Repeat the test for TLS 1.1 by setting $Net::SSLeay::ssl_version=11.
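The one-liner in the test plan only checks that the handshake succeeds, which is exactly the condition that hides a silent fallback to TLS 1.0. The script below is an added example, not code from the bug report or from Net-SSLeay itself: it pins the protocol through $Net::SSLeay::ssl_version, then reads back the negotiated version with Net::SSLeay::get_version() and fails if it differs from what was requested. It assumes a Net::SSLeay that carries the attached patches (so that values 11 and 12 are honoured by CTX_new()) and a server such as the openssl s_server from step (1); the script name, host and port defaults are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or Net-SSLeay): pin the TLS
# version via $Net::SSLeay::ssl_version and verify what was negotiated.
# Assumes a Net::SSLeay carrying the attached patches (values 11 and 12).
# Usage (script name is hypothetical): perl tls_version_check.pl <10|11|12> [host] [port]
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay;

# Map each ssl_version setting to the string SSL_get_version() reports.
my %expected = (10 => 'TLSv1', 11 => 'TLSv1.1', 12 => 'TLSv1.2');

my ($want, $host, $port) = @ARGV;
$host //= 'localhost';   # constructed defaults matching the test plan
$port //= 4433;
die "usage: $0 <10|11|12> [host] [port]\n"
    unless defined $want && exists $expected{$want};

# A value CTX_new() does not recognise falls through to the SSLv23
# "negotiate anything" context, i.e. the fallback the report describes;
# the comparison at the end would still catch that case.
$Net::SSLeay::ssl_version = $want;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
    or die "tcp connect to $host:$port failed: $!\n";

my $ctx = Net::SSLeay::CTX_new() or Net::SSLeay::die_now("CTX_new failed");
my $ssl = Net::SSLeay::new($ctx)  or Net::SSLeay::die_now("SSL_new failed");
Net::SSLeay::set_fd($ssl, fileno($sock));

# With a pinned TLS 1.2 context against a TLS 1.0-only server this is where
# the "wrong version number" error from the test plan surfaces.
if (Net::SSLeay::connect($ssl) <= 0) {
    Net::SSLeay::print_errs('SSL_connect');
    die "TLS handshake failed (server does not speak $expected{$want}?)\n";
}

# Never rely on handshake success alone: read back the negotiated version.
my $got = Net::SSLeay::get_version($ssl);
print "negotiated protocol: $got\n";

Net::SSLeay::free($ssl);
Net::SSLeay::CTX_free($ctx);
close $sock;

if ($got ne $expected{$want}) {
    die "FAIL: asked for $expected{$want} but the client negotiated $got\n";
}
print "OK: $expected{$want} enforced\n";
```

Run against the s_server from step (1), `perl tls_version_check.pl 12` should die at the handshake on a patched build, while an unpatched build (where 12 falls through to the SSLv23 context) connects and is then caught by the final comparison, reporting TLSv1 instead of TLSv1.2. The same script with 11 exercises step (3).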