This bug has been copied from bug #1331037 and has been proposed
to be backported to 6.8 z-stream (EUS).
How to test:
(1) Start a TLS server that does not support TLS 1.2, e.g.:
$ openssl s_server -tls1 -key key -cert cert -www
(2) Run a IO::Socket::SSL Perl program that enforces TLS 1.2 by setting SSL_version = 'TLS12' when creates new object, e.g.:
perl -MIO::Socket::SSL -e 'my $cl = IO::Socket::SSL->new(PeerAddr => "localhost:4433", SSL_version => "TLSv12") or die $!; print $cl "GET / HTTP/1.0\r\n\r\n";print <$cl>;'
Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will print report this server's response:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1
After: The connection fails, the client reports this error:
IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number ...propagated at -e line 1.
(3) Repeat the test for TLS 1.1 by setting SSL_version => "TLSv11".
Dependency on perl-Net-SSLeay-1.35-10.el6_8.1 needs to be included in Specfile.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.