Bug 1375525 - [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2
Summary: [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-IO-Socket-SSL
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jitka Plesnikova
QA Contact: Matus Marhefka
Depends On: 1331037
TreeView+ depends on / blocked
Reported: 2016-09-13 10:19 UTC by Marcel Kolaja
Modified: 2016-11-15 20:48 UTC (History)
10 users (show)

Fixed In Version: perl-IO-Socket-SSL-1.31-3.el6_8.2
Doc Type: Enhancement
Doc Text:
Feature: Net:SSLeay was updated to support explicitly specifying protocol versions TLSv1.1 or TLSv1.2. IO::Socket::SSL was updated to take advantage of this change. Reason: Restricting TLS to recent TLS version is necessary for tightening security. Result: When new IO::Socket::SSL object is creating, it's possible to restrict TLS version to 1.1/1.2 version by setting the option SSL_version to value TLSv1_1/TLSv1_2. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'.
Clone Of: 1331037
Last Closed: 2016-11-15 20:48:11 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2769 normal SHIPPED_LIVE perl-IO-Socket-SSL enhancement update 2016-11-16 01:47:27 UTC

Description Marcel Kolaja 2016-09-13 10:19:47 UTC
This bug has been copied from bug #1331037 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 4 Jitka Plesnikova 2016-09-13 14:19:24 UTC
How to test:

(1) Start a TLS server that does not support TLS 1.2, e.g.:
$ openssl s_server -tls1 -key key -cert cert -www

(2) Run a IO::Socket::SSL Perl program that enforces TLS 1.2 by setting SSL_version = 'TLS12' when creates new object, e.g.:

perl -MIO::Socket::SSL -e 'my $cl = IO::Socket::SSL->new(PeerAddr => "localhost:4433", SSL_version => "TLSv12") or die $!; print $cl "GET / HTTP/1.0\r\n\r\n";print <$cl>;'

Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will print report this server's response:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1

After: The connection fails, the client reports this error:
IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number  ...propagated at -e line 1.

(3) Repeat the test for TLS 1.1 by setting SSL_version => "TLSv11".

Comment 6 Matus Marhefka 2016-09-26 11:09:37 UTC
Dependency on perl-Net-SSLeay-1.35-10.el6_8.1 needs to be included in Specfile.

Comment 9 errata-xmlrpc 2016-11-15 20:48:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.