1375525 – [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2

Bug 1375525 - [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2

Summary: [RFE]allow IO::Socket::SSL to support TLSv1.1, TLSv1.2

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	perl-IO-Socket-SSL
Sub Component:
Version:	6.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jitka Plesnikova
QA Contact:	Matus Marhefka
Docs Contact:
URL:
Whiteboard:
Depends On:	1331037
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-13 10:19 UTC by Marcel Kolaja
Modified:	2020-12-14 07:44 UTC (History)
CC List:	10 users (show)
Fixed In Version:	perl-IO-Socket-SSL-1.31-3.el6_8.2
Doc Type:	Enhancement
Doc Text:	Feature: Net:SSLeay was updated to support explicitly specifying protocol versions TLSv1.1 or TLSv1.2. IO::Socket::SSL was updated to take advantage of this change. Reason: Restricting TLS to recent TLS version is necessary for tightening security. Result: When new IO::Socket::SSL object is creating, it's possible to restrict TLS version to 1.1/1.2 version by setting the option SSL_version to value TLSv1_1/TLSv1_2. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'.
Clone Of:	1331037
Environment:
Last Closed:	2016-11-15 20:48:11 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2769	0	normal	SHIPPED_LIVE	perl-IO-Socket-SSL enhancement update	2016-11-16 01:47:27 UTC

Description Marcel Kolaja 2016-09-13 10:19:47 UTC

This bug has been copied from bug #1331037 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 4 Jitka Plesnikova 2016-09-13 14:19:24 UTC

How to test:

(1) Start a TLS server that does not support TLS 1.2, e.g.:
$ openssl s_server -tls1 -key key -cert cert -www

(2) Run a IO::Socket::SSL Perl program that enforces TLS 1.2 by setting SSL_version = 'TLS12' when creates new object, e.g.:

perl -MIO::Socket::SSL -e 'my $cl = IO::Socket::SSL->new(PeerAddr => "localhost:4433", SSL_version => "TLSv12") or die $!; print $cl "GET / HTTP/1.0\r\n\r\n";print <$cl>;'

Before: The connection succeeds because OpenSSL in the client will fall back to TLS 1.0. With the s_server command, the client will print report this server's response:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1

After: The connection fails, the client reports this error:
IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number  ...propagated at -e line 1.


(3) Repeat the test for TLS 1.1 by setting SSL_version => "TLSv11".

Comment 6 Matus Marhefka 2016-09-26 11:09:37 UTC

Dependency on perl-Net-SSLeay-1.35-10.el6_8.1 needs to be included in Specfile.

Comment 9 errata-xmlrpc 2016-11-15 20:48:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2769.html

Note You need to log in before you can comment on or make changes to this bug.