<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">RHEL5 (and therefore CentOS5) won’t do TLSv1.1 or higher because the underlying openssl doesn’t support anything higher than TLS1.0. This means many curl
processes you have will no longer work as nearly everyone is moving to TLS1.1 or higher. RedHat support confirmed they don’t intend to address this in RHEL5 as they view it as a “feature” rather than a “bug”. I’d posted about that some time back.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">More recently on a RHEL6 I ran into issues with doing a curl and web proxy for the higher TLSv1.2 which is supported there. My issue turned out to be the
ciphers rather than the TLS version. Updating the nss package resolved that. <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Also, earlier versions of curl didn’t have the flags --tlsv1.1 and --tlsv1.2 even though the openssl supports those, so updating that package if you use it much
would be a good idea.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I haven’t run into this in relation to email authentication mainly because we don’t do that (yet) but if you’re doing it one or the other of the above may be
relevant. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Have I mentioned that you REALLY need to get off of RHEL5/CentOS5 yet? Official end of support for the former is April 2017 and as suggested by the call about
TLS I made to them the support you do get until then may be a bit lacking.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Jeffrey C. Lightner</span></i><i><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Sr. UNIX/Linux Administrator</span></i><i><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">DS Services of America, Inc.</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">2300 Windy Ridge Pkwy</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Suite
<i>600 N</i></span><span style="font-size:11.0pt;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Atlanta, GA 30339-8461</span><span lang="PT" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">P:
<i>678-486-3516<o:p></o:p></i></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">C:
<i>678-772-0018</i></span><span lang="PT" style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">F:
<i>678-460-3603</i></span><span lang="PT" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">E:
</span><a href="mailto:jlightner@dsservices.com"><i><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif"">jlightner@dsservices.com</span></i></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>Jim Kinney<br>
<b>Sent:</b> Friday, August 26, 2016 5:41 PM<br>
<b>To:</b> Atlanta Linux Enthusiasts - Yes! We run Linux!<br>
<b>Subject:</b> Re: [ale] TLS handshake<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Maybe but my fuzzy, Friday brain is hinting that openssl pre v 1.0 won't do acceptable key size. Look for a different package for openssl like openssl2 or similar.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Aug 26, 2016 5:35 PM, "Chris Fowler" <<a href="mailto:cfowler@outpostsentinel.com">cfowler@outpostsentinel.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Arial","sans-serif";color:black">
<hr size="3" width="100%" align="center">
</span></div>
<div>
<blockquote style="border:none;border-left:solid #1010FF 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><b><span style="font-family:"Helvetica","sans-serif";color:black">From:
</span></b><span style="font-family:"Helvetica","sans-serif";color:black">"Jim Kinney" <</span><a href="mailto:jkinney@jimkinney.us" target="_blank"><span style="font-family:"Helvetica","sans-serif"">jkinney@jimkinney.us</span></a><span style="font-family:"Helvetica","sans-serif";color:black">><br>
<b>To: </b>"Atlanta Linux Enthusiasts" <</span><a href="mailto:ale@ale.org" target="_blank"><span style="font-family:"Helvetica","sans-serif"">ale@ale.org</span></a><span style="font-family:"Helvetica","sans-serif";color:black">><br>
<b>Sent: </b>Friday, August 26, 2016 4:14:17 PM<br>
<b>Subject: </b>Re: [ale] TLS handshake<o:p></o:p></span></p>
</blockquote>
</div>
<div>
<blockquote style="border:none;border-left:solid #1010FF 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif";color:black">Short answer, yes.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif";color:black">There's a newer version that uses a substantially larger key in the process. Everything at work did an upgrade a while back and the DH key too small error was why.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black">OpenSSL and sendmail are both upgraded to the latest versions in the CentOS repository. Seems like I only need to regen dh key?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>