[ale] TLS handshake

Lightner, Jeffrey JLightner at dsservices.com
Fri Aug 26 18:51:33 EDT 2016


RHEL5 (and therefore CentOS5) won’t do TLSv1.1 or higher because the underlying openssl doesn’t support anything higher than TLS1.0.   This means many curl processes you have will no longer work as nearly everyone is moving to TLS1.1 or higher.   RedHat support confirmed they don’t intend to address this in RHEL5 as they view it as a “feature” rather than a “bug”.   I’d posted about that some time back.

More recently on a RHEL6 I ran into issues with doing a curl and web proxy for the higher TLSv1.2 which is supported there.   My issue turned out to be the ciphers rather than the TLS version.  Updating the nss package resolved that.

Also earlier versions of curl didn’t have the flags --tlsv1.1 and --tlsv1.2 even though the openssl supports those so updating that package if you use it much would be a good idea.

I haven’t run into this in relation to email authentication mainly because we don’t do that (yet) but if you’re doing it one or the other of the above may be relevant.

Have I mentioned that you REALLY need to get off of RHEL5/CentOS5 yet?  Official end of support for the former is April 2017 and as suggested by the call about TLS I made to them the support you do get until then may be a bit lacking.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator

DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461

P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlightner at dsservices.com
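To make the two failure modes in the message above concrete (a client whose openssl only offers TLS1.0, versus a TLS1.2-capable client whose cipher list is stale), here is an added Python example; it is not from the thread and not code from curl, openssl or nss. It builds constructed ClientHello records, parses the versions and cipher suites they offer, and applies a simplified server-side negotiation. The server policy, the suite lists and the hello contents are assumptions for illustration; a real stack also checks signature algorithms, key sizes (the "DH key too small" case) and its security level before it accepts a handshake.

```python
import struct

# Protocol version codes as they appear on the wire (RFC 5246 / RFC 8446)
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions extension (RFC 8446)

# Real IANA cipher suite codes, used here only to label constructed samples
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F


def build_client_hello(legacy_version, suites, supported_versions=None):
    """Construct a minimal ClientHello record (sample data, not a real capture).
    The random field is zeroed; no session id or other extensions are set."""
    body = struct.pack(">H", legacy_version) + bytes(32)      # legacy_version + random
    body += b"\x00"                                           # empty session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)    # cipher_suites
    body += b"\x01\x00"                                       # compression_methods: null only
    if supported_versions:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack(">H", len(ext)) + ext             # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the versions and cipher suites a client offers in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    legacy_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip random
    pos += 1 + hello[pos]                           # skip session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # skip compression_methods
    # A pre-1.3 client (like the RHEL5 openssl in the thread) advertises only legacy_version
    versions = [legacy_version]
    if pos < len(hello):
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                versions = [struct.unpack(">H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "versions": versions, "cipher_suites": suites}


def negotiate(record, server_min, server_max, server_suites):
    """Simplified server-side choice: highest mutually supported version, then the
    first suite in server preference order that the client also offers."""
    offer = parse_client_hello(record)
    common = [v for v in offer["versions"] if server_min <= v <= server_max]
    if not common:
        return {"ok": False, "reason": "no common protocol version"}
    for suite in server_suites:
        if suite in offer["cipher_suites"]:
            return {"ok": True, "version": TLS_VERSIONS[max(common)], "cipher": suite}
    return {"ok": False, "reason": "no shared cipher suite"}


def scenarios():
    """Three constructed clients against an assumed server that requires TLS1.1+ and AEAD suites."""
    server = dict(server_min=0x0302, server_max=0x0303,
                  server_suites=[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256])
    old_openssl = build_client_hello(0x0301, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    old_ciphers = build_client_hello(0x0303, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    updated = build_client_hello(0x0303, [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA],
                                 supported_versions=[0x0304, 0x0303])
    return {
        "tls1.0-only client": negotiate(old_openssl, **server),
        "tls1.2 client, stale cipher list": negotiate(old_ciphers, **server),
        "updated client": negotiate(updated, **server),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the one that looks like a version problem but is not: the client speaks TLS1.2, yet the handshake still fails until its cipher list (the nss package, in the case above) is updated. Running `scenarios()` shows which of the two checks rejected each constructed client.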

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Friday, August 26, 2016 5:41 PM
To: Atlanta Linux Enthusiasts - Yes! We run Linux!
Subject: Re: [ale] TLS handshake


Maybe but my fuzzy, Friday brain is hinting that openssl pre v 1.0 won't do acceptable key size. Look for a different package for openssl like openssl2 or similar.

On Aug 26, 2016 5:35 PM, "Chris Fowler" <cfowler at outpostsentinel.com> wrote:


________________________________
From: "Jim Kinney" <jkinney at jimkinney.us>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Friday, August 26, 2016 4:14:17 PM
Subject: Re: [ale] TLS handshake
Short answer, yes.

There's a newer version that uses a substantially larger key in the process. Everything at work did an upgrade a while back and the DH key too small error was why.


OpenSSL and sendmail are both upgraded to the latest versions in the CentOS repository.  Seems like I only need to regen dh key?


_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo