
I'm running an old Debian server that once a day fetches a webpage through a Perl script. Since yesterday, the script fails with a "500 SSL negotiation failed" error.

```perl
use strict;
use LWP::UserAgent;

my $browserObj = LWP::UserAgent->new();

# Fetch the page over HTTPS; print the status line only on failure.
my $response = $browserObj->get( "https://www.domain.tld" );
print $response->status_line . "\n" if( ! $response->is_success );
```

Like I said, it's an old server running old versions of everything:

  • Perl: 5.8.8
  • OpenSSL: 0.9.8c
  • LWP: 5.805
  • Crypt::SSLeay: 0.57

I made a snapshot of the server so I could try all kinds of solutions and return to the snapshot if it fails. Which is exactly what I did after each test, return to the original server state.

Test 1: First thing I tried was updating OpenSSL to 1.0.2d. That did not help, I still got the "SSL negotiation failed" error. I then updated Crypt::SSLeay. That broke SSL altogether (caused the server to be unable to connect to any secure server).

Test 2: Updated Crypt::SSLeay without updating OpenSSL. Caused the server to be unable to connect to secure servers again.

Test 3: Updated OpenSSL to 1.0.2d. Updated LWP. Made no difference. Still got "500 SSL negotiation failed".

Is there anything else I could try?

PS: For several reasons I'm unable to update Debian itself.

jww
Zippy1970
  • I would _guess_ your remote server no longer supports older versions of SSL. There's a bunch of older SSL versions that are dangerously insecure, so sites are starting to deprecate them. E.g. something like this: http://security.stackexchange.com/questions/71457/how-can-i-verify-that-sslv3-protocol-is-disabled – Sobrique Sep 15 '15 at 09:31
  • Yes, that was my guess also. – Zippy1970 Sep 15 '15 at 11:33
  • In which case I'm not really sure how you'd test it - verify with wget maybe? – Sobrique Sep 15 '15 at 13:55
  • wget also gives an error on that site: (SSL handshake failed. Unable to establish SSL connection). – Zippy1970 Sep 15 '15 at 14:27
  • So, your problem isn't a perl one, it's a bit more fundamental than that. – Sobrique Sep 15 '15 at 15:08
  • Did your certificate expire? – stark Sep 15 '15 at 19:26
  • I think wget fails because it's an older version as well. I don't think there's a single solution that will make both Perl and wget work. They probably both require their own solution. – Zippy1970 Sep 15 '15 at 19:41
  • Please post the exact URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. – jww Sep 15 '15 at 19:51
  • Possible duplicate of [500 SSL negotiation failed with perl](http://stackoverflow.com/q/28940024/608639). – jww Sep 15 '15 at 19:54

1 Answer


I got it to work for Perl. As I suspected, each program on the server that uses SSL needs to be patched separately. But this was the solution for Perl:

1) Update OpenSSL (to version 1.0.2d)

This is a necessary step for every program that uses SSL! On my Debian system, I used the instructions found here.

2) Update Net::SSLeay

This was necessary otherwise step 4) would fail.

```
$ cpan Net::SSLeay
```

3) Update Getopt::Long

Again, this step was necessary otherwise step 4) would fail.

```
$ cpan Getopt::Long
```

4) Update Crypt::SSLeay

Note that this will also update LWP.

```
$ cpan Crypt::SSLeay
```
Zippy1970
  • In fact, updating `Crypt::SSLeay` will install `LWP::Protocol::https` which will pull in `IO::Socket::SSL` and `Net::SSLeay`. Unless specific manual steps are taken to override this, it will then cause `Crypt::SSLeay` not to be used at all, but it will have served the purpose of transitioning the user to `Net::SSLeay`. – Sinan Ünür May 18 '17 at 19:33
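
To check the result of the steps above and the point made in the last comment, the following added example (not code from the original post or its answer) reports which OpenSSL build Net::SSLeay is linked against, which protocol versions the server accepts, and which socket class LWP actually used. It assumes the upgraded stack (LWP 6.x with LWP::Protocol::https, IO::Socket::SSL, Net::SSLeay), port 443, and the placeholder host from the question.

```perl
#!/usr/bin/perl
# Added example: inspect the TLS stack LWP uses after the upgrade and
# see which protocol versions the remote server still accepts.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;
use Net::SSLeay;

# Placeholder host from the question; pass the real host as the first argument.
my $host = shift(@ARGV) || 'www.domain.tld';

# OpenSSL build that Net::SSLeay is linked against (0 = SSLEAY_VERSION).
# If this still shows the old library, the module was built against it.
print "OpenSSL (via Net::SSLeay): ", Net::SSLeay::SSLeay_version(0), "\n";
printf "Net::SSLeay %s, IO::Socket::SSL %s, LWP::UserAgent %s\n",
    $Net::SSLeay::VERSION, $IO::Socket::SSL::VERSION, LWP::UserAgent->VERSION;

# Offer one protocol version at a time. A failure can also come from the
# local library not supporting that version; the error text says which.
for my $proto (qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2)) {
    my $sock = IO::Socket::SSL->new(
        PeerHost     => $host,
        PeerPort     => 443,
        SSL_hostname => $host,      # send SNI
        SSL_version  => $proto,
        Timeout      => 10,
    );
    if ($sock) {
        printf "%-8s accepted, cipher %s\n", $proto, $sock->get_cipher;
        $sock->close;
    }
    else {
        printf "%-8s failed: %s\n", $proto, $IO::Socket::SSL::SSL_ERROR || $!;
    }
}

# Same request as in the question, with hostname verification left on.
# Client-SSL-Socket-Class names the backend: IO::Socket::SSL, or Net::SSL
# when Crypt::SSLeay is the one in use.
my $ua  = LWP::UserAgent->new( ssl_opts => { verify_hostname => 1 } );
my $res = $ua->get("https://$host/");
print "LWP status: ", $res->status_line, "\n";
for my $h (qw(Client-SSL-Socket-Class Client-SSL-Version Client-SSL-Cipher)) {
    my $v = $res->header($h);
    printf "%s: %s\n", $h, defined $v ? $v : '(not set)';
}
```

A server that fails SSLv3 and TLSv1 but accepts TLSv1_2 matches the guess in the comments that the site dropped old protocol versions.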