
I am working on a Perl script that connects to a server that supports TLSv1.2. At present I am not able to connect because Perl is running on CentOS 5.4 with OpenSSL version 0.9.8e. I don't want to upgrade Perl because it might break the script, since there have been changes and the latest version of Perl is 5.26, which is way too new. Now, I can run the script with no problems on a different Windows box that is using Perl 5.24. My question: can I use OpenSSL 1.0.1 on CentOS 5.x, recompile the Perl modules, and still be able to connect with TLSv1.2? I have already installed the modules mentioned in "LWP::UserAgent and 500 SSL negotiation failed", except OpenSSL. I also followed https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/ to install OpenSSL, but when I run `openssl version` I still see the original version, i.e. 0.9.9e.

In the above link it mentioned to use CPAN to update/install perl modules. Instead of that I got the rpm for perl modules and installed.

LWP on server is 5.834.

I know the ideal way would be to go to CentOS 6 or later, but is there a better approach to get this working?

goodyone
  • Tough luck, [plenv/perlbrew](https://weblog.bulknews.net/plenv-alternative-for-perlbrew-7b5bf00a419e) will not upgrade your openssl, and docker is available in Centos7... KVM to fire up newer centos? – mpapec Mar 08 '18 at 06:36

1 Answer


> ... use CPAN to update/install perl modules. Instead of that I got the rpm for perl modules and installed.

I have no idea which rpm you've installed. But you need a version of the Net::SSLeay (or Crypt::SSLeay - whatever you've used) module which is linked against the newer version of OpenSSL. Just installing the default RPM will not help since it is linked against the older OpenSSL version.

This means you need to install the module manually and also take care that you link it against the newer OpenSSL library. For Net::SSLeay this means to set the correct OPENSSL_PREFIX to the new version of OpenSSL as documented in the README of Net::SSLeay.

I also recommend using a newer version of LWP and IO::Socket::SSL, because TLS 1.2 is usually not the only problem you face. Other problems might be that the server requires SNI. And I advise against replacing your system Perl modules, since this might cause problems with other programs. Instead, use perlbrew or similar to install your own Perl, different from the system Perl, and use this with updated modules for your specific needs.

Steffen Ullrich
  • I installed the following RPMs: perl-Net-SSLeay-1.30-4.fc6.x86_64.rpm, perl-Crypt-SSLeay-0.51-11.el5.x86_64.rpm, perl-Getopt-Long-2.38-1.el5.noarch.rpm and perl-IO-Socket-SSL-1.01-2.el5.noarch.rpm. When I tried to manually install Net::SSLeay I got a few warnings with `make: *** [SSLeay.o] Error 1`. I think I like the idea of installing another version of Perl, but it's CentOS 5.x so I don't know if I can go beyond Perl 5.16. – goodyone Mar 08 '18 at 07:21
  • @goodyone: again, the default RPMs link against the old OpenSSL and thus installation of these will not help. And both new and old Perl versions most likely can be installed with perlbrew on the older CentOS version. Note that you still need to specify the OpenSSL library to use if you use a perlbrewed Perl when installing Net::SSLeay. – Steffen Ullrich Mar 08 '18 at 07:27
  • I installed 5.18 using perlbrew. But when I do `perlbrew list` it only shows 5.18 but not the existing one. Do you know why it would not list 5.8.8? I suspect there is a bug in perlbrew – goodyone Mar 08 '18 at 08:01
  • Never mind I was able to follow https://stackoverflow.com/questions/25188575/switching-to-the-system-perl-using-perlbrew. – goodyone Mar 08 '18 at 08:15
  • After installing I still get 500 SSL negotiation failed. I installed with `OPENSSL_PREFIX=/usr/local/openssl-1.0.2n/ perl Makefile.PL`. At the end of installation I did receive everything passed. IO::Socket::SSL LWP::Protocol::https – goodyone Mar 09 '18 at 00:15
  • @goodyone: there can be various reasons for a failed SSL negotiation and it is impossible from the current information to find out what is the case. Please reduce your code to the bare minimum to reproduce the problem and run it with SSL debugging enabled, i.e. `perl -MIO::Socket::SSL=debug4 program.pl`. Please add both code and debug output to your question (and not a comment) or maybe even better create a new question since this is no longer about using a specific version of OpenSSL. – Steffen Ullrich Mar 09 '18 at 05:12
  • I am seeing the connection is successful now after recompiling Net::SSLeay with openssl 1.0.1n. I also installed IO::Socket::SSL and LWP::Protocol::https. Somehow it is working now. Thank you for responding and providing great help. Earlier I was getting SSL negotiation failed (`SSL3 alert write:fatal:handshake failure`) and now I am seeing the handshake is successful (`DEBUG: .../IO/Socket/SSL.pm:860: ssl handshake done DEBUG: .../IO/Socket/SSL.pm:2845: free ctx 374956800 open=374956800 DEBUG: .../IO/Socket/SSL.pm:2856: OK free ctx 374956800`) – goodyone Mar 09 '18 at 07:19
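
The answer's point is that the TLS versions a script can use depend on the OpenSSL library that Net::SSLeay is linked against, not on the `openssl` binary found on the PATH. As an added example (not part of the original answer or comments), this Perl script reports what the running interpreter actually loaded and, when given a host, attempts a TLS 1.2-only handshake; the script name and the host/port arguments are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not from the answer): show which OpenSSL this Perl's
# Net::SSLeay is using, then optionally attempt a TLS 1.2 handshake.
# Usage: perl tlscheck.pl [host [port]]   (script name is hypothetical)
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::SSL;

# TLS 1.1/1.2 support arrived in OpenSSL 1.0.1, version number 0x10001000.
sub supports_tls12 { return $_[0] >= 0x10001000 ? 1 : 0 }

sub report_linkage {
    my $num = Net::SSLeay::SSLeay();            # numeric version of the loaded libssl
    my $str = Net::SSLeay::SSLeay_version(0);   # 0 = SSLEAY_VERSION, the version string
    printf "perl            %s (%s)\n", $], $^X;
    printf "Net::SSLeay     %s from %s\n", $Net::SSLeay::VERSION, $INC{'Net/SSLeay.pm'};
    printf "IO::Socket::SSL %s from %s\n", $IO::Socket::SSL::VERSION, $INC{'IO/Socket/SSL.pm'};
    printf "OpenSSL in use  %s (0x%08x)\n", $str, $num;
    printf "TLS 1.2 capable %s\n", supports_tls12($num)
        ? 'yes' : 'no: Net::SSLeay is linked against a pre-1.0.1 OpenSSL';
    # can_client_sni() does not exist in very old IO::Socket::SSL releases.
    my $sni = IO::Socket::SSL->can('can_client_sni') && IO::Socket::SSL->can_client_sni();
    printf "client SNI      %s\n", $sni ? 'yes' : 'no';
    return supports_tls12($num);
}

sub try_handshake {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr     => "$host:$port",
        SSL_version  => 'TLSv1_2',    # allow TLS 1.2 only
        SSL_hostname => $host,        # SNI, which some servers require
        Timeout      => 10,
    );
    unless ($sock) {
        printf "handshake failed: %s\n", IO::Socket::SSL::errstr();
        return 0;
    }
    my $proto = $sock->can('get_sslversion') ? $sock->get_sslversion() : 'unknown';
    printf "handshake ok: %s, cipher %s\n", $proto, $sock->get_cipher();
    $sock->close();
    return 1;
}

my $capable = report_linkage();
if (@ARGV) {
    my ($host, $port) = ($ARGV[0], $ARGV[1] || 443);
    exit(try_handshake($host, $port) ? 0 : 1);
}
exit($capable ? 0 : 1);
```

Running it once with the system Perl and once with the perlbrew Perl shows, via the module paths and the OpenSSL version string, whether the rebuilt Net::SSLeay is the one being loaded.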