500 SSL Negotiation failed in perl version 5.6 - perl

In Live server we have perl version 5.6.1, recently we have enabled TLS 1.2 which resulted in an error "500 SSL Negotiation failed". Earlier we had TLS 1.0 and we didn't have any issues. Enabling TLS 1.2 is unavoidable which is mandatory. How to resolve this issue?
I have searched & found that the SOAP-LITE module has to be installed in order to resolve the above issue, but version 5.6.1 does not support the SOAP-LITE module. It is available in active perl 5.8 and above versions. Is it advisable to upgrade to version 5.8 in order to install SOAP::Lite?
I have used the modules MSSQL::DBLIB and MSSQL::SQLLIB in this project. Will the upgrade support these modules?

Given how old your version of Perl is it is very likely that your version of OpenSSL (which is used at the end for SSL connectivity in Perl) is as old too. Support for TLS 1.2 was added with OpenSSL 1.0.1 which was released in 2012. Perl 5.6.1 was released in 2000 while in 2012 we already had Perl 5.14.
And it is not unlikely that the rest of your software is similarly outdated and unsupported and likely insecure too.
How to resolve this issue?
Finally upgrade your long unsupported software stack. You can try to only update openssl and rebuild Crypt::SSLeay (likely no Net::SSLeay is used yet) to keep changes minimal but I'm not sure that this will work or even compile.

Related

Mongo server and openssl binary show different openssl versions

After installing mongodb on CentOS 7 I ran into an issue with openssl versions. Version installed on the system is 1.0.2k-fips whereas during mongod startup 1.0.1e-fips is printed. How exactly is this possible and is there any way to tell mongo server to use 1.0.2 version ?
https://i.stack.imgur.com/KMbwt.png
This seems to be a RHEL peculiarity.
MongoDB is linked dynamically against OpenSSL, and should use the system OpenSSL library. You can verify this by running
ldd `which openssl`
ldd `which mongod`
The two commands should show references to the system-wide libssl and libcrypto.
What I think happened is RedHat updated OpenSSL from 1.0.1e to 1.0.2k, but retained the "1.0.1e" label for compatibility purposes in parts of the code.
So indeed, MongoDB is using system OpenSSL library, which can be verified with ldd.
The issue with version misinformation is because since a while ago (RHEL 6.x releases), RedHat changed SSLeay() function to report build time version as opposed to the run-time:
Because certain applications perform incorrect version check of the OpenSSL version, the actual runtime version of OpenSSL is masked and the build-time version is reported instead. Consequently, it is impossible to detect the currently running OpenSSL version using the SSLeay() function.
MongoDB uses this exact function to report OpenSSL version, here.
So when you use MongoDB packages and see 1.0.1e-fips while the system OpenSSL version is 1.0.2k-fips, this only means that the system where the package was built on had the older OpenSSL version, but the actual runtime version is your system one, 1.0.2k-fips.

The Perl API to ServiceNow stopped supporting TLS 1.0 and 1.1. Are there any quick Perl 5.8 fixes?

I am a perl developer and have been working on a ServiceNow API to create change tickets. It has been working well until this past Friday when ServiceNow deprecated support for TLS 1.0 and 1.1. My version of Perl is 5.8 so it's quite old. Are there any quick Perl 5.8 fixes?
Here are the perl modules I'm using.
use MIME::Base64;
use HTTP::Proxy;
use JSON;
use REST::Client;
The new errors:
Response: 500 SSL negotiation failed:
Response status: 500 Header: Content-Type=text/plain Header: Client-Date=Fri, 10 Jan 2020 23:06:10 GMT Header: Client-Warning=Internal response 500 SSL negotiation failed:
If you have any say in this you should really, really, really, really, really update your Perl. I mean, really. 5.8 is ancient.
If you cannot do that, you must at least update the piece of code that handles the TLS to a version >= 1.2 (Good luck!). REST::Client uses LWP::UserAgent which in turn uses either Net::SSL or IO::Socket::SSL (I think) for the SSL stuff. If both are present Net::SSL will be used.
So you must investigate which one(s) you have and update one of them. Net::SSL is probably your best bet, since it is just a wrapper around the C library openssl (apt!). The other one probably has a rat's tail of dependencies, but I didn't look.
Perl 5.8.0 is from July 2002. Perl 5.8.8 (which is what I suspect you are actually using) is from January 2006. Both of these are ancient versions and I highly recommend not using them.
I realise that you're using a specific version of an operating system (I'd guess RHEL5) and that upgrading your OS is a project that your company aren't going to want to undertake. But this is why we don't use the system installed version of Perl.
You have a few options.
Install another version of Perl alongside the system Perl. Put it in /opt/perl or somewhere like that. Make it a recent version and install a completely new library of modules for it. perlbrew is one nice way to achieve this.
Use a virtual machine or, better, a Docker container to host your API. That can be a newer OS, running a newer version of Perl with a newer version of the system libraries (which you're probably going to need - as your older version of openssl probably doesn't support TLS 1.2).
Stop using legacy hardware to host your project and move it into a cloud provider like AWS.
You either need to be more agile about updating your OS (which very few companies are very good at) or you need to separate your application's runtime environment from the underlying OS. That second route is what switched-on projects have been doing for several years now.

Why I am getting an "unsupported client" message when I try to connect to Salesforce using Perl's SOAP::Lite?

UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
I am using the SOAP::Lite module
SOAP::Lite is based on LWP. The https support in LWP is ultimately done by using the OpenSSL library. My guess is that you are using a very old OpenSSL library with no support for TLS 1.1 and TLS 1.2, typically either OpenSSL 0.9.8 or OpenSSL 1.0.0 since support for TLS 1.1 and TLS 1.2 was only added in OpenSSL 1.0.1. Such old OpenSSL libraries are typically installed on older systems but also on newer MacOS systems.
To fix the problem you need to upgrade both OpenSSL and the Perl-bindings for it (Net::SSLeay on newer systems or Crypt::SSLeay on older, depending on your version of LWP).

Perl "lwp-request" giving error 500 using TLS 1.2

We've been using a shipping API via our Unix server, specifically SCO Openserver 5.0.7, for a little over a year.
Our system generates XML files, sends them to the server using the lwp-request command, receives the response, interprets it, and processes it as needed by our system.
The exact command we use is:
lwp-request -m POST https://url.com < REQUESTFILE.XML > RESPONSEFILE.XML
The shipping company is upgrading all servers to require TLS 1.2, and now I get
500 SSL negotiation failed:
as a response when using this command.
I'm not sure how to go about making our system compatible.
Do I need to update Perl? (Current version is v5.8.8 built for i586-pc-sco3.2v5.0). If so, what is the minimum version to use TLS 1.2?
Do I need to update LWP? I believe my LWP version is 5.805 (got this using perl -MLWP -le "print(LWP->VERSION)")
Do I need to go into the lwp-request script and manually modify it?
Or is there perhaps another command that does an equivalent job using TLS 1.2?
Given your very old version of Perl (5.8.8, where 5.8.9 was released in 2008) and LWP (5.805, 5.806 was released in 2007) on a very old OS (SCO OpenServer 5.0.7, last update around 2009) it is likely that you are also running a very old version of OpenSSL. TLS 1.2 was only specified in 2008 and became available in OpenSSL only with 1.0.1, which was released 03/2012, i.e. several years after any software updates to your system.
You can check it with openssl version and my guess is that it says something about version 0.9.8, i.e. way too old.
To make TLS 1.2 work on this old system you would need to compile a newer version of OpenSSL (at least the latest 1.0.1) and rebuild the Perl modules interfacing with OpenSSL so that they use this new version. Depending on your setup this might be Crypt::SSLeay or Net::SSLeay. And given how old your system is it is not unlikely that you will run into various problems with compiling, simply because most don't expect that somebody tries to compile newer software on outdated systems. Thus it might just be easier to upgrade everything to a recent and supported OS instead of trying to fight with an old system.
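The version check described in the answer above (`openssl version`, with TLS 1.2 needing OpenSSL 1.0.1 or later), as an added shell example that is not part of the original answer. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the 1.0.1
# threshold for TLS 1.2 that the answer gives. Names here are illustrative.

# Print "MAJOR MINOR PATCH" for an OpenSSL banner; fail if it is not one.
openssl_version_triplet() {
    # Field 2 holds the version, e.g. 0.9.8e-fips-rhel5 or 1.0.2k-fips.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    # Keep the numeric x.y.z prefix; letter and -fips suffixes are dropped.
    num=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$num" ] || return 1
    printf '%s\n' "$num"
}

# Exit 0 if the banner is >= 1.0.1, 1 if older, 2 if it cannot be parsed
# (for example LibreSSL, which uses its own version numbering).
supports_tls12() {
    triplet=$(openssl_version_triplet "$1") || return 2
    set -- $triplet
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -lt 1 ]; then return 1; fi
    if [ "$2" -gt 0 ]; then return 0; fi
    [ "$3" -ge 1 ]
}

tls12_report() {
    rc=0
    supports_tls12 "$1" || rc=$?
    case $rc in
        0) echo "TLS 1.2 capable:        $1" ;;
        1) echo "too old (needs 1.0.1+): $1" ;;
        *) echo "unrecognised banner:    $1" ;;
    esac
}

# Constructed sample banners, so the script also runs without openssl.
for banner in "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
              "OpenSSL 1.0.0a 1 Jun 2010" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "LibreSSL 2.8.3"; do
    tls12_report "$banner"
done

# The CLI on this host. The Perl binding (Crypt::SSLeay or Net::SSLeay) may
# be linked against a different libssl, so check that library as well.
if command -v openssl >/dev/null 2>&1; then
    tls12_report "$(openssl version)"
fi
```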

How can I install Crypt::SSLeay on a Win 64?

I've got 64-bit Vista with ActiveState Perl "v5.10.0 built for MSWin32-x64-multi-thread" and I'm trying to get the Crypt::SSLeay package installed along with versions of libeay32.dll and ssleay32.dll.
I've done this before on a Win32 machine using the 'uwinnipeg' server, but I'm running into issues with my 64-bit system.
ppm install http://theoryx5.uwinnipeg.ca/ppms/Crypt-SSLeay.ppd
ppm install failed: The PPD does not provide code to install for this platform
I've tried a straight ppm install which seemed to work, but verification fails and I don't see any sign of the dll files?
C:\Perl64\bin>ppm install Crypt::SSLeay
Downloading ActiveState Package Repository packlist...done
Updating ActiveState Package Repository database...done
Syncing site PPM database with .packlists...done
No missing packages to install
C:\Perl64\bin>ppm verify Crypt::SSLeay
ppm verify failed: Package 'Crypt::SSLeay' is not installed
Does anyone know where/how I could get versions that are compatible with my PC?
There are a few issues here: First, AFAIK, you need OpenSSL v1.0.0 or greater for Windows 64. Second, until recently, Makefile.PL in Crypt-SSLeay did not detect correctly OpenSSL versions greater than 0.9.x.
I think you want to upgrade at the very least to Perl 5.10.1 as it fixed a number of crucial performance related bugs.
If you install mingw via ActiveState's ppm (I am assuming ppm install mingw would work even though I haven't tried it on a 64-bit system), you can use it to build OpenSSL 1.0.0a and Crypt-SSLeay.
Update: You probably don't need Crypt::SSLeay. See:
DO YOU NEED Crypt::SSLeay?
Does your code really depend on Crypt::SSLeay?
Don't declare a dependency on Crypt::SSLeay (or IO::Socket::SSL either).
Also useful:
Building OpenSSL 1.0.1g on 64-bit Windows Pro 8.1 with Windows SDK 7.1
Compile Vim and OpenSSL with Visual Studio 2013 Community Edition.
Sinan has very recently released a new version of Crypt::SSLeay which might clear up some Windows installation issues. I doubt it's made its way into a PPM yet.