https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #1 from Paul Howarth <paul(a)city-fan.org> ---
The problem here is that the target server doesn't support newer SSL
protocols/ciphers, and the ones it does support are below the standard required
by the system-wide crypto policy (see
https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented in
Fedora's perl-IO-Socket-SSL package (this is why your use of raw Net::SSLeay
works, and IO::Socket::SSL doesn't).
I can make it work by changing the IO::Socket::SSL->new() invocation to this:
    my $cl = IO::Socket::SSL->new(
        PeerHost        => $ARGV[0],
        PeerPort        => 'https',
        # explicit cipher list, used instead of the crypto-policy default
        SSL_cipher_list => 'DES-CBC3-SHA'
    );
A useful debugging tool for this is analyze-ssl.pl, which you can get from
https://github.com/noxxi/p5-ssl-tools (this is from the upstream maintainer of
IO::Socket::SSL).
Example output:
    $ perl analyze-ssl.pl www.halstead.com:443
    -- www.halstead.com port 443
     ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
     ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
     * maximum SSL version  : TLSv1 (SSLv23)
     * supported SSL versions with handshake used and preferred cipher(s):
       * handshake protocols ciphers
       * SSLv23    TLSv1     DES-CBC3-SHA
       * TLSv1_2   FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version SSL connect attempt failed
       * TLSv1_1   FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version
       * TLSv1     TLSv1     DES-CBC3-SHA
       * SSLv3     SSLv3     DES-CBC3-SHA
     * cipher order by      : unknown
     * SNI supported        : ok
     * certificate verified : ok
     * chain on 209.173.134.149
       * [0/0] bits=2048, ocsp_uri=http://ocsp.netsolssl.com, /C=US/postalCode=10065/ST=NY/L=New York/street=770 Lexington Ave/O=Halstead Property/OU=Web/OU=Secure Link SSL Wildcard/CN=*.halstead.com SAN=DNS:*.halstead.com,DNS:halstead.com
       * [1/1] bits=2048, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2
       * [2/-] bits=4096, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
       * [-/2] bits=4096, ocsp_uri=, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
     * OCSP stapling        : no stapled response
     * OCSP status          : good (soft error: http://ocsp.usertrust.com: OCSP response failed: internalerror; subject: /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2; /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority)
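
Added example (not part of the bug comment or of p5-ssl-tools): a small Python check that reads the handshake table from analyze-ssl.pl output like the one above and reports why a strict client policy would refuse the server. The TLSv1_2 floor and the weak-cipher pattern are assumptions made for this example, not values taken from the Fedora policy.

```python
import re

# Assumed policy floor and weak-cipher markers for this example (not from the page).
MIN_PROTOCOL = "TLSv1_2"
RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1_1": 3, "TLSv1_2": 4, "TLSv1_3": 5}
WEAK_CIPHER = re.compile(r"(?:^|-)(?:DES|RC4|NULL|EXP|MD5)", re.I)

# Constructed sample: handshake table from the output above, error text shortened.
SAMPLE = """\
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1     DES-CBC3-SHA
   * TLSv1_2   FAILED: SSL connect attempt failed error:1417110A
   * TLSv1_1   FAILED: SSL connect attempt failed error:1417110A
   * TLSv1     TLSv1     DES-CBC3-SHA
   * SSLv3     SSLv3     DES-CBC3-SHA
 * cipher order by      : unknown
"""

# One table row: offered handshake, then either FAILED or protocol + cipher.
ROW = re.compile(r"^\s*\*\s+(SSLv\d+|TLSv1(?:_\d)?)\s+(FAILED:.*|(\S+)\s+(\S+))\s*$")

def parse_handshakes(text):
    """Return (offered, negotiated_protocol, cipher); None marks a failed handshake."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and non-table lines
        if m.group(2).startswith("FAILED:"):
            rows.append((m.group(1), None, None))
        else:
            rows.append((m.group(1), m.group(3), m.group(4)))
    return rows

def policy_findings(rows):
    """List the reasons a client enforcing MIN_PROTOCOL would reject this server."""
    ok = [r for r in rows if r[1]]
    if not ok:
        return ["no successful handshake"]
    findings = []
    best = max(ok, key=lambda r: RANK.get(r[1], -1))[1]
    if RANK.get(best, -1) < RANK[MIN_PROTOCOL]:
        findings.append(f"best protocol {best} is below {MIN_PROTOCOL}")
    for cipher in sorted({r[2] for r in ok if WEAK_CIPHER.search(r[2])}):
        findings.append(f"weak cipher negotiated: {cipher}")
    if any(r[1] == "SSLv3" for r in ok):
        findings.append("SSLv3 still accepted")
    return findings
```
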