CentOS 6 and TLS1.2
Recently it has come to our attention that some CentOS 6 clients, while technically supporting TLS 1.1 and TLS 1.2, still negotiate TLS 1.0 by default. The cause lies in the stock curl, libcurl and NSS packages (NSS is the TLS library curl is built against on CentOS 6), not in the YubiCloud service itself.
This can be remedied by running the following command, which updates those packages to the most recent versions available from the CentOS repositories.
$ sudo yum update libcurl curl nss
The following bugs, which were reported in 2015, are addressed by applying the yum update.
https://bugzilla.redhat.com/show_bug.cgi?id=1289205
https://bugzilla.redhat.com/show_bug.cgi?id=1272504
Doing so ensures that YubiCloud clients on CentOS 6 both support TLS 1.2 and use it by default. After updating, confirm the fix the same way it is demonstrated below: run curl with -v against a TLS 1.2-only host and check that the handshake succeeds rather than failing to negotiate.
This update is strongly recommended to avoid issues on 2019-02-04, when connections that do not use TLS 1.2 will be rejected outright, as mentioned in our earlier blog post.
The commands below demonstrate the issue, how the fix is applied, and finally establishing a connection with a TLS1.2-only host. Lines starting with ! denote a comment.
[vagrant@localhost ~]$ cat /etc/centos-release
CentOS release 6.6 (Final)

! default packages included in official CentOS 6.6 release
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64       7.19.7-37.el6_5.3
libcurl.x86_64    7.19.7-37.el6_5.3
nss.x86_64        3.16.1-14.el6      @anaconda-CentOS-201410241409.x86_64/6.6

! fails to negotiate TLS handshake (host supports TLS1.2 only)
[vagrant@localhost ~]$ curl -q -v https://developers.yubico.com

! updating to most recently available
[vagrant@localhost ~]$ sudo yum update libcurl curl nss

! packages are upgraded; curl from -37 -> -53 and nss from 3.16 to 3.36
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64       7.19.7-53.el6_9    @base
libcurl.x86_64    7.19.7-53.el6_9    @base
nss.x86_64        3.36.0-9.el6_10    @updates

! works successfully
[vagrant@localhost ~]$ curl -q -v -o /dev/null https://developers.yubico.com
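The session above shows the before and after package versions, but on a fleet you want a check that tells you, per host, whether the update has actually landed. The script below is an added example (it is not part of the original post or of Yubico's own tooling): it parses the same `yum list installed` output for curl, libcurl and nss and compares each version against the post-update builds shown above. Treating those builds (curl/libcurl 7.19.7-53.el6_9, nss 3.36.0-9.el6_10) as the minimum that fixes the TLS 1.0 default is an assumption of this example, as is the use of GNU `sort -V` for ordering RPM version strings. The two sample outputs are constructed from the session above, simplified to one package per line.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the
# CentOS 6 TLS 1.2 fix, run against `yum list installed` output.

# Assumed minimum builds: the versions the session above shows after
# `sudo yum update libcurl curl nss`.
MIN_CURL='7.19.7-53.el6_9'
MIN_LIBCURL='7.19.7-53.el6_9'
MIN_NSS='3.36.0-9.el6_10'

# version_ge HAVE MIN: true when HAVE sorts at or after MIN under GNU
# `sort -V`, which orders these dotted/dashed RPM version-release strings
# as intended (37 < 53, 3.16 < 3.36, equal strings are equal).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_version PKG YUM_OUTPUT: print the version column of the line
# whose first field is PKG.<arch>, e.g. "curl.x86_64  7.19.7-53.el6_9  @base".
# The anchor keeps "curl" from matching "libcurl".
installed_version() {
    printf '%s\n' "$2" | awk -v pkg="$1" '$1 ~ "^" pkg "\\." { print $2; exit }'
}

# tls12_ready YUM_OUTPUT: print one line per package and return 0 only if
# curl, libcurl and nss are all installed at or above the minimum build.
tls12_ready() {
    rc=0
    for spec in "curl=$MIN_CURL" "libcurl=$MIN_LIBCURL" "nss=$MIN_NSS"; do
        pkg=${spec%%=*}
        min=${spec#*=}
        have=$(installed_version "$pkg" "$1")
        if [ -z "$have" ]; then
            printf '%-8s not installed\n' "$pkg"
            rc=1
        elif version_ge "$have" "$min"; then
            printf '%-8s %-18s ok\n' "$pkg" "$have"
        else
            printf '%-8s %-18s OLD, need >= %s\n' "$pkg" "$have" "$min"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples based on the session above: stock CentOS 6.6 packages,
# and the package set after the update.
BEFORE='curl.x86_64     7.19.7-37.el6_5.3  @anaconda-CentOS-201410241409.x86_64/6.6
libcurl.x86_64  7.19.7-37.el6_5.3  @anaconda-CentOS-201410241409.x86_64/6.6
nss.x86_64      3.16.1-14.el6      @anaconda-CentOS-201410241409.x86_64/6.6'
AFTER='curl.x86_64     7.19.7-53.el6_9    @base
libcurl.x86_64  7.19.7-53.el6_9    @base
nss.x86_64      3.36.0-9.el6_10    @updates'

# On a real host, feed live output instead of the samples:
#   tls12_ready "$(yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss)"
echo '--- stock CentOS 6.6 ---'
tls12_ready "$BEFORE" || echo '=> run: sudo yum update libcurl curl nss'
echo '--- after yum update ---'
tls12_ready "$AFTER"
```

The version comparison is deliberately conservative: it flags anything older than the exact builds seen in the session, so a host that received a later errata build still passes, while one that pulled curl but not nss (or the reverse) is reported as not ready. A passing check is a prerequisite, not proof; the definitive test remains a verbose curl against a TLS 1.2-only endpoint, as in the session above.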
For further information about CentOS, please check the forums at https://www.centos.org/forums/