How to not send TLS 1.0 on https soap call

davew has asked for the wisdom of the Perl Monks concerning the following question:

I had a perl app to query some data via SOAP, and it was working up until yesterday. Now I just get the error:

LWP::Protocol::https::Socket: SSL connect attempt failed at /usr/lib/perl5/site_perl/5.8.8/LWP/Protocol/http.pm line 47.

Someone from the server team told me they just upgraded to no longer support TLS 1.0. I've tried a few things (including upgrading my openssl library from 0.9.8 to 1.0.1), and still can't get it working.

Here is the snippet of what was working before:

 
#!/usr/bin/perl

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

my $ua = LWP::UserAgent->new();
$ua->ssl_opts(
  SSL_ca_file => '/var/www/cgi-bin/sz/api/apisb-fullrootchain.crt',
  SSL_verifycn_scheme => 'http',
  SSL_verifycn_name => 'apisandbox.zuora.com'
);

my $req = HTTP::Request->new(POST => 'https://apisandbox.zuora.com/app
+s/services/a/68.0');
$req->header(
  'Content-Type' => 'text/xml; charset=utf-8',
  'SOAPAction'   => 'login'
);
$req->content($xml_content);
my $resp = $ua->request($req);
[download]

In addition to upgrading openssl library, I also tried adding the SSL_version param to ssl_opts call (trying all kinds of permutations of the version string such as tlsv1_1, tlsv11, etc).

 
$ua->ssl_opts(
  SSL_version => '!TLSv1',
  SSL_ca_file => '/var/www/cgi-bin/sz/api/apisb-fullrootchain.crt',
  SSL_verifycn_scheme => 'http',
  SSL_verifycn_name => 'apisandbox.zuora.com'
);
[download]

Also, I tried this with similar permutations:

 
my $context = new IO::Socket::SSL::SSL_Context(
  SSL_version => '!tlsv1',
  );
IO::Socket::SSL::set_default_context($context);
[download]

Here are my specifics:

 
[root@one-commerce-vm.cs.qai install]# perl -MIO::Socket::SSL -e 'prin
+t "$IO::Socket::SSL::VERSION\n"'
2.023
[root@one-commerce-vm.cs.qai install]# perl -MNet::SSLeay -e 'print "$
+Net::SSLeay::VERSION\n"'
1.72
[root@one-commerce-vm.cs.qai install]# perl -MNet::HTTP -e 'print "$Ne
+t::HTTP::VERSION\n"'
6.09
[root@one-commerce-vm.cs.qai install]# perl -MLWP::UserAgent -e 'print
+ "$LWP::UserAgent::VERSION\n"'
6.15

[root@one-commerce-vm.cs.qai install]# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Fri Feb  5 09:19:23 PST 2016
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfi
+sh(idx) 
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_
+H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32
+_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_G
+F2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_
+ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
[download]

Any suggestions appreciated!

Comment on How to not send TLS 1.0 on https soap call Select or Download Code

Replies are listed 'Best First'.
Re: How to not send TLS 1.0 on https soap call by noxxi (Pilgrim) on Feb 05, 2016 at 21:31 UTC
Just because you've upgraded the openssl binary does not meant that you've also upgraded the OpenSSL library within Perl. It might be linked against the old version of OpenSSL which still might be on your system. What does `print Net::SSLeay::OPENSSL_VERSION_NUMBER()` give?	[reply]
Re^2: How to not send TLS 1.0 on https soap call by Anonymous Monk on Feb 06, 2016 at 00:01 UTC
Yes, you are dead-on. I've been spending all afternoon trying to install the openssl-devel 1.0.1, which is not going well based on dependencies.	[reply]
Re^2: How to not send TLS 1.0 on https soap call by Anonymous Monk on Dec 19, 2019 at 13:42 UTC
I am also facing the same issue for Solaris systems	[reply]
Re^3: How to not send TLS 1.0 on https soap call by marto (Cardinal) on Dec 19, 2019 at 13:47 UTC
This thread is several years old. Does this resolve your problem?	[reply]