
Perl "lwp-request" giving error 500 using TLS 1.2


We've been using a shipping API via our Unix server, specifically SCO Openserver 5.0.7, for a little over a year.

Our system generates XML files, sends them to the server using the lwp-request command, receives the response, interprets it, and processes it as needed by our system.

The exact command we use is:

lwp-request -m POST https://url.com < REQUESTFILE.XML > RESPONSEFILE.XML

The shipping company is upgrading all servers to require TLS 1.2, and now I get

500 SSL negotiation failed:

as a response when using this command.

I'm not sure how to go about making our system compatible.

  • Do I need to update Perl? (Current version is v5.8.8 built for i586-pc-sco3.2v5.0). If so, what is the minimum version to use TLS 1.2?

  • Do I need to update LWP? I believe my LWP version is 5.805 (got this using perl -MLWP -le "print(LWP->VERSION)")

  • Do I need to go into the lwp-request script and manually modify it?

  • Or is there perhaps another command that does an equivalent job using TLS 1.2?


Solution

  • Given your very old version of Perl (5.8.8, where 5.8.9 was released in 2008) and LWP (5.805; 5.806 was released in 2007) on a very old OS (SCO OpenServer 5.0.7, last update around 2009), it is likely that you are also running a very old version of OpenSSL. TLS 1.2 was only specified in 2008 and became available in OpenSSL only with 1.0.1, which was released 03/2012, i.e. several years after any software updates to your system.

    You can check it with openssl version, and my guess is that it says something about version 0.9.8, i.e. way too old.

    To make TLS 1.2 work on this old system you would need to compile a newer version of OpenSSL (at least the latest 1.0.1) and rebuild the Perl modules interfacing with OpenSSL so that they use this new version. Depending on your setup this might be Crypt::SSLeay or Net::SSLeay. And given how old your system is, it is not unlikely that you run into various problems with compiling, simply because most don't expect that somebody tries to compile newer software on outdated systems. Thus it might just be easier to upgrade everything to a recent and supported OS instead of trying to fight with an old system.
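
The version check described in the answer, written out as an added example (it is not part of the original question or answer). It reports the OpenSSL seen by the command line tool and the one the Perl binding was built against, since those can differ after a rebuild. The function names are hypothetical, and it assumes Net::SSLeay provides SSLeay_version(), which old releases lack.

```shell
#!/bin/sh
# Added example, not from the original post.

# tls12_capable "<output of 'openssl version'>"
#   returns 0: OpenSSL >= 1.0.1 (first release line with TLS 1.2)
#   returns 1: older OpenSSL, cannot negotiate TLS 1.2
#   returns 2: not an OpenSSL version string this check understands
tls12_capable() {
    name=${1%% *}                      # first word, expected "OpenSSL"
    rest=${1#* }
    ver=${rest%% *}                    # second word, e.g. 0.9.8e
    [ "$name" = "OpenSSL" ] || return 2
    # Drop the letter or suffix: 0.9.8e -> 0.9.8, 1.0.2k-fips -> 1.0.2
    num=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    IFS=. read -r major minor patch <<EOF
$num
EOF
    patch=${patch:-0}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    case "$patch" in *[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# describe "<label>" "<version string>": print a one-line verdict
describe() {
    if tls12_capable "$2"; then echo "$1: $2 -> TLS 1.2 capable"
    else echo "$1: ${2:-not found} -> too old or not recognised"; fi
}

report_local() {
    describe "openssl CLI" "$(openssl version 2>/dev/null)"
    # The library the Perl binding was built against decides what LWP can
    # negotiate. SSLeay_version() is missing from old Net::SSLeay releases,
    # so a failure here is reported as "not found" rather than aborting.
    describe "Net::SSLeay linked library" \
        "$(perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version(0)' 2>/dev/null)"
    for m in Net::SSLeay Crypt::SSLeay LWP; do
        v=$(perl -M"$m" -e 'print $ARGV[0]->VERSION' "$m" 2>/dev/null) || v="not installed"
        echo "$m module version: $v"
    done
}

report_local
```

If the CLI line says capable but the Net::SSLeay line does not, the Perl module is still linked against the old library and has to be rebuilt.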