The Perl API to ServiceNow stopped supporting TLS 1.0 and 1.1. Are there any quick Perl 5.8 fixes?

Question

I am a perl developer and have been working on a ServiceNow API to create change tickets. It has been working well until this past Friday when ServiceNow depreciated support for TLS 1.0 and 1.1. My version of Perl is 5.8 so it's quite old. Are there any quick Perl 5.8 fixes? Here are the perl modules I'm using.

use MIME::Base64;
use HTTP::Proxy;
use JSON;
use REST::Client;

the new errors;

Response: 500 SSL negotiation failed:

Response status: 500 Header: Content-Type=text/plain Header: Client-Date=Fri, 10 Jan 2020 23:06:10 GMT Header: Client-Warning=Internal response 500 SSL negotiation failed:

Answer 1

Perl 5.8.0 is from July 2002. Perl 5.8.8 (which is what I suspect you are actually using) is from January 2006. Both of these are ancient versions and I highly recommend not using them.

I realise that you're using a specific version of an operating system (I'd guess RHEL5) and that upgrading your OS is a project that your company aren't going to want to undertake. But this is why we don't use the system installed version of Perl.

You have a few options.

• Install another version of Perl alongside the system Perl. Put it in /opt/perl or somewhere like that. Make it a recent version and install a completely new library of modules for it. perlbrew is one nice way to achieve this.
• Use a virtual machine or, better, a Docker container to host your API. That can be a newer OS, running a newer version of Perl with a newer version of the system libraries (which you're probably going to need - as your older version of openssl probably doesn't support TLS 1.2).
• Stop using legacy hardware to host your project and move it into a cloud provider like AWS.

You either need to be more agile about updating your OS (which very few companies are very good at) or you need to separate your application's runtime environment from the underlying OS. That second route is what switched-on projects have been doing for several years now.

Answer 2

If you have any say in this you should really, really, really, really, really update your Perl. I mean, really. 5.8 is ancient.

If you cannot do that, you must at least update the piece of code that handles the TLS to a version >= 1.2 (Good luck!). Rest::Client uses LWP::UserAgent which in turn uses either Net::SSL or IO::Socket::SSL (I think) for the SSL stuff. If both are present Net::SSL will be used.

So you must investigate which one(s) you have and update one of them. Net::SSL is probably your best bet, since it is just a wrapper around the c library openssl (apt!). The other one probably has a rats tail of dependencies, but I didn't look.