Red Hat Bugzilla – Attachment 924828 details for Bug 1127322: IO::Socket::SSL overrides OpenSSL default cipher list to 'ALL:!LOW', undermining aim for system-wide settings
Description: Fix for 1.94
Filename: IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-version.patch
MIME Type: text/plain
Creator: Petr Pisar
Created: 2014-08-07 09:26:46 UTC
Size: 3.33 KB
Flags: patch, obsolete
>From ffa8a34d793707a8a05652908b69fea7faeede7c Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> >Date: Thu, 7 Aug 2014 10:36:40 +0200 >Subject: [PATCH] Respect OpenSSL default ciphers and protocol versions >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >If application did not specified cipher or protocol version, >IO::Socket::SSL set them to 'ALL:!LOW' and 'SSLv23:!SSLv2'. This >undermined global cryptogphic setting. > >This patch disables these defaults hard-coded into IO::Socket::SSL and >leves the decision on OpenSSL. > >http://rt.cpan.org/Public/Bug/Display.html?id=97816 >https://bugzilla.redhat.com/show_bug.cgi?id=1127322 >Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> >--- > lib/IO/Socket/SSL.pm | 13 +++++++------ > t/dhe.t | 1 + > 2 files changed, 8 insertions(+), 6 deletions(-) > >diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm >index 3e02e8f..eb4bd05 100644 >--- a/lib/IO/Socket/SSL.pm >+++ b/lib/IO/Socket/SSL.pm >@@ -34,13 +34,13 @@ use constant SSL_RECEIVED_SHUTDOWN => 2; > # global defaults > my %DEFAULT_SSL_ARGS = ( > SSL_check_crl => 0, >- SSL_version => 'SSLv23:!SSLv2', >+ SSL_version => '', > SSL_verify_callback => undef, > SSL_verifycn_scheme => undef, # don't verify cn > SSL_verifycn_name => undef, # use from PeerAddr/PeerHost > SSL_npn_protocols => undef, # meaning depends whether on server or client side > SSL_honor_cipher_order => 0, # client order gets preference >- SSL_cipher_list => 'ALL:!LOW', >+ SSL_cipher_list => undef, > > # default for SSL_verify_mode should be SSL_VERIFY_PEER for client > # for now we keep the default of SSL_VERIFY_NONE but complain, if >@@ -1579,7 +1579,7 @@ sub new { > return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'}); > } > >- my $ver; >+ my $ver=''; > my $disable_ver = 0; > for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { > m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i 
>@@ -2049,7 +2049,8 @@ to the specified version. All values are case-insensitive. > > You can limit to set of supported protocols by adding !version separated by ':'. > >-The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1 >+The default SSL_version is defined by underlying cryptographic library. >+E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1 > are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving > only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions > 1.1 and 1.2 while allowing TLS version 1.0. >@@ -2066,8 +2067,8 @@ given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look into the OpenSSL > documentation (L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>) > for more details. > >-If this option is not set 'ALL:!LOW' will be used. >-To use OpenSSL builtin default (whatever this is) set it to ''. >+If this option is not set or is set to '', OpenSSL builtin default (whatever >+this is) will be used. > > =item SSL_honor_cipher_order > >diff --git a/t/dhe.t b/t/dhe.t >index a2bf565..4010a26 100644 >--- a/t/dhe.t >+++ b/t/dhe.t >@@ -55,6 +55,7 @@ if ( !defined $pid ) { > close($server); > my $to_server = IO::Socket::SSL->new( > PeerAddr => $addr, >+ SSL_cipher_list => 'ALL:RSA:!aRSA', > SSL_verify_mode => 0 ) || do { > notok( "connect failed: $SSL_ERROR" ); > exit >-- >1.9.3 >
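Review bot: the two new defaults in the %DEFAULT_SSL_ARGS hunk use different sentinels, `SSL_version => ''` but `SSL_cipher_list => undef`, while the module's documentation (the removed line "To use OpenSSL builtin default (whatever this is) set it to ''") only ever promised '' as the way to request the library default. Check that the code consuming SSL_cipher_list guards on `defined` rather than on a non-empty string, or keep '' for both so the sentinel stays consistent. Dropping '!SSLv2' from the default also means the module itself no longer disables SSLv2 anywhere; that now rests entirely on the OpenSSL build and on the system-wide policy this bug asks to honour, which is worth stating in the module documentation.

Review bot: in the `sub new` hunk, initialising `$ver` to '' only matters because the default SSL_version is now '' and `split(/\s*:\s*/, '')` yields no elements, so the following for loop never assigns `$ver` and `$disable_ver` stays 0. The code after this hunk that maps `$ver` to an SSL method must therefore treat '' as "let OpenSSL choose" rather than fall through to an error or an uninitialised-value warning; a one-line comment at the initialisation saying that '' means library default would make that invariant explicit.

Review bot: the SSL_version documentation hunk needs a grammar fix and a clearer example: "defined by underlying cryptographic library" should read "defined by the underlying cryptographic library", and "E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1 are supported ..." now reads as though that string were still the default. Suggest: "For example, setting SSL_version to 'SSLv23:!SSLv2' means that SSLv2, SSLv3 and TLSv1 are offered for the initial handshake, but SSLv2 will not be accepted, leaving only SSLv3 and TLSv1." It would also help to state that with the default no protocol version is excluded by the module.

Review bot: the SSL_cipher_list documentation hunk carries over the parenthetical "(whatever this is)" from the old text; since the purpose of the change is that the library default reflects the distribution's system-wide settings, say so: "If this option is not set or is set to '', the cipher list is left to OpenSSL, i.e. its compile-time default or the system-wide configuration." Also mention that the previous behaviour can be restored by passing SSL_cipher_list => 'ALL:!LOW', so callers who relied on the old default have a migration path.

Review bot: the cipher string added to the client in t/dhe.t, 'ALL:RSA:!aRSA', is not self-explanatory and should carry a comment. In OpenSSL cipher-list syntax `RSA` (the kRSA alias) is already contained in `ALL`, so that element is a no-op, and `!aRSA` permanently removes every suite authenticated with an RSA certificate, DHE-RSA included. If the intent is to keep the DHE test exercising an ephemeral-DH suite once the module's 'ALL:!LOW' default is gone, which string achieves that depends on the certificate type the test server uses, so a comment naming the expected negotiated suite (or an assertion on `get_cipher` after the connect) would make the test robust against future default changes.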