perl-IO-Socket-SSL/IO-Socket-SSL-2.024-use-system-default-SSL-version.patch

--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -85,7 +85,7 @@ my $algo2digest = do {
 # global defaults
 my %DEFAULT_SSL_ARGS = (
     SSL_check_crl => 0,
-    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+    SSL_version => '',
     SSL_verify_callback => undef,
     SSL_verifycn_scheme => undef,  # fallback cn verification
     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
@@ -2179,7 +2179,7 @@ sub new {
     $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE;
     $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh;
 
-    my $ver;
+    my $ver = '';
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
 	or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -942,11 +942,12 @@ protocol to the specified version.
 All values are case-insensitive.  Instead of 'TLSv1_1' and 'TLSv1_2' one can
 also use 'TLSv11' and 'TLSv12'.  Support for 'TLSv1_1' and 'TLSv1_2' requires
 recent versions of Net::SSLeay and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
 
 Independent from the handshake format you can limit to set of accepted SSL
 versions by adding !version separated by ':'.
 
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
 handshake format is compatible to SSL2.0 and higher, but that the successful
 handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
 both of these versions have serious security issues and should not be used
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`--- lib/IO/Socket/SSL.pm`
			`+++ lib/IO/Socket/SSL.pm`
Update to 2.009 - New upstream release 2.009 - Remove util/analyze.pl; this tool is now together with other SSL tools at https://github.com/noxxi/p5-ssl-tools - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452) 2015-01-12 13:28:46 +00:00			`@@ -85,7 +85,7 @@ my $algo2digest = do {`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`# global defaults`
			`my %DEFAULT_SSL_ARGS = (`
			`SSL_check_crl => 0,`
			`- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken`
			`+ SSL_version => '',`
			`SSL_verify_callback => undef,`
			`SSL_verifycn_scheme => undef, # fallback cn verification`
			`SSL_verifycn_publicsuffix => undef, # fallback default list verification`
Update to 2.024 - New upstream release 2.024 - Work around issue where the connect fails on systems having only a loopback interface and where IO::Socket::IP is used as super class (default when available) - Update patches as needed 2016-02-07 16:11:20 +00:00			`@@ -2179,7 +2179,7 @@ sub new {`
Update to 2.001 - New upstream release 2.001 - Add SSL_OP_SINGLE_(DH\|ECDH)_USE to default options to increase PFS security - Update external tests with currently expected fingerprints of hosts - Some fixes to make it still work on 5.8.1 2014-10-21 14:27:58 +00:00			`$ssl_op \|= &Net::SSLeay::OP_SINGLE_DH_USE;`
			`$ssl_op \|= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh;`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00
			`- my $ver;`
			`+ my $ver = '';`
			`for (split(/\s:\s/,$arg_hash->{SSL_version})) {`
			`m{^(!?)(?:(SSL(?:v2\|v3\|v23\|v2/3))\|(TLSv1(?:_?[12])?))$}i`
			`or croak("invalid SSL_version specified");`
			`--- lib/IO/Socket/SSL.pod`
			`+++ lib/IO/Socket/SSL.pod`
Update to 2.021 - New upstream release 2.021 - Fixes for documentation and typos - Update PublicSuffix with latest version from publicsuffix.org - Update patches as needed 2015-12-03 13:55:07 +00:00			`@@ -942,11 +942,12 @@ protocol to the specified version.`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can`
			`also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires`
			`recent versions of Net::SSLeay and openssl.`
			`+The default SSL_version is defined by the underlying cryptographic library.`

Update to 2.006 - New upstream release 2.006 - Make SSLv3 available even if the SSL library disables it by default in SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3 so this will be only done when setting SSL_version explicitly - Fix possible segmentation fault when trying to use an invalid certificate - Use only the ICANN part of the default public suffix list and not the private domains; this makes existing exceptions for s3.amazonaws.com and googleapis.com obsolete - Fix t/protocol_version.t to deal with OpenSSL installations that are compiled without SSLv3 support - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of EAGAIN; while this is the same on UNIX it is different on Windows and socket operations return there (WSA)EWOULDBLOCK and not EAGAIN - Enable non-blocking tests on Windows too - Make PublicSuffix::_default_data thread safe - Update PublicSuffix with latest list from publicsuffix.org - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled - Classify buildreqs by usage 2014-11-23 14:55:09 +00:00			`Independent from the handshake format you can limit to set of accepted SSL`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`versions by adding !version separated by ':'.`
Update to 2.001 - New upstream release 2.001 - Add SSL_OP_SINGLE_(DH\|ECDH)_USE to default options to increase PFS security - Update external tests with currently expected fingerprints of hosts - Some fixes to make it still work on 5.8.1 2014-10-21 14:27:58 +00:00
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the`
			`+For example, 'SSLv23:!SSLv3:!SSLv2' means that the`
			`handshake format is compatible to SSL2.0 and higher, but that the successful`
			`handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because`
			`both of these versions have serious security issues and should not be used`