perl-IO-Socket-SSL/IO-Socket-SSL-2.068-use-system-default-SSL-version.patch

--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
 # global defaults
 my %DEFAULT_SSL_ARGS = (
     SSL_check_crl => 0,
-    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+    SSL_version => '',
     SSL_verify_callback => undef,
     SSL_verifycn_scheme => undef,  # fallback cn verification
     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
@@ -2383,7 +2383,7 @@ sub new {
 
     my $ssl_op = $DEFAULT_SSL_OP;
 
-    my $ver;
+    my $ver = '';
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
 	or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1043,11 +1043,12 @@ All values are case-insensitive.  Instea
 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
 and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
 
 Independent from the handshake format you can limit to set of accepted SSL
 versions by adding !version separated by ':'.
 
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
 handshake format is compatible to SSL2.0 and higher, but that the successful
 handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
 both of these versions have serious security issues and should not be used
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`--- lib/IO/Socket/SSL.pm`
			`+++ lib/IO/Socket/SSL.pm`
Update to 2.068 - New upstream release 2.068 - Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to prevent follow-up problems in tests and user code https://github.com/noxxi/p5-io-socket-ssl/issues/93 https://github.com/openssl/openssl/issues/11388 https://github.com/openssl/openssl/issues/11378 - Update PublicSuffix with latest data from publicsuffix.org - Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in Fedora has had the problematic EOF-handling change reverted 2020-03-31 10:34:02 +00:00			`@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`# global defaults`
			`my %DEFAULT_SSL_ARGS = (`
			`SSL_check_crl => 0,`
			`- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken`
			`+ SSL_version => '',`
			`SSL_verify_callback => undef,`
			`SSL_verifycn_scheme => undef, # fallback cn verification`
			`SSL_verifycn_publicsuffix => undef, # fallback default list verification`
Update to 2.068 - New upstream release 2.068 - Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to prevent follow-up problems in tests and user code https://github.com/noxxi/p5-io-socket-ssl/issues/93 https://github.com/openssl/openssl/issues/11388 https://github.com/openssl/openssl/issues/11378 - Update PublicSuffix with latest data from publicsuffix.org - Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in Fedora has had the problematic EOF-handling change reverted 2020-03-31 10:34:02 +00:00			`@@ -2383,7 +2383,7 @@ sub new {`
Update to 2.033 - New upstream release 2.033 - Support for session ticket reuse over multiple contexts and processes (if supported by Net::SSLeay) - Small optimizations, like saving various Net::SSLeay constants into variables and access variables instead of calling the constant sub all the time - Make t/dhe.t work with openssl 1.1.0 - Update patches as needed 2016-07-16 12:40:15 +00:00
			`my $ssl_op = $DEFAULT_SSL_OP;`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00
			`- my $ver;`
			`+ my $ver = '';`
			`for (split(/\s:\s/,$arg_hash->{SSL_version})) {`
Update to 2.060 - New upstream release 2.060 - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); see also CPAN RT#126899 - TLS 1.3 support is not complete yet for session resume 2018-09-17 14:59:10 +00:00			`m{^(!?)(?:(SSL(?:v2\|v3\|v23\|v2/3))\|(TLSv1(?:_?[123])?))$}i`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`or croak("invalid SSL_version specified");`
			`--- lib/IO/Socket/SSL.pod`
			`+++ lib/IO/Socket/SSL.pod`
Update to 2.067 - New upstream release 2.067 - Fix memory leak on incomplete handshake (GH#92) - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this can decrease memory usage at the costs of more allocations (CPAN RT#129463) - More detailed error messages when loading of certificate file failed (GH#89) - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384) - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1 - Fix warning when no ecdh support is available - Documentation update regarding use of select and TLS 1.3 - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91) - Stability fix for t/core.t 2020-02-15 15:11:21 +00:00			`@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea`
Update to 2.061 - New upstream release 2.061 - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that the previous (and undocumented) API for the session cache has been changed - Support for multiple curves, automatic setting of curves and setting of supported curves in client (needs Net::SSLeay ≥ 1.86) - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when client certificates are provided (needs Net::SSLeay ≥ 1.86) 2019-02-23 12:45:00 +00:00			`'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for`
			`'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay`
			`and openssl.`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`+The default SSL_version is defined by the underlying cryptographic library.`

Update to 2.006 - New upstream release 2.006 - Make SSLv3 available even if the SSL library disables it by default in SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3 so this will be only done when setting SSL_version explicitly - Fix possible segmentation fault when trying to use an invalid certificate - Use only the ICANN part of the default public suffix list and not the private domains; this makes existing exceptions for s3.amazonaws.com and googleapis.com obsolete - Fix t/protocol_version.t to deal with OpenSSL installations that are compiled without SSLv3 support - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of EAGAIN; while this is the same on UNIX it is different on Windows and socket operations return there (WSA)EWOULDBLOCK and not EAGAIN - Enable non-blocking tests on Windows too - Make PublicSuffix::_default_data thread safe - Update PublicSuffix with latest list from publicsuffix.org - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled - Classify buildreqs by usage 2014-11-23 14:55:09 +00:00			`Independent from the handshake format you can limit to set of accepted SSL`
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`versions by adding !version separated by ':'.`
Update to 2.001 - New upstream release 2.001 - Add SSL_OP_SINGLE_(DH\|ECDH)_USE to default options to increase PFS security - Update external tests with currently expected fingerprints of hosts - Some fixes to make it still work on 5.8.1 2014-10-21 14:27:58 +00:00
Update to 2.000 - New upstream release 2.000 - Consider SSL3.0 as broken because of POODLE and disable it by default - Skip live tests without asking if environment NO_NETWORK_TESTING is set - Skip tests that require fork on non-default windows setups without proper fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18) - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled 2014-10-16 13:10:03 +00:00			`-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the`
			`+For example, 'SSLv23:!SSLv3:!SSLv2' means that the`
			`handshake format is compatible to SSL2.0 and higher, but that the successful`
			`handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because`
			`both of these versions have serious security issues and should not be used`