rpms/perl-IO-Socket-SSL
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Import rpm: c8s

Browse Source
This commit is contained in:
Mohan Boddu 2023-04-04 16:29:37 +00:00
parent be883679c0
commit 1f3de24475
6 changed files with 1 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/IO-Socket-SSL-2.066.tar.gz
/IO-Socket-SSL-2.066.tar.gz

15
IO-Socket-SSL-2.068-openssl-1.1.1e.patch
View File

@ -1,15 +0,0 @@
--- Makefile.PL
+++ Makefile.PL
@@ -68,12 +68,6 @@ if (my $compiled = eval {
die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)",
$compiled,$linked);
}
-
- # OpenSSL 1.1.1e introduced behavior changes breaking various code
- # will likely be reverted in 1.1.1f - enforce to not use this version
- if ($linked == 0x1010105f) {
- die "detected OpenSSL 1.1.1e - please use a different version\n";
- }
}
# make sure that we have dualvar from the XS Version of Scalar::Util

36
IO-Socket-SSL-2.068-use-system-default-SSL-version.patch
View File

@ -1,36 +0,0 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2383,7 +2383,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used

101
IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
View File

@ -1,101 +0,0 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
- # slightly reordered to prefer AES since it is cheaper when hardware accelerated
- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'PROFILE=SYSTEM',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
%DEFAULT_SSL_ARGS,
SSL_verify_mode => SSL_VERIFY_PEER,
-
SSL_ca_file => undef,
SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
- # a while. Later a padding extension was added to OpenSSL to work around
- # broken F5 but then IronPort croaked because it did not understand this
- # extension so it was disabled again :(
- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
- # that packet stays small enough. We try the same here.
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-CHACHA20-POLY1305',
- 'ECDHE-RSA-CHACHA20-POLY1305',
- 'ECDHE-ECDSA-AES256-SHA',
- 'ECDHE-RSA-AES256-SHA',
- 'DHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'ECDHE-RSA-AES128-SHA',
- 'DHE-RSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES256-SHA',
- 'AES128-SHA',
- 'DES-CBC3-SHA',
-
- # IE11/Edge has some more ciphers, notably SHA384 and DSS
- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
- # ciphers IE/Edge offers because they look like a large mismatch
- # between a very strong HMAC and a comparably weak (but sufficient)
- # encryption. Similar all browsers which do SHA384 can do ECDHE
- # so skip the DHE*SHA384 ciphers.
- 'ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- # 'ECDHE-RSA-AES256-SHA384',
- # 'ECDHE-ECDSA-AES256-SHA384',
- # 'ECDHE-RSA-AES128-SHA256',
- # 'ECDHE-ECDSA-AES128-SHA256',
- # 'DHE-RSA-AES256-GCM-SHA384',
- # 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- # 'AES128-SHA256',
- 'DHE-DSS-AES256-SHA256',
- # 'DHE-DSS-AES128-SHA256',
- 'DHE-DSS-AES256-SHA',
- 'DHE-DSS-AES128-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
-
- # Just to make sure, that we don't accidentally add bad ciphers above.
- # This includes dropping RC4 which is no longer supported by modern
- # browsers and also excluded in the SSL libraries of Python and Ruby.
- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
- )
);
# set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1069,12 +1069,8 @@ documentation (L<https://www.openssl.org
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the
+system-wide PROFILE=SYSTEM cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to

6
gating.yaml
View File

@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

4
perl-IO-Socket-SSL.rpmlintrc
View File

@ -1,4 +0,0 @@
from Config import *
# Documentation/test certs
addFilter("pem-certificate /usr/share/doc/perl-IO-Socket-SSL.*/certs/.*\.pem");