Use system-wide default cipher list from OpenSSL
Use system-wide default cipher list to support use of system-wide crypto policy (#1076390, #1127577, CPAN RT#97816) https://fedoraproject.org/wiki/Changes/CryptoPolicy
This commit is contained in:
parent
bd0d612e4e
commit
223f2f3a2c
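--- a/IO-Socket-SSL-1.997-use-system-default-cipher-list.patch
+++ b/IO-Socket-SSL-1.997-use-system-default-cipher-list.patch
@@ -0,0 +1,73 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -89,9 +89,7 @@ my %DEFAULT_SSL_ARGS = (
+SSL_verifycn_publicsuffix => undef, # fallback default list verification
+#SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
+SSL_npn_protocols => undef, # meaning depends whether on server or client side
+- SSL_cipher_list =>
+- 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
+- 'EDH ALL +SHA +3DES +RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
++ SSL_cipher_list => 'DEFAULT',
+);
+
+my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -101,42 +99,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+SSL_ca_file => undef,
+SSL_ca_path => undef,
+
+- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
+- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
+- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
+- # Debian works around this by disabling TLSv1_2 on the client side
+- # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
+- # stays small enough
+- # The following list is taken from IE11, except that we don't do RC4-MD5,
+- # RC4-SHA is already bad enough. Also, we have a different sort order
+- # compared to IE11, because we put ciphers supporting forward secrecy on top
+-
+- SSL_cipher_list => join(" ",
+- qw(
+- ECDHE-ECDSA-AES128-GCM-SHA256
+- ECDHE-ECDSA-AES128-SHA256
+- ECDHE-ECDSA-AES256-GCM-SHA384
+- ECDHE-ECDSA-AES256-SHA384
+- ECDHE-ECDSA-AES128-SHA
+- ECDHE-ECDSA-AES256-SHA
+- ECDHE-RSA-AES128-SHA256
+- ECDHE-RSA-AES128-SHA
+- ECDHE-RSA-AES256-SHA
+- DHE-DSS-AES128-SHA256
+- DHE-DSS-AES128-SHA
+- DHE-DSS-AES256-SHA256
+- DHE-DSS-AES256-SHA
+- AES128-SHA256
+- AES128-SHA
+- AES256-SHA256
+- AES256-SHA
+- EDH-DSS-DES-CBC3-SHA
+- DES-CBC3-SHA
+- RC4-SHA
+- ),
+- # just to make sure, that we don't accidentely add bad ciphers above
+- "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
+- )
+);
+
+# set values inside _init to work with perlcc, RT#95452
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -929,12 +929,8 @@ documentation (L<http://www.openssl.org/
+for more details.
+
+Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting. The default setting
+-prefers ciphers with forward secrecy, disables anonymous authentication and
+-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
+-at the tests of SSL Labs.
+-To use the less secure OpenSSL builtin default (whatever this is) set
+-SSL_cipher_list to ''.
++recommended to leave this option at the default setting, which honors the
++system-wide DEFAULT cipher list.
+
+=item SSL_honor_cipher_order
+
+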
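Review bot: Setting `SSL_cipher_list => 'DEFAULT'` in `%DEFAULT_SSL_ARGS` drops the explicit exclusion tail (`!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP`) that both removed lists carried, so the module no longer enforces any floor of its own and the negotiable suites depend entirely on what the installed OpenSSL expands `DEFAULT` to. On a host without a crypto policy, or on older OpenSSL releases where the built-in DEFAULT is (to my knowledge) `ALL:!aNULL:!eNULL:!SSLv2` and the spec only demands `openssl >= 0.9.8`, export, LOW, DES and MD5 suites become selectable again. A form that still honours the system policy while keeping the floor would be `SSL_cipher_list => 'DEFAULT:!EXP:!LOW:!eNULL:!aNULL:!DES:!MD5:!PSK:!SRP',`, since the exclusions can only narrow what the policy allows. The second hunk also silently removes the client-side ClientHello-size workaround for old F5 BIG-IP devices together with the IE11-derived list; that behavioural change for clients deserves a line in the patch header or the rewritten pod paragraph so it is not mistaken for a pure policy change.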
@ -1,11 +1,12 @@
|
||||
Name: perl-IO-Socket-SSL
|
||||
Version: 1.997
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Perl library for transparent SSL
|
||||
Group: Development/Libraries
|
||||
License: GPL+ or Artistic
|
||||
URL: http://search.cpan.org/dist/IO-Socket-SSL/
|
||||
Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz
|
||||
Patch0: IO-Socket-SSL-1.997-use-system-default-cipher-list.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
BuildArch: noarch
|
||||
BuildRequires: openssl >= 0.9.8
|
||||
@ -61,6 +62,11 @@ mod_perl.
|
||||
%prep
|
||||
%setup -q -n IO-Socket-SSL-%{version}
|
||||
|
||||
# Use system-wide default cipher list to support use of system-wide
|
||||
# crypto policy (#1076390, #1127577, CPAN RT#97816)
|
||||
# https://fedoraproject.org/wiki/Changes/CryptoPolicy
|
||||
%patch0
|
||||
|
||||
%build
|
||||
echo n | perl Makefile.PL INSTALLDIRS=vendor
|
||||
make %{?_smp_mflags}
|
||||
@ -90,6 +96,11 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
|
||||
|
||||
%changelog
|
||||
* Thu Aug 7 2014 Paul Howarth <paul@city-fan.org> - 1.997-2
|
||||
- Use system-wide default cipher list to support use of system-wide
|
||||
crypto policy (#1076390, #1127577, CPAN RT#97816)
|
||||
https://fedoraproject.org/wiki/Changes/CryptoPolicy
|
||||
|
||||
* Mon Jul 14 2014 Paul Howarth <paul@city-fan.org> - 1.997-1
|
||||
- Update to 1.997
|
||||
- Fix initialization and creation of OpenSSL-internals for perlcc
|
||||
|