import perl-IO-Socket-SSL-2.073-1.el9

This commit is contained in:
CentOS Sources 2022-05-17 04:55:28 -04:00 committed by Stepan Oksanichenko
commit 7be32982e8
7 changed files with 1941 additions and 0 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/IO-Socket-SSL-2.073.tar.gz

View File

@ -0,0 +1 @@
442c23ee1d0476df788f8b0b0f5fe174f871d792 SOURCES/IO-Socket-SSL-2.073.tar.gz

View File

@ -0,0 +1,130 @@
From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 8 Feb 2019 14:50:32 +0100
Subject: [PATCH] Test client performs Post-Handshake-Authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This test uses openssl tool because PHA is not yet supported by
IO::Socket::SSL's server implementation. The openssl tool uses a fixed
port. So the test can fail.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
MANIFEST | 1 +
t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
create mode 100755 t/pha_client.t
diff --git a/MANIFEST b/MANIFEST
index 20cddb6..2b8328d 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -57,6 +57,7 @@ t/mitm.t
t/multiple-cert-rsa-ecc.t
t/nonblock.t
t/npn.t
+t/pha_client.t
t/plain_upgrade_downgrade.t
t/protocol_version.t
t/public_suffix_lib_encode_idn.t
diff --git a/t/pha_client.t b/t/pha_client.t
new file mode 100755
index 0000000..2413588
--- /dev/null
+++ b/t/pha_client.t
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run ();
+use IO::Socket::SSL ();
+use Net::SSLeay ();
+use IO::Select ();
+
+if (system('openssl', 'version')) {
+ plan skip_all => 'openssl tool is not available';
+} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
+ plan skip_all => 'Net::SSLeay does not expose PHA';
+} else {
+ plan tests => 5;
+}
+
+my $port = 2000;
+my $ca_cert = 'certs/test-ca.pem';
+
+diag 'Starting a server';
+my ($server, $input, $stdout, $stderr);
+eval {
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
+ '-Verify', '1',
+ '-cert', 'certs/server-wildcard.pem',
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
+ \$input, \$stdout, \$stderr);
+ # subsequent \undef does not work
+ # <https://github.com/toddr/IPC-Run/issues/124>
+};
+if (!$server or $@) {
+ BAIL_OUT("Could not start a server: $@");
+}
+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
+if ($stderr =~ /unable to bind socket/) {
+ $server->kill_kill;
+ BAIL_OUT("Could not start a server: $stderr");
+}
+ok($server, 'Server started');
+
+my $client = IO::Socket::SSL->new(
+ PeerHost => 'localhost',
+ PeerPort => $port,
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local',
+ SSL_ca_file => $ca_cert,
+ SSL_key_file => 'certs/client-key.pem',
+ SSL_cert_file => 'certs/client-cert.pem'
+);
+ok($client, 'Client connected');
+
+SKIP: {
+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
+ unless $client;
+ $client->blocking(0);
+
+ SKIP: {
+ # Ask openssl s_server for PHA request and wait for the result.
+ $input .= "c\n";
+ while ($server->pumpable &&
+ $stderr !~ /SSL_verify_client_post_handshake/ &&
+ $stdout !~ /SSL_do_handshake -> 1/
+ ) {
+ # Push the PHA command to the server and read outputs.
+ $server->pump;
+
+ # Client also must perform I/O to process the PHA request.
+ my $select = IO::Select->new($client);
+ while ($select->can_read(1)) { # 1 second time-out because of
+ # blocking IPC::Run
+ my $retval = $client->read(my $buf, 1);
+ if (defined $buf and $buf eq 'c') {
+ skip 'openssl tool does not support PHA command', 1;
+ }
+ }
+ }
+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
+ }
+
+ ok($client->close, 'Client disconnected');
+}
+
+eval {
+ $server->kill_kill;
+};
+ok(!$@, 'Server terminated');
+
--
2.20.1

View File

@ -0,0 +1,15 @@
--- Makefile.PL
+++ Makefile.PL
@@ -68,12 +68,6 @@ if (my $compiled = eval {
die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)",
$compiled,$linked);
}
-
- # OpenSSL 1.1.1e introduced behavior changes breaking various code
- # will likely be reverted in 1.1.1f - enforce to not use this version
- if ($linked == 0x1010105f) {
- die "detected OpenSSL 1.1.1e - please use a different version\n";
- }
}
# make sure that we have dualvar from the XS Version of Scalar::Util

View File

@ -0,0 +1,36 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2383,7 +2383,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used

View File

@ -0,0 +1,101 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
- # slightly reordered to prefer AES since it is cheaper when hardware accelerated
- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'PROFILE=SYSTEM',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
%DEFAULT_SSL_ARGS,
SSL_verify_mode => SSL_VERIFY_PEER,
-
SSL_ca_file => undef,
SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
- # a while. Later a padding extension was added to OpenSSL to work around
- # broken F5 but then IronPort croaked because it did not understand this
- # extension so it was disabled again :(
- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
- # that packet stays small enough. We try the same here.
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-CHACHA20-POLY1305',
- 'ECDHE-RSA-CHACHA20-POLY1305',
- 'ECDHE-ECDSA-AES256-SHA',
- 'ECDHE-RSA-AES256-SHA',
- 'DHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'ECDHE-RSA-AES128-SHA',
- 'DHE-RSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES256-SHA',
- 'AES128-SHA',
- 'DES-CBC3-SHA',
-
- # IE11/Edge has some more ciphers, notably SHA384 and DSS
- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
- # ciphers IE/Edge offers because they look like a large mismatch
- # between a very strong HMAC and a comparably weak (but sufficient)
- # encryption. Similar all browsers which do SHA384 can do ECDHE
- # so skip the DHE*SHA384 ciphers.
- 'ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- # 'ECDHE-RSA-AES256-SHA384',
- # 'ECDHE-ECDSA-AES256-SHA384',
- # 'ECDHE-RSA-AES128-SHA256',
- # 'ECDHE-ECDSA-AES128-SHA256',
- # 'DHE-RSA-AES256-GCM-SHA384',
- # 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- # 'AES128-SHA256',
- 'DHE-DSS-AES256-SHA256',
- # 'DHE-DSS-AES128-SHA256',
- 'DHE-DSS-AES256-SHA',
- 'DHE-DSS-AES128-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
-
- # Just to make sure, that we don't accidentally add bad ciphers above.
- # This includes dropping RC4 which is no longer supported by modern
- # browsers and also excluded in the SSL libraries of Python and Ruby.
- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
- )
);
# set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1069,12 +1069,8 @@ documentation (L<https://www.openssl.org
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the
+system-wide PROFILE=SYSTEM cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to

File diff suppressed because it is too large Load Diff