perl-IO-Socket-SSL/IO-Socket-SSL-2.000-use-system-default-SSL-version.patch
Paul Howarth 0249c6324b Update to 2.000
- New upstream release 2.000
  - Consider SSL3.0 as broken because of POODLE and disable it by default
  - Skip live tests without asking if environment NO_NETWORK_TESTING is set
  - Skip tests that require fork on non-default windows setups without proper
    fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18)
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
2014-10-16 14:10:03 +01:00

37 lines
1.6 KiB
Diff

--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -83,7 +83,7 @@ my $algo2digest = do {
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2054,7 +2054,7 @@ WARN
my $ssl_op = Net::SSLeay::OP_ALL();
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -910,11 +910,11 @@ protocol to the specified version.
All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
recent versions of Net::SSLeay and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Indipendend from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used