rpms/perl-IO-Socket-SSL
6
0
Fork 0
Code Issues Pull Requests Releases Activity
23e698433c
perl-IO-Socket-SSL/IO-Socket-SSL-2.058-use-system-default-SSL-version.patch
Paul Howarth 23e698433c Update to 2.058 
- New upstream release 2.058
  - Fix memory leak that occured with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
    number or callback to create serial number based on the original certificate
  - New function get_session_reused to check if a session got reused
  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
    value
  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
    expects the extKeyUsage of clientAuth in the client cert also to be allowed
    by the CA if CA uses extKeyUsage
2018-07-19 10:19:21 +01:00

37 lines
1.6 KiB
Diff
Raw Blame History

--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -116,7 +116,7 @@ my $algo2digest = do {
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2278,7 +2278,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -993,11 +993,12 @@ protocol to the specified version.
All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
recent versions of Net::SSLeay and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used
Reference in New Issue View Git Blame Copy Permalink