af52f67378
- New upstream release 2.006
- Make SSLv3 available even if the SSL library disables it by default in
SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
so this will be only done when setting SSL_version explicitly
- Fix possible segmentation fault when trying to use an invalid certificate
- Use only the ICANN part of the default public suffix list and not the
private domains; this makes existing exceptions for s3.amazonaws.com and
googleapis.com obsolete
- Fix t/protocol_version.t to deal with OpenSSL installations that are
compiled without SSLv3 support
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
of EAGAIN; while this is the same on UNIX it is different on Windows and
socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
- Enable non-blocking tests on Windows too
- Make PublicSuffix::_default_data thread safe
- Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
which may have SSL3.0 enabled
- Classify buildreqs by usage
37 lines
1.6 KiB
Diff
37 lines
1.6 KiB
Diff
--- lib/IO/Socket/SSL.pm
|
|
+++ lib/IO/Socket/SSL.pm
|
|
@@ -83,7 +83,7 @@ my $algo2digest = do {
|
|
# global defaults
|
|
my %DEFAULT_SSL_ARGS = (
|
|
SSL_check_crl => 0,
|
|
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
|
|
+ SSL_version => '',
|
|
SSL_verify_callback => undef,
|
|
SSL_verifycn_scheme => undef, # fallback cn verification
|
|
SSL_verifycn_publicsuffix => undef, # fallback default list verification
|
|
@@ -2068,7 +2068,7 @@ WARN
|
|
$ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE;
|
|
$ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh;
|
|
|
|
- my $ver;
|
|
+ my $ver = '';
|
|
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
|
|
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
|
|
or croak("invalid SSL_version specified");
|
|
--- lib/IO/Socket/SSL.pod
|
|
+++ lib/IO/Socket/SSL.pod
|
|
@@ -911,11 +911,12 @@ protocol to the specified version.
|
|
All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
|
|
also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
|
|
recent versions of Net::SSLeay and openssl.
|
|
+The default SSL_version is defined by the underlying cryptographic library.
|
|
|
|
Independent from the handshake format you can limit to set of accepted SSL
|
|
versions by adding !version separated by ':'.
|
|
|
|
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
|
|
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
|
|
handshake format is compatible to SSL2.0 and higher, but that the successful
|
|
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
|
|
both of these versions have serious security issues and should not be used
|