6d1cc77223
- New upstream release 2.054 - Small behavior fixes - If SSL_fingerprint is used and matches, don't check for OCSP - Utils::CERT_create: Small fixes to properly specify purpose, ability to use predefined complex purpose but disable some features - Update PublicSuffix - Updates for documentation, especially regarding pitfalls with forking or using non-blocking sockets, spelling fixes - Test fixes and improvements - Stability improvements for live tests - Regenerate certificates in certs/ and make sure they are limited to the correct purpose; check in program used to generate certificates - Adjust tests since certificates have changed and some tests used certificates intended for client authentication as server certificates, which now no longer works
37 lines
1.6 KiB
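--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -116,7 +116,7 @@ my $algo2digest = do {
 # global defaults
 my %DEFAULT_SSL_ARGS = (
 SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
 SSL_verify_callback => undef,
 SSL_verifycn_scheme => undef, # fallback cn verification
 SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2267,7 +2267,7 @@ sub new {
 
 my $ssl_op = $DEFAULT_SSL_OP;
 
- my $ver;
+ my $ver = '';
 for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
 or croak("invalid SSL_version specified");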
--- lib/IO/Socket/SSL.pod
|
|
+++ lib/IO/Socket/SSL.pod
|
|
@@ -993,11 +993,12 @@ protocol to the specified version.
|
|
All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
|
|
also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
|
|
recent versions of Net::SSLeay and openssl.
|
|
+The default SSL_version is defined by the underlying cryptographic library.
|
|
|
|
Independent from the handshake format you can limit to set of accepted SSL
|
|
versions by adding !version separated by ':'.
|
|
|
|
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
|
|
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
|
|
handshake format is compatible to SSL2.0 and higher, but that the successful
|
|
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
|
|
both of these versions have serious security issues and should not be used
|