|
|
7b6549 |
From ffa8a34d793707a8a05652908b69fea7faeede7c Mon Sep 17 00:00:00 2001
|
|
|
7b6549 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
7b6549 |
Date: Thu, 7 Aug 2014 10:36:40 +0200
|
|
|
7b6549 |
Subject: [PATCH] Respect OpenSSL default ciphers and protocol versions
|
|
|
7b6549 |
MIME-Version: 1.0
|
|
|
7b6549 |
Content-Type: text/plain; charset=UTF-8
|
|
|
7b6549 |
Content-Transfer-Encoding: 8bit
|
|
|
7b6549 |
|
|
|
7b6549 |
If application did not specified cipher or protocol version,
|
|
|
7b6549 |
IO::Socket::SSL set them to 'ALL:!LOW' and 'SSLv23:!SSLv2'. This
|
|
|
7b6549 |
undermined global cryptogphic setting.
|
|
|
7b6549 |
|
|
|
7b6549 |
This patch disables these defaults hard-coded into IO::Socket::SSL and
|
|
|
7b6549 |
leves the decision on OpenSSL.
|
|
|
7b6549 |
|
|
|
7b6549 |
http://rt.cpan.org/Public/Bug/Display.html?id=97816
|
|
|
7b6549 |
https://bugzilla.redhat.com/show_bug.cgi?id=1127322
|
|
|
7b6549 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
7b6549 |
---
|
|
|
7b6549 |
lib/IO/Socket/SSL.pm | 13 +++++++------
|
|
|
7b6549 |
t/dhe.t | 1 +
|
|
|
7b6549 |
2 files changed, 8 insertions(+), 6 deletions(-)
|
|
|
7b6549 |
|
|
|
7b6549 |
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
index 3e02e8f..eb4bd05 100644
|
|
|
7b6549 |
--- a/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
+++ b/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
@@ -34,13 +34,13 @@ use constant SSL_RECEIVED_SHUTDOWN => 2;
|
|
|
7b6549 |
# global defaults
|
|
|
7b6549 |
my %DEFAULT_SSL_ARGS = (
|
|
|
7b6549 |
SSL_check_crl => 0,
|
|
|
7b6549 |
- SSL_version => 'SSLv23:!SSLv2',
|
|
|
7b6549 |
+ SSL_version => '',
|
|
|
7b6549 |
SSL_verify_callback => undef,
|
|
|
7b6549 |
SSL_verifycn_scheme => undef, # don't verify cn
|
|
|
7b6549 |
SSL_verifycn_name => undef, # use from PeerAddr/PeerHost
|
|
|
7b6549 |
SSL_npn_protocols => undef, # meaning depends whether on server or client side
|
|
|
7b6549 |
SSL_honor_cipher_order => 0, # client order gets preference
|
|
|
7b6549 |
- SSL_cipher_list => 'ALL:!LOW',
|
|
|
7b6549 |
+ SSL_cipher_list => undef,
|
|
|
7b6549 |
|
|
|
7b6549 |
# default for SSL_verify_mode should be SSL_VERIFY_PEER for client
|
|
|
7b6549 |
# for now we keep the default of SSL_VERIFY_NONE but complain, if
|
|
|
7b6549 |
@@ -1579,7 +1579,7 @@ sub new {
|
|
|
7b6549 |
return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'});
|
|
|
7b6549 |
}
|
|
|
7b6549 |
|
|
|
7b6549 |
- my $ver;
|
|
|
7b6549 |
+ my $ver='';
|
|
|
7b6549 |
my $disable_ver = 0;
|
|
|
7b6549 |
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
|
|
|
7b6549 |
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
|
|
|
7b6549 |
@@ -2049,7 +2049,8 @@ to the specified version. All values are case-insensitive.
|
|
|
7b6549 |
|
|
|
7b6549 |
You can limit to set of supported protocols by adding !version separated by ':'.
|
|
|
7b6549 |
|
|
|
7b6549 |
-The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1
|
|
|
7b6549 |
+The default SSL_version is defined by underlying cryptographic library.
|
|
|
7b6549 |
+E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1
|
|
|
7b6549 |
are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving
|
|
|
7b6549 |
only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions
|
|
|
7b6549 |
1.1 and 1.2 while allowing TLS version 1.0.
|
|
|
7b6549 |
@@ -2066,8 +2067,8 @@ given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look into the OpenSSL
|
|
|
7b6549 |
documentation (L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>)
|
|
|
7b6549 |
for more details.
|
|
|
7b6549 |
|
|
|
7b6549 |
-If this option is not set 'ALL:!LOW' will be used.
|
|
|
7b6549 |
-To use OpenSSL builtin default (whatever this is) set it to ''.
|
|
|
7b6549 |
+If this option is not set or is set to '', OpenSSL builtin default (whatever
|
|
|
7b6549 |
+this is) will be used.
|
|
|
7b6549 |
|
|
|
7b6549 |
=item SSL_honor_cipher_order
|
|
|
7b6549 |
|
|
|
7b6549 |
diff --git a/t/dhe.t b/t/dhe.t
|
|
|
7b6549 |
index a2bf565..4010a26 100644
|
|
|
7b6549 |
--- a/t/dhe.t
|
|
|
7b6549 |
+++ b/t/dhe.t
|
|
|
7b6549 |
@@ -55,6 +55,7 @@ if ( !defined $pid ) {
|
|
|
7b6549 |
close($server);
|
|
|
7b6549 |
my $to_server = IO::Socket::SSL->new(
|
|
|
7b6549 |
PeerAddr => $addr,
|
|
|
7b6549 |
+ SSL_cipher_list => 'ALL:RSA:!aRSA',
|
|
|
7b6549 |
SSL_verify_mode => 0 ) || do {
|
|
|
7b6549 |
notok( "connect failed: $SSL_ERROR" );
|
|
|
7b6549 |
exit
|
|
|
7b6549 |
--
|
|
|
7b6549 |
1.9.3
|
|
|
7b6549 |
|