|
|
7b6549 |
From 70d5c2746afee9c2b6112246ab1640aa0ebb34c5 Mon Sep 17 00:00:00 2001
|
|
|
7b6549 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
7b6549 |
Date: Thu, 6 Oct 2016 14:51:26 +0200
|
|
|
7b6549 |
Subject: [PATCH 2/2] The new syntax for the protocols is TLSv1_1 instead of
|
|
|
7b6549 |
TLSv11
|
|
|
7b6549 |
MIME-Version: 1.0
|
|
|
7b6549 |
Content-Type: text/plain; charset=UTF-8
|
|
|
7b6549 |
Content-Transfer-Encoding: 8bit
|
|
|
7b6549 |
|
|
|
7b6549 |
This is a part of these commits ported to 1.94:
|
|
|
7b6549 |
|
|
|
7b6549 |
commit 5c2151176da6a37e7dd16fd2ffc39809f58f6035
|
|
|
7b6549 |
Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
|
|
|
7b6549 |
Date: Wed Jan 15 12:33:49 2014 +0100
|
|
|
7b6549 |
|
|
|
7b6549 |
1.964: get_sslversion* function, disabling TLS1_1 fixed
|
|
|
7b6549 |
|
|
|
7b6549 |
- Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
|
|
|
7b6549 |
the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
|
|
|
7b6549 |
- The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
|
|
|
7b6549 |
the syntax from OpenSSL. The old syntax continues to work in SSL_version.
|
|
|
7b6549 |
- New functions get_sslversion and get_sslversion_int which get the SSL version
|
|
|
7b6549 |
of the establish session as string or int.
|
|
|
7b6549 |
- disable t/io-socket-inet6.t if Acme::Override::INET is installed
|
|
|
7b6549 |
|
|
|
7b6549 |
commit bd49a91f755e5027ba5aa1656f32f86486f5c0fd
|
|
|
7b6549 |
Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
|
|
|
7b6549 |
Date: Tue Jan 21 17:53:15 2014 +0100
|
|
|
7b6549 |
|
|
|
7b6549 |
1.966
|
|
|
7b6549 |
- fixed bug introduced in 1.964 - disabling TLSv1_2 worked no
|
|
|
7b6549 |
longer with
|
|
|
7b6549 |
specifying !TLSv12, only !TLSv1_2 worked
|
|
|
7b6549 |
- fixed leak of session objects in SessionCache, if another
|
|
|
7b6549 |
session
|
|
|
7b6549 |
replaced an existing session (introduced in 1.965)
|
|
|
7b6549 |
|
|
|
7b6549 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
7b6549 |
---
|
|
|
7b6549 |
lib/IO/Socket/SSL.pm | 62 ++++++++++++++++++++++++++++------------------------
|
|
|
7b6549 |
1 file changed, 34 insertions(+), 28 deletions(-)
|
|
|
7b6549 |
|
|
|
7b6549 |
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
index a30ffb1..4720606 100644
|
|
|
7b6549 |
--- a/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
+++ b/lib/IO/Socket/SSL.pm
|
|
|
7b6549 |
@@ -61,6 +61,15 @@ BEGIN{
|
|
|
7b6549 |
if $@;
|
|
|
7b6549 |
}
|
|
|
7b6549 |
|
|
|
7b6549 |
+# get constants for SSL_OP_NO_* now, instead calling the releated functions
|
|
|
7b6549 |
+# everytime we setup a connection
|
|
|
7b6549 |
+my %SSL_OP_NO;
|
|
|
7b6549 |
+for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) {
|
|
|
7b6549 |
+ my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_);
|
|
|
7b6549 |
+ my $sub = "Net::SSLeay::OP_NO_$op";
|
|
|
7b6549 |
+ $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0;
|
|
|
7b6549 |
+}
|
|
|
7b6549 |
+
|
|
|
7b6549 |
our $DEBUG;
|
|
|
7b6549 |
use vars qw(@ISA $SSL_ERROR @EXPORT );
|
|
|
7b6549 |
|
|
|
7b6549 |
@@ -1582,32 +1591,27 @@ sub new {
|
|
|
7b6549 |
my $ver='';
|
|
|
7b6549 |
my $disable_ver = 0;
|
|
|
7b6549 |
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
|
|
|
7b6549 |
- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
|
|
|
7b6549 |
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
|
|
|
7b6549 |
or croak("invalid SSL_version specified");
|
|
|
7b6549 |
my $not = $1;
|
|
|
7b6549 |
( my $v = lc($2||$3) ) =~s{^(...)}{\U$1};
|
|
|
7b6549 |
- $v =~s{/}{}; # interpret SSLv2/3 as SSLv23
|
|
|
7b6549 |
if ( $not ) {
|
|
|
7b6549 |
- $disable_ver |=
|
|
|
7b6549 |
- $v eq 'SSLv2' ? 0x01000000 : # SSL_OP_NO_SSLv2
|
|
|
7b6549 |
- $v eq 'SSLv3' ? 0x02000000 : # SSL_OP_NO_SSLv3
|
|
|
7b6549 |
- $v eq 'TLSv1' ? 0x04000000 : # SSL_OP_NO_TLSv1
|
|
|
7b6549 |
- $v eq 'TLSv11' ? 0x00000400 : # SSL_OP_NO_TLSv1_1
|
|
|
7b6549 |
- $v eq 'TLSv12' ? 0x08000000 : # SSL_OP_NO_TLSv1_2
|
|
|
7b6549 |
- croak("cannot disable version $_");
|
|
|
7b6549 |
+ $disable_ver |= $SSL_OP_NO{$v};
|
|
|
7b6549 |
} else {
|
|
|
7b6549 |
croak("cannot set multiple SSL protocols in SSL_version")
|
|
|
7b6549 |
if $ver && $v ne $ver;
|
|
|
7b6549 |
$ver = $v;
|
|
|
7b6549 |
+ $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23
|
|
|
7b6549 |
+ $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1
|
|
|
7b6549 |
}
|
|
|
7b6549 |
}
|
|
|
7b6549 |
|
|
|
7b6549 |
my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay',
|
|
|
7b6549 |
- $ver eq 'SSLv2' ? 'CTX_v2_new' :
|
|
|
7b6549 |
- $ver eq 'SSLv3' ? 'CTX_v3_new' :
|
|
|
7b6549 |
- $ver eq 'TLSv1' ? 'CTX_tlsv1_new' :
|
|
|
7b6549 |
- $ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' :
|
|
|
7b6549 |
- $ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' :
|
|
|
7b6549 |
+ $ver eq 'SSLv2' ? 'CTX_v2_new' :
|
|
|
7b6549 |
+ $ver eq 'SSLv3' ? 'CTX_v3_new' :
|
|
|
7b6549 |
+ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' :
|
|
|
7b6549 |
+ $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' :
|
|
|
7b6549 |
+ $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' :
|
|
|
7b6549 |
'CTX_new'
|
|
|
7b6549 |
) or return IO::Socket::SSL->error("SSL Version $ver not supported");
|
|
|
7b6549 |
my $ctx = $ctx_new_sub->() or return
|
|
|
7b6549 |
@@ -2064,24 +2068,26 @@ See section "SNI Support" for details of SNI the support.
|
|
|
7b6549 |
|
|
|
7b6549 |
=item SSL_version
|
|
|
7b6549 |
|
|
|
7b6549 |
-Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates
|
|
|
7b6549 |
-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12'
|
|
|
7b6549 |
-restrict the protocol to the specified version. All values are case-insensitive.
|
|
|
7b6549 |
-Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay
|
|
|
7b6549 |
-and openssl.
|
|
|
7b6549 |
+Sets the version of the SSL protocol used to transmit data.
|
|
|
7b6549 |
+'SSLv23' auto-negotiates between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3',
|
|
|
7b6549 |
+'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict the protocol to the specified version.
|
|
|
7b6549 |
+All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can
|
|
|
7b6549 |
+also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires
|
|
|
7b6549 |
+recent versions of Net::SSLeay and openssl.
|
|
|
7b6549 |
|
|
|
7b6549 |
You can limit to set of supported protocols by adding !version separated by ':'.
|
|
|
7b6549 |
|
|
|
7b6549 |
The default SSL_version is defined by underlying cryptographic library.
|
|
|
7b6549 |
-E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1
|
|
|
7b6549 |
-are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving
|
|
|
7b6549 |
-only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions
|
|
|
7b6549 |
-1.1 and 1.2 while allowing TLS version 1.0.
|
|
|
7b6549 |
-
|
|
|
7b6549 |
-Setting the version instead to 'TLSv1' will probably break interaction with lots of
|
|
|
7b6549 |
-clients which start with SSLv2 and then upgrade to TLSv1. On the other side some
|
|
|
7b6549 |
-clients just close the connection when they receive a TLS version 1.1 request. In this
|
|
|
7b6549 |
-case setting the version to 'SSLv23:!SSLv2:!TLSv11:!TLSv12' might help.
|
|
|
7b6549 |
+E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and
|
|
|
7b6549 |
+TLSv1 are supported for initial protocol handshakes, but SSLv2 will not be
|
|
|
7b6549 |
+accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv1_1 and !TLSv1_2
|
|
|
7b6549 |
+to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0.
|
|
|
7b6549 |
+
|
|
|
7b6549 |
+Setting the version instead to 'TLSv1' will probably break interaction with
|
|
|
7b6549 |
+lots of clients which start with SSLv2 and then upgrade to TLSv1. On the other
|
|
|
7b6549 |
+side some clients just close the connection when they receive a TLS version 1.1
|
|
|
7b6549 |
+request. In this case setting the version to 'SSLv23:!SSLv2:!TLSv1_1:!TLSv1_2'
|
|
|
7b6549 |
+might help.
|
|
|
7b6549 |
|
|
|
7b6549 |
=item SSL_cipher_list
|
|
|
7b6549 |
|
|
|
7b6549 |
--
|
|
|
7b6549 |
2.7.4
|
|
|
7b6549 |
|