Blame SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch

7b6549
From 70d5c2746afee9c2b6112246ab1640aa0ebb34c5 Mon Sep 17 00:00:00 2001
7b6549
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
7b6549
Date: Thu, 6 Oct 2016 14:51:26 +0200
7b6549
Subject: [PATCH 2/2] The new syntax for the protocols is TLSv1_1 instead of
7b6549
 TLSv11
7b6549
MIME-Version: 1.0
7b6549
Content-Type: text/plain; charset=UTF-8
7b6549
Content-Transfer-Encoding: 8bit
7b6549
7b6549
This is a part of these commits ported to 1.94:
7b6549
7b6549
commit 5c2151176da6a37e7dd16fd2ffc39809f58f6035
7b6549
Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
7b6549
Date:   Wed Jan 15 12:33:49 2014 +0100
7b6549
7b6549
    1.964: get_sslversion* function, disabling TLS1_1 fixed
7b6549
7b6549
    - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
7b6549
      the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
7b6549
    - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
7b6549
      the syntax from OpenSSL. The old syntax continues to work in SSL_version.
7b6549
    - New functions get_sslversion and get_sslversion_int which get the SSL version
7b6549
      of the establish session as string or int.
7b6549
    - disable t/io-socket-inet6.t if Acme::Override::INET is installed
7b6549
7b6549
commit bd49a91f755e5027ba5aa1656f32f86486f5c0fd
7b6549
Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
7b6549
Date:   Tue Jan 21 17:53:15 2014 +0100
7b6549
7b6549
    1.966
7b6549
    - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no
7b6549
      longer with
7b6549
      specifying !TLSv12, only !TLSv1_2 worked
7b6549
    - fixed leak of session objects in SessionCache, if another
7b6549
      session
7b6549
      replaced an existing session (introduced in 1.965)
7b6549
7b6549
Signed-off-by: Petr Písař <ppisar@redhat.com>
7b6549
---
7b6549
 lib/IO/Socket/SSL.pm | 62 ++++++++++++++++++++++++++++------------------------
7b6549
 1 file changed, 34 insertions(+), 28 deletions(-)
7b6549
7b6549
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
7b6549
index a30ffb1..4720606 100644
7b6549
--- a/lib/IO/Socket/SSL.pm
7b6549
+++ b/lib/IO/Socket/SSL.pm
7b6549
@@ -61,6 +61,15 @@ BEGIN{
7b6549
 	if $@;
7b6549
 }
7b6549
 
7b6549
+# get constants for SSL_OP_NO_* now, instead calling the releated functions
7b6549
+# everytime we setup a connection
7b6549
+my %SSL_OP_NO;
7b6549
+for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) {
7b6549
+    my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_);
7b6549
+    my $sub = "Net::SSLeay::OP_NO_$op";
7b6549
+    $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0;
7b6549
+}
7b6549
+
7b6549
 our $DEBUG;
7b6549
 use vars qw(@ISA $SSL_ERROR @EXPORT );
7b6549
 
7b6549
@@ -1582,32 +1591,27 @@ sub new {
7b6549
     my $ver='';
7b6549
     my $disable_ver = 0;
7b6549
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
7b6549
-	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i 
7b6549
+	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
7b6549
 	or croak("invalid SSL_version specified");
7b6549
 	my $not = $1;
7b6549
 	( my $v = lc($2||$3) ) =~s{^(...)}{\U$1};
7b6549
-	$v =~s{/}{}; # interpret SSLv2/3 as SSLv23
7b6549
 	if ( $not ) {
7b6549
-	    $disable_ver |= 
7b6549
-		$v eq 'SSLv2'  ? 0x01000000 : # SSL_OP_NO_SSLv2 
7b6549
-		$v eq 'SSLv3'  ? 0x02000000 : # SSL_OP_NO_SSLv3 
7b6549
-		$v eq 'TLSv1'  ? 0x04000000 : # SSL_OP_NO_TLSv1
7b6549
-		$v eq 'TLSv11' ? 0x00000400 : # SSL_OP_NO_TLSv1_1
7b6549
-		$v eq 'TLSv12' ? 0x08000000 : # SSL_OP_NO_TLSv1_2
7b6549
-		croak("cannot disable version $_");
7b6549
+	    $disable_ver |= $SSL_OP_NO{$v};
7b6549
 	} else {
7b6549
 	    croak("cannot set multiple SSL protocols in SSL_version")
7b6549
 		if $ver && $v ne $ver;
7b6549
 	    $ver = $v;
7b6549
+	    $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23
7b6549
+	    $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1
7b6549
 	}
7b6549
     }
7b6549
 
7b6549
     my $ctx_new_sub =  UNIVERSAL::can( 'Net::SSLeay',
7b6549
-	$ver eq 'SSLv2'  ? 'CTX_v2_new' :
7b6549
-	$ver eq 'SSLv3'  ? 'CTX_v3_new' :
7b6549
-	$ver eq 'TLSv1'  ? 'CTX_tlsv1_new' :
7b6549
-	$ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' :
7b6549
-	$ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' :
7b6549
+	$ver eq 'SSLv2'   ? 'CTX_v2_new' :
7b6549
+	$ver eq 'SSLv3'   ? 'CTX_v3_new' :
7b6549
+	$ver eq 'TLSv1'   ? 'CTX_tlsv1_new' :
7b6549
+	$ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' :
7b6549
+	$ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' :
7b6549
 	'CTX_new'
7b6549
     ) or return IO::Socket::SSL->error("SSL Version $ver not supported");
7b6549
     my $ctx = $ctx_new_sub->() or return 
7b6549
@@ -2064,24 +2068,26 @@ See section "SNI Support" for details of SNI the support.
7b6549
 
7b6549
 =item SSL_version
7b6549
 
7b6549
-Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates 
7b6549
-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12'
7b6549
-restrict the protocol to the specified version. All values are case-insensitive.
7b6549
-Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay
7b6549
-and openssl.
7b6549
+Sets the version of the SSL protocol used to transmit data. 
7b6549
+'SSLv23' auto-negotiates between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3',
7b6549
+'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict the protocol to the specified version.
7b6549
+All values are case-insensitive.  Instead of 'TLSv1_1' and 'TLSv1_2' one can
7b6549
+also use 'TLSv11' and 'TLSv12'.  Support for 'TLSv1_1' and 'TLSv1_2' requires
7b6549
+recent versions of Net::SSLeay and openssl.
7b6549
 
7b6549
 You can limit to set of supported protocols by adding !version separated by ':'.
7b6549
 
7b6549
 The default SSL_version is defined by underlying cryptographic library.
7b6549
-E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1
7b6549
-are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving 
7b6549
-only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions
7b6549
-1.1 and 1.2 while allowing TLS version 1.0.
7b6549
-
7b6549
-Setting the version instead to 'TLSv1' will probably break interaction with lots of
7b6549
-clients which start with SSLv2 and then upgrade to TLSv1. On the other side some
7b6549
-clients just close the connection when they receive a TLS version 1.1 request. In this 
7b6549
-case setting the version to 'SSLv23:!SSLv2:!TLSv11:!TLSv12' might help.
7b6549
+E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and
7b6549
+TLSv1 are supported for initial protocol handshakes, but SSLv2 will not be
7b6549
+accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv1_1 and !TLSv1_2
7b6549
+to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0.
7b6549
+
7b6549
+Setting the version instead to 'TLSv1' will probably break interaction with
7b6549
+lots of clients which start with SSLv2 and then upgrade to TLSv1. On the other
7b6549
+side some clients just close the connection when they receive a TLS version 1.1
7b6549
+request. In this case setting the version to 'SSLv23:!SSLv2:!TLSv1_1:!TLSv1_2'
7b6549
+might help.
7b6549
 
7b6549
 =item SSL_cipher_list
7b6549
 
7b6549
-- 
7b6549
2.7.4
7b6549