From 09845b5f117cedb6f5b8fa2e66f163ab32547e20 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:16:29 +0000 Subject: import perl-IO-Socket-SSL-1.94-7.el7 --- diff --git a/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch b/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch new file mode 100644 index 0000000..a7da922 --- /dev/null +++ b/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch 
@@ -0,0 +1,149 @@ +From acf455911cd0b97e247bcd06e365a3fea0ba208c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 8 Dec 2016 13:49:11 +0100 +Subject: [PATCH] Default SSL_ca_file to system-wide store +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch provides a default value for a file with CA certificates. +Similar idea was implemented in upstream version 1.968. + +This patch also decouples default values for CA and client +certificates. This allows to specify SSL_cert_file and SSL_key_file +while not specifying SSL_ca_path and SSL_ca_file to still use +default values for them. + +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 65 +++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 44 insertions(+), 21 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 4720606..2ea454b 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -326,7 +326,7 @@ sub configure_SSL { + "*******************************************************************\n". + " Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client\n". + " is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER\n". +- " together with SSL_ca_file|SSL_ca_path for verification.\n". ++ " possibly with SSL_ca_file|SSL_ca_path for verification.\n". + " If you really don't want to verify the certificate and keep the\n". + " connection open to Man-In-The-Middle attacks please set\n". + " SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.\n". 
+@@ -339,24 +339,54 @@ sub configure_SSL { + %$arg_hash = ( %default_args, %$arg_hash ); + + # use default path to certs and ca unless another one was given +- # don't mix default path with user specified path, either we use all +- # or no defaults ++ # don't mix default paths with user specified paths for CA or client ++ # certificates, either we use all from the grup or no defaults + { +- my $use_default = 1; +- for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file SSL_ca_file SSL_ca_path )) { ++ my $use_default_ca = 1; ++ my $dont_use_system_ca_file = (exists $arg_hash->{SSL_ca_file} and ++ not defined($arg_hash->{SSL_ca_file})); ++ for (qw( SSL_ca_file SSL_ca_path )) { + next if ! defined $arg_hash->{$_}; + # some apps set keys '' to signal that it is not set, replace with undef + if ( $arg_hash->{$_} eq '' ) { + $arg_hash->{$_} = undef; + next; + } +- $use_default = 0; ++ $use_default_ca = 0; + } +- if ( $use_default ) { ++ my $use_default_client = 1; ++ for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file )) { ++ next if ! defined $arg_hash->{$_}; ++ # some apps set keys '' to signal that it is not set, replace with undef ++ if ( $arg_hash->{$_} eq '' ) { ++ $arg_hash->{$_} = undef; ++ next; ++ } ++ $use_default_client = 0; ++ } ++ if ( $use_default_ca ) { + my %ca = + -f 'certs/my-ca.pem' ? ( SSL_ca_file => 'certs/my-ca.pem' ) : + -d 'ca/' ? ( SSL_ca_path => 'ca/' ) : + (); ++ if (! %ca and !$dont_use_system_ca_file) { ++ require Mozilla::CA; ++ %ca = ( SSL_ca_file => Mozilla::CA::SSL_ca_file() ); ++ } ++ %$arg_hash = ( %$arg_hash, %ca ); ++ } else { ++ if ( defined( my $f = $arg_hash->{SSL_ca_file} )) { ++ die "SSL_ca_file $f does not exist" if ! -f $f; ++ die "SSL_ca_file $f is not accessable" if ! -r _; ++ } ++ if ( defined( my $d = $arg_hash->{SSL_ca_path} )) { ++ die "only SSL_ca_path or SSL_ca_file should be given" ++ if defined $arg_hash->{SSL_ca_file}; ++ die "SSL_ca_path $d does not exist" if ! -d $d; ++ die "SSL_ca_path $d is not accessable" if ! 
-r _; ++ } ++ } ++ if ( $use_default_client ) { + my %certs = $is_server ? ( + SSL_key_file => 'certs/server-key.pem', + SSL_cert_file => 'certs/server-cert.pem', +@@ -364,7 +394,7 @@ sub configure_SSL { + SSL_key_file => 'certs/client-key.pem', + SSL_cert_file => 'certs/client-cert.pem', + ); +- %$arg_hash = ( %$arg_hash, %ca, %certs ); ++ %$arg_hash = ( %$arg_hash, %certs ); + } else { + for(qw(SSL_cert_file SSL_key_file)) { + defined( my $file = $arg_hash->{$_} ) or next; +@@ -373,16 +403,6 @@ sub configure_SSL { + die "$_ $f is not accessable" if ! -r _; + } + } +- if ( defined( my $f = $arg_hash->{SSL_ca_file} )) { +- die "SSL_ca_file $f does not exist" if ! -f $f; +- die "SSL_ca_file $f is not accessable" if ! -r _; +- } +- if ( defined( my $d = $arg_hash->{SSL_ca_path} )) { +- die "only SSL_ca_path or SSL_ca_file should be given" +- if defined $arg_hash->{SSL_ca_file}; +- die "SSL_ca_path $d does not exist" if ! -d $d; +- die "SSL_ca_path $d is not accessable" if ! -r _; +- } + } + } + +@@ -1937,8 +1957,11 @@ IO::Socket::SSL -- SSL sockets with IO::Socket interface + + # certificate verification + SSL_verify_mode => SSL_VERIFY_PEER, ++ ++ # location of CA store ++ # need only be given if default store should not be used + SSL_ca_path => '/etc/ssl/certs', # typical CA path on Linux +- # on OpenBSD instead: SSL_ca_file => '/etc/ssl/cert.pem' ++ SSL_ca_file => '/etc/ssl/cert.pem', # typical CA file on BSD + + # easy hostname verification + SSL_verifycn_name => 'foo.bar', # defaults to PeerHost +@@ -2210,9 +2233,9 @@ password required to decrypt your private key. + =item SSL_ca_file + + If you want to verify that the peer certificate has been signed by a reputable +-certificate authority, then you should use this option to locate the file ++certificate authority, then you can use this option to locate the file + containing the certificateZ<>(s) of the reputable certificate authorities if it is +-not already in the file F. 
++not already in the file F or in a system-wide certificate authority certificates store. + If you definitely want no SSL_ca_file used you should set it to undef. + + =item SSL_ca_path +-- +2.7.4 + diff --git a/SPECS/perl-IO-Socket-SSL.spec b/SPECS/perl-IO-Socket-SSL.spec index e81feb1..b34edc0 100644 --- a/SPECS/perl-IO-Socket-SSL.spec +++ b/SPECS/perl-IO-Socket-SSL.spec @@ -1,6 +1,6 @@ Name: perl-IO-Socket-SSL Version: 1.94 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Perl library for transparent SSL Group: Development/Libraries License: GPL+ or Artistic @@ -20,6 +20,8 @@ Patch4: IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12. # The new syntax for the protocols is TLSv1_1 instead of TLSv11, bug #1335035, # in upstream 1.966 Patch5: IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch +# Default to system wide CA certificate store, bug #1402588, in upstream 1.968 +Patch6: IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch BuildArch: noarch BuildRequires: openssl >= 0.9.8 BuildRequires: perl @@ -33,6 +35,7 @@ BuildRequires: perl(IO::Socket) BuildRequires: perl(IO::Socket::INET) #BuildRequires: perl(IO::Socket::INET6) ???? BuildRequires: perl(IO::Socket::IP) >= 0.20 +# Mozilla::CA not used at tests BuildRequires: perl(Net::LibIDN) BuildRequires: perl(Net::SSLeay) >= 1.46 BuildRequires: perl(Scalar::Util) @@ -46,6 +49,7 @@ BuildRequires: procps Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(IO::Socket::IP) >= 0.20 Requires: perl(Socket) >= 1.95 +Requires: perl(Mozilla::CA) Requires: perl(Net::LibIDN) Requires: perl-Net-SSLeay >= 1.55-5 Requires: openssl >= 0.9.8 @@ -67,6 +71,7 @@ mod_perl. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build perl Makefile.PL INSTALLDIRS=vendor 
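Review bot: The SYNOPSIS change in the inner `@@ -1937,8 +1957,11 @@` hunk now lists `SSL_ca_path => '/etc/ssl/certs'` and `SSL_ca_file => '/etc/ssl/cert.pem'` as two live entries of the same argument list, but the check this same patch moves into the `else` branch (`die "only SSL_ca_path or SSL_ca_file should be given" if defined $arg_hash->{SSL_ca_file};`) rejects exactly that combination, so copying the example verbatim dies; keep the BSD entry as an alternative, e.g. `# on BSD use instead: SSL_ca_file => '/etc/ssl/cert.pem',`. Separately, the new fallback only reaches `Mozilla::CA::SSL_ca_file()` after the pre-existing cwd-relative `certs/my-ca.pem` / `ca/` probes have come up empty, so the trust anchor a client ends up with depends on the working directory it happens to run from; consider probing the system store first, or at least add a comment at the `if (! %ca and !$dont_use_system_ca_file)` line noting that a cwd-relative CA file or directory shadows it. Whether `Mozilla::CA::SSL_ca_file()` really is the system-wide store presumably depends on the distribution's Mozilla::CA package pointing at it, which the commit message asserts but nothing in the code checks. The new comment line `either we use all from the grup or no defaults` has a typo (`group`). The enclosing `configure_SSL` starts and ends outside the inner hunks.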
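Review bot: The added comment `# Mozilla::CA not used at tests` in the `@@ -33,6 +35,7 @@` hunk sits between the `perl(IO::Socket::IP)` and `perl(Net::LibIDN)` BuildRequires lines without naming what it explains, so a reader can take it as describing the Net::LibIDN line rather than a deliberately omitted BuildRequires. Since the patched configure_SSL does `require Mozilla::CA` for any socket created without SSL_ca_file/SSL_ca_path when neither `certs/my-ca.pem` nor `ca/` exists in the cwd, the claim only holds if every test either passes a CA option or runs where those defaults exist, and it is worth saying so. Suggest `# perl(Mozilla::CA) is deliberately not build-required: the test suite never reaches the default CA-store lookup`.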
@@ -88,6 +93,9 @@ make test %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Wed Aug 30 2017 Petr Pisar - 1.94-7 +- Default to system wide CA certificate store (bug #1402588) + * Thu Oct 06 2016 Petr Pisar - 1.94-6 - Add support for TLSv1.1, TLSv1.2 (bug #1335035)