From ffa8a34d793707a8a05652908b69fea7faeede7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 7 Aug 2014 10:36:40 +0200
Subject: [PATCH] Respect OpenSSL default ciphers and protocol versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If application did not specified cipher or protocol version, IO::Socket::SSL set them to 'ALL:!LOW' and 'SSLv23:!SSLv2'. This undermined global cryptogphic setting. This patch disables these defaults hard-coded into IO::Socket::SSL and leves the decision on OpenSSL.
http://rt.cpan.org/Public/Bug/Display.html?id=97816
https://bugzilla.redhat.com/show_bug.cgi?id=1127322
Signed-off-by: Petr Písař
---
 lib/IO/Socket/SSL.pm | 13 +++++++------
 t/dhe.t | 1 +
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index 3e02e8f..eb4bd05 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -34,13 +34,13 @@ use constant SSL_RECEIVED_SHUTDOWN => 2;
 # global defaults
 my %DEFAULT_SSL_ARGS = (
 SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv2',
+ SSL_version => '',
 SSL_verify_callback => undef,
 SSL_verifycn_scheme => undef, # don't verify cn
 SSL_verifycn_name => undef, # use from PeerAddr/PeerHost
 SSL_npn_protocols => undef, # meaning depends whether on server or client side
 SSL_honor_cipher_order => 0, # client order gets preference
- SSL_cipher_list => 'ALL:!LOW',
+ SSL_cipher_list => undef,
 # default for SSL_verify_mode should be SSL_VERIFY_PEER for client
 # for now we keep the default of SSL_VERIFY_NONE but complain, if
@@ -1579,7 +1579,7 @@ sub new {
 return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'});
 }
- my $ver;
+ my $ver='';
 my $disable_ver = 0;
 for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
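Review bot: With `SSL_version => ''` and `SSL_cipher_list => undef` in `%DEFAULT_SSL_ARGS`, the module no longer applies any floor of its own: the earlier `!SSLv2` and `!LOW` exclusions are gone. An application that never set these options now inherits whatever the linked OpenSSL build enables, which on an older or permissively configured library may be weaker than before. That matches the intent in the commit message, but neither line carries a comment saying so; I would add `# '' / undef: defer to the OpenSSL library defaults, no module-side exclusions` above them. The behaviour change also deserves a changelog entry, so deployments without a system-wide crypto policy know to set both options explicitly. The hash definition continues outside the hunk.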
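Review bot: `SSL_version` now defaults to `''` while `SSL_cipher_list` in the same patch defaults to `undef`, and the `split` in `new` only handles the first spelling cleanly. A caller who passes `SSL_version => undef` by analogy with the cipher option would feed `undef` to `split`, which warns under `use warnings` if the value reaches this line unchanged; argument merging is outside the hunk, so this is unconfirmed. Normalising at the loop, `for (split(/\s*:\s*/, defined $arg_hash->{SSL_version} ? $arg_hash->{SSL_version} : '')) {`, would make both spellings equivalent. A comment on the initialiser such as `# '' when SSL_version is empty: no protocol explicitly requested` would also help, because the code that consumes `$ver` lies below the hunk.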
@@ -2049,7 +2049,8 @@ to the specified version. All values are case-insensitive. You can limit to set of supported protocols by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1
+The default SSL_version is defined by underlying cryptographic library.
+E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1
 are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0.
@@ -2066,8 +2067,8 @@ given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look into the OpenSSL documentation (L) for more details.
-If this option is not set 'ALL:!LOW' will be used.
-To use OpenSSL builtin default (whatever this is) set it to ''.
+If this option is not set or is set to '', OpenSSL builtin default (whatever
+this is) will be used.
 =item SSL_honor_cipher_order
diff --git a/t/dhe.t b/t/dhe.t
index a2bf565..4010a26 100644
--- a/t/dhe.t
+++ b/t/dhe.t
@@ -55,6 +55,7 @@ if ( !defined $pid ) { close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr,
+ SSL_cipher_list => 'ALL:RSA:!aRSA',
 SSL_verify_mode => 0 ) || do { notok( "connect failed: $SSL_ERROR" ); exit
--
1.9.3
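Review bot: The added `SSL_cipher_list => 'ALL:RSA:!aRSA'` has no comment and reads as self-contradictory, since `RSA` is added and `!aRSA` then permanently removes every suite that authenticates with RSA. What remains probably relies on non-RSA or unauthenticated key exchange, which is acceptable next to `SSL_verify_mode => 0` in a test but should not be copied into application code. I would add a line above it such as `# test-only: force a DHE suite now that the module no longer sets a cipher default`, adjusted to the real intent, which I am inferring from the file name. The enclosing `if ( !defined $pid )` block starts and ends outside the hunk.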