diff --git a/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch b/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch
new file mode 100644
index 0000000..6e2643a
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch
@@ -0,0 +1,148 @@ +From 70d5c2746afee9c2b6112246ab1640aa0ebb34c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 6 Oct 2016 14:51:26 +0200 +Subject: [PATCH 2/2] The new syntax for the protocols is TLSv1_1 instead of + TLSv11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is a part of these commits ported to 1.94: + +commit 5c2151176da6a37e7dd16fd2ffc39809f58f6035 +Author: Steffen Ullrich +Date: Wed Jan 15 12:33:49 2014 +0100 + + 1.964: get_sslversion* function, disabling TLS1_1 fixed + + - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets + the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc + - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches + the syntax from OpenSSL. The old syntax continues to work in SSL_version. + - New functions get_sslversion and get_sslversion_int which get the SSL version + of the establish session as string or int. 
+ - disable t/io-socket-inet6.t if Acme::Override::INET is installed + +commit bd49a91f755e5027ba5aa1656f32f86486f5c0fd +Author: Steffen Ullrich +Date: Tue Jan 21 17:53:15 2014 +0100 + + 1.966 + - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no + longer with + specifying !TLSv12, only !TLSv1_2 worked + - fixed leak of session objects in SessionCache, if another + session + replaced an existing session (introduced in 1.965) + +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 62 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 28 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index a30ffb1..4720606 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -61,6 +61,15 @@ BEGIN{ + if $@; + } + ++# get constants for SSL_OP_NO_* now, instead calling the releated functions ++# everytime we setup a connection ++my %SSL_OP_NO; ++for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) { ++ my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); ++ my $sub = "Net::SSLeay::OP_NO_$op"; ++ $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0; ++} ++ + our $DEBUG; + use vars qw(@ISA $SSL_ERROR @EXPORT ); + +@@ -1582,32 +1591,27 @@ sub new { + my $ver=''; + my $disable_ver = 0; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { +- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i ++ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i + or croak("invalid SSL_version specified"); + my $not = $1; + ( my $v = lc($2||$3) ) =~s{^(...)}{\U$1}; +- $v =~s{/}{}; # interpret SSLv2/3 as SSLv23 + if ( $not ) { +- $disable_ver |= +- $v eq 'SSLv2' ? 0x01000000 : # SSL_OP_NO_SSLv2 +- $v eq 'SSLv3' ? 0x02000000 : # SSL_OP_NO_SSLv3 +- $v eq 'TLSv1' ? 0x04000000 : # SSL_OP_NO_TLSv1 +- $v eq 'TLSv11' ? 0x00000400 : # SSL_OP_NO_TLSv1_1 +- $v eq 'TLSv12' ? 
0x08000000 : # SSL_OP_NO_TLSv1_2 +- croak("cannot disable version $_"); ++ $disable_ver |= $SSL_OP_NO{$v}; + } else { + croak("cannot set multiple SSL protocols in SSL_version") + if $ver && $v ne $ver; + $ver = $v; ++ $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23 ++ $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1 + } + } + + my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay', +- $ver eq 'SSLv2' ? 'CTX_v2_new' : +- $ver eq 'SSLv3' ? 'CTX_v3_new' : +- $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : +- $ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' : +- $ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' : ++ $ver eq 'SSLv2' ? 'CTX_v2_new' : ++ $ver eq 'SSLv3' ? 'CTX_v3_new' : ++ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : ++ $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' : ++ $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' : + 'CTX_new' + ) or return IO::Socket::SSL->error("SSL Version $ver not supported"); + my $ctx = $ctx_new_sub->() or return +@@ -2064,24 +2068,26 @@ See section "SNI Support" for details of SNI the support. + + =item SSL_version + +-Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates +-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12' +-restrict the protocol to the specified version. All values are case-insensitive. +-Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay +-and openssl. ++Sets the version of the SSL protocol used to transmit data. ++'SSLv23' auto-negotiates between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', ++'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict the protocol to the specified version. ++All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can ++also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires ++recent versions of Net::SSLeay and openssl. + + You can limit to set of supported protocols by adding !version separated by ':'. + + The default SSL_version is defined by underlying cryptographic library. +-E.g. 
'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1 +-are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving +-only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions +-1.1 and 1.2 while allowing TLS version 1.0. +- +-Setting the version instead to 'TLSv1' will probably break interaction with lots of +-clients which start with SSLv2 and then upgrade to TLSv1. On the other side some +-clients just close the connection when they receive a TLS version 1.1 request. In this +-case setting the version to 'SSLv23:!SSLv2:!TLSv11:!TLSv12' might help. ++E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and ++TLSv1 are supported for initial protocol handshakes, but SSLv2 will not be ++accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv1_1 and !TLSv1_2 ++to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0. ++ ++Setting the version instead to 'TLSv1' will probably break interaction with ++lots of clients which start with SSLv2 and then upgrade to TLSv1. On the other ++side some clients just close the connection when they receive a TLS version 1.1 ++request. In this case setting the version to 'SSLv23:!SSLv2:!TLSv1_1:!TLSv1_2' ++might help. + + =item SSL_cipher_list + +-- +2.7.4 + diff --git a/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch b/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch new file mode 100644 index 0000000..36be05d --- /dev/null +++ b/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch 
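Review bot: The new line `$disable_ver |= $SSL_OP_NO{$v};` in the `if ( $not )` branch of `new` drops the `croak("cannot disable version $_")` that the removed ternary chain ended with, and the BEGIN-time table stores `|| 0` when a `Net::SSLeay::OP_NO_*` constant cannot be resolved, so `!TLSv1_1`/`!TLSv1_2` on a Net::SSLeay lacking those constants — or `!SSLv23`, whose key is never in `%SSL_OP_NO` now that the `s{/}{}` rewrite moved into the else branch — silently leaves the protocol enabled where the old code croaked. The only visible symptom of the undefined-key case is an "uninitialized value" warning under `use warnings`. Keep the fail-closed behaviour by resolving the mask first: `my $op = $SSL_OP_NO{$v} or croak("cannot disable version $_");` then `$disable_ver |= $op;` (the masks in the removed lines are single non-zero bits, so 0 can only mean the constant was unavailable). The enclosing `sub new` starts and ends outside the hunk.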
@@ -0,0 +1,48 @@
+From f606a25a80a37d5565fed6fc1ce1d8d241dab6c7 Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich
+Date: Mon, 14 Oct 2013 14:13:39 +0200
+Subject: [PATCH 1/2] support for handshake protocol TLSv11, TLSv12
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+---
+ lib/IO/Socket/SSL.pm | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index 3279391..a30ffb1 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -1603,9 +1603,11 @@ sub new {
+ }
+ 
+ my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay',
+- $ver eq 'SSLv2' ? 'CTX_v2_new' :
+- $ver eq 'SSLv3' ? 'CTX_v3_new' :
+- $ver eq 'TLSv1' ? 'CTX_tlsv1_new' :
++ $ver eq 'SSLv2' ? 'CTX_v2_new' :
++ $ver eq 'SSLv3' ? 'CTX_v3_new' :
++ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' :
++ $ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' :
++ $ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' :
+ 'CTX_new'
+ ) or return IO::Socket::SSL->error("SSL Version $ver not supported");
+ my $ctx = $ctx_new_sub->() or return
+@@ -2063,8 +2065,10 @@ See section "SNI Support" for details of SNI the support.
+ =item SSL_version
+ 
+ Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates
+-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3' or 'TLSv1' restrict the protocol
+-to the specified version. All values are case-insensitive.
++between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12'
++restrict the protocol to the specified version. All values are case-insensitive.
++Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay
++and openssl.
+ 
+ You can limit to set of supported protocols by adding !version separated by ':'.
+ 
+--
+2.7.4
+
diff --git a/SPECS/perl-IO-Socket-SSL.spec b/SPECS/perl-IO-Socket-SSL.spec
index 231921a..e81feb1 100644
--- a/SPECS/perl-IO-Socket-SSL.spec
+++ b/SPECS/perl-IO-Socket-SSL.spec
@@ -1,6 +1,6 @@
 Name: perl-IO-Socket-SSL
 Version: 1.94
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Perl library for transparent SSL
 Group: Development/Libraries
 License: GPL+ or Artistic
@@ -14,6 +14,12 @@ Patch1: IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-
 Patch2: IO-Socket-SSL-1.94-Fix-typo-key-free.patch
 # Add support for ECDH key exchange, in upstream 1.955, bug #1316377
 Patch3: IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
+# Add support for handshake protocol TLSv11, TLSv12, bug #1335035,
+# in upstream 1.955
+Patch4: IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch
+# The new syntax for the protocols is TLSv1_1 instead of TLSv11, bug #1335035,
+# in upstream 1.966
+Patch5: IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch
 BuildArch: noarch
 BuildRequires: openssl >= 0.9.8
 BuildRequires: perl
@@ -41,6 +47,7 @@ Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires: perl(IO::Socket::IP) >= 0.20
 Requires: perl(Socket) >= 1.95
 Requires: perl(Net::LibIDN)
+Requires: perl-Net-SSLeay >= 1.55-5
 Requires: openssl >= 0.9.8
 
 %description
@@ -58,6 +65,8 @@ mod_perl.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -79,6 +88,9 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Thu Oct 06 2016 Petr Pisar - 1.94-6
+- Add support for TLSv1.1, TLSv1.2 (bug #1335035)
+
 * Thu Mar 10 2016 Jitka Plesnikova - 1.94-5
 - Add support for ECDH key exchange (bug #1316377)
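Review bot: `Requires: perl-Net-SSLeay >= 1.55-5` in the `@@ -41,6 +47,7 @@` hunk is the only dependency in this block spelled as a binary package name rather than a `perl(...)` virtual provide like the neighbouring `perl(IO::Socket::IP)` and `perl(Socket)` lines, and no BuildRequires is raised alongside it, so the `make test` run shown in the `@@ -79` context still executes against whatever Net::SSLeay the buildroot happens to carry. Since Patch5 resolves `Net::SSLeay::OP_NO_TLSv1_1` at load time and falls back to 0 when it is absent, a build on an older Net-SSLeay would not fail at build time even though `!TLSv1_1` is ineffective at run time. Mirroring the floor with `BuildRequires: perl-Net-SSLeay >= 1.55-5` (in whichever provide form the project prefers) pins the build and its tests to the same version the patch needs.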