|
 |
60da88 |
From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001
|
|
|
60da88 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
60da88 |
Date: Thu, 24 Apr 2014 15:51:01 +0200
|
|
|
60da88 |
Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default
|
|
|
60da88 |
MIME-Version: 1.0
|
|
|
60da88 |
Content-Type: text/plain; charset=UTF-8
|
|
|
60da88 |
Content-Transfer-Encoding: 8bit
|
|
|
60da88 |
|
|
|
60da88 |
'ALL' cipher list is not the same as OpenSSL default. The 'ALL'
|
|
|
60da88 |
contains more ciphers. Some of them are too weak, some of them
|
|
|
60da88 |
prevents from using SSLv3 protocol. Then used SSLv2 protocol does not
|
|
|
60da88 |
support elliptic curve parameter negotion which can cause
|
|
|
60da88 |
interoperability issues when server picks a curve not supported by the
|
|
|
60da88 |
client.
|
|
|
60da88 |
|
|
|
60da88 |
IO-Socket-SSL-1.955 supports special value '' (empty string) to
|
|
|
60da88 |
designed the OpenSSL default. However older IO-Socket-SSL recommends
|
|
|
60da88 |
not to set the option at all.
|
|
|
60da88 |
|
|
|
60da88 |
Thus this patch sets SSL_ciphers only if Net::LDAP application passes
|
|
|
60da88 |
the ciphers option.
|
|
|
60da88 |
|
|
|
60da88 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
60da88 |
---
|
|
|
60da88 |
lib/Net/LDAP.pm | 3 ++-
|
|
|
60da88 |
lib/Net/LDAP.pod | 4 ++--
|
|
|
60da88 |
2 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
60da88 |
|
|
|
60da88 |
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
|
|
|
60da88 |
index 03eb23f..99d227a 100644
|
|
|
60da88 |
--- a/lib/Net/LDAP.pm
|
|
|
60da88 |
+++ b/lib/Net/LDAP.pm
|
|
|
60da88 |
@@ -243,7 +243,8 @@ sub _SSL_context_init_args {
|
|
|
60da88 |
}
|
|
|
60da88 |
|
|
|
60da88 |
(
|
|
|
60da88 |
- SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL',
|
|
|
60da88 |
+ defined $arg->{ciphers} ?
|
|
|
60da88 |
+ ( SSL_cipher_list => defined $arg->{ciphers}) : (),
|
|
|
60da88 |
SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
|
|
|
60da88 |
SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
|
|
|
60da88 |
SSL_key_file => $clientcert ? $clientkey : undef,
|
|
|
60da88 |
diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
|
|
|
60da88 |
index 77a8400..c35508a 100644
|
|
|
60da88 |
--- a/lib/Net/LDAP.pod
|
|
|
60da88 |
+++ b/lib/Net/LDAP.pod
|
|
|
60da88 |
@@ -779,8 +779,8 @@ B<'tlsv1'>.
|
|
|
60da88 |
|
|
|
60da88 |
Specify which subset of cipher suites are permissible for this
|
|
|
60da88 |
connection, using the standard OpenSSL string format. The default
|
|
|
60da88 |
-value is B<'ALL'>, which permits all ciphers, even those that don't
|
|
|
60da88 |
-encrypt.
|
|
|
60da88 |
+behavior is to keep the decision on the underlying cryptographic
|
|
|
60da88 |
+library.
|
|
|
60da88 |
|
|
|
60da88 |
=item clientcert =E<gt> '/path/to/cert.pem'
|
|
|
60da88 |
|
|
|
60da88 |
--
|
|
|
60da88 |
1.9.3
|
|
|
60da88 |
|