Blob Blame History Raw
From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 24 Apr 2014 15:51:01 +0200
Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'ALL' cipher list is not the same as OpenSSL default. The 'ALL'
contains more ciphers. Some of them are too weak, some of them
prevents from using SSLv3 protocol. Then used SSLv2 protocol does not
support elliptic curve parameter negotion which can cause
interoperability issues when server picks a curve not supported by the
client.

IO-Socket-SSL-1.955 supports special value '' (empty string) to
designed the OpenSSL default. However older IO-Socket-SSL recommends
not to set the option at all.

Thus this patch sets SSL_ciphers only if Net::LDAP application passes
the ciphers option.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 lib/Net/LDAP.pm  | 3 ++-
 lib/Net/LDAP.pod | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
index 03eb23f..99d227a 100644
--- a/lib/Net/LDAP.pm
+++ b/lib/Net/LDAP.pm
@@ -243,7 +243,8 @@ sub _SSL_context_init_args {
   }
 
   (
-    SSL_cipher_list     => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL',
+    defined $arg->{ciphers} ?
+        ( SSL_cipher_list     => defined $arg->{ciphers}) : (),
     SSL_ca_file         => exists  $arg->{cafile}  ? $arg->{cafile}  : '',
     SSL_ca_path         => exists  $arg->{capath}  ? $arg->{capath}  : '',
     SSL_key_file        => $clientcert ? $clientkey : undef,
diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
index 77a8400..c35508a 100644
--- a/lib/Net/LDAP.pod
+++ b/lib/Net/LDAP.pod
@@ -779,8 +779,8 @@ B<'tlsv1'>.
 
 Specify which subset of cipher suites are permissible for this
 connection, using the standard OpenSSL string format. The default
-value is B<'ALL'>, which permits all ciphers, even those that don't
-encrypt.
+behavior is to keep the decision on the underlying cryptographic
+library.
 
 =item clientcert =E<gt> '/path/to/cert.pem'
 
-- 
1.9.3