From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Thu, 24 Apr 2014 15:51:01 +0200 Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'ALL' cipher list is not the same as OpenSSL default. The 'ALL' contains more ciphers. Some of them are too weak, some of them prevents from using SSLv3 protocol. Then used SSLv2 protocol does not support elliptic curve parameter negotion which can cause interoperability issues when server picks a curve not supported by the client. IO-Socket-SSL-1.955 supports special value '' (empty string) to designed the OpenSSL default. However older IO-Socket-SSL recommends not to set the option at all. Thus this patch sets SSL_ciphers only if Net::LDAP application passes the ciphers option. Signed-off-by: Petr Písař --- lib/Net/LDAP.pm | 3 ++- lib/Net/LDAP.pod | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm index 03eb23f..99d227a 100644 --- a/lib/Net/LDAP.pm +++ b/lib/Net/LDAP.pm @@ -243,7 +243,8 @@ sub _SSL_context_init_args { } ( - SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL', + defined $arg->{ciphers} ? + ( SSL_cipher_list => defined $arg->{ciphers}) : (), SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '', SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '', SSL_key_file => $clientcert ? $clientkey : undef, diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod index 77a8400..c35508a 100644 --- a/lib/Net/LDAP.pod +++ b/lib/Net/LDAP.pod @@ -779,8 +779,8 @@ B<'tlsv1'>. Specify which subset of cipher suites are permissible for this connection, using the standard OpenSSL string format. The default -value is B<'ALL'>, which permits all ciphers, even those that don't -encrypt. +behavior is to keep the decision on the underlying cryptographic +library. =item clientcert =E '/path/to/cert.pem' -- 1.9.3