diff --git a/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
new file mode 100644
index 0000000..fef3e86
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
@@ -0,0 +1,61 @@
+From 22d4a8728799fd978c358c9b8f7726170f14a1e4 Mon Sep 17 00:00:00 2001
+From: Peter Marschall
+Date: Sun, 23 Nov 2014 19:35:02 +0100
+Subject: [PATCH] LDAP.pm: do not set default sslversion for LDAPS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of setting a default sslversion for LDAPS, rely on the default
+value used by IO::Socket::SSL.
+
+Petr Písař: Ported to 0.56.
+
+Signed-off-by: Petr Písař
+---
+ lib/Net/LDAP.pm | 4 ++--
+ lib/Net/LDAP.pod | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index fc5649a..5969785 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -247,6 +247,8 @@ sub _SSL_context_init_args {
+ (
+ defined $arg->{ciphers} ?
+ ( SSL_cipher_list => $arg->{ciphers} ) : (),
++ defined $arg->{sslversion} ?
++ ( SSL_version => $arg->{sslversion} ) : (),
+ SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
+ SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
+ SSL_key_file => $clientcert ? $clientkey : undef,
+@@ -255,8 +257,6 @@ sub _SSL_context_init_args {
+ SSL_use_cert => $clientcert ? 1 : 0,
+ SSL_cert_file => $clientcert,
+ SSL_verify_mode => $verify,
+- SSL_version => defined $arg->{sslversion} ? $arg->{sslversion} :
+- 'sslv23',
+ %verifycn_ctx,
+ );
+ }
+diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
+index 1a3bcca..06bab70 100644
+--- a/lib/Net/LDAP.pod
++++ b/lib/Net/LDAP.pod
+@@ -186,9 +186,9 @@ B
+ $ldap = Net::LDAP->new( 'remote.host', async => 1 );
+ 
+ LDAPS connections have some extra valid options, see the
+-L method for details. Note the default value for
+-'sslversion' for LDAPS is 'sslv23', and the default port for LDAPS
+-is 636.
++L method for details. Note the default port
++for LDAPS is 636, and the default value for 'sslversion' is the
++value used as default by L.
+ 
+ For LDAPI connections, HOST is actually the location of a UNIX domain
+ socket to connect to. The default location is '/var/run/ldapi'.
+-- 
+2.13.6
+
diff --git a/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
new file mode 100644
index 0000000..686dd67
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
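Review bot: The new `SSL_version` handling in `_SSL_context_init_args` passes nothing to IO::Socket::SSL when `sslversion` is unset, so the protocol versions an LDAPS connection will accept are now decided entirely by whichever IO::Socket::SSL is installed at runtime; recent releases exclude SSLv2/SSLv3 in their default, but older ones may not, so the hardening effect of dropping `'sslv23'` is inherited rather than guaranteed by this code. A comment at the two added lines would make that dependency visible to the next maintainer: `# No SSL_version default here: protocol selection is deliberately left to IO::Socket::SSL`. Since this is a distro backport, the spec could pin the expectation with a versioned dependency such as `Requires: perl(IO::Socket::SSL) >= <minimum version with a secure default, placeholder>`, unless one already exists outside the visible hunks. The `SSL_ca_file`/`SSL_ca_path` context lines still pass `''` when `cafile`/`capath` are absent; that is untouched by this commit but worth confirming against how IO::Socket::SSL treats an empty path when `verify` is set.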
@@ -0,0 +1,55 @@
+From 0edc4099455173649bf23ce25c20679c198287f7 Mon Sep 17 00:00:00 2001
+From: Peter Marschall
+Date: Thu, 2 Apr 2015 14:20:50 +0200
+Subject: [PATCH] LDAP.pm: do not set default sslversion for start_tls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of setting a default sslversion for start_tls, rely on the default
+value used by IO::Socket::SSL.
+In addition, extend documentation slightly.
+
+Petr Písař: Ported to 0.56.
+
+Signed-off-by: Petr Písař
+---
+ lib/Net/LDAP.pm | 1 -
+ lib/Net/LDAP.pod | 8 +++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index 5969785..afa3620 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -1079,7 +1079,6 @@ sub start_tls {
+ 
+ delete $ldap->{net_ldap_root_dse};
+ 
+- $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
+ $arg->{sslserver} = $ldap->{net_ldap_host} unless defined $arg->{sslserver};
+ 
+ my $sock_class = ref($sock);
+diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
+index 06bab70..c819e24 100644
+--- a/lib/Net/LDAP.pod
++++ b/lib/Net/LDAP.pod
+@@ -770,10 +770,12 @@ The server must provide a certificate, and it must be valid.
+ If you set verify to optional or require, you must also set either
+ cafile or capath. The most secure option is B.
+ 
+-=item sslversion =E 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1'
++=item sslversion =E 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv1_1' | 'tlsv1_2'
+ 
+-This defines the version of the SSL/TLS protocol to use. Defaults to
+-B<'tlsv1'>.
++This defines the version of the SSL/TLS protocol to use.
++Default is to use the value that L uses as default.
++
++See L for more details.
+ 
+ =item ciphers =E CIPHERS
+ 
+-- 
+2.13.6
+
diff --git a/SPECS/perl-LDAP.spec b/SPECS/perl-LDAP.spec
index 934c83e..d8a10a7 100644
--- a/SPECS/perl-LDAP.spec
+++ b/SPECS/perl-LDAP.spec
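Review bot: The rewritten `=item sslversion` line in the LDAP.pod hunk still presents `'sslv2'` and `'sslv3'` as ordinary choices alongside the newly listed `'tlsv1_1'` and `'tlsv1_2'`, while the start_tls hunk removes the `'tlsv1'` pin and leaves version negotiation to IO::Socket::SSL; a reader of the option list gets no hint that two of the values are obsolete. One sentence under the item would steer users correctly: `'sslv2' and 'sslv3' are obsolete and insecure; leave sslversion unset unless a specific TLS version must be enforced.` The start_tls hunk keeps `$arg->{sslserver} = $ldap->{net_ldap_host} unless defined $arg->{sslserver};`, so the hostname-verification input is unchanged by this commit. The enclosing `start_tls` body begins and ends outside the hunk.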
@@ -1,6 +1,6 @@
 Name: perl-LDAP
 Version: 0.56
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 1
 Summary: LDAP Perl module
 Group: Development/Libraries
@@ -20,6 +20,10 @@ Patch2: perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.
 Patch3: perl-ldap-0.56-Make-LDAP-work-after-LDAP-start_tls.patch
 # Fix typo in man pages, bug #1286921
 Patch4: perl-ldap-0.56-Fix-typos-in-man-pages.patch
+# 1/2 Do not set default SSL version, bug #1520364, fixed in 0.65
+Patch5: perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
+# 2/2 Do not set default SSL version, bug #1520364, fixed in 0.65
+Patch6: perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl(inc::Module::Install)
@@ -86,6 +90,8 @@ maintenance functions such as adding, deleting or modifying entries.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 chmod -c 644 bin/* contrib/* lib/Net/LDAP/DSML.pm
 perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' contrib/*
 # Remove bundled libraries
@@ -114,6 +120,9 @@ make test
 %{_mandir}/man3/*.3pm*
 %changelog
+* Mon Dec 04 2017 Petr Pisar - 1:0.56-6
+- Do not set default SSL version (bug #1520364)
+
 * Mon Mar 07 2016 Jitka Plesnikova - 1:0.56-5
 - Update patch to cleanup patch leftover