diff --git a/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
new file mode 100644
index 0000000..fef3e86
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
@@ -0,0 +1,61 @@
+From 22d4a8728799fd978c358c9b8f7726170f14a1e4 Mon Sep 17 00:00:00 2001
+From: Peter Marschall <peter@adpm.de>
+Date: Sun, 23 Nov 2014 19:35:02 +0100
+Subject: [PATCH] LDAP.pm: do not set default sslversion for LDAPS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of setting a default sslversion for LDAPS, rely on the default
+value used by IO::Socket::SSL.
+
+Petr Písař: Ported to 0.56.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/Net/LDAP.pm | 4 ++--
+ lib/Net/LDAP.pod | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index fc5649a..5969785 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -247,6 +247,8 @@ sub _SSL_context_init_args {
+ (
+ defined $arg->{ciphers} ?
+ ( SSL_cipher_list => $arg->{ciphers} ) : (),
++ defined $arg->{sslversion} ?
++ ( SSL_version => $arg->{sslversion} ) : (),
+ SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
+ SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
+ SSL_key_file => $clientcert ? $clientkey : undef,
+@@ -255,8 +257,6 @@ sub _SSL_context_init_args {
+ SSL_use_cert => $clientcert ? 1 : 0,
+ SSL_cert_file => $clientcert,
+ SSL_verify_mode => $verify,
+- SSL_version => defined $arg->{sslversion} ? $arg->{sslversion} :
+- 'sslv23',
+ %verifycn_ctx,
+ );
+ }
+diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
+index 1a3bcca..06bab70 100644
+--- a/lib/Net/LDAP.pod
++++ b/lib/Net/LDAP.pod
+@@ -186,9 +186,9 @@ B<Example>
+ $ldap = Net::LDAP->new( 'remote.host', async => 1 );
+
+ LDAPS connections have some extra valid options, see the
+-L<start_tls|/start_tls> method for details. Note the default value for
+-'sslversion' for LDAPS is 'sslv23', and the default port for LDAPS
+-is 636.
++L<start_tls|/start_tls> method for details. Note the default port
++for LDAPS is 636, and the default value for 'sslversion' is the
++value used as default by L<IO::Socket::SSL>.
+
+ For LDAPI connections, HOST is actually the location of a UNIX domain
+ socket to connect to. The default location is '/var/run/ldapi'.
+--
+2.13.6
+
diff --git a/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
new file mode 100644
index 0000000..686dd67
--- /dev/null
+++ b/SOURCES/perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
@@ -0,0 +1,55 @@
+From 0edc4099455173649bf23ce25c20679c198287f7 Mon Sep 17 00:00:00 2001
+From: Peter Marschall <peter@adpm.de>
+Date: Thu, 2 Apr 2015 14:20:50 +0200
+Subject: [PATCH] LDAP.pm: do not set default sslversion for start_tls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of setting a default sslversion for start_tls, rely on the default
+value used by IO::Socket::SSL.
+In addition, extend documentation slightly.
+
+Petr Písař: Ported to 0.56.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/Net/LDAP.pm | 1 -
+ lib/Net/LDAP.pod | 8 +++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
+index 5969785..afa3620 100644
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -1079,7 +1079,6 @@ sub start_tls {
+
+ delete $ldap->{net_ldap_root_dse};
+
+- $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
+ $arg->{sslserver} = $ldap->{net_ldap_host} unless defined $arg->{sslserver};
+
+ my $sock_class = ref($sock);
+diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
+index 06bab70..c819e24 100644
+--- a/lib/Net/LDAP.pod
++++ b/lib/Net/LDAP.pod
+@@ -770,10 +770,12 @@ The server must provide a certificate, and it must be valid.
+ If you set verify to optional or require, you must also set either
+ cafile or capath. The most secure option is B<require>.
+
+-=item sslversion =E<gt> 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1'
++=item sslversion =E<gt> 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv1_1' | 'tlsv1_2'
+
+-This defines the version of the SSL/TLS protocol to use. Defaults to
+-B<'tlsv1'>.
++This defines the version of the SSL/TLS protocol to use.
++Default is to use the value that L<IO::Socket::SSL> uses as default.
++
++See L<IO::Socket::SSL/SSL_version> for more details.
+
+ =item ciphers =E<gt> CIPHERS
+
+--
+2.13.6
+
diff --git a/SPECS/perl-LDAP.spec b/SPECS/perl-LDAP.spec
index 934c83e..d8a10a7 100644
--- a/SPECS/perl-LDAP.spec
+++ b/SPECS/perl-LDAP.spec
@@ -1,6 +1,6 @@
Name: perl-LDAP
Version: 0.56
-Release: 5%{?dist}
+Release: 6%{?dist}
Epoch: 1
Summary: LDAP Perl module
Group: Development/Libraries
@@ -20,6 +20,10 @@ Patch2: perl-ldap-0.56-RT-96203-LDAP.pm-use-correct-length-for-syswrite.
Patch3: perl-ldap-0.56-Make-LDAP-work-after-LDAP-start_tls.patch
# Fix typo in man pages, bug #1286921
Patch4: perl-ldap-0.56-Fix-typos-in-man-pages.patch
+# 1/2 Do not set default SSL version, bug #1520364, fixed in 0.65
+Patch5: perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-LDAPS.patch
+# 2/2 Do not set default SSL version, bug #1520364, fixed in 0.65
+Patch6: perl-ldap-0.56-LDAP.pm-do-not-set-default-sslversion-for-start_tls.patch
BuildArch: noarch
BuildRequires: perl
BuildRequires: perl(inc::Module::Install)
@@ -86,6 +90,8 @@ maintenance functions such as adding, deleting or modifying entries.
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
chmod -c 644 bin/* contrib/* lib/Net/LDAP/DSML.pm
perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' contrib/*
# Remove bundled libraries
@@ -114,6 +120,9 @@ make test
%{_mandir}/man3/*.3pm*
%changelog
+* Mon Dec 04 2017 Petr Pisar <ppisar@redhat.com> - 1:0.56-6
+- Do not set default SSL version (bug #1520364)
+
* Mon Mar 07 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.56-5
- Update patch to cleanup patch leftover