commit 59f445d3f954916eb86d84f1971bbaa8fa38240f Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 11:12:33 2019 -0400 Package init diff --git a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch new file mode 100644 index 0000000..358c5e4 --- /dev/null +++ b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch 
@@ -0,0 +1,40 @@
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index c5affd8..c41b0f1 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_proto_version
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+ SSL_check_crl => 0,
+- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
++ SSL_version => '',
+ SSL_verify_callback => undef,
+ SSL_verifycn_scheme => undef, # fallback cn verification
+ SSL_verifycn_publicsuffix => undef, # fallback default list verification
+@@ -2393,7 +2393,7 @@ sub new {
+ 
+ my $ssl_op = $DEFAULT_SSL_OP;
+ 
+- my $ver;
++ my $ver = '';
+ for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ or croak("invalid SSL_version specified");
+diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
+index a4cf32a..7938d59 100644
+--- a/lib/IO/Socket/SSL.pod
++++ b/lib/IO/Socket/SSL.pod
+@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instead of 'TLSv1_1', 'TLSv1_2', and
+ 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
+ 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
+ and openssl.
++The default SSL_version is defined by the underlying cryptographic library.
+ 
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+ 
+-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
++For example, 'SSLv23:!SSLv3:!SSLv2' means that the
+ handshake format is compatible to SSL2.0 and higher, but that the successful
+ handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
+ both of these versions have serious security issues and should not be used
diff --git a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
new file mode 100644
index 0000000..8a5151f
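Review bot: Nothing in the hunk guarantees that SSLv2 and SSLv3 stay refused once the default `SSL_version` becomes `''`; that guarantee now rests entirely on how the underlying OpenSSL was built and on whatever system-wide policy it reads, and neither is checked or documented here. The new `my $ver = '';` in `sub new` hands an empty string to the version-selection code that follows, which lies outside the hunk, so it should be confirmed that an empty `$ver` is treated as "library default" rather than falling into a branch written for `undef`. The default deserves a comment recording the intent, e.g. `SSL_version => '', # empty: defer to the library / system crypto policy; set explicitly to enforce a protocol floor`. The enclosing `sub new` continues outside the hunk.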
--- /dev/null
+++ b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
@@ -0,0 +1,107 @@
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index c5affd8..10fe332 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
+ SSL_npn_protocols => undef, # meaning depends whether on server or client side
+ SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+ 
+- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
+- # "Old backward compatibility" for best compatibility
+- # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
+- # slightly reordered to prefer AES since it is cheaper when hardware accelerated
+- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
++ # Use system-wide default cipher list to support use of system-wide
++ # crypto policy (#1076390, #1127577, CPAN RT#97816)
++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
++ SSL_cipher_list => 'DEFAULT',
+ );
+ 
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -185,64 +184,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+ 
+ SSL_ca_file => undef,
+ SSL_ca_path => undef,
+-
+- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
+- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
+- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
+- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
+- # a while. Later a padding extension was added to OpenSSL to work around
+- # broken F5 but then IronPort croaked because it did not understand this
+- # extension so it was disabled again :(
+- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
+- # that packet stays small enough. We try the same here.
+-
+- SSL_cipher_list => join(" ",
+-
+- # SSLabs report for Chrome 48/OSX.
+- # This also includes the fewer ciphers Firefox uses.
+- 'ECDHE-ECDSA-AES128-GCM-SHA256',
+- 'ECDHE-RSA-AES128-GCM-SHA256',
+- 'DHE-RSA-AES128-GCM-SHA256',
+- 'ECDHE-ECDSA-CHACHA20-POLY1305',
+- 'ECDHE-RSA-CHACHA20-POLY1305',
+- 'ECDHE-ECDSA-AES256-SHA',
+- 'ECDHE-RSA-AES256-SHA',
+- 'DHE-RSA-AES256-SHA',
+- 'ECDHE-ECDSA-AES128-SHA',
+- 'ECDHE-RSA-AES128-SHA',
+- 'DHE-RSA-AES128-SHA',
+- 'AES128-GCM-SHA256',
+- 'AES256-SHA',
+- 'AES128-SHA',
+- 'DES-CBC3-SHA',
+-
+- # IE11/Edge has some more ciphers, notably SHA384 and DSS
+- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
+- # ciphers IE/Edge offers because they look like a large mismatch
+- # between a very strong HMAC and a comparably weak (but sufficient)
+- # encryption. Similar all browsers which do SHA384 can do ECDHE
+- # so skip the DHE*SHA384 ciphers.
+- 'ECDHE-RSA-AES256-GCM-SHA384',
+- 'ECDHE-ECDSA-AES256-GCM-SHA384',
+- # 'ECDHE-RSA-AES256-SHA384',
+- # 'ECDHE-ECDSA-AES256-SHA384',
+- # 'ECDHE-RSA-AES128-SHA256',
+- # 'ECDHE-ECDSA-AES128-SHA256',
+- # 'DHE-RSA-AES256-GCM-SHA384',
+- # 'AES256-GCM-SHA384',
+- 'AES256-SHA256',
+- # 'AES128-SHA256',
+- 'DHE-DSS-AES256-SHA256',
+- # 'DHE-DSS-AES128-SHA256',
+- 'DHE-DSS-AES256-SHA',
+- 'DHE-DSS-AES128-SHA',
+- 'EDH-DSS-DES-CBC3-SHA',
+-
+- # Just to make sure, that we don't accidentally add bad ciphers above.
+- # This includes dropping RC4 which is no longer supported by modern
+- # browsers and also excluded in the SSL libraries of Python and Ruby.
+- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
+- )
+ );
+ 
+ # set values inside _init to work with perlcc, RT#95452
+diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
+index a4cf32a..c0acadd 100644
+--- a/lib/IO/Socket/SSL.pod
++++ b/lib/IO/Socket/SSL.pod
+@@ -1054,12 +1054,8 @@ documentation (L)
+ for more details.
+ 
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting. The default setting
+-prefers ciphers with forward secrecy, disables anonymous authentication and
+-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
+-at the tests of SSL Labs.
+-To use the less secure OpenSSL builtin default (whatever this is) set
+-SSL_cipher_list to ''.
++recommended to leave this option at the default setting, which honors the
++system-wide DEFAULT cipher list.
+ 
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to
+-- 
+2.19.1
+ 
diff --git a/IO-Socket-SSL-2.066.tar.gz b/IO-Socket-SSL-2.066.tar.gz
new file mode 100644
index 0000000..0eb3342
Binary files /dev/null and b/IO-Socket-SSL-2.066.tar.gz differ
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
new file mode 100644
index 0000000..f1f586f
--- /dev/null
+++ b/perl-IO-Socket-SSL.spec
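Review bot: `'DEFAULT'` only tracks a system-wide crypto policy if the installed OpenSSL maps that keyword onto one, and nothing in this hunk or the accompanying spec enforces that; on a stock OpenSSL it is simply the built-in `DEFAULT` cipher string, which the removed POD text itself described as the "less secure OpenSSL builtin default", and which on older releases may still admit RC4, 3DES and MD5 suites that the removed list explicitly excluded with `!RC4 !DES !MD5 !PSK !SRP`. Either make the policy assumption hold (a dependency on an OpenSSL that honours the system policy) or keep a minimal floor that a policy can only tighten, e.g. `SSL_cipher_list => 'DEFAULT:!aNULL:!eNULL:!RC4:!MD5',`. The new POD sentence should also say this plainly rather than asserting that the default "honors the system-wide DEFAULT cipher list", e.g. `recommended to leave this option at the default setting, which defers to the cipher list configured for the underlying library (OpenSSL's built-in DEFAULT unless the system provides a crypto policy).` Dropping the deliberately short client-side list also drops the ClientHello-size rationale recorded in the removed comment; if that compatibility concern is considered obsolete, the patch description should say so.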
@@ -0,0 +1,69 @@
+Name: perl-IO-Socket-SSL
+Version: 2.066
+Release: 1
+Summary: Perl library for transparent SSL
+License: GPL+ or Artistic
+URL: https://metacpan.org/release/IO-Socket-SSL
+Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
+
+# https://fedoraproject.org/wiki/Changes/CryptoPolicy
+Patch0: IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
+Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
+BuildArch: noarch
+#For Build
+BuildRequires: coreutils findutils make perl-generators perl-interpreter perl(ExtUtils::MakeMaker)
+# For Runtime
+BuildRequires: openssl >= 0.9.8 perl(Carp) perl(Config) perl(constant) perl(Errno) perl(Exporter)
+BuildRequires: perl(HTTP::Tiny) perl(IO::Socket) perl(IO::Socket::INET6) >= 2.62 perl(Net::SSLeay) >= 1.46
+BuildRequires: perl(Scalar::Util) perl(Socket) perl(Socket6) perl(strict) perl(vars) perl(warnings)
+# For Test
+BuildRequires: perl(Data::Dumper) perl(File::Temp) perl(FindBin) perl(IO::Select)
+BuildRequires: perl(IO::Socket::INET) perl(Test::More) >= 0.88 perl(utf8) procps
+BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
+BuildRequires: perl(Net::IDN::Encode) perl(Net::LibIDN) perl(URI::_idna)
+
+Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
+Requires: openssl >= 0.9.8
+Requires: perl(Config)
+Requires: perl(HTTP::Tiny)
+Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
+Requires: perl(URI::_idna)
+
+%description
+IO::Socket::SSL is a class implementing an object oriented
+interface to SSL sockets. The class is a descendent of
+IO::Socket::INET.
+
+%package_help
+
+%prep
+%autosetup -n IO-Socket-SSL-%{version} -p1
+
+%build
+perl Makefile.PL INSTALLDIRS=vendor NO_NETWORK_TESTING=1 NO_PACKLIST=1
+%make_build
+
+%install
+make pure_install DESTDIR=%{buildroot}
+%{_fixperms} -c %{buildroot}
+
+%check
+make test
+
+%files
+%doc BUGS Changes README docs/ certs/ example/
+%dir %{perl_vendorlib}/IO/
+%dir %{perl_vendorlib}/IO/Socket/
+%doc %{perl_vendorlib}/IO/Socket/SSL.pod
+%{perl_vendorlib}/IO/Socket/SSL.pm
+%{perl_vendorlib}/IO/Socket/SSL/
+
+%files help
+%{_mandir}/man3/IO::Socket::SSL.3*
+%{_mandir}/man3/IO::Socket::SSL::Intercept.3*
+%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
+%{_mandir}/man3/IO::Socket::SSL::Utils.3*
+
+%changelog
+* Wed Sep 11 2019 openEuler Buildteam - 2.066-1
+- Package init
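Review bot: The runtime `Requires:` block carries versioned minimums for IO::Socket::IP and Socket but none for `perl(Net::SSLeay)`, even though the build pins `perl(Net::SSLeay) >= 1.46` and both applied patches push protocol-version and cipher selection down into Net::SSLeay/OpenSSL; the dependency generator will at best add an unversioned requirement, so add `Requires: perl(Net::SSLeay) >= 1.46` beside the IO::Socket::IP line. The patches only deliver a system-wide policy if the installed OpenSSL honours one, and `Requires: openssl >= 0.9.8` admits releases that predate `SSL_CTX_set_min_proto_version` and any policy machinery, so either raise that floor to the OpenSSL this distribution actually ships or add a dependency on the package that provides the policy (presumably `crypto-policies`; to be confirmed for openEuler) and note the reason above it, e.g. `# both patches defer cipher/protocol selection to the system-wide crypto policy`. Minor: the patch files are named for 2.060 while the package is 2.066; `%autosetup -p1` applies them regardless, but renaming them to the version they were last refreshed against avoids confusion.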