packages/perl-IO-Socket-SSL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1 perl-IO-Socket-SSL

Browse Source 
Merge pull request !1 from openeuler-basic/init
This commit is contained in:
openeuler-ci-bot 2019-12-31 17:07:48 +08:00 committed by Gitee
commit eb82ba780f
3 changed files with 7 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
View File

@ -1,40 +0,0 @@
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index c5affd8..c41b0f1 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_proto_version
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2393,7 +2393,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak("invalid SSL_version specified");
diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
index a4cf32a..7938d59 100644
--- a/lib/IO/Socket/SSL.pod
+++ b/lib/IO/Socket/SSL.pod
@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instead of 'TLSv1_1', 'TLSv1_2', and
'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used

107
IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
View File

@ -1,107 +0,0 @@
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index c5affd8..10fe332 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
- # slightly reordered to prefer AES since it is cheaper when hardware accelerated
- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'DEFAULT',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -185,64 +184,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
SSL_ca_file => undef,
SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
- # a while. Later a padding extension was added to OpenSSL to work around
- # broken F5 but then IronPort croaked because it did not understand this
- # extension so it was disabled again :(
- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
- # that packet stays small enough. We try the same here.
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-CHACHA20-POLY1305',
- 'ECDHE-RSA-CHACHA20-POLY1305',
- 'ECDHE-ECDSA-AES256-SHA',
- 'ECDHE-RSA-AES256-SHA',
- 'DHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'ECDHE-RSA-AES128-SHA',
- 'DHE-RSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES256-SHA',
- 'AES128-SHA',
- 'DES-CBC3-SHA',
-
- # IE11/Edge has some more ciphers, notably SHA384 and DSS
- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
- # ciphers IE/Edge offers because they look like a large mismatch
- # between a very strong HMAC and a comparably weak (but sufficient)
- # encryption. Similar all browsers which do SHA384 can do ECDHE
- # so skip the DHE*SHA384 ciphers.
- 'ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- # 'ECDHE-RSA-AES256-SHA384',
- # 'ECDHE-ECDSA-AES256-SHA384',
- # 'ECDHE-RSA-AES128-SHA256',
- # 'ECDHE-ECDSA-AES128-SHA256',
- # 'DHE-RSA-AES256-GCM-SHA384',
- # 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- # 'AES128-SHA256',
- 'DHE-DSS-AES256-SHA256',
- # 'DHE-DSS-AES128-SHA256',
- 'DHE-DSS-AES256-SHA',
- 'DHE-DSS-AES128-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
-
- # Just to make sure, that we don't accidentally add bad ciphers above.
- # This includes dropping RC4 which is no longer supported by modern
- # browsers and also excluded in the SSL libraries of Python and Ruby.
- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
- )
);
# set values inside _init to work with perlcc, RT#95452
diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
index a4cf32a..c0acadd 100644
--- a/lib/IO/Socket/SSL.pod
+++ b/lib/IO/Socket/SSL.pod
@@ -1054,12 +1054,8 @@ documentation (L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>)
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the
+system-wide DEFAULT cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to
--
2.19.1

11
perl-IO-Socket-SSL.spec
View File

@ -1,14 +1,11 @@
Name: perl-IO-Socket-SSL Name: perl-IO-Socket-SSL
Version: 2.066 Version: 2.066
Release: 3 Release: 4
Summary: Perl library for transparent SSL Summary: Perl library for transparent SSL
License: GPL+ or Artistic License: GPL+ or Artistic
URL: https://metacpan.org/release/IO-Socket-SSL URL: https://metacpan.org/release/IO-Socket-SSL
Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
# https://fedoraproject.org/wiki/Changes/CryptoPolicy
Patch0: IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
BuildArch: noarch BuildArch: noarch
#For Build #For Build
BuildRequires: coreutils findutils make perl-generators perl-interpreter perl(ExtUtils::MakeMaker) BuildRequires: coreutils findutils make perl-generators perl-interpreter perl(ExtUtils::MakeMaker)
@ -64,6 +61,12 @@ make test
%{_mandir}/man3/IO::Socket::SSL::Utils.3* %{_mandir}/man3/IO::Socket::SSL::Utils.3*
%changelog %changelog
* Tue Dec 31 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.066-4
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:delete unneeded patch
* Tue Oct 15 2019 shenyangyang <shenyangyang4@huawei.com> - 2.066-3 * Tue Oct 15 2019 shenyangyang <shenyangyang4@huawei.com> - 2.066-3
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA