From 6f9741cacda504506b9c6e27698cf2f56bfe4212 Mon Sep 17 00:00:00 2001 From: Paul Howarth <paul(a)city-fan.org&gt; Date: Tue, 1 Sep 2015 09:44:25 +0100 Subject: Update to 2.018 - New upstream release 2.018 - Checks for readability of files/dirs for certificates and CA no longer use -r because this is not safe when ACLs are used (CPAN RT#106295) - New method sock_certificate similar to peer_certificate (CPAN RT#105733) - get_fingerprint can now take optional certificate as argument and compute the fingerprint of it; useful in connection with sock_certificate - Check for both EWOULDBLOCK and EAGAIN since these codes are different on some platforms (CPAN RT#106573) - Enforce default verification scheme if nothing was specified, i.e. no longer just warn but accept; if really no verification is wanted, a scheme of 'none' must be explicitly specified - Support different cipher suites per SNI hosts - startssl.t failed on darwin with old openssl since server requested client certificate but offered also anon ciphers (CPAN RT#106687) - Update patches as needed diff --git a/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch deleted file mode 100644 index 9cebdef..0000000 --- a/IO-Socket-SSL-2.016-use-system-default-SSL-version.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -85,7 +85,7 @@ my $algo2digest = do { - # global defaults - my %DEFAULT_SSL_ARGS = ( - SSL_check_crl => 0, -- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken -+ SSL_version => '', - SSL_verify_callback => undef, - SSL_verifycn_scheme => undef, # fallback cn verification - SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2133,7 +2133,7 @@ WARN - $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE; - $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh; - -- my $ver; -+ my $ver = ''; - for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { - m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i - or croak("invalid SSL_version specified"); ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -932,11 +932,12 @@ protocol to the specified version. - All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can - also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires - recent versions of Net::SSLeay and openssl. -+The default SSL_version is defined by the underlying cryptographic library. - - Independent from the handshake format you can limit to set of accepted SSL - versions by adding !version separated by ':'. - --The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the -+For example, 'SSLv23:!SSLv3:!SSLv2' means that the - handshake format is compatible to SSL2.0 and higher, but that the successful - handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because - both of these versions have serious security issues and should not be used diff --git a/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch deleted file mode 100644 index f6b94f2..0000000 --- a/IO-Socket-SSL-2.016-use-system-default-cipher-list.patch +++ /dev/null @@ -1,73 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -92,9 +92,7 @@ my %DEFAULT_SSL_ARGS = ( - #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults' - SSL_npn_protocols => undef, # meaning depends whether on server or client side - SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] -- SSL_cipher_list => -- 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '. -- 'EDH ALL +SHA +3DES !RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP', -+ SSL_cipher_list => 'DEFAULT', - ); - - my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -104,42 +102,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( - SSL_ca_file => undef, - SSL_ca_path => undef, - -- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes -- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html -- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 -- # Debian works around this by disabling TLSv1_2 on the client side -- # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet -- # stays small enough -- # The following list is taken from IE11, except that we don't do RC4-MD5, -- # RC4-SHA is already bad enough. Also, we have a different sort order -- # compared to IE11, because we put ciphers supporting forward secrecy on top -- -- SSL_cipher_list => join(" ", -- qw( -- ECDHE-ECDSA-AES128-GCM-SHA256 -- ECDHE-ECDSA-AES128-SHA256 -- ECDHE-ECDSA-AES256-GCM-SHA384 -- ECDHE-ECDSA-AES256-SHA384 -- ECDHE-ECDSA-AES128-SHA -- ECDHE-ECDSA-AES256-SHA -- ECDHE-RSA-AES128-SHA256 -- ECDHE-RSA-AES128-SHA -- ECDHE-RSA-AES256-SHA -- DHE-DSS-AES128-SHA256 -- DHE-DSS-AES128-SHA -- DHE-DSS-AES256-SHA256 -- DHE-DSS-AES256-SHA -- AES128-SHA256 -- AES128-SHA -- AES256-SHA256 -- AES256-SHA -- EDH-DSS-DES-CBC3-SHA -- DES-CBC3-SHA -- RC4-SHA -- ), -- # just to make sure, that we don't accidentely add bad ciphers above -- "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP" -- ) - ); - - # set values inside _init to work with perlcc, RT#95452 ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -958,12 +958,8 @@ documentation (L<http://www.openssl.org/ - for more details. - - Unless you fail to contact your peer because of no shared ciphers it is --recommended to leave this option at the default setting. The default setting --prefers ciphers with forward secrecy, disables anonymous authentication and --disables known insecure ciphers like MD5, DES etc. This gives a grade A result --at the tests of SSL Labs. --To use the less secure OpenSSL builtin default (whatever this is) set --SSL_cipher_list to ''. -+recommended to leave this option at the default setting, which honors the -+system-wide DEFAULT cipher list. - - =item SSL_honor_cipher_order - diff --git a/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch new file mode 100644 index 0000000..e1b2784 --- /dev/null +++ b/IO-Socket-SSL-2.018-use-system-default-SSL-version.patch @@ -0,0 +1,36 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -85,7 +85,7 @@ my $algo2digest = do { + # global defaults + my %DEFAULT_SSL_ARGS = ( + SSL_check_crl => 0, +- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken ++ SSL_version => '', + SSL_verify_callback => undef, + SSL_verifycn_scheme => undef, # fallback cn verification + SSL_verifycn_publicsuffix => undef, # fallback default list verification +@@ -2135,7 +2135,7 @@ sub new { + $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE; + $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh; + +- my $ver; ++ my $ver = ''; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { + m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i + or croak("invalid SSL_version specified"); +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -934,11 +934,12 @@ protocol to the specified version. + All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can + also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires + recent versions of Net::SSLeay and openssl. ++The default SSL_version is defined by the underlying cryptographic library. + + Independent from the handshake format you can limit to set of accepted SSL + versions by adding !version separated by ':'. + +-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the ++For example, 'SSLv23:!SSLv3:!SSLv2' means that the + handshake format is compatible to SSL2.0 and higher, but that the successful + handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because + both of these versions have serious security issues and should not be used diff --git a/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch new file mode 100644 index 0000000..8468bc9 --- /dev/null +++ b/IO-Socket-SSL-2.018-use-system-default-cipher-list.patch @@ -0,0 +1,73 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -92,9 +92,7 @@ my %DEFAULT_SSL_ARGS = ( + #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults' + SSL_npn_protocols => undef, # meaning depends whether on server or client side + SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] +- SSL_cipher_list => +- 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '. +- 'EDH ALL +SHA +3DES !RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP', ++ SSL_cipher_list => 'DEFAULT', + ); + + my %DEFAULT_SSL_CLIENT_ARGS = ( +@@ -104,42 +102,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( + SSL_ca_file => undef, + SSL_ca_path => undef, + +- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes +- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html +- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 +- # Debian works around this by disabling TLSv1_2 on the client side +- # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet +- # stays small enough +- # The following list is taken from IE11, except that we don't do RC4-MD5, +- # RC4-SHA is already bad enough. Also, we have a different sort order +- # compared to IE11, because we put ciphers supporting forward secrecy on top +- +- SSL_cipher_list => join(" ", +- qw( +- ECDHE-ECDSA-AES128-GCM-SHA256 +- ECDHE-ECDSA-AES128-SHA256 +- ECDHE-ECDSA-AES256-GCM-SHA384 +- ECDHE-ECDSA-AES256-SHA384 +- ECDHE-ECDSA-AES128-SHA +- ECDHE-ECDSA-AES256-SHA +- ECDHE-RSA-AES128-SHA256 +- ECDHE-RSA-AES128-SHA +- ECDHE-RSA-AES256-SHA +- DHE-DSS-AES128-SHA256 +- DHE-DSS-AES128-SHA +- DHE-DSS-AES256-SHA256 +- DHE-DSS-AES256-SHA +- AES128-SHA256 +- AES128-SHA +- AES256-SHA256 +- AES256-SHA +- EDH-DSS-DES-CBC3-SHA +- DES-CBC3-SHA +- RC4-SHA +- ), +- # just to make sure, that we don't accidentely add bad ciphers above +- "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP" +- ) + ); + + # set values inside _init to work with perlcc, RT#95452 +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -960,12 +960,8 @@ documentation (L<http://www.openssl.org/ + for more details. + + Unless you fail to contact your peer because of no shared ciphers it is +-recommended to leave this option at the default setting. The default setting +-prefers ciphers with forward secrecy, disables anonymous authentication and +-disables known insecure ciphers like MD5, DES etc. This gives a grade A result +-at the tests of SSL Labs. +-To use the less secure OpenSSL builtin default (whatever this is) set +-SSL_cipher_list to ''. ++recommended to leave this option at the default setting, which honors the ++system-wide DEFAULT cipher list. + + In case different cipher lists are needed for different SNI hosts a hash can be + given with the host as key and the cipher suite as value, similar to diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec index 9892154..266a9a7 100644 --- a/perl-IO-Socket-SSL.spec +++ b/perl-IO-Socket-SSL.spec @@ -1,16 +1,19 @@ Name: perl-IO-Socket-SSL -Version: 2.016 -Release: 3%{?dist} +Version: 2.018 +Release: 1%{?dist} Summary: Perl library for transparent SSL Group: Development/Libraries License: GPL+ or Artistic URL: http://search.cpan.org/dist/IO-Socket-SSL/ Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version... -Patch0: IO-Socket-SSL-2.016-use-system-default-cipher-list.patch -Patch1: IO-Socket-SSL-2.016-use-system-default-SSL-version.patch +Patch0: IO-Socket-SSL-2.018-use-system-default-cipher-list.patch +Patch1: IO-Socket-SSL-2.018-use-system-default-SSL-version.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildArch: noarch # Module Build +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: make BuildRequires: perl BuildRequires: perl(ExtUtils::MakeMaker) # Module Runtime @@ -112,6 +115,23 @@ rm -rf %{buildroot} %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Mon Aug 31 2015 Paul Howarth <paul(a)city-fan.org&gt; - 2.018-1 +- Update to 2.018 + - Checks for readability of files/dirs for certificates and CA no longer use + -r because this is not safe when ACLs are used (CPAN RT#106295) + - New method sock_certificate similar to peer_certificate (CPAN RT#105733) + - get_fingerprint can now take optional certificate as argument and compute + the fingerprint of it; useful in connection with sock_certificate + - Check for both EWOULDBLOCK and EAGAIN since these codes are different on + some platforms (CPAN RT#106573) + - Enforce default verification scheme if nothing was specified, i.e. no + longer just warn but accept; if really no verification is wanted, a scheme + of 'none' must be explicitly specified + - Support different cipher suites per SNI hosts + - startssl.t failed on darwin with old openssl since server requested client + certificate but offered also anon ciphers (CPAN RT#106687) +- Update patches as needed + * Thu Jun 18 2015 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org&gt; - 2.016-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild diff --git a/sources b/sources index c4c64f6..fefc0b8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -a71e9f0f76c7a15a11fef14ca8ef8aa8 IO-Socket-SSL-2.016.tar.gz +817adc9e0cd6817998fd49dea3fe0349 IO-Socket-SSL-2.018.tar.gz -- cgit v0.10.2 http://pkgs.fedoraproject.org/cgit/perl-IO-Socket-SSL.git/commit/?h=maste...