[perl-IO-Socket-SSL/f19] Use OpenSSL default CA if user doesn't specify one (#1059002)

Paul Howarth pghmcfc at fedoraproject.org
Wed Jan 29 21:18:09 UTC 2014


commit 30b51133478e86c91695272f0e99834d7da18157
Author: Paul Howarth <paul at city-fan.org>
Date:   Wed Jan 29 21:18:16 2014 +0000

    Use OpenSSL default CA if user doesn't specify one (#1059002)

 IO-Socket-SSL-1.88-ca-default.patch |   68 +++++++++++++++++++++++++++++++++++
 perl-IO-Socket-SSL.spec             |    9 ++++-
 2 files changed, 76 insertions(+), 1 deletions(-)
---
diff --git a/IO-Socket-SSL-1.88-ca-default.patch b/IO-Socket-SSL-1.88-ca-default.patch
new file mode 100644
index 0000000..8edef4f
--- /dev/null
+++ b/IO-Socket-SSL-1.88-ca-default.patch
@@ -0,0 +1,68 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -350,10 +350,10 @@
+ 	    my %certs = $is_server ? (
+ 		SSL_key_file => 'certs/server-key.pem',
+ 		SSL_cert_file => 'certs/server-cert.pem',
+-	    ) : (
++	    ) : $arg_hash->{SSL_use_cert} ? (
+ 		SSL_key_file => 'certs/client-key.pem',
+ 		SSL_cert_file => 'certs/client-cert.pem',
+-	    );
++	    ) :();
+ 	    %$arg_hash = ( %$arg_hash, %ca, %certs );
+ 	} else {
+ 	    for(qw(SSL_cert_file SSL_key_file)) {
+@@ -1668,11 +1668,15 @@
+     }
+ 
+     my $verify_mode = $arg_hash->{SSL_verify_mode};
+-    if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
+-	( defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path}) and
+-	! Net::SSLeay::CTX_load_verify_locations(
+-	    $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
+-	return IO::Socket::SSL->error("Invalid certificate authority locations");
++    if ( $verify_mode != Net::SSLeay::VERIFY_NONE()) {
++	if ( defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path} ) {
++	    return IO::Socket::SSL->error("Invalid certificate authority locations")
++		if ! Net::SSLeay::CTX_load_verify_locations( $ctx, 
++		    $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '');
++	} else {
++	    # no CA path given, continue with system defaults
++	    Net::SSLeay::CTX_set_default_verify_paths($ctx);
++	}
+     }
+ 
+     if ($arg_hash->{'SSL_check_crl'}) {
+@@ -2196,22 +2200,16 @@
+ Net::SSLeay.  This option takes a reference to a subroutine that should return the
+ password required to decrypt your private key.
+ 
+-=item SSL_ca_file
++=item SSL_ca_file | SSL_ca_path
+ 
+-If you want to verify that the peer certificate has been signed by a reputable
+-certificate authority, then you should use this option to locate the file
+-containing the certificateZ<>(s) of the reputable certificate authorities if it is
+-not already in the file F<certs/my-ca.pem>.
+-If you definitly want no SSL_ca_file used you should set it to undef.
+-
+-=item SSL_ca_path
+-
+-If you are unusually friendly with the OpenSSL documentation, you might have set
+-yourself up a directory containing several trusted certificates as separate files
+-as well as an index of the certificates.  If you want to use that directory for
+-validation purposes, and that directory is not F<ca/>, then use this option to
+-point IO::Socket::SSL to the right place to look.
+-If you definitly want no SSL_ca_path used you should set it to undef.
++Usually you want to verify that the peer certificate has been signed by a
++trusted certificate authority. In this case you should use this option to
++specify the file (SSL_ca_file) or directory (SSL_ca_path) containing the
++certificateZ<>(s) of the trusted certificate authorities.
++If both SSL_ca_file and SSL_ca_path are undefined and not builtin defaults (see
++"Defaults for Cert, Key and CA".) can be used, it will try to use the system
++defaults used built into the OpenSSL library.
++If you really don't want to set a CA set this key to C<''>.
+ 
+ =item SSL_verify_mode
+ 
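Review bot: The new POD line `If you really don't want to set a CA set this key to C<''>.` contradicts the 1.88 changelog entry in this same commit, which says '' is now considered the same as undef for SSL_ca_(path|file); if that normalization runs before the `defined` test in the second hunk, '' lands in the new else branch and gets the system defaults rather than no CA, so the documented escape hatch presumably does not work as written and either the POD or the branch condition should change. The else branch also drops the return value of `Net::SSLeay::CTX_set_default_verify_paths($ctx)` while the sibling branch returns an error on a failed `CTX_load_verify_locations`; I would add `or return IO::Socket::SSL->error("Cannot set default certificate authority locations")` for consistency, with the caveat that, to my knowledge, OpenSSL only reports hard failures from this call and silently accepts an absent system CA store, so a client with VERIFY_PEER still fails only at handshake with an issuer error — worth a comment such as `# OpenSSL does not report a missing default CA store here; peer verification fails at handshake instead`. The sentence "and not builtin defaults (see ...) can be used, it will try to use the system defaults used built into the OpenSSL library" reads as garbled and should say "no builtin defaults" and "the defaults built into the OpenSSL library". The enclosing subs of both code hunks start and end outside this patch.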
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 3b2419f..f5358e1 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,11 +1,12 @@
 Name:		perl-IO-Socket-SSL
 Version:	1.88
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Perl library for transparent SSL
 Group:		Development/Libraries
 License:	GPL+ or Artistic
 URL:		http://search.cpan.org/dist/IO-Socket-SSL/
 Source0:	http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz
+Patch0:		IO-Socket-SSL-1.88-ca-default.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildArch:	noarch
 BuildRequires:	perl(Carp)
@@ -44,6 +45,9 @@ mod_perl.
 %prep
 %setup -q -n IO-Socket-SSL-%{version}
 
+# Use OpenSSL default CA if user doesn't specify one (#1059002)
+%patch0
+
 %build
 perl Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
@@ -66,6 +70,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/IO::Socket::SSL.3pm*
 
 %changelog
+* Wed Jan 29 2014 Paul Howarth <paul at city-fan.org> - 1.88-2
+- Use OpenSSL default CA if user doesn't specify one (#1059002)
+
 * Thu May  2 2013 Paul Howarth <paul at city-fan.org> - 1.88-1
 - Update to 1.88
   - Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*


