[perl-IO-Socket-SSL/f19] Use OpenSSL default CA if user doesn't specify one (#1059002)
Paul Howarth
pghmcfc at fedoraproject.org
Wed Jan 29 21:18:09 UTC 2014
commit 30b51133478e86c91695272f0e99834d7da18157
Author: Paul Howarth <paul at city-fan.org>
Date: Wed Jan 29 21:18:16 2014 +0000
Use OpenSSL default CA if user doesn't specify one (#1059002)
IO-Socket-SSL-1.88-ca-default.patch | 68 +++++++++++++++++++++++++++++++++++
perl-IO-Socket-SSL.spec | 9 ++++-
2 files changed, 76 insertions(+), 1 deletions(-)
---
diff --git a/IO-Socket-SSL-1.88-ca-default.patch b/IO-Socket-SSL-1.88-ca-default.patch
new file mode 100644
index 0000000..8edef4f
--- /dev/null
+++ b/IO-Socket-SSL-1.88-ca-default.patch
@@ -0,0 +1,68 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -350,10 +350,10 @@
+ my %certs = $is_server ? (
+ SSL_key_file => 'certs/server-key.pem',
+ SSL_cert_file => 'certs/server-cert.pem',
+- ) : (
++ ) : $arg_hash->{SSL_use_cert} ? (
+ SSL_key_file => 'certs/client-key.pem',
+ SSL_cert_file => 'certs/client-cert.pem',
+- );
++ ) :();
+ %$arg_hash = ( %$arg_hash, %ca, %certs );
+ } else {
+ for(qw(SSL_cert_file SSL_key_file)) {
+@@ -1668,11 +1668,15 @@
+ }
+
+ my $verify_mode = $arg_hash->{SSL_verify_mode};
+- if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
+- ( defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path}) and
+- ! Net::SSLeay::CTX_load_verify_locations(
+- $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
+- return IO::Socket::SSL->error("Invalid certificate authority locations");
++ if ( $verify_mode != Net::SSLeay::VERIFY_NONE()) {
++ if ( defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path} ) {
++ return IO::Socket::SSL->error("Invalid certificate authority locations")
++ if ! Net::SSLeay::CTX_load_verify_locations( $ctx,
++ $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '');
++ } else {
++ # no CA path given, continue with system defaults
++ Net::SSLeay::CTX_set_default_verify_paths($ctx);
++ }
+ }
+
+ if ($arg_hash->{'SSL_check_crl'}) {
+@@ -2196,22 +2200,16 @@
+ Net::SSLeay. This option takes a reference to a subroutine that should return the
+ password required to decrypt your private key.
+
+-=item SSL_ca_file
++=item SSL_ca_file | SSL_ca_path
+
+-If you want to verify that the peer certificate has been signed by a reputable
+-certificate authority, then you should use this option to locate the file
+-containing the certificateZ<>(s) of the reputable certificate authorities if it is
+-not already in the file F<certs/my-ca.pem>.
+-If you definitly want no SSL_ca_file used you should set it to undef.
+-
+-=item SSL_ca_path
+-
+-If you are unusually friendly with the OpenSSL documentation, you might have set
+-yourself up a directory containing several trusted certificates as separate files
+-as well as an index of the certificates. If you want to use that directory for
+-validation purposes, and that directory is not F<ca/>, then use this option to
+-point IO::Socket::SSL to the right place to look.
+-If you definitly want no SSL_ca_path used you should set it to undef.
++Usually you want to verify that the peer certificate has been signed by a
++trusted certificate authority. In this case you should use this option to
++specify the file (SSL_ca_file) or directory (SSL_ca_path) containing the
++certificateZ<>(s) of the trusted certificate authorities.
++If both SSL_ca_file and SSL_ca_path are undefined and not builtin defaults (see
++"Defaults for Cert, Key and CA".) can be used, it will try to use the system
++defaults used built into the OpenSSL library.
++If you really don't want to set a CA set this key to C<''>.
+
+ =item SSL_verify_mode
+
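Review bot: The new fallback in the `else` branch, `Net::SSLeay::CTX_set_default_verify_paths($ctx)`, discards its return value, whereas the sibling `CTX_load_verify_locations` branch just above returns an error on failure; per the OpenSSL documentation `SSL_CTX_set_default_verify_paths` returns 0 on failure, so a failed fallback would only surface later as an opaque handshake verification error instead of the clear `error()` the explicit-path branch produces. Mirror that style: `return IO::Socket::SSL->error("Invalid default certificate authority locations") if ! Net::SSLeay::CTX_set_default_verify_paths($ctx);`. Separately, the new POD says setting the key to `''` opts out of a CA, but the `defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path}` test treats `''` as a supplied location and would hand empty strings to `CTX_load_verify_locations`, unless `''` is normalised to undef earlier in the constructor as the 1.88-1 changelog suggests — in which case `''` now selects the system defaults rather than no CA, and the POD should instead say that `SSL_verify_mode => VERIFY_NONE` is the only way to skip CA loading. The POD phrase "and not builtin defaults ... can be used" also reads as a typo for "and no builtin defaults ... can be used". The function containing the `$verify_mode` change starts and ends outside this patch.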
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 3b2419f..f5358e1 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,11 +1,12 @@
Name: perl-IO-Socket-SSL
Version: 1.88
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Perl library for transparent SSL
Group: Development/Libraries
License: GPL+ or Artistic
URL: http://search.cpan.org/dist/IO-Socket-SSL/
Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz
+Patch0: IO-Socket-SSL-1.88-ca-default.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
BuildArch: noarch
BuildRequires: perl(Carp)
@@ -44,6 +45,9 @@ mod_perl.
%prep
%setup -q -n IO-Socket-SSL-%{version}
+# Use OpenSSL default CA if user doesn't specify one (#1059002)
+%patch0
+
%build
perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
@@ -66,6 +70,9 @@ rm -rf %{buildroot}
%{_mandir}/man3/IO::Socket::SSL.3pm*
%changelog
+* Wed Jan 29 2014 Paul Howarth <paul at city-fan.org> - 1.88-2
+- Use OpenSSL default CA if user doesn't specify one (#1059002)
+
* Thu May 2 2013 Paul Howarth <paul at city-fan.org> - 1.88-1
- Update to 1.88
- Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*