From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 24 Apr 2014 15:51:01 +0200
Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'ALL' cipher list is not the same as the OpenSSL default. 'ALL'
contains more ciphers. Some of them are too weak, some of them
prevent using the SSLv3 protocol. The SSLv2 protocol then used does not
support elliptic curve parameter negotiation, which can cause
interoperability issues when the server picks a curve not supported by the
client.

IO-Socket-SSL-1.955 supports the special value '' (empty string) to
designate the OpenSSL default. However, older IO-Socket-SSL recommends
not setting the option at all.

Thus this patch sets SSL_ciphers only if the Net::LDAP application passes
the ciphers option.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/Net/LDAP.pm | 3 ++-
lib/Net/LDAP.pod | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
index 03eb23f..99d227a 100644
--- a/lib/Net/LDAP.pm
+++ b/lib/Net/LDAP.pm
@@ -243,7 +243,8 @@ sub _SSL_context_init_args {
}
(
- SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL',
+ defined $arg->{ciphers} ?
+ ( SSL_cipher_list => defined $arg->{ciphers}) : (),
SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '',
SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '',
SSL_key_file => $clientcert ? $clientkey : undef,
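Review bot: the value on the line `+ ( SSL_cipher_list => defined $arg->{ciphers}) : (),` is the result of `defined`, i.e. a true value (1), not the caller's cipher string, so an application that passes `ciphers => 'HIGH'` ends up requesting the cipher list `1` and the intended restriction is never applied (IO::Socket::SSL hands that string to OpenSSL, which cannot parse it as a cipher list). The condition on the preceding line `+ defined $arg->{ciphers} ?` is correct; only the value needs to change, to `( SSL_cipher_list => $arg->{ciphers} ) : (),`. With that fix the hunk does what the commit message describes: no `SSL_cipher_list` key at all when the option is absent, so IO::Socket::SSL's own default applies instead of the removed `'ALL'`.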
diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
index 77a8400..c35508a 100644
--- a/lib/Net/LDAP.pod
+++ b/lib/Net/LDAP.pod
@@ -779,8 +779,8 @@ B<'tlsv1'>.
Specify which subset of cipher suites are permissible for this
connection, using the standard OpenSSL string format. The default
-value is B<'ALL'>, which permits all ciphers, even those that don't
-encrypt.
+behavior is to keep the decision on the underlying cryptographic
+library.
=item clientcert =E<gt> '/path/to/cert.pem'
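Review bot: the new text `+behavior is to keep the decision on the underlying cryptographic` / `+library.` is vague for a reader deciding whether to set this option; state the mechanism instead, for example "If this option is not given, no cipher list is passed to IO::Socket::SSL, so its default (and thus OpenSSL's default) applies." It is also worth keeping a one-line warning that an explicit B<'ALL'> permits ciphers that do not encrypt, since the removed sentence was the only place the documentation said so and callers can still pass that value themselves.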
--
1.9.3