60 lines
2.1 KiB
From 9a0188335ea83a5e0078d21624e8bb134ef21687 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 24 Apr 2014 15:51:01 +0200
Subject: [PATCH 1/2] Do not set SSL_ciphers to ALL by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'ALL' cipher list is not the same as the OpenSSL default. 'ALL'
contains more ciphers. Some of them are too weak, some of them
prevent using the SSLv3 protocol. The SSLv2 protocol then used does not
support elliptic curve parameter negotiation, which can cause
interoperability issues when the server picks a curve not supported by the
client.

IO-Socket-SSL-1.955 supports the special value '' (empty string) to
designate the OpenSSL default. However, older IO-Socket-SSL recommends
not setting the option at all.

Thus this patch sets SSL_ciphers only if the Net::LDAP application passes
the ciphers option.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 lib/Net/LDAP.pm  | 3 ++-
 lib/Net/LDAP.pod | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

|
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm |
|
index 03eb23f..99d227a 100644 |
|
--- a/lib/Net/LDAP.pm |
|
+++ b/lib/Net/LDAP.pm |
|
@@ -243,7 +243,8 @@ sub _SSL_context_init_args { |
|
} |
|
|
|
( |
|
- SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL', |
|
+ defined $arg->{ciphers} ? |
|
+ ( SSL_cipher_list => defined $arg->{ciphers}) : (), |
|
SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '', |
|
SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '', |
|
SSL_key_file => $clientcert ? $clientkey : undef, |
|
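Review bot: the added line `+ ( SSL_cipher_list => defined $arg->{ciphers}) : (),` passes the truth value of `defined $arg->{ciphers}` (the number 1) as the cipher list instead of the caller's string, so an application that sets `ciphers => 'HIGH'` would hand IO::Socket::SSL the cipher string "1" rather than 'HIGH'. The outer ternary already guards on `defined $arg->{ciphers}`, so the inner value should be the option itself: `( SSL_cipher_list => $arg->{ciphers} ) : (),`. With that change the behaviour stated in the commit message (omit SSL_cipher_list entirely unless the caller supplies one, so the IO::Socket::SSL/OpenSSL default applies) is what the code actually does.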
diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod |
|
index 77a8400..c35508a 100644 |
|
--- a/lib/Net/LDAP.pod |
|
+++ b/lib/Net/LDAP.pod |
|
@@ -779,8 +779,8 @@ B<'tlsv1'>. |
|
|
|
Specify which subset of cipher suites are permissible for this |
|
connection, using the standard OpenSSL string format. The default |
|
-value is B<'ALL'>, which permits all ciphers, even those that don't |
|
-encrypt. |
|
+behavior is to keep the decision on the underlying cryptographic |
|
+library. |
|
|
|
=item clientcert =E<gt> '/path/to/cert.pem' |
|
|
|
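Review bot: the new wording "keep the decision on the underlying cryptographic library" leaves the reader guessing which library and what the effect is; state explicitly that when `ciphers` is not given, Net::LDAP passes no `SSL_cipher_list` to IO::Socket::SSL, so its default (and hence the OpenSSL default cipher list) applies. Dropping the removed sentence also drops the only warning that 'ALL' permits suites that do not encrypt; since a caller who explicitly passes `ciphers => 'ALL'` still gets that list through the new code path, keep a sentence noting that 'ALL' is broader than the library default and includes such suites, so the security consequence stays documented.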
-- 
1.9.3