From 1c9734277a1af5128b25beca42b03dfd96eab0d1 Mon Sep 17 00:00:00 2001 From: Paul Howarth <p...@city-fan.org> Date: Tue, 23 Aug 2016 09:22:35 +0100 Subject: Update to 2.037
- New upstream release 2.037 - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795) - Fix session cache del_session: it freed the session but did not properly remove it from the cache; further reuse caused crash - Update patches as needed --- ...-SSL-2.034-use-system-default-cipher-list.patch | 98 ---------------------- ...-SSL-2.035-use-system-default-SSL-version.patch | 36 -------- ...-SSL-2.037-use-system-default-SSL-version.patch | 36 ++++++++ ...-SSL-2.037-use-system-default-cipher-list.patch | 98 ++++++++++++++++++++++ perl-IO-Socket-SSL.spec | 13 ++- sources | 2 +- 6 files changed, 145 insertions(+), 138 deletions(-) delete mode 100644 IO-Socket-SSL-2.034-use-system-default-cipher-list.patch delete mode 100644 IO-Socket-SSL-2.035-use-system-default-SSL-version.patch create mode 100644 IO-Socket-SSL-2.037-use-system-default-SSL-version.patch create mode 100644 IO-Socket-SSL-2.037-use-system-default-cipher-list.patch diff --git a/IO-Socket-SSL-2.034-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.034-use-system-default-cipher-list.patch deleted file mode 100644 index f36ec0c..0000000 --- a/IO-Socket-SSL-2.034-use-system-default-cipher-list.patch +++ /dev/null @@ -1,98 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -101,10 +101,10 @@ my %DEFAULT_SSL_ARGS = ( - SSL_npn_protocols => undef, # meaning depends whether on server or client side - SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] - -- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20 -- # "Old backward compatibility" for best compatibility -- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" -- SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', -+ # Use system-wide default cipher list to support use of system-wide -+ # crypto policy (#1076390, #1127577, CPAN RT#97816) -+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy -+ SSL_cipher_list => 'DEFAULT', - ); - - my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -114,63 +114,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( - SSL_ca_file => undef, - SSL_ca_path => undef, - -- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes -- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html -- # http://guest:gu...@rt.openssl.org/Ticket/Display.html?id=2771 -- # Ubuntu worked around this by disabling TLSv1_2 on the client side for -- # a while. Later a padding extension was added to OpenSSL to work around -- # broken F5 but then IronPort croaked because it did not understand this -- # extension so it was disabled again :( -- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so -- # that packet stays small enough. We try the same here. -- -- SSL_cipher_list => join(" ", -- -- # SSLabs report for Chrome 48/OSX. -- # This also includes the fewer ciphers Firefox uses. -- 'ECDHE-ECDSA-AES128-GCM-SHA256', -- 'ECDHE-RSA-AES128-GCM-SHA256', -- 'DHE-RSA-AES128-GCM-SHA256', -- 'ECDHE-ECDSA-CHACHA20-POLY1305', -- 'ECDHE-RSA-CHACHA20-POLY1305', -- 'ECDHE-ECDSA-AES256-SHA', -- 'ECDHE-RSA-AES256-SHA', -- 'DHE-RSA-AES256-SHA', -- 'ECDHE-ECDSA-AES128-SHA', -- 'ECDHE-RSA-AES128-SHA', -- 'DHE-RSA-AES128-SHA', -- 'AES128-GCM-SHA256', -- 'AES256-SHA', -- 'AES128-SHA', -- 'DES-CBC3-SHA', -- -- # IE11/Edge has some more ciphers, notably SHA384 and DSS -- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM -- # ciphers IE/Edge offers because they look like a large mismatch -- # between a very strong HMAC and a comparably weak (but sufficient) -- # encryption. Similar all browsers which do SHA384 can do ECDHE -- # so skip the DHE*SHA384 ciphers. -- 'ECDHE-RSA-AES256-GCM-SHA384', -- 'ECDHE-ECDSA-AES256-GCM-SHA384', -- # 'ECDHE-RSA-AES256-SHA384', -- # 'ECDHE-ECDSA-AES256-SHA384', -- # 'ECDHE-RSA-AES128-SHA256', -- # 'ECDHE-ECDSA-AES128-SHA256', -- # 'DHE-RSA-AES256-GCM-SHA384', -- # 'AES256-GCM-SHA384', -- 'AES256-SHA256', -- # 'AES128-SHA256', -- 'DHE-DSS-AES256-SHA256', -- # 'DHE-DSS-AES128-SHA256', -- 'DHE-DSS-AES256-SHA', -- 'DHE-DSS-AES128-SHA', -- 'EDH-DSS-DES-CBC3-SHA', -- -- # Just to make sure, that we don't accidentally add bad ciphers above. -- # This includes dropping RC4 which is no longer supported by modern -- # browsers and also excluded in the SSL libraries of Python and Ruby. -- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP" -- ) - ); - - # set values inside _init to work with perlcc, RT#95452 ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -984,12 +984,8 @@ documentation (L<http://www.openssl.org/ - for more details. - - Unless you fail to contact your peer because of no shared ciphers it is --recommended to leave this option at the default setting. The default setting --prefers ciphers with forward secrecy, disables anonymous authentication and --disables known insecure ciphers like MD5, DES etc. This gives a grade A result --at the tests of SSL Labs. --To use the less secure OpenSSL builtin default (whatever this is) set --SSL_cipher_list to ''. -+recommended to leave this option at the default setting, which honors the -+system-wide DEFAULT cipher list. - - In case different cipher lists are needed for different SNI hosts a hash can be - given with the host as key and the cipher suite as value, similar to diff --git a/IO-Socket-SSL-2.035-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.035-use-system-default-SSL-version.patch deleted file mode 100644 index 8cda4a4..0000000 --- a/IO-Socket-SSL-2.035-use-system-default-SSL-version.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -93,7 +93,7 @@ my $algo2digest = do { - # global defaults - my %DEFAULT_SSL_ARGS = ( - SSL_check_crl => 0, -- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken -+ SSL_version => '', - SSL_verify_callback => undef, - SSL_verifycn_scheme => undef, # fallback cn verification - SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2200,7 +2200,7 @@ sub new { - - my $ssl_op = $DEFAULT_SSL_OP; - -- my $ver; -+ my $ver = ''; - for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { - m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i - or croak("invalid SSL_version specified"); ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -958,11 +958,12 @@ protocol to the specified version. - All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can - also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires - recent versions of Net::SSLeay and openssl. -+The default SSL_version is defined by the underlying cryptographic library. - - Independent from the handshake format you can limit to set of accepted SSL - versions by adding !version separated by ':'. - --The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the -+For example, 'SSLv23:!SSLv3:!SSLv2' means that the - handshake format is compatible to SSL2.0 and higher, but that the successful - handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because - both of these versions have serious security issues and should not be used diff --git a/IO-Socket-SSL-2.037-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.037-use-system-default-SSL-version.patch new file mode 100644 index 0000000..2e184c0 --- /dev/null +++ b/IO-Socket-SSL-2.037-use-system-default-SSL-version.patch @@ -0,0 +1,36 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -95,7 +95,7 @@ my $algo2digest = do { + # global defaults + my %DEFAULT_SSL_ARGS = ( + SSL_check_crl => 0, +- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken ++ SSL_version => '', + SSL_verify_callback => undef, + SSL_verifycn_scheme => undef, # fallback cn verification + SSL_verifycn_publicsuffix => undef, # fallback default list verification +@@ -2202,7 +2202,7 @@ sub new { + + my $ssl_op = $DEFAULT_SSL_OP; + +- my $ver; ++ my $ver = ''; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { + m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i + or croak("invalid SSL_version specified"); +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -958,11 +958,12 @@ protocol to the specified version. + All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can + also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires + recent versions of Net::SSLeay and openssl. ++The default SSL_version is defined by the underlying cryptographic library. + + Independent from the handshake format you can limit to set of accepted SSL + versions by adding !version separated by ':'. + +-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the ++For example, 'SSLv23:!SSLv3:!SSLv2' means that the + handshake format is compatible to SSL2.0 and higher, but that the successful + handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because + both of these versions have serious security issues and should not be used diff --git a/IO-Socket-SSL-2.037-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.037-use-system-default-cipher-list.patch new file mode 100644 index 0000000..15f5d12 --- /dev/null +++ b/IO-Socket-SSL-2.037-use-system-default-cipher-list.patch @@ -0,0 +1,98 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -103,10 +103,10 @@ my %DEFAULT_SSL_ARGS = ( + SSL_npn_protocols => undef, # meaning depends whether on server or client side + SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] + +- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20 +- # "Old backward compatibility" for best compatibility +- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" +- SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', ++ # Use system-wide default cipher list to support use of system-wide ++ # crypto policy (#1076390, #1127577, CPAN RT#97816) ++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy ++ SSL_cipher_list => 'DEFAULT', + ); + + my %DEFAULT_SSL_CLIENT_ARGS = ( +@@ -116,63 +116,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( + SSL_ca_file => undef, + SSL_ca_path => undef, + +- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes +- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html +- # http://guest:gu...@rt.openssl.org/Ticket/Display.html?id=2771 +- # Ubuntu worked around this by disabling TLSv1_2 on the client side for +- # a while. Later a padding extension was added to OpenSSL to work around +- # broken F5 but then IronPort croaked because it did not understand this +- # extension so it was disabled again :( +- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so +- # that packet stays small enough. We try the same here. +- +- SSL_cipher_list => join(" ", +- +- # SSLabs report for Chrome 48/OSX. +- # This also includes the fewer ciphers Firefox uses. +- 'ECDHE-ECDSA-AES128-GCM-SHA256', +- 'ECDHE-RSA-AES128-GCM-SHA256', +- 'DHE-RSA-AES128-GCM-SHA256', +- 'ECDHE-ECDSA-CHACHA20-POLY1305', +- 'ECDHE-RSA-CHACHA20-POLY1305', +- 'ECDHE-ECDSA-AES256-SHA', +- 'ECDHE-RSA-AES256-SHA', +- 'DHE-RSA-AES256-SHA', +- 'ECDHE-ECDSA-AES128-SHA', +- 'ECDHE-RSA-AES128-SHA', +- 'DHE-RSA-AES128-SHA', +- 'AES128-GCM-SHA256', +- 'AES256-SHA', +- 'AES128-SHA', +- 'DES-CBC3-SHA', +- +- # IE11/Edge has some more ciphers, notably SHA384 and DSS +- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM +- # ciphers IE/Edge offers because they look like a large mismatch +- # between a very strong HMAC and a comparably weak (but sufficient) +- # encryption. Similar all browsers which do SHA384 can do ECDHE +- # so skip the DHE*SHA384 ciphers. +- 'ECDHE-RSA-AES256-GCM-SHA384', +- 'ECDHE-ECDSA-AES256-GCM-SHA384', +- # 'ECDHE-RSA-AES256-SHA384', +- # 'ECDHE-ECDSA-AES256-SHA384', +- # 'ECDHE-RSA-AES128-SHA256', +- # 'ECDHE-ECDSA-AES128-SHA256', +- # 'DHE-RSA-AES256-GCM-SHA384', +- # 'AES256-GCM-SHA384', +- 'AES256-SHA256', +- # 'AES128-SHA256', +- 'DHE-DSS-AES256-SHA256', +- # 'DHE-DSS-AES128-SHA256', +- 'DHE-DSS-AES256-SHA', +- 'DHE-DSS-AES128-SHA', +- 'EDH-DSS-DES-CBC3-SHA', +- +- # Just to make sure, that we don't accidentally add bad ciphers above. +- # This includes dropping RC4 which is no longer supported by modern +- # browsers and also excluded in the SSL libraries of Python and Ruby. +- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP" +- ) + ); + + # set values inside _init to work with perlcc, RT#95452 +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -984,12 +984,8 @@ documentation (L<http://www.openssl.org/ + for more details. + + Unless you fail to contact your peer because of no shared ciphers it is +-recommended to leave this option at the default setting. The default setting +-prefers ciphers with forward secrecy, disables anonymous authentication and +-disables known insecure ciphers like MD5, DES etc. This gives a grade A result +-at the tests of SSL Labs. +-To use the less secure OpenSSL builtin default (whatever this is) set +-SSL_cipher_list to ''. ++recommended to leave this option at the default setting, which honors the ++system-wide DEFAULT cipher list. + + In case different cipher lists are needed for different SNI hosts a hash can be + given with the host as key and the cipher suite as value, similar to diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec index 060fbd7..b6f8d23 100644 --- a/perl-IO-Socket-SSL.spec +++ b/perl-IO-Socket-SSL.spec @@ -1,13 +1,13 @@ Name: perl-IO-Socket-SSL -Version: 2.035 +Version: 2.037 Release: 1%{?dist} Summary: Perl library for transparent SSL Group: Development/Libraries License: GPL+ or Artistic URL: http://search.cpan.org/dist/IO-Socket-SSL/ Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz -Patch0: IO-Socket-SSL-2.034-use-system-default-cipher-list.patch -Patch1: IO-Socket-SSL-2.035-use-system-default-SSL-version.patch +Patch0: IO-Socket-SSL-2.037-use-system-default-cipher-list.patch +Patch1: IO-Socket-SSL-2.037-use-system-default-SSL-version.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildArch: noarch # Module Build @@ -116,6 +116,13 @@ rm -rf %{buildroot} %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Tue Aug 23 2016 Paul Howarth <p...@city-fan.org> - 2.037-1 +- Update to 2.037 + - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795) + - Fix session cache del_session: it freed the session but did not properly + remove it from the cache; further reuse caused crash +- Update patches as needed + * Thu Aug 11 2016 Paul Howarth <p...@city-fan.org> - 2.035-1 - Update to 2.035 - Fixes for issues introduced in 2.034 diff --git a/sources b/sources index 0761baa..8ddf99f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -18a653525b5e00253dc8a8e97c172a4d IO-Socket-SSL-2.035.tar.gz +415172849bcc03a1f59ea012233ad127 IO-Socket-SSL-2.037.tar.gz -- cgit v0.12 http://pkgs.fedoraproject.org/cgit/perl-IO-Socket-SSL.git/commit/?h=master&id=1c9734277a1af5128b25beca42b03dfd96eab0d1 -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/perl-devel@lists.fedoraproject.org