diff --git a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch deleted file mode 100644 index 358c5e43a2a3848955140653c8e5b814b1adae2c..0000000000000000000000000000000000000000 --- a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm -index c5affd8..c41b0f1 100644 ---- a/lib/IO/Socket/SSL.pm -+++ b/lib/IO/Socket/SSL.pm -@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_proto_version - # global defaults - my %DEFAULT_SSL_ARGS = ( - SSL_check_crl => 0, -- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken -+ SSL_version => '', - SSL_verify_callback => undef, - SSL_verifycn_scheme => undef, # fallback cn verification - SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2393,7 +2393,7 @@ sub new { - - my $ssl_op = $DEFAULT_SSL_OP; - -- my $ver; -+ my $ver = ''; - for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { - m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i - or croak("invalid SSL_version specified"); -diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod -index a4cf32a..7938d59 100644 ---- a/lib/IO/Socket/SSL.pod -+++ b/lib/IO/Socket/SSL.pod -@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instead of 'TLSv1_1', 'TLSv1_2', and - 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for - 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay - and openssl. -+The default SSL_version is defined by the underlying cryptographic library. - - Independent from the handshake format you can limit to set of accepted SSL - versions by adding !version separated by ':'. - --The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the -+For example, 'SSLv23:!SSLv3:!SSLv2' means that the - handshake format is compatible to SSL2.0 and higher, but that the successful - handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because - both of these versions have serious security issues and should not be used diff --git a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch deleted file mode 100644 index 8a5151fef2ed716a2e59bef61d43cddffc6d5b3b..0000000000000000000000000000000000000000 --- a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch +++ /dev/null @@ -1,107 +0,0 @@ -diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm -index c5affd8..10fe332 100644 ---- a/lib/IO/Socket/SSL.pm -+++ b/lib/IO/Socket/SSL.pm -@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = ( - SSL_npn_protocols => undef, # meaning depends whether on server or client side - SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] - -- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05 -- # "Old backward compatibility" for best compatibility -- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" -- # slightly reordered to prefer AES since it is cheaper when hardware accelerated -- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', -+ # Use system-wide default cipher list to support use of system-wide -+ # crypto policy (#1076390, #1127577, CPAN RT#97816) -+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy -+ SSL_cipher_list => 'DEFAULT', - ); - - my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -185,64 +184,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( - - SSL_ca_file => undef, - SSL_ca_path => undef, -- -- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes -- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html -- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 -- # Ubuntu worked around this by disabling TLSv1_2 on the client side for -- # a while. Later a padding extension was added to OpenSSL to work around -- # broken F5 but then IronPort croaked because it did not understand this -- # extension so it was disabled again :( -- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so -- # that packet stays small enough. We try the same here. -- -- SSL_cipher_list => join(" ", -- -- # SSLabs report for Chrome 48/OSX. -- # This also includes the fewer ciphers Firefox uses. -- 'ECDHE-ECDSA-AES128-GCM-SHA256', -- 'ECDHE-RSA-AES128-GCM-SHA256', -- 'DHE-RSA-AES128-GCM-SHA256', -- 'ECDHE-ECDSA-CHACHA20-POLY1305', -- 'ECDHE-RSA-CHACHA20-POLY1305', -- 'ECDHE-ECDSA-AES256-SHA', -- 'ECDHE-RSA-AES256-SHA', -- 'DHE-RSA-AES256-SHA', -- 'ECDHE-ECDSA-AES128-SHA', -- 'ECDHE-RSA-AES128-SHA', -- 'DHE-RSA-AES128-SHA', -- 'AES128-GCM-SHA256', -- 'AES256-SHA', -- 'AES128-SHA', -- 'DES-CBC3-SHA', -- -- # IE11/Edge has some more ciphers, notably SHA384 and DSS -- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM -- # ciphers IE/Edge offers because they look like a large mismatch -- # between a very strong HMAC and a comparably weak (but sufficient) -- # encryption. Similar all browsers which do SHA384 can do ECDHE -- # so skip the DHE*SHA384 ciphers. -- 'ECDHE-RSA-AES256-GCM-SHA384', -- 'ECDHE-ECDSA-AES256-GCM-SHA384', -- # 'ECDHE-RSA-AES256-SHA384', -- # 'ECDHE-ECDSA-AES256-SHA384', -- # 'ECDHE-RSA-AES128-SHA256', -- # 'ECDHE-ECDSA-AES128-SHA256', -- # 'DHE-RSA-AES256-GCM-SHA384', -- # 'AES256-GCM-SHA384', -- 'AES256-SHA256', -- # 'AES128-SHA256', -- 'DHE-DSS-AES256-SHA256', -- # 'DHE-DSS-AES128-SHA256', -- 'DHE-DSS-AES256-SHA', -- 'DHE-DSS-AES128-SHA', -- 'EDH-DSS-DES-CBC3-SHA', -- -- # Just to make sure, that we don't accidentally add bad ciphers above. -- # This includes dropping RC4 which is no longer supported by modern -- # browsers and also excluded in the SSL libraries of Python and Ruby. -- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP" -- ) - ); - - # set values inside _init to work with perlcc, RT#95452 -diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod -index a4cf32a..c0acadd 100644 ---- a/lib/IO/Socket/SSL.pod -+++ b/lib/IO/Socket/SSL.pod -@@ -1054,12 +1054,8 @@ documentation (L) - for more details. - - Unless you fail to contact your peer because of no shared ciphers it is --recommended to leave this option at the default setting. The default setting --prefers ciphers with forward secrecy, disables anonymous authentication and --disables known insecure ciphers like MD5, DES etc. This gives a grade A result --at the tests of SSL Labs. --To use the less secure OpenSSL builtin default (whatever this is) set --SSL_cipher_list to ''. -+recommended to leave this option at the default setting, which honors the -+system-wide DEFAULT cipher list. - - In case different cipher lists are needed for different SNI hosts a hash can be - given with the host as key and the cipher suite as value, similar to --- -2.19.1 - diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec index 4aa8fc26329a0a325f1f8bbcb0031ce02c8685bf..7d4276b79a505d43053e71406a145a67bd382619 100644 --- a/perl-IO-Socket-SSL.spec +++ b/perl-IO-Socket-SSL.spec @@ -1,14 +1,11 @@ Name: perl-IO-Socket-SSL Version: 2.066 -Release: 3 +Release: 4 Summary: Perl library for transparent SSL License: GPL+ or Artistic URL: https://metacpan.org/release/IO-Socket-SSL Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz -# https://fedoraproject.org/wiki/Changes/CryptoPolicy -Patch0: IO-Socket-SSL-2.060-use-system-default-cipher-list.patch -Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch BuildArch: noarch #For Build BuildRequires: coreutils findutils make perl-generators perl-interpreter perl(ExtUtils::MakeMaker) @@ -64,6 +61,12 @@ make test %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Tue Dec 31 2019 openEuler Buildteam - 2.066-4 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:delete unneeded patch + * Tue Oct 15 2019 shenyangyang - 2.066-3 - Type:enhancement - ID:NA