
This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 95001
Status: resolved
Priority: 0/
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.40
Fixed in: 0.63



Subject: Setting SSL cipher list to 'ALL' is wrong
perl-ldap 0.40, as well as the current 0.62, sets the SSL cipher list string to 'ALL' by default. This is wrong as it can lead to compatibility and security issues. Attached patch changes the behavior to use the OpenSSL built-in default. -- Petr
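The gap between 'ALL' and OpenSSL's built-in default that the report refers to can be checked on the local OpenSSL build. The script below is an added example, not code from this ticket or from the perl-ldap distribution; it assumes the openssl(1) command line tool is on PATH and uses `openssl ciphers` to list the suites that 'ALL' enables beyond 'DEFAULT' (typically the anonymous Au=None suites and other suites OpenSSL leaves out of its default), and shows that a cipher string matching no suite selects nothing at all.

```shell
#!/bin/sh
# Added example, not code from the ticket or the perl-ldap distribution.
# Compares what OpenSSL's 'ALL' cipher string enables with the library's own
# 'DEFAULT', which is what Net::LDAP falls back to once it stops passing 'ALL'.
# Assumes openssl(1) is on PATH.

# Suite names selected by a cipher string, one per line, sorted for comm(1).
suites_for() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | sort
}

# Number of suites a cipher string selects; 0 when OpenSSL rejects the string
# because nothing matches it (for example a bare '1').
suite_count() {
    suites_for "$1" | grep -c . || true
}

# Suite names that cipher string $1 enables but $2 does not (set difference).
suites_only_in() {
    a=$(mktemp) && b=$(mktemp) || return 1
    suites_for "$1" > "$a"
    suites_for "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Print each suite that 'ALL' adds beyond 'DEFAULT' with its Kx=/Au=/Enc=
# columns, so anonymous (Au=None) and weak-cipher suites are easy to spot.
show_extras() {
    for s in $(suites_only_in ALL DEFAULT); do
        openssl ciphers -v "$s" 2>/dev/null || echo "$s"
    done
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl(1) not found on PATH" >&2
        return 1
    fi
    printf "'ALL' selects %s suites, 'DEFAULT' selects %s; enabled only by 'ALL':\n" \
        "$(suite_count ALL)" "$(suite_count DEFAULT)"
    show_extras
}

main "$@"
```

Which suites show up in the difference depends on the OpenSSL version and build options, so the list is a property of the library the client is linked against rather than of Net::LDAP; that is the reason the patch leaves the choice to the library instead of hard-coding 'ALL'.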
Subject: 0001-Do-not-set-SSL_ciphers-to-ALL-by-default.patch
From 132767577b169ae4b3f82d4273a8308c76df7013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Thu, 24 Apr 2014 15:51:01 +0200 Subject: [PATCH] Do not set SSL_ciphers to ALL by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'ALL' cipher list is not the same as OpenSSL default. The 'ALL' contains more ciphers. Some of them are too weak, some of them prevents from using SSLv3 protocol. Then used SSLv2 protocol does not support elliptic curve parameter negotion which can cause interoperability issues when server picks a curve not supported by the client. IO-Socket-SSL-1.955 supports special value '' (empty string) to designed the OpenSSL default. However older IO-Socket-SSL recommends not to set the option at all. Thus this patch sets SSL_ciphers only if Net::LDAP application passes the ciphers option. Signed-off-by: Petr Písař <ppisar@redhat.com> --- lib/Net/LDAP.pm | 3 ++- lib/Net/LDAP.pod | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm index fe90a2b..8e033d1 100644 --- a/lib/Net/LDAP.pm +++ b/lib/Net/LDAP.pm @@ -251,7 +251,8 @@ sub _SSL_context_init_args { } ( - SSL_cipher_list => defined $arg->{ciphers} ? $arg->{ciphers} : 'ALL', + defined $arg->{ciphers} ? + ( SSL_cipher_list => defined $arg->{ciphers}) : (), SSL_ca_file => exists $arg->{cafile} ? $arg->{cafile} : '', SSL_ca_path => exists $arg->{capath} ? $arg->{capath} : '', SSL_key_file => $clientcert ? $clientkey : undef, diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod index f242d12..ef38884 100644 --- a/lib/Net/LDAP.pod +++ b/lib/Net/LDAP.pod 
@@ -792,8 +792,8 @@ B<'tlsv1'>. Specify which subset of cipher suites are permissible for this connection, using the standard OpenSSL string format. The default -value is B<'ALL'>, which permits all ciphers, even those that don't -encrypt. +behavior is to keep the decision on the underlying cryptographic +library. =item clientcert =E<gt> '/path/to/cert.pem' -- 1.9.0
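Review bot: in the lib/Net/LDAP.pm hunk the added line `( SSL_cipher_list => defined $arg->{ciphers}) : (),` passes the boolean result of `defined` (the value 1) as the cipher list rather than the caller's string, so any application that sets the `ciphers` option would hand OpenSSL the cipher string "1", which matches no cipher suite; the line should read `( SSL_cipher_list => $arg->{ciphers} ) : (),`. The surrounding change is otherwise right: leaving SSL_cipher_list out when the option is absent lets IO::Socket::SSL and OpenSSL apply their own default, and an explicit empty string is still forwarded, which matches the IO-Socket-SSL-1.955 behaviour the commit message relies on.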
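Review bot: in the lib/Net/LDAP.pod hunk the new wording "keep the decision on the underlying cryptographic library" is vague for a POD entry that administrators read to decide whether their deployment is affected; name the library and the previous default, e.g. "The default is to leave cipher selection to IO::Socket::SSL and OpenSSL (earlier versions passed B<'ALL'>)." It would also help to state in the same item that an empty string is accepted by IO::Socket::SSL 1.955 and later as "use the OpenSSL default", since the commit message depends on that and callers otherwise have no way to know what '' does.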