Commit | Line | Data |
---|---|---|
d393768d AM |
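--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
 # global defaults
 my %DEFAULT_SSL_ARGS = (
 SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
 SSL_verify_callback => undef,
 SSL_verifycn_scheme => undef, # fallback cn verification
 SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2383,7 +2383,7 @@ sub new {
 
 my $ssl_op = $DEFAULT_SSL_OP;
 
- my $ver;
+ my $ver = '';
 for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
 or croak("invalid SSL_version specified");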
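Review bot: With `SSL_version => ''` in `%DEFAULT_SSL_ARGS`, the module no longer excludes SSLv2 and SSLv3 itself, so the effective protocol floor depends entirely on how the underlying library is built and configured, and nothing in these hunks verifies that such a floor exists. `split` on an empty string returns an empty list, so the loop in `new` runs zero times, the `croak` validation is never reached, and `$ver` stays `''`. How the remainder of `new` treats an empty `$ver` lies outside the hunk and should be confirmed. The default deserves a comment that states the trade-off, for example `SSL_version => '', # empty: protocol range is left to the crypto library / system policy; SSLv2 and SSLv3 are NOT excluded here`. Callers on hosts without a system-wide minimum protocol setting should pass an explicit `SSL_version`.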
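--- a/lib/IO/Socket/SSL.pod
+++ b/lib/IO/Socket/SSL.pod
@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
 and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
 
 Independent from the handshake format you can limit to set of accepted SSL
 versions by adding !version separated by ':'.
 
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
 handshake format is compatible to SSL2.0 and higher, but that the successful
 handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
 both of these versions have serious security issues and should not be used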