[packages/perl-IO-Socket-SSL.git] / IO-Socket-SSL-2.068-use-system-default-SSL-version.patch

--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
 # global defaults
 my %DEFAULT_SSL_ARGS = (
     SSL_check_crl => 0,
-    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+    SSL_version => '',
     SSL_verify_callback => undef,
     SSL_verifycn_scheme => undef,  # fallback cn verification
     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
@@ -2383,7 +2383,7 @@ sub new {
 
     my $ssl_op = $DEFAULT_SSL_OP;
 
-    my $ver;
+    my $ver = '';
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
 	or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1043,11 +1043,12 @@ All values are case-insensitive.  Instea
 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
 and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
 
 Independent from the handshake format you can limit to set of accepted SSL
 versions by adding !version separated by ':'.
 
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
 handshake format is compatible to SSL2.0 and higher, but that the successful
 handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
 both of these versions have serious security issues and should not be used
Commit	Line	Data
d393768d AM	1	--- lib/IO/Socket/SSL.pm
	2	+++ lib/IO/Socket/SSL.pm
	3	@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
	4	# global defaults
	5	my %DEFAULT_SSL_ARGS = (
	6	SSL_check_crl => 0,
	7	- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
	8	+ SSL_version => '',
	9	SSL_verify_callback => undef,
	10	SSL_verifycn_scheme => undef, # fallback cn verification
	11	SSL_verifycn_publicsuffix => undef, # fallback default list verification
	12	@@ -2383,7 +2383,7 @@ sub new {
	13
	14	my $ssl_op = $DEFAULT_SSL_OP;
	15
	16	- my $ver;
	17	+ my $ver = '';
	18	for (split(/\s:\s/,$arg_hash->{SSL_version})) {
	19	m{^(!?)(?:(SSL(?:v2\|v3\|v23\|v2/3))\|(TLSv1(?:_?[123])?))$}i
	20	or croak("invalid SSL_version specified");
	21	--- lib/IO/Socket/SSL.pod
	22	+++ lib/IO/Socket/SSL.pod
	23	@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
	24	'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
	25	'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
	26	and openssl.
	27	+The default SSL_version is defined by the underlying cryptographic library.
	28
	29	Independent from the handshake format you can limit to set of accepted SSL
	30	versions by adding !version separated by ':'.
	31
	32	-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
	33	+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
	34	handshake format is compatible to SSL2.0 and higher, but that the successful
	35	handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
	36	both of these versions have serious security issues and should not be used