--- /dev/null
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+ SSL_check_crl => 0,
+- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
++ SSL_version => '',
+ SSL_verify_callback => undef,
+ SSL_verifycn_scheme => undef, # fallback cn verification
+ SSL_verifycn_publicsuffix => undef, # fallback default list verification
+@@ -2383,7 +2383,7 @@ sub new {
+
+ my $ssl_op = $DEFAULT_SSL_OP;
+
+- my $ver;
++ my $ver = '';
+ for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ or croak("invalid SSL_version specified");
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
+ 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
+ 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
+ and openssl.
++The default SSL_version is defined by the underlying cryptographic library.
+
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+
+-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
++For example, 'SSLv23:!SSLv3:!SSLv2' means that the
+ handshake format is compatible to SSL2.0 and higher, but that the successful
+ handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
+ both of these versions have serious security issues and should not be used
projects / packages / perl-IO-Socket-SSL.git / blobdiff