[packages/perl-IO-Socket-SSL] Rel 2; use system default ssl version and cipher list (from fc).

Jan Palus atler at pld-linux.org
Wed Jan 5 19:22:23 CET 2022


On 16.12.2021 13:41, arekm wrote:
> commit d393768d64437bb1a9054fb07de0cb32f7395a2d
> Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
> Date:   Thu Dec 16 13:40:41 2021 +0100
> 
>     Rel 2; use system default ssl version and cipher list (from fc).
> 
...
> diff --git a/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
> new file mode 100644
> index 0000000..800ab64
> --- /dev/null
> +++ b/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
> @@ -0,0 +1,101 @@
> +--- lib/IO/Socket/SSL.pm
> ++++ lib/IO/Socket/SSL.pm
> +@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
> +     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
> +     SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
> + 
> +-    # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
> +-    # "Old backward compatibility" for best compatibility
> +-    # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
> +-    # slightly reordered to prefer AES since it is cheaper when hardware accelerated
> +-    SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
> ++    # Use system-wide default cipher list to support use of system-wide
> ++    # crypto policy (#1076390, #1127577, CPAN RT#97816)
> ++    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
> ++    SSL_cipher_list => 'PROFILE=SYSTEM',
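Review bot: The new default `SSL_cipher_list => 'PROFILE=SYSTEM'` at the end of this hunk is only a valid cipher string where OpenSSL has been built with system-wide crypto-policy support (the Fedora change the new comment links to); a stock OpenSSL has no `PROFILE=SYSTEM` token, so `SSL_CTX_set_cipher_list` rejects it and every TLS connection fails with the `no cipher match` error reported further down in this thread. Before carrying this patch in PLD, check that PLD's openssl package provides the same profile support, or make the default conditional: use `'PROFILE=SYSTEM'` only when the build verifies that the installed OpenSSL accepts it, and otherwise fall back to the Mozilla-derived list this hunk deletes (or leave the option unset so the module does not override OpenSSL's own default). Note also that the hunk drops the explicit `!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:...` exclusions together with the ordered list, so on a system where no crypto policy is enforced there is no longer any explicit rejection of weak ciphers; the commit message should at least state that this patch presumes a crypto-policy-enabled OpenSSL.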

Where is this PROFILE SYSTEM defined in PLD? With this patch ddclient
started to fail on every https call:

Failed to set SSL cipher list error:0A0000B9:SSL routines::no cipher match

