diff --git a/perl-IO-Socket-SSL-use-system-default-cipher-list.patch b/perl-IO-Socket-SSL-use-system-default-cipher-list.patch
new file mode 100644
index 0000000..7bcf70a
--- /dev/null
+++ b/perl-IO-Socket-SSL-use-system-default-cipher-list.patch
@@ -0,0 +1,34 @@
+Index: IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm
+===================================================================
+--- IO-Socket-SSL-2.074.orig/lib/IO/Socket/SSL.pm
++++ IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm
+@@ -205,8 +205,10 @@ my %DEFAULT_SSL_ARGS = (
+ SSL_npn_protocols => undef, # meaning depends whether on server or client side
+ SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+
+- # rely on system default but be sure to disable some definitely bad ones
+- SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP',
++ # Use system-wide default cipher list to support use of system-wide
++ # crypto policy (#1076390, #1127577, CPAN RT#97816)
++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
++ SSL_cipher_list => 'PROFILE=SYSTEM',
+ );
+
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+Index: IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod
+===================================================================
+--- IO-Socket-SSL-2.074.orig/lib/IO/Socket/SSL.pod
++++ IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod
+@@ -1070,9 +1070,8 @@ ciphers for TLS 1.2 and lower. See the O
+ for more details.
+
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting, which uses the system
+-default but disables some insecure ciphers which might still be enabled on older
+-systems.
++recommended to leave this option at the default setting, which honors the
++system-wide PROFILE=SYSTEM cipher list.
+
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to
+
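Review bot: The new default `SSL_cipher_list => 'PROFILE=SYSTEM'` in `%DEFAULT_SSL_ARGS` drops every explicit exclusion the old string carried (`!eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP` and the rest), so what the module refuses by default is now decided entirely by the system crypto policy. `PROFILE=SYSTEM` is, as far as I know, a distribution extension to OpenSSL's cipher-string syntax rather than an upstream keyword, so on a libssl without that support the string would presumably be rejected and every caller relying on the default would fail to build a context. The rewritten SSL.pod sentence should state the first consequence, for example `The effective list comes from the system crypto policy, so a weakened policy (e.g. LEGACY) weakens this default as well.` The code comment above the key could carry the same caveat in one line. The hash opens before the inner hunk and only its tail is visible here.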
diff --git a/perl-IO-Socket-SSL.changes b/perl-IO-Socket-SSL.changes index d680dae..99a0bb9 100644 --- a/perl-IO-Socket-SSL.changes +++ b/perl-IO-Socket-SSL.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jun 9 16:41:18 UTC 2022 - David Anes + +- (bsc#1200295) follow system "PROFILE=SYSTEM" openSSL ciphers + ------------------------------------------------------------------- Sat Jan 8 03:07:59 UTC 2022 - Tina Müller diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec index 067fac7..f11b9cb 100644 --- a/perl-IO-Socket-SSL.spec +++ b/perl-IO-Socket-SSL.spec @@ -25,6 +25,9 @@ License: Artistic-1.0 OR GPL-1.0-or-later URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml +# (bsc#1200295) perl-IO-Socket-SSL doesn't follow system "PROFILE=SYSTEM" openSSL ciphers +# UPSTREAM PATCH: https://git.centos.org/rpms/perl-IO-Socket-SSL/blob/e0b0ae04f5cdb41b1f29cb7d76c23abba7ac35e9/f/SOURCES/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch +Patch0: perl-IO-Socket-SSL-use-system-default-cipher-list.patch BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros @@ -74,7 +77,7 @@ Additional documentation can be found in * * IO::Socket::SSL::Utils - Useful functions for certificates etc %prep -%autosetup -n %{cpan_name}-%{version} +%autosetup -n %{cpan_name}-%{version} -p1 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build
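Review bot: The comment above `Patch0` labels the file `UPSTREAM PATCH`, but the URL is a CentOS dist-git copy written for 2.066, not a change carried by IO::Socket::SSL itself, so the tag overstates how much review the cipher default change has had. A label that names the real origin would be clearer, e.g. `# PATCH-FIX-OPENSUSE (bsc#1200295) from CentOS dist-git, not in upstream IO::Socket::SSL`. Because the patched default only resolves on a libssl that understands `PROFILE=SYSTEM`, it is also worth confirming that the package pins that requirement. No such `Requires` is visible in this hunk, though the rest of the preamble lies outside it.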