SSL preference setting for Crypt-SSLeay-0.51

on 02.01.2006 17:05:51 by tarok

Hello,

This is a patch to add an SSL preference setting to Crypt-SSLeay-0.51, just
as web browsers have SSL level selection buttons in their security
preference dialog.

Recently, while trying to automate access to our payroll system with
WWW::Mechanize, I had to deal with a web server which doesn't accept
TLS 1.0, but only SSL 3.0.

openssl-0.9.8a/doc/apps/s_client.pod says:

"Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only
support SSL v2 and may need the B<-ssl2> option."

Incidentally the server I managed to connect to says it is:
IBM_HTTP_Server/6.0.2.3 Apache/2.0.47 (Unix)

Since LWP and WWW::Mechanize use Crypt::SSLeay for SSL, I slightly
modified Crypt-SSLeay-0.51 so that I can set a preference for SSL levels.

With this patch you can switch off each of SSL v2, SSL v3, and TLS 1.0
by setting environment variables like this:
$ENV{SSL_OP_NO_SSLv2} = 1;
or
$ENV{SSL_OP_NO_SSLv3} = 1;
or
$ENV{SSL_OP_NO_TLSv1} = 1;

The last one will suppress use of TLS 1.0.

Connecting to the payroll site also involves handling JavaScript for me,
so I extended WWW::Mechanize with JavaScript::SpiderMonkey and it is
almost working. So I should be able to report on this one soon.

Anyway, I will put the patch for Crypt-SSLeay-0.51 below.

-Taro

--- Crypt-SSLeay-0.51/SSLeay.xs_original 2003-05-28
15:55:02.000000000 +0900
+++ Crypt-SSLeay-0.51/SSLeay.xs 2005-12-22 17:12:54.000000000 +0900
@@ -224,6 +224,25 @@
OUTPUT:
RETVAL

+int
+SSL_CTX_set_NO_SSLv2(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|0);
+
+int
+SSL_CTX_set_NO_SSLv3(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|0);
+
+int
+SSL_CTX_set_NO_TLSv1(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|0);
+
+
MODULE = Crypt::SSLeay PACKAGE = Crypt::SSLeay::Conn PREFIX =
SSL_

SSL*
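Review bot: the three new XS functions are declared as returning int, but their CODE: sections never assign RETVAL and there is no OUTPUT: section (compare the `OUTPUT:` / `RETVAL` pair on the function just above), so the Perl caller receives an uninitialised value. Either declare them `void`, or keep the mask that SSL_CTX_set_options returns with `RETVAL = SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` followed by `OUTPUT: RETVAL`, so the caller can see which option bits are now set. The `|0` in each call is a no-op and should go. A single `SSL_CTX_set_options(ctx, options)` wrapper taking the mask as a `long` would also avoid adding one XS function per protocol bit, with the Perl side passing the constant; whichever form is kept, the names must still match what the enclosing package's PREFIX strips, since Net/SSL.pm calls them as `$ctx->set_NO_SSLv2()`.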

--- Crypt-SSLeay-0.51/lib/Net/SSL.pm_original 2003-05-28
15:26:08.000000000 +0900
+++ Crypt-SSLeay-0.51/lib/Net/SSL.pm 2005-12-22 16:41:29.000000000 +0900
@@ -53,6 +53,8 @@
*$self->{'ssl_new_arg'} = $NEW_ARGS;
*$self->{'ssl_peer_verify'} = 0;

+ $self->set_context();
+
## Crypt::SSLeay must also aware the SSL Proxy before calling
## $socket->configure($args). Because the $sock->configure() will
## die when failed to resolve the destination server IP address,
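Review bot: `$self->set_context()` is called here as soon as the socket's bookkeeping fields are filled in, yet set_context() dereferences `*$self->{ssl_ctx}` and calls methods on it, so this only works if the SSL_CTX has already been created by this point in the constructor; the surrounding context lines do not show that, and if the context is built later (for example in configure()) every new connection dies with a method-call-on-undef error. Move the call to immediately after the line that creates the context, or have set_context() return early when `*$self->{ssl_ctx}` is not yet defined.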
@@ -432,4 +434,21 @@
$count; # number of successful cert loads/checks
}

+# An excerpt from doc/apps/s_client.pod:
+# Unfortunately there are a lot of ancient and broken servers in use
+# Some servers only work if TLS is turned off with the -no_tls option
+sub set_context {
+ my $self = shift;
+ my $ctx = *$self->{ssl_ctx};
+ if ($ENV{'SSL_OP_NO_SSLv2'}) {
+ $ctx->set_NO_SSLv2();
+ }
+ if ($ENV{'SSL_OP_NO_SSLv3'}) {
+ $ctx->set_NO_SSLv3();
+ }
+ if ($ENV{'SSL_OP_NO_TLSv1'}) {
+ $ctx->set_NO_TLSv1();
+ }
+}
+
1;
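Review bot: set_context() silently accepts all three SSL_OP_NO_* variables at once, which disables every protocol the context knows about and makes each later connect fail with an opaque OpenSSL handshake error; croak up front with a clear message when SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 are all set. Two smaller points: the environment variable names reuse the OpenSSL C macro names, so a reader may take `$ENV{SSL_OP_NO_TLSv1}` for the constant itself, and the patch touches no documentation; a POD note describing the three variables, and stating that with none of them set SSLv2 remains enabled, belongs in the same change. The comment at the top of the sub also splices two sentences from s_client.pod into one line; quote the excerpt verbatim or drop the second sentence.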
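The post describes finding, by trial and error, that the payroll server accepts SSL 3.0 but not TLS 1.0. The script below is an added example (not part of the original post and not code from Crypt::SSLeay); it drives the same SSL_OP_NO_* option bits the patch exposes, but through the lower-level Net::SSLeay binding, and tries each protocol on its own against a host and port given on the command line, so it needs network access to that host. It assumes a Net::SSLeay built against an OpenSSL of the 0.9.8 era that still contains SSLv2 and SSLv3 client support; on a build without them the SSLv2 and SSLv3 probes are rejected locally whatever the server does.

```perl
#!/usr/bin/perl
# Probe which protocol versions a server will negotiate by disabling all
# but one of SSLv2/SSLv3/TLSv1 on an SSLv23 context, one probe at a time.
# Added example, not part of the original post or of Crypt::SSLeay.
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Target comes from the command line: probe.pl host [port]
my $host = shift @ARGV or die "usage: $0 host [port]\n";
my $port = shift @ARGV || 443;

# Each probe leaves exactly one protocol enabled by switching off the other
# two, using the same option bits the patched Crypt::SSLeay sets from
# $ENV{SSL_OP_NO_SSLv2} / SSL_OP_NO_SSLv3 / SSL_OP_NO_TLSv1.
my %probe = (
    SSLv2 => &Net::SSLeay::OP_NO_SSLv3 | &Net::SSLeay::OP_NO_TLSv1,
    SSLv3 => &Net::SSLeay::OP_NO_SSLv2 | &Net::SSLeay::OP_NO_TLSv1,
    TLSv1 => &Net::SSLeay::OP_NO_SSLv2 | &Net::SSLeay::OP_NO_SSLv3,
);

# Returns (1, cipher name) on a successful handshake, (0, reason) otherwise.
sub try_handshake {
    my ($options) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 10,
    ) or return (0, "tcp connect failed: $!");

    # CTX_new() gives an SSLv23 context; the option mask narrows it.
    my $ctx = Net::SSLeay::CTX_new() or return (0, 'CTX_new failed');
    Net::SSLeay::CTX_set_options($ctx, $options);

    my $ssl = Net::SSLeay::new($ctx) or return (0, 'SSL_new failed');
    Net::SSLeay::set_fd($ssl, fileno($sock));
    my $rc = Net::SSLeay::connect($ssl);

    my $msg = $rc > 0
        ? 'cipher ' . Net::SSLeay::get_cipher($ssl)
        : Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());

    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    close $sock;
    return ($rc > 0 ? 1 : 0, $msg);
}

for my $proto (sort keys %probe) {
    my ($ok, $msg) = try_handshake($probe{$proto});
    printf "%-5s %-8s (%s)\n", $proto, ($ok ? 'accepted' : 'rejected'), $msg;
}
```

Against a server like the one in the post you would expect SSLv3 to be accepted and TLSv1 to be rejected, which tells you exactly which SSL_OP_NO_* variable to set for that one host. Note the direction of the fix: SSL 2.0 has long-known protocol weaknesses, so a client should normally keep SSL_OP_NO_SSLv2 set everywhere and only switch off TLS 1.0 for the specific broken server, rather than relaxing the default for every connection.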