patchset to provides the SSL_version tunable
31 views
Skip to first unread message
quantumsummers
Mar 7, 2012, 5:13:04 PM3/7/12
to perlbal, rob...@gentoo.org
IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that
there is no way to disable TLS, or force a version of SSL in Perlbal.
IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.
I have been using this for awhile now, works nicely.
Patchset inline, applies against current master at github.com/perlbal/
Perlbal.
From 8b64f2ad529972bb63b52bc7d2cc68de2a21f515 Mon Sep 17 00:00:00 2001
From: Matthew Summers <quantum...@gentoo.org>
Date: Wed, 7 Mar 2012 16:05:09 -0600
Subject: [PATCH] Original work by Robin H. Johnson
<rob...@gentoo.org> re-spun
IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that
there is no way to disable TLS, or force a version of SSL in Perlbal.
IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.
diff --git a/doc/service-parameters.txt b/doc/service-parameters.txt
index 9befbaf..4dc25e1 100644
--- a/doc/service-parameters.txt
+++ b/doc/service-parameters.txt
@@ -92,6 +92,10 @@ For all services:
|---------------------------+----+---------------------
+---------------------------|
|ssl_cipher_list | |ALL:!LOW:!EXP |OpenSSL-style
cipher list. |
|---------------------------+----+---------------------
+---------------------------|
+|ssl_version | | |Sets the
version of the SSL|
+| | | |protocol used
to transmit |
+| | | |
data. |
+|---------------------------+----+---------------------
+---------------------------|
|ssl_key_file | |certs/server-key.pem |Path to
private key PEM |
| | | |file for
SSL. |
|---------------------------+----+---------------------
+---------------------------|
diff --git a/lib/Perlbal/Manual/Internals.pod b/lib/Perlbal/Manual/
Internals.pod
index 74da3f6..130d9e6 100644
--- a/lib/Perlbal/Manual/Internals.pod
+++ b/lib/Perlbal/Manual/Internals.pod
@@ -983,6 +983,10 @@ File to path to cert pem file.
OpenSSL cipher list string.
+=item ssl_version
+
+OpenSSL protocols to offer.
+
=item ssl_ca_path
diff --git a/lib/Perlbal/Manual/ReverseProxy.pod b/lib/Perlbal/Manual/
ReverseProxy.pod
index 1fdecb3..4b33311 100644
--- a/lib/Perlbal/Manual/ReverseProxy.pod
+++ b/lib/Perlbal/Manual/ReverseProxy.pod
@@ -279,6 +279,11 @@ OpenSSL-style cipher list.
Default is C<ALL:!LOW:!EXP>.
++=item B<ssl_version> = SSL version
++
+Sets the version of the SSL protocol used to transmit data. The
default is taken from L<IO::Socket::SSL>. You may specify C<SSLv23>
(auto-negotiates between SSLv2 and SSLv3), C<SSLv2>, C<SSLv3>, or
C<TLSv1> (case-insensitive) if you do not want this behavior.
+
+Default is to use the default from L<IO::Socket::SSL>.
=item B<ssl_key_file> = path/to/file
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index 6efa277..a9d1332 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -96,7 +96,8 @@ use fields (
'ssl_cert_file', # file: path to key pem file
'ssl_cipher_list', # OpenSSL cipher list string
'ssl_ca_path', # directory: path to certificates
- 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_version', # IO::Socket::SSL
ssl_version string
'enable_error_retries', # bool: whether we should retry
requests after errors
'error_retry_schedule', # string of comma-separated
seconds (full or partial) to delay between retries
@@ -601,6 +602,12 @@ our $tunables = {
default => "ALL:!LOW:!EXP",
check_role => "*",
},
+
+ 'ssl_version' => {
+ des => "SSL protocol to offer.",
+ default => undef,
+ check_role => "*",
+ },
'ssl_ca_path' => {
des => 'Path to directory containing certificates for SSL.',
@@ -1641,6 +1648,7 @@ sub enable {
SSL_key_file => $self->{ssl_key_file},
SSL_cert_file => $self->{ssl_cert_file},
SSL_cipher_list => $self->{ssl_cipher_list},
+ (defined $self->{ssl_version} ? (SSL_version => $self-
>{ssl_version}) : ()),
(defined $self->{ssl_ca_path} ? (SSL_ca_path => $self-
>{ssl_ca_path}) : ()),
(defined $self->{ssl_verify_mode} ? (SSL_verify_mode
=> $self->{ssl_verify_mode}) : ()),
};
--
1.7.3.4
there is no way to disable TLS, or force a version of SSL in Perlbal.
IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.
I have been using this for awhile now, works nicely.
Patchset inline, applies against current master at github.com/perlbal/
Perlbal.
From 8b64f2ad529972bb63b52bc7d2cc68de2a21f515 Mon Sep 17 00:00:00 2001
From: Matthew Summers <quantum...@gentoo.org>
Date: Wed, 7 Mar 2012 16:05:09 -0600
Subject: [PATCH] Original work by Robin H. Johnson
<rob...@gentoo.org> re-spun
IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that
there is no way to disable TLS, or force a version of SSL in Perlbal.
IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.
diff --git a/doc/service-parameters.txt b/doc/service-parameters.txt
index 9befbaf..4dc25e1 100644
--- a/doc/service-parameters.txt
+++ b/doc/service-parameters.txt
@@ -92,6 +92,10 @@ For all services:
|---------------------------+----+---------------------
+---------------------------|
|ssl_cipher_list | |ALL:!LOW:!EXP |OpenSSL-style
cipher list. |
|---------------------------+----+---------------------
+---------------------------|
+|ssl_version | | |Sets the
version of the SSL|
+| | | |protocol used
to transmit |
+| | | |
data. |
+|---------------------------+----+---------------------
+---------------------------|
|ssl_key_file | |certs/server-key.pem |Path to
private key PEM |
| | | |file for
SSL. |
|---------------------------+----+---------------------
+---------------------------|
diff --git a/lib/Perlbal/Manual/Internals.pod b/lib/Perlbal/Manual/
Internals.pod
index 74da3f6..130d9e6 100644
--- a/lib/Perlbal/Manual/Internals.pod
+++ b/lib/Perlbal/Manual/Internals.pod
@@ -983,6 +983,10 @@ File to path to cert pem file.
OpenSSL cipher list string.
+=item ssl_version
+
+OpenSSL protocols to offer.
+
=item ssl_ca_path
diff --git a/lib/Perlbal/Manual/ReverseProxy.pod b/lib/Perlbal/Manual/
ReverseProxy.pod
index 1fdecb3..4b33311 100644
--- a/lib/Perlbal/Manual/ReverseProxy.pod
+++ b/lib/Perlbal/Manual/ReverseProxy.pod
@@ -279,6 +279,11 @@ OpenSSL-style cipher list.
Default is C<ALL:!LOW:!EXP>.
++=item B<ssl_version> = SSL version
++
+Sets the version of the SSL protocol used to transmit data. The
default is taken from L<IO::Socket::SSL>. You may specify C<SSLv23>
(auto-negotiates between SSLv2 and SSLv3), C<SSLv2>, C<SSLv3>, or
C<TLSv1> (case-insensitive) if you do not want this behavior.
+
+Default is to use the default from L<IO::Socket::SSL>.
=item B<ssl_key_file> = path/to/file
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index 6efa277..a9d1332 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -96,7 +96,8 @@ use fields (
'ssl_cert_file', # file: path to key pem file
'ssl_cipher_list', # OpenSSL cipher list string
'ssl_ca_path', # directory: path to certificates
- 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_version', # IO::Socket::SSL
ssl_version string
'enable_error_retries', # bool: whether we should retry
requests after errors
'error_retry_schedule', # string of comma-separated
seconds (full or partial) to delay between retries
@@ -601,6 +602,12 @@ our $tunables = {
default => "ALL:!LOW:!EXP",
check_role => "*",
},
+
+ 'ssl_version' => {
+ des => "SSL protocol to offer.",
+ default => undef,
+ check_role => "*",
+ },
'ssl_ca_path' => {
des => 'Path to directory containing certificates for SSL.',
@@ -1641,6 +1648,7 @@ sub enable {
SSL_key_file => $self->{ssl_key_file},
SSL_cert_file => $self->{ssl_cert_file},
SSL_cipher_list => $self->{ssl_cipher_list},
+ (defined $self->{ssl_version} ? (SSL_version => $self-
>{ssl_version}) : ()),
(defined $self->{ssl_ca_path} ? (SSL_ca_path => $self-
>{ssl_ca_path}) : ()),
(defined $self->{ssl_verify_mode} ? (SSL_verify_mode
=> $self->{ssl_verify_mode}) : ()),
};
--
1.7.3.4
Matthew Summers
May 26, 2012, 6:56:56 PM5/26/12
to perlbal
this patch outside the release package?
--
M. Summers
dormando
May 31, 2012, 2:22:30 PM5/31/12
to perlbal
> Hey, anyone care to look at this or does gentoo simply need to carry
> this patch outside the release package?
>
We'll be doing another round of perlbal patch merging within a couple
> this patch outside the release package?
>
weeks... Sorry that it takes so long :/
Matthew Summers
Jul 3, 2012, 5:49:10 PM7/3/12
to per...@googlegroups.com
commits, but not the one I am hoping for.
Anything I can do to help here?
Thanks,
Matt
--
M. Summers (quantumsummers)
dormando
Jul 7, 2012, 2:15:50 PM7/7/12
to per...@googlegroups.com
> On Thu, May 31, 2012 at 1:22 PM, dormando <dorm...@rydia.net> wrote:
> >> Hey, anyone care to look at this or does gentoo simply need to carry
> >> this patch outside the release package?
> >>
> >
> > We'll be doing another round of perlbal patch merging within a couple
> > weeks... Sorry that it takes so long :/
>
> Just thought I would check in with this. I have seen a couple new
> commits, but not the one I am hoping for.
>
> Anything I can do to help here?
Bad scheduling on our part (hachi's been buried with life stuff and I've
> >> Hey, anyone care to look at this or does gentoo simply need to carry
> >> this patch outside the release package?
> >>
> >
> > We'll be doing another round of perlbal patch merging within a couple
> > weeks... Sorry that it takes so long :/
>
> Just thought I would check in with this. I have seen a couple new
> commits, but not the one I am hoping for.
>
> Anything I can do to help here?
been buried with four other OSS projects). Perlbal is under the schedule
to be kicked around first thing, when we get time again, which should
definitely be before the end of july.
Getting things back on a regular schedule is tough, but we'll be there
soon.
Reply all
Reply to author
Forward
0 new messages