IO::Socket::SSL defaults to SSLv2/3 in recent versions. This means that there is no way to disable TLS, or force a version of SSL in Perlbal. IO::Socket::SSL provides the SSL_version tunable for this case, which is now exposed in Perlbal by this patch.
I have been using this for a while now; it works nicely.
Patchset inline, applies against current master at github.com/perlbal/Perlbal.
From 8b64f2ad529972bb63b52bc7d2cc68de2a21f515 Mon Sep 17 00:00:00 2001
From: Matthew Summers <quantum...@gentoo.org>
Date: Wed, 7 Mar 2012 16:05:09 -0600
Subject: [PATCH] Original work by Robin H. Johnson <rob...@gentoo.org> re-spun
IO::Socket::SSL defaults to SSLv2/3 in recent versions. This means that there is no way to disable TLS, or force a version of SSL in Perlbal. IO::Socket::SSL provides the SSL_version tunable for this case, which is now exposed in Perlbal by this patch.
diff --git a/doc/service-parameters.txt b/doc/service-parameters.txt
index 9befbaf..4dc25e1 100644
--- a/doc/service-parameters.txt
+++ b/doc/service-parameters.txt
@@ -92,6 +92,10 @@ For all services:
|---------------------------+----+---------------------
+---------------------------|
|ssl_cipher_list | |ALL:!LOW:!EXP |OpenSSL-style
cipher list. |
|---------------------------+----+---------------------
+---------------------------|
+|ssl_version | | |Sets the
version of the SSL|
+| | | |protocol used
to transmit |
+| | | |
data. |
+|---------------------------+----+---------------------
+---------------------------|
|ssl_key_file | |certs/server-key.pem |Path to
private key PEM |
| | | |file for
SSL. |
|---------------------------+----+---------------------
+---------------------------|
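Review bot: the new ssl_version row leaves the Default column empty and describes the option only as setting the SSL protocol version, while the accepted values are listed only in ReverseProxy.pod; suggest filling the default cell with something like `(IO::Socket::SSL default)` and naming the accepted values (SSLv23, SSLv2, SSLv3, TLSv1) in the description so the parameter table is self-contained.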
diff --git a/lib/Perlbal/Manual/Internals.pod b/lib/Perlbal/Manual/
Internals.pod
index 74da3f6..130d9e6 100644
--- a/lib/Perlbal/Manual/Internals.pod
+++ b/lib/Perlbal/Manual/Internals.pod
@@ -983,6 +983,10 @@ File to path to cert pem file.
OpenSSL cipher list string.
+=item ssl_version
+
+OpenSSL protocols to offer.
+
=item ssl_ca_path
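Review bot: the description `OpenSSL protocols to offer.` does not match the wording used for the same option elsewhere in this patch (`SSL protocol to offer.` in the tunable, `Sets the version of the SSL protocol used to transmit data.` in the other docs); suggest one consistent phrasing, and stating here that the value is handed verbatim to IO::Socket::SSL's SSL_version, which is what a reader of Internals.pod needs to know.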
diff --git a/lib/Perlbal/Manual/ReverseProxy.pod b/lib/Perlbal/Manual/
ReverseProxy.pod
index 1fdecb3..4b33311 100644
--- a/lib/Perlbal/Manual/ReverseProxy.pod
+++ b/lib/Perlbal/Manual/ReverseProxy.pod
@@ -279,6 +279,11 @@ OpenSSL-style cipher list.
Default is C<ALL:!LOW:!EXP>.
++=item B<ssl_version> = SSL version
++
+Sets the version of the SSL protocol used to transmit data. The
default is taken from L<IO::Socket::SSL>. You may specify C<SSLv23>
(auto-negotiates between SSLv2 and SSLv3), C<SSLv2>, C<SSLv3>, or
C<TLSv1> (case-insensitive) if you do not want this behavior.
+
+Default is to use the default from L<IO::Socket::SSL>.
=item B<ssl_key_file> = path/to/file
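Review bot: the lines `++=item B<ssl_version> = SSL version` and `++` carry a doubled leading `+`, so as a unified diff they would insert `+=item ...` and `+` into the POD and break the item; the hunk header's +11 count only works with a single `+`, so this looks like a paste error to fix before merge. The paragraph also states the default twice (`The default is taken from L<IO::Socket::SSL>` and `Default is to use the default from L<IO::Socket::SSL>`), and `if you do not want this behavior` has no clear antecedent; suggest dropping the duplicate sentence and rewording the clause to `if you want to restrict the protocol`.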
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index 6efa277..a9d1332 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -96,7 +96,8 @@ use fields (
'ssl_cert_file', # file: path to key pem file
'ssl_cipher_list', # OpenSSL cipher list string
'ssl_ca_path', # directory: path to certificates
- 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_version', # IO::Socket::SSL
ssl_version string
'enable_error_retries', # bool: whether we should retry
requests after errors
'error_retry_schedule', # string of comma-separated
seconds (full or partial) to delay between retries
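Review bot: the `ssl_verify_mode` line is removed and re-added with identical visible text, which is a whitespace-only change that adds noise to the diff; suggest dropping it or calling it out in the commit message. The comment on the new field reads `IO::Socket::SSL ssl_version string`, but the IO::Socket::SSL option is `SSL_version` (as used in the enable() hunk below); suggest `# string: IO::Socket::SSL SSL_version value` to match the `type: description` style of the neighbouring comments.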
@@ -601,6 +602,12 @@ our $tunables = {
default => "ALL:!LOW:!EXP",
check_role => "*",
},
+
+ 'ssl_version' => {
+ des => "SSL protocol to offer.",
+ default => undef,
+ check_role => "*",
+ },
'ssl_ca_path' => {
des => 'Path to directory containing certificates for SSL.',
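Review bot: the new tunable sets only `des`, `default` and `check_role`, so any string is accepted at configuration time and an invalid protocol name only surfaces when the listener is enabled and IO::Socket::SSL rejects it; suggest validating the value against the versions documented in ReverseProxy.pod (SSLv23, SSLv2, SSLv3, TLSv1) so a typo is reported when the config is parsed rather than at enable time. `default => undef` is the right choice, since existing configurations keep the IO::Socket::SSL default unchanged.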
@@ -1641,6 +1648,7 @@ sub enable {
SSL_key_file => $self->{ssl_key_file},
SSL_cert_file => $self->{ssl_cert_file},
SSL_cipher_list => $self->{ssl_cipher_list},
+ (defined $self->{ssl_version} ? (SSL_version => $self-
>{ssl_version}) : ()),
(defined $self->{ssl_ca_path} ? (SSL_ca_path => $self-
>{ssl_ca_path}) : ()),
(defined $self->{ssl_verify_mode} ? (SSL_verify_mode
=> $self->{ssl_verify_mode}) : ()),
};
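Review bot: `$self->{ssl_version}` is passed to SSL_version verbatim, so the `(case-insensitive)` claim in ReverseProxy.pod is entirely delegated to IO::Socket::SSL; either normalise the value here (for example with `uc`) or drop that claim from the docs. The `defined` guard matches the existing ssl_ca_path and ssl_verify_mode pattern and keeps behaviour unchanged when the option is unset, which is the right default for a TLS-facing setting.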
--
1.7.3.4