patchset to provides the SSL_version tunable

31 views
Skip to first unread message

quantumsummers

unread,
Mar 7, 2012, 5:13:04 PM3/7/12
to perlbal, rob...@gentoo.org
IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that
there is no way to disable TLS, or force a version of SSL in Perlbal.

IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.

I have been using this for awhile now, works nicely.

Patchset inline, applies against current master at github.com/perlbal/
Perlbal.


From 8b64f2ad529972bb63b52bc7d2cc68de2a21f515 Mon Sep 17 00:00:00 2001
From: Matthew Summers <quantum...@gentoo.org>
Date: Wed, 7 Mar 2012 16:05:09 -0600
Subject: [PATCH] Original work by Robin H. Johnson
<rob...@gentoo.org> re-spun

IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that
there is no way to disable TLS, or force a version of SSL in Perlbal.

IO::Socket:SSL provides the SSL_version tunable for this case, which
is
now exposed in Perlbal by this patch.

diff --git a/doc/service-parameters.txt b/doc/service-parameters.txt
index 9befbaf..4dc25e1 100644
--- a/doc/service-parameters.txt
+++ b/doc/service-parameters.txt
@@ -92,6 +92,10 @@ For all services:
|---------------------------+----+---------------------
+---------------------------|
|ssl_cipher_list | |ALL:!LOW:!EXP |OpenSSL-style
cipher list. |
|---------------------------+----+---------------------
+---------------------------|
+|ssl_version | | |Sets the
version of the SSL|
+| | | |protocol used
to transmit |
+| | | |
data. |
+|---------------------------+----+---------------------
+---------------------------|
|ssl_key_file | |certs/server-key.pem |Path to
private key PEM |
| | | |file for
SSL. |
|---------------------------+----+---------------------
+---------------------------|
diff --git a/lib/Perlbal/Manual/Internals.pod b/lib/Perlbal/Manual/
Internals.pod
index 74da3f6..130d9e6 100644
--- a/lib/Perlbal/Manual/Internals.pod
+++ b/lib/Perlbal/Manual/Internals.pod
@@ -983,6 +983,10 @@ File to path to cert pem file.

OpenSSL cipher list string.

+=item ssl_version
+
+OpenSSL protocols to offer.
+

=item ssl_ca_path

diff --git a/lib/Perlbal/Manual/ReverseProxy.pod b/lib/Perlbal/Manual/
ReverseProxy.pod
index 1fdecb3..4b33311 100644
--- a/lib/Perlbal/Manual/ReverseProxy.pod
+++ b/lib/Perlbal/Manual/ReverseProxy.pod
@@ -279,6 +279,11 @@ OpenSSL-style cipher list.

Default is C<ALL:!LOW:!EXP>.

++=item B<ssl_version> = SSL version
++
+Sets the version of the SSL protocol used to transmit data. The
default is taken from L<IO::Socket::SSL>. You may specify C<SSLv23>
(auto-negotiates between SSLv2 and SSLv3), C<SSLv2>, C<SSLv3>, or
C<TLSv1> (case-insensitive) if you do not want this behavior.
+
+Default is to use the default from L<IO::Socket::SSL>.

=item B<ssl_key_file> = path/to/file

diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index 6efa277..a9d1332 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -96,7 +96,8 @@ use fields (
'ssl_cert_file', # file: path to key pem file
'ssl_cipher_list', # OpenSSL cipher list string
'ssl_ca_path', # directory: path to certificates
- 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_verify_mode', # int: verification mode, see
IO::Socket::SSL documentation
+ 'ssl_version', # IO::Socket::SSL
ssl_version string

'enable_error_retries', # bool: whether we should retry
requests after errors
'error_retry_schedule', # string of comma-separated
seconds (full or partial) to delay between retries
@@ -601,6 +602,12 @@ our $tunables = {
default => "ALL:!LOW:!EXP",
check_role => "*",
},
+
+ 'ssl_version' => {
+ des => "SSL protocol to offer.",
+ default => undef,
+ check_role => "*",
+ },

'ssl_ca_path' => {
des => 'Path to directory containing certificates for SSL.',
@@ -1641,6 +1648,7 @@ sub enable {
SSL_key_file => $self->{ssl_key_file},
SSL_cert_file => $self->{ssl_cert_file},
SSL_cipher_list => $self->{ssl_cipher_list},
+ (defined $self->{ssl_version} ? (SSL_version => $self-
>{ssl_version}) : ()),
(defined $self->{ssl_ca_path} ? (SSL_ca_path => $self-
>{ssl_ca_path}) : ()),
(defined $self->{ssl_verify_mode} ? (SSL_verify_mode
=> $self->{ssl_verify_mode}) : ()),
};
--
1.7.3.4

Matthew Summers

unread,
Mar 7, 2012, 5:14:24 PM3/7/12
to perlbal

Horrendous formatting, patch attached.

--
M. Summers

"...there are no rules here -- we're trying to accomplish something."
  - Thomas A. Edison

0001-Original-work-by-Robin-H.-Johnson-robbat2-gentoo.org.patch

Matthew Summers

unread,
May 26, 2012, 6:56:56 PM5/26/12
to perlbal
Hey, anyone care to look at this or does gentoo simply need to carry
this patch outside the release package?

--
M. Summers

dormando

unread,
May 31, 2012, 2:22:30 PM5/31/12
to perlbal
> Hey, anyone care to look at this or does gentoo simply need to carry
> this patch outside the release package?
>

We'll be doing another round of perlbal patch merging within a couple
weeks... Sorry that it takes so long :/

Matthew Summers

unread,
Jul 3, 2012, 5:49:10 PM7/3/12
to per...@googlegroups.com
Just thought I would check in with this. I have seen a couple new
commits, but not the one I am hoping for.

Anything I can do to help here?

Thanks,
Matt

--
M. Summers (quantumsummers)

dormando

unread,
Jul 7, 2012, 2:15:50 PM7/7/12
to per...@googlegroups.com
> On Thu, May 31, 2012 at 1:22 PM, dormando <dorm...@rydia.net> wrote:
> >> Hey, anyone care to look at this or does gentoo simply need to carry
> >> this patch outside the release package?
> >>
> >
> > We'll be doing another round of perlbal patch merging within a couple
> > weeks... Sorry that it takes so long :/
>
> Just thought I would check in with this. I have seen a couple new
> commits, but not the one I am hoping for.
>
> Anything I can do to help here?

Bad scheduling on our part (hachi's been buried with life stuff and I've
been buried with four other OSS projects). Perlbal is under the schedule
to be kicked around first thing, when we get time again, which should
definitely be before the end of july.

Getting things back on a regular schedule is tough, but we'll be there
soon.
Reply all
Reply to author
Forward
0 new messages