import perl-IO-Socket-SSL-2.085-2.el10

.gitignore

@@ -0,0 +1 @@
+SOURCES/IO-Socket-SSL-2.085.tar.gz

.perl-IO-Socket-SSL.metadata

@@ -0,0 +1 @@
+4ea8881ecd788f719bcaf1e9bb86c5c914abddc6 SOURCES/IO-Socket-SSL-2.085.tar.gz

SOURCES/IO-Socket-SSL-2.080-Test-client-performs-Post-Handshake-Authentication.patch

@@ -0,0 +1,130 @@
+From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Feb 2019 14:50:32 +0100
+Subject: [PATCH] Test client performs Post-Handshake-Authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This test uses openssl tool because PHA is not yet supported by
+IO::Socket::SSL's server implementation. The openssl tool uses a fixed
+port. So the test can fail.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ MANIFEST       |  1 +
+ t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100755 t/pha_client.t
+
+diff --git a/MANIFEST b/MANIFEST
+index 20cddb6..2b8328d 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -57,6 +57,7 @@ t/mitm.t
+ t/multiple-cert-rsa-ecc.t
+ t/nonblock.t
+ t/npn.t
++t/pha_client.t
+ t/plain_upgrade_downgrade.t
+ t/protocol_version.t
+ t/public_suffix_lib_encode_idn.t
+diff --git a/t/pha_client.t b/t/pha_client.t
+new file mode 100755
+index 0000000..2413588
+--- /dev/null
++++ b/t/pha_client.t
+@@ -0,0 +1,90 @@
++#!/usr/bin/perl
++use strict;
++use warnings;
++use Test::More;
++use IPC::Run ();
++use IO::Socket::SSL ();
++use Net::SSLeay ();
++use IO::Select ();
++
++if (system('openssl', 'version')) {
++    plan skip_all => 'openssl tool is not available';
++} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
++    plan skip_all => 'Net::SSLeay does not expose PHA';
++} else {
++    plan tests => 5;
++}
++
++my $port = 2000;
++my $ca_cert = 't/certs/test-ca.pem';
++
++diag 'Starting a server';
++my ($server, $input, $stdout, $stderr);
++eval {
++    $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
++            '-Verify', '1',
++            '-cert', 't/certs/server-wildcard.pem',
++            '-key', 't/certs/server-wildcard.pem', '-CAfile', $ca_cert],
++        \$input, \$stdout, \$stderr);
++    # subsequent \undef does not work
++    # <https://github.com/toddr/IPC-Run/issues/124>
++};
++if (!$server or $@) {
++    BAIL_OUT("Could not start a server: $@");
++}
++# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
++if ($stderr =~ /unable to bind socket/) {
++    $server->kill_kill;
++    BAIL_OUT("Could not start a server: $stderr");
++}
++ok($server, 'Server started');
++
++my $client = IO::Socket::SSL->new(
++    PeerHost => 'localhost',
++    PeerPort => $port,
++    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
++    SSL_verifycn_scheme => 'www',
++    SSL_verifycn_name => 'www.server.local',
++    SSL_ca_file => $ca_cert,
++    SSL_key_file => 't/certs/client-key.pem',
++    SSL_cert_file => 't/certs/client-cert.pem'
++);
++ok($client, 'Client connected');
++
++SKIP: {
++    skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
++        unless $client;
++    $client->blocking(0);
++
++    SKIP: {
++        # Ask openssl s_server for PHA request and wait for the result.
++        $input .= "c\n";
++        while ($server->pumpable &&
++            $stderr !~ /SSL_verify_client_post_handshake/ &&
++            $stdout !~ /SSL_do_handshake -> 1/
++        ) {
++            # Push the PHA command to the server and read outputs.
++            $server->pump;
++
++            # Client also must perform I/O to process the PHA request.
++            my $select = IO::Select->new($client);
++            while ($select->can_read(1)) {  # 1 second time-out because of
++                                            # blocking IPC::Run
++                my $retval = $client->read(my $buf, 1);
++                if (defined $buf and $buf eq 'c') {
++                    skip 'openssl tool does not support PHA command', 1;
++                }
++            }
++        }
++        ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
++    }
++
++    ok($client->close, 'Client disconnected');
++}
++
++eval {
++    $server->kill_kill;
++};
++ok(!$@, 'Server terminated');
++
+-- 
+2.20.1
+

SOURCES/IO-Socket-SSL-2.084-use-system-default-SSL-version.patch

@@ -0,0 +1,37 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -196,8 +196,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+     SSL_check_crl => 0,
+-    # TLS 1.1 and lower are deprecated with RFC 8996
+-    SSL_version => 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2',
++    SSL_version => '',
+     SSL_verify_callback => undef,
+     SSL_verifycn_scheme => undef,  # fallback cn verification
+     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
+@@ -2445,7 +2444,7 @@ sub new {
+ 
+     my $ssl_op = $DEFAULT_SSL_OP;
+ 
+-    my $ver;
++    my $ver = '';
+     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ 	or croak("invalid SSL_version specified");
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1044,11 +1044,12 @@ All values are case-insensitive.  Instea
+ versions are actually supported depend on the versions of OpenSSL and
+ Net::SSLeay installed, but modern protocols like TLS 1.3 are supported by these
+ for many years now.
++The default SSL_version is defined by the underlying cryptographic library.
+ 
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+ 
+-The default SSL_version is 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2'. This means,
++For example, 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2' means
+ that the handshake format is compatible to SSL2.0 and higher, but that the
+ successful handshake is limited to TLS1.2 and higher, that is no SSL2.0, SSL3.0,
+ TLS 1.0 or TLS 1.1 because these versions have serious security issues and

SOURCES/IO-Socket-SSL-2.084-use-system-default-cipher-list.patch

@@ -0,0 +1,29 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -205,8 +205,10 @@ my %DEFAULT_SSL_ARGS = (
+     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
+     SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+ 
+-    # rely on system default but be sure to disable some definitely bad ones
+-    SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP',
++    # Use system-wide default cipher list to support use of system-wide
++    # crypto policy (#1076390, #1127577, CPAN RT#97816)
++    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
++    SSL_cipher_list => 'PROFILE=SYSTEM',
+ );
+ 
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1071,9 +1071,8 @@ ciphers for TLS 1.2 and lower. See the O
+ for more details.
+ 
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting, which uses the system
+-default but disables some insecure ciphers which might still be enabled on older
+-systems.
++recommended to leave this option at the default setting, which honors the
++system-wide PROFILE=SYSTEM cipher list.
+ 
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to