SSL preference setting for Crypt-SSLeay-0.51

Mon, 02 Jan 2006 08:07:12 -0800 

Hello,

this is a patch to add SSL preference to Crypt-SSLeay-0.51 just like
the web browsers have SSL level selection buttons in their security
preference dialog.

Recently trying to automate access to our payroll system with
WWW::Mechanize I had to deal with a web server which doesn't accept
TLS 1.0, but only SSL 3.0.

openssl-0.9.8a/doc/apps/s_client.pod says:

"Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only
support SSL v2 and may need the B<-ssl2> option."

Incidentally the server I managed to connect to says it is:
   IBM_HTTP_Server/6.0.2.3 Apache/2.0.47 (Unix)

Since LWP and WWW::Mechanize use Crypt::SSLeay for SSL I slightly
modified Crypt-SSLeay-0.51 so that I can set preference for SSL levels.

With this patch you can switch off each of SSL v2, SSL v3, and TLS 1.0
by setting environment variables like this:
$ENV{SSL_OP_NO_SSLv2} = 1;
or
$ENV{SSL_OP_NO_SSLv3} = 1;
or
$ENV{SSL_OP_NO_TLSv1} = 1;

The last one will suppress use of TLS 1.0.

Connecting to the payroll site for me involves handling of JavaScript
too, so I extended WWW::Mechanize with JavaScript::SpiderMonkey and it
is almost working.  So I should be able to report this one soon.

Anyway I will put the patch for Crypt-SSLeay-0.51 below.

-Taro
--- Crypt-SSLeay-0.51/SSLeay.xs_original 2003-05-28 15:55:02.000000000 +0900 
+++ Crypt-SSLeay-0.51/SSLeay.xs    2005-12-22 17:12:54.000000000 +0900
@@ -224,6 +224,25 @@
     OUTPUT:
       RETVAL

+int
+SSL_CTX_set_NO_SSLv2(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|0);
+
+int
+SSL_CTX_set_NO_SSLv3(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|0);
+
+int
+SSL_CTX_set_NO_TLSv1(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|0);
+
+
MODULE = Crypt::SSLeay PACKAGE = Crypt::SSLeay::Conn PREFIX = SSL_ 

SSL*
--- Crypt-SSLeay-0.51/lib/Net/SSL.pm_original 2003-05-28 15:26:08.000000000 +0900 
+++ Crypt-SSLeay-0.51/lib/Net/SSL.pm    2005-12-22 16:41:29.000000000 +0900
@@ -53,6 +53,8 @@
    *$self->{'ssl_new_arg'} = $NEW_ARGS;
    *$self->{'ssl_peer_verify'} = 0;

+    $self->set_context();
+
    ## Crypt::SSLeay must also aware the SSL Proxy before calling
    ## $socket->configure($args). Because the $sock->configure() will
    ## die when failed to resolve the destination server IP address,
@@ -432,4 +434,21 @@
    $count; # number of successful cert loads/checks
}

+# An excerpt from doc/apps/s_client.pod:
+# Unfortunately there are a lot of ancient and broken servers in use
+# Some servers only work if TLS is turned off with the -no_tls option
+sub set_context {
+    my $self = shift;
+    my $ctx = *$self->{ssl_ctx};
+    if ($ENV{'SSL_OP_NO_SSLv2'}) {
+        $ctx->set_NO_SSLv2();
+    }
+    if ($ENV{'SSL_OP_NO_SSLv3'}) {
+        $ctx->set_NO_SSLv3();
+    }
+    if ($ENV{'SSL_OP_NO_TLSv1'}) {
+        $ctx->set_NO_TLSv1();
+    }
+}
+
1;

Reply via email to