On 16.12.2021 13:41, arekm wrote: > commit d393768d64437bb1a9054fb07de0cb32f7395a2d > Author: Arkadiusz Miśkiewicz <ar...@maven.pl> > Date: Thu Dec 16 13:40:41 2021 +0100 > > Rel 2; use system default ssl version and cipher list (from fc). > ... > diff --git a/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch > b/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch > new file mode 100644 > index 0000000..800ab64 > --- /dev/null > +++ b/IO-Socket-SSL-2.068-use-system-default-cipher-list.patch 
> @@ -0,0 +1,101 @@ > +--- lib/IO/Socket/SSL.pm > ++++ lib/IO/Socket/SSL.pm > +@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = ( > + SSL_npn_protocols => undef, # meaning depends whether on server or > client side > + SSL_alpn_protocols => undef, # list of protocols we'll accept/send, > for example ['http/1.1','spdy/3.1'] > + > +- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05 > +- # "Old backward compatibility" for best compatibility > +- # .. "Most ciphers that are not clearly broken and dangerous to use are > supported" > +- # slightly reordered to prefer AES since it is cheaper when hardware > accelerated > +- SSL_cipher_list => > 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', > ++ # Use system-wide default cipher list to support use of system-wide > ++ # crypto policy (#1076390, #1127577, CPAN RT#97816) > ++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy > ++ SSL_cipher_list => 'PROFILE=SYSTEM',
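Review bot: The replacement value SSL_cipher_list => 'PROFILE=SYSTEM' is introduced without any fallback for a system that does not define that profile. The added comment points to the Fedora CryptoPolicy page and the commit message says the change comes from fc, so the string depends on a system-wide crypto policy being present. A TLS library that cannot resolve the string will reject the cipher list, and every connection made with these defaults will fail. Either keep the explicit cipher list that this hunk removes, or apply the patch only where the system policy is known to exist, and state that dependency next to the new comment.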
Where is this PROFILE SYSTEM defined in PLD?

With this patch ddclient started to fail on every https call:

Failed to set SSL cipher list error:0A0000B9:SSL routines::no cipher match
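A way to reproduce the check behind the error reported above, as an added example that is not part of the original message or of IO::Socket::SSL: it asks the local OpenSSL build whether it can resolve a cipher string such as 'PROFILE=SYSTEM' and what the string expands to. Assumptions: Python's ssl module is linked against the same OpenSSL as the Perl stack, and the function names and the 'DEFAULT' fallback are chosen for this example only.

```python
import ssl


def resolve(cipher_string):
    """Return the pre-TLS-1.3 suites the string expands to, or None if rejected.

    set_ciphers() passes the string to OpenSSL's cipher-list parser; a string
    the build cannot resolve raises ssl.SSLError, which is the condition the
    "no cipher match" error in the message above reports.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are configured separately and are not governed by this
    # string, so they are left out of the report.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(candidates):
    """Map every candidate string to its expansion (None means rejected)."""
    return {c: resolve(c) for c in candidates}


def pick_cipher_list(candidates):
    """Return the first candidate the local TLS library accepts."""
    for candidate in candidates:
        if resolve(candidate) is not None:
            return candidate
    raise RuntimeError("no candidate cipher string is usable on this system")


if __name__ == "__main__":
    # 'PROFILE=SYSTEM' is the value from the patch; 'DEFAULT' is the
    # example's own fallback, not something the patch provides.
    wanted = ["PROFILE=SYSTEM", "DEFAULT"]
    for name, suites in probe(wanted).items():
        state = "rejected" if suites is None else "%d suites" % len(suites)
        print("%-16s %s" % (name, state))
    print("usable:", pick_cipher_list(wanted))
```
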