noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Default SSL_version should be restricted to TLS 1.2+ #122

Closed haarg closed 1 year ago

haarg commented 1 year ago

TLS versions below 1.2 are now considered insecure and should be blocked by default.

Currently, only SSL2 and SSL3 are blocked.

noxxi commented 1 year ago

Since 2.082 the default is now TLS1.2+ - see 4f6ea831.

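Added illustration (not code from the issue or from the IO::Socket::SSL distribution): whatever the module default is in the installed version, an application can pin its own floor with SSL_version and confirm what was actually negotiated with get_sslversion. The script below starts a loopback server that refuses anything below TLS 1.2 and probes it with a TLS 1.0-only client and then a TLS 1.2 client. Assumptions: the throw-away cert is generated with IO::Socket::SSL::Utils::CERT_create, the client skips verification only because that cert is disposable, and the local OpenSSL still has TLS 1.0 compiled in (if it does not, the TLSv1 probe fails before connecting and the server's accept simply times out).

```perl
#!/usr/bin/env perl
# Example (not part of the project): enforce a TLS 1.2 floor explicitly
# instead of relying on the module default, and observe the result.
use strict;
use warnings;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create);

print "IO::Socket::SSL $IO::Socket::SSL::VERSION\n";

# Throw-away self-signed certificate for the loopback server (assumption:
# CERT_create is available; it ships with IO::Socket::SSL).
my ($cert, $key) = CERT_create(
    subject => { CN => 'localhost' },
    purpose => 'server',
);

# Server side: allow everything SSLv23 would negotiate, then subtract
# every protocol below TLS 1.2. Explicit, so it works on versions older
# than 2.082 as well. Timeout keeps accept() from blocking forever if a
# probe never reaches the socket.
my $server = IO::Socket::SSL->new(
    LocalAddr   => '127.0.0.1',
    LocalPort   => 0,
    Listen      => 5,
    Timeout     => 5,
    SSL_cert    => $cert,
    SSL_key     => $key,
    SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1',
) or die "listen failed: $!,$SSL_ERROR";
my $port = $server->sockport;

my $pid = fork() // die "fork: $!";
if (!$pid) {
    # Client side: first a TLS 1.0-only client (expected to be rejected),
    # then a TLS 1.2 client (expected to succeed).
    close($server);
    for my $v ('TLSv1', 'TLSv1_2') {
        my $cl = IO::Socket::SSL->new(
            PeerAddr        => '127.0.0.1',
            PeerPort        => $port,
            SSL_version     => $v,
            # SSL_VERIFY_NONE only because the server cert is disposable;
            # a real client keeps the default SSL_VERIFY_PEER.
            SSL_verify_mode => SSL_VERIFY_NONE,
        );
        if ($cl) {
            print "client $v: negotiated ", $cl->get_sslversion, "\n";
            close($cl);
        } else {
            print "client $v: failed ($SSL_ERROR)\n";
        }
    }
    exit 0;
}

# Parent: handle the two probes. A failed handshake makes accept()
# return undef with the reason in $SSL_ERROR.
for (1 .. 2) {
    my $conn = $server->accept;
    if ($conn) {
        print "server: accepted ", $conn->get_sslversion, "\n";
        close($conn);
    } else {
        print "server: rejected or timed out ($SSL_ERROR)\n";
    }
}
waitpid($pid, 0);
```

The SSL_version string form shown (a base method followed by `!`-excluded protocols) is the documented way to express a minimum version; a client that sets it does not depend on which IO::Socket::SSL release, or which system OpenSSL policy, happens to be installed.
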
spicyprogramming commented 1 year ago

Just FYI this change prevents installation on Ubuntu 16.04 LTS:

root@811bcdb2dd8c:~# cpanm IO::Socket::SSL
--> Working on IO::Socket::SSL
Fetching http://www.cpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-2.082.tar.gz ... OK
Configuring IO-Socket-SSL-2.082 ... OK
Building and testing IO-Socket-SSL-2.082 ... FAIL
! Installing IO::Socket::SSL failed. See /root/.cpanm/work/1684396466.4663/build.log for details. Retry with --force to force install it.
root@811bcdb2dd8c:~# 
t/plain_upgrade_downgrade.t ....... ok     
t/protocol_version.t .............. Bailout called.  Further testing stopped:  cannot listen on localhost: No such file or directory
FAILED--Further testing stopped: cannot listen on localhost: No such file or directory
Makefile:859: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255
root@811bcdb2dd8c:~/.cpanm/work/1684396466.4663/IO-Socket-SSL-2.082# make test_dynamic

installing without tests seems to work

root@811bcdb2dd8c:~# cpanm -n IO::Socket::SSL
--> Working on IO::Socket::SSL
Fetching http://www.cpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-2.082.tar.gz ... OK
Configuring IO-Socket-SSL-2.082 ... OK
Building IO-Socket-SSL-2.082 ... OK
Successfully installed IO-Socket-SSL-2.082
1 distribution installed
root@811bcdb2dd8c:~# 

Ubuntu 16.04 LTS is still supported under Expanded Security Maintenance (ESM)

noxxi commented 1 year ago

t/protocol_version.t .............. Bailout called.

This was a regression affecting only older OpenSSL versions (and LibreSSL) with no support for SECLEVEL. Fixed in 2.083.

spicyprogramming commented 1 year ago

Thanks, very appreciated:

root@8e4bd7e6a8e7:/# lsb_release -a
LSB Version:    core-9.20160110ubuntu0.2-amd64:core-9.20160110ubuntu0.2-noarch:security-9.20160110ubuntu0.2-amd64:security-9.20160110ubuntu0.2-noarch
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.7 LTS
Release:    16.04
Codename:   xenial
root@8e4bd7e6a8e7:/# cpan SULLR/IO-Socket-SSL-2.083.tar.gz
...
root@8e4bd7e6a8e7:/# cpanm IO::Socket::SSL
IO::Socket::SSL is up to date. (2.083)

For some reason installing with cpanm IO::Socket::SSL is still fetching v2.082, but maybe it's just a matter of time.

root@ed56d9673176:/# cpanm IO::Socket::SSL
--> Working on IO::Socket::SSL
Fetching http://www.cpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-2.082.tar.gz ... OK
Configuring IO-Socket-SSL-2.082 ... OK
Building and testing IO-Socket-SSL-2.082 ... ^C

EDIT: nvm, it works now as cpanm IO::Socket::SSL