
SSL preference setting for Crypt-SSLeay-0.51: msg#00002

lang.perl.modules.lwp

Subject: SSL preference setting for Crypt-SSLeay-0.51

Hello,

This is a patch to add SSL preference to Crypt-SSLeay-0.51, just like
the web browsers have SSL level selection buttons in their security
preference dialog.

Recently trying to automate access to our payroll system with
WWW::Mechanize I had to deal with a web server which doesn't accept
TLS 1.0, but only SSL 3.0.

openssl-0.9.8a/doc/apps/s_client.pod says:

"Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only
support SSL v2 and may need the B<-ssl2> option."

Incidentally the server I managed to connect to says it is:
IBM_HTTP_Server/6.0.2.3 Apache/2.0.47 (Unix)

Since LWP and WWW::Mechanize use Crypt::SSLeay for SSL, I slightly
modified Crypt-SSLeay-0.51 so that I can set preference for SSL levels.

With this patch you can switch off each of SSL v2, SSL v3, and TLS 1.0
by setting environment variables like this:
$ENV{SSL_OP_NO_SSLv2} = 1;
or
$ENV{SSL_OP_NO_SSLv3} = 1;
or
$ENV{SSL_OP_NO_TLSv1} = 1;

The last one will suppress use of TLS 1.0.

Connecting to the payroll site for me involves handling of JavaScript
too, so I extended WWW::Mechanize with JavaScript::SpiderMonkey and it
is almost working. So I should be able to report this one soon.

Anyway I will put the patch for Crypt-SSLeay-0.51 below.

-Taro

--- Crypt-SSLeay-0.51/SSLeay.xs_original 2003-05-28 15:55:02.000000000 +0900
+++ Crypt-SSLeay-0.51/SSLeay.xs 2005-12-22 17:12:54.000000000 +0900
@@ -224,6 +224,25 @@
OUTPUT:
RETVAL

+int
+SSL_CTX_set_NO_SSLv2(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|0);
+
+int
+SSL_CTX_set_NO_SSLv3(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|0);
+
+int
+SSL_CTX_set_NO_TLSv1(ctx)
+ SSL_CTX* ctx
+ CODE:
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|0);
+
+
MODULE = Crypt::SSLeay PACKAGE = Crypt::SSLeay::Conn PREFIX = SSL_

SSL*
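Review bot: the three new XSUBs are declared `int` but never assign RETVAL, so the updated option mask that SSL_CTX_set_options returns is discarded and callers get nothing back; either write `RETVAL = SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` with an `OUTPUT: RETVAL` section like the function just above this hunk, or declare them `void`. The `|0` in each call is a no-op and can go. The three bodies differ only in the flag, so one `SSL_CTX_set_options(ctx, options)` wrapper taking the bit mask (with the SSL_OP_NO_* constants exported to Perl) would remove the duplication and let a caller switch off several protocols in a single call.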

--- Crypt-SSLeay-0.51/lib/Net/SSL.pm_original 2003-05-28 15:26:08.000000000 +0900
+++ Crypt-SSLeay-0.51/lib/Net/SSL.pm 2005-12-22 16:41:29.000000000 +0900
@@ -53,6 +53,8 @@
*$self->{'ssl_new_arg'} = $NEW_ARGS;
*$self->{'ssl_peer_verify'} = 0;

+ $self->set_context();
+
## Crypt::SSLeay must also aware the SSL Proxy before calling
## $socket->configure($args). Because the $sock->configure() will
## die when failed to resolve the destination server IP address,
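Review bot: `$self->set_context()` is inserted right after the `ssl_peer_verify` default, and set_context dereferences `*$self->{ssl_ctx}`; make sure the context object already exists at this point in configure(), otherwise `$ctx->set_NO_SSLv2()` on an undefined value dies with a generic "Can't call method" error instead of a message about SSL options. Because the call is unconditional and driven only by %ENV, every Net::SSL socket in the process inherits the same protocol restriction; accepting the setting through the `$args` hash that configure() already takes would let a caller restrict one connection (the SSL 3.0-only payroll server) without affecting the rest.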
@@ -432,4 +434,21 @@
$count; # number of successful cert loads/checks
}

+# An excerpt from doc/apps/s_client.pod:
+# Unfortunately there are a lot of ancient and broken servers in use
+# Some servers only work if TLS is turned off with the -no_tls option
+sub set_context {
+ my $self = shift;
+ my $ctx = *$self->{ssl_ctx};
+ if ($ENV{'SSL_OP_NO_SSLv2'}) {
+ $ctx->set_NO_SSLv2();
+ }
+ if ($ENV{'SSL_OP_NO_SSLv3'}) {
+ $ctx->set_NO_SSLv3();
+ }
+ if ($ENV{'SSL_OP_NO_TLSv1'}) {
+ $ctx->set_NO_TLSv1();
+ }
+}
+
1;
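Review bot: set_context tests the three environment variables independently, so setting all of them leaves the context with no protocol it may negotiate and the failure surfaces later as an opaque handshake error; detect that combination here and die with a clear message. The POD should also say which values count as set, since `$ENV{SSL_OP_NO_SSLv2} = 0` or an empty string disables nothing while any other non-empty value does. The header comment calls itself an excerpt from s_client.pod but truncates both sentences it quotes; either quote them verbatim or mark the lines as a paraphrase. Given how weak SSL v2 is, consider setting SSL_OP_NO_SSLv2 unless the caller explicitly asks for it.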
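The following is an added example, not part of Taro's patch or of Crypt-SSLeay itself. It shows one way to turn the three SSL_OP_NO_* environment variables the patch introduces into a validated plan before touching a context: the plan is computed once, a configuration that disables every protocol is rejected up front (instead of failing later in the handshake), and only then are the patch's CTX methods called. The methods `set_NO_SSLv2`, `set_NO_SSLv3` and `set_NO_TLSv1` exist only with the patch applied; `DemoCtx` is a constructed stub that records the calls so the script runs without OpenSSL.

```perl
#!/usr/bin/perl
# Added example (not from Crypt-SSLeay or the patch): validate the
# SSL_OP_NO_* environment variables before applying them to a context.
use strict;
use warnings;

# The three protocols the patch can switch off, in the order it names them.
my @PROTOCOLS = qw(SSLv2 SSLv3 TLSv1);

# Reads $env (defaults to %ENV) and returns { SSLv2 => 0|1, SSLv3 => 0|1,
# TLSv1 => 0|1 }. Only "1", "yes" or "true" (case-insensitive) count as set,
# so "0" and "" leave a protocol enabled. Dies if nothing would be left.
sub protocol_disables_from_env {
    my ($env) = @_;
    $env ||= \%ENV;
    my %disable;
    for my $p (@PROTOCOLS) {
        my $v = $env->{"SSL_OP_NO_$p"};
        $disable{$p} = (defined $v && $v =~ /^(?:1|yes|true)$/i) ? 1 : 0;
    }
    my @left = grep { !$disable{$_} } @PROTOCOLS;
    die "SSL_OP_NO_* disables every protocol; nothing is left to negotiate\n"
        unless @left;
    return \%disable;
}

# Applies a plan from protocol_disables_from_env() through the patch's
# (hypothetical) CTX methods set_NO_SSLv2 / set_NO_SSLv3 / set_NO_TLSv1.
# Returns the number of protocols that were disabled.
sub apply_protocol_disables {
    my ($ctx, $disable) = @_;
    my @off = grep { $disable->{$_} } @PROTOCOLS;
    for my $p (@off) {
        my $method = "set_NO_$p";
        $ctx->$method();
    }
    return scalar @off;
}

# Constructed stand-in for Crypt::SSLeay::CTX: records which methods ran.
package DemoCtx;
sub new          { bless { calls => [] }, shift }
sub set_NO_SSLv2 { push @{ $_[0]{calls} }, 'SSLv2' }
sub set_NO_SSLv3 { push @{ $_[0]{calls} }, 'SSLv3' }
sub set_NO_TLSv1 { push @{ $_[0]{calls} }, 'TLSv1' }
package main;

unless (caller) {
    # Constructed environment: leave only SSL 3.0, as the payroll server needs.
    my $plan = protocol_disables_from_env(
        { SSL_OP_NO_SSLv2 => 1, SSL_OP_NO_TLSv1 => 1 }
    );
    my $ctx = DemoCtx->new;
    my $n   = apply_protocol_disables($ctx, $plan);
    print "disabled $n protocol(s): @{ $ctx->{calls} }\n";

    # Disabling all three is refused before any context is touched.
    eval { protocol_disables_from_env(
        { SSL_OP_NO_SSLv2 => 1, SSL_OP_NO_SSLv3 => 1, SSL_OP_NO_TLSv1 => 1 }
    ) };
    print "rejected: $@" if $@;
}
```

With a real Crypt::SSLeay::CTX in place of `DemoCtx`, `apply_protocol_disables` would be called from `set_context` in Net/SSL.pm; the plan step is what keeps an all-disabled environment from producing a silent handshake failure.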
