perl.libwww | Postings from January 2006

SSL preference setting for Crypt-SSLeay-0.51

From: Taro Kawagishi
Date: January 2, 2006 08:06
Subject: SSL preference setting for Crypt-SSLeay-0.51
Message ID: 43B94F5F.3090901@acm.org

Hello,

This is a patch to add an SSL preference to Crypt-SSLeay-0.51, just like
the SSL level selection buttons that web browsers have in their security
preference dialog.

Recently, while trying to automate access to our payroll system with
WWW::Mechanize, I had to deal with a web server which doesn't accept
TLS 1.0, but only SSL 3.0.

openssl-0.9.8a/doc/apps/s_client.pod says:

"Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only
support SSL v2 and may need the B<-ssl2> option."

Incidentally the server I managed to connect to says it is:
    IBM_HTTP_Server/6.0.2.3 Apache/2.0.47 (Unix)

Since LWP and WWW::Mechanize use Crypt::SSLeay for SSL, I slightly
modified Crypt-SSLeay-0.51 so that I can set a preference for SSL levels.

With this patch you can switch off each of SSL v2, SSL v3, and TLS 1.0
by setting environment variables like this:
$ENV{SSL_OP_NO_SSLv2} = 1;
or
$ENV{SSL_OP_NO_SSLv3} = 1;
or
$ENV{SSL_OP_NO_TLSv1} = 1;

The last one will suppress use of TLS 1.0.

Connecting to the payroll site also involves handling JavaScript, so I
extended WWW::Mechanize with JavaScript::SpiderMonkey, and it is almost
working.  So I should be able to report on that one soon.

Anyway, I will put the patch for Crypt-SSLeay-0.51 below.

-Taro

--- Crypt-SSLeay-0.51/SSLeay.xs_original    2003-05-28 
15:55:02.000000000 +0900
+++ Crypt-SSLeay-0.51/SSLeay.xs    2005-12-22 17:12:54.000000000 +0900
@@ -224,6 +224,25 @@
      OUTPUT:
        RETVAL
 
+int
+SSL_CTX_set_NO_SSLv2(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|0);
+
+int
+SSL_CTX_set_NO_SSLv3(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|0);
+
+int
+SSL_CTX_set_NO_TLSv1(ctx)
+     SSL_CTX* ctx
+     CODE:
+     SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|0);
+
+
 MODULE = Crypt::SSLeay        PACKAGE = Crypt::SSLeay::Conn    PREFIX = 
SSL_
 
 SSL*
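Review bot: the three XSUBs are declared to return `int` but never assign RETVAL and carry no OUTPUT section, so each hands an uninitialised value back to Perl. Either declare them `void`, or keep the return value of SSL_CTX_set_options(), which is the updated option mask, with `RETVAL = SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` followed by `OUTPUT:` / `RETVAL` so the caller can confirm the bit took effect. The `|0` in each call is a no-op and can go. Rather than one XSUB per protocol bit, a single `SSL_CTX_set_options(ctx, options)` wrapper taking the mask from Perl would cover these and any future SSL_OP_* flag without further XS changes.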

--- Crypt-SSLeay-0.51/lib/Net/SSL.pm_original    2003-05-28 
15:26:08.000000000 +0900
+++ Crypt-SSLeay-0.51/lib/Net/SSL.pm    2005-12-22 16:41:29.000000000 +0900
@@ -53,6 +53,8 @@
     *$self->{'ssl_new_arg'} = $NEW_ARGS;
     *$self->{'ssl_peer_verify'} = 0;
 
+    $self->set_context();
+
     ## Crypt::SSLeay must also aware the SSL Proxy before calling
     ## $socket->configure($args). Because the $sock->configure() will
     ## die when failed to resolve the destination server IP address,
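Review bot: `$self->set_context()` reads `*$self->{ssl_ctx}`, so this call depends on that slot having been filled earlier in configure(); the assignment is outside the visible context, and if the ordering ever changes set_context() will call a method on undef without a clear error. The neighbouring lines also show that per-socket state (`ssl_new_arg`, `ssl_peer_verify`) lives in the glob; consider accepting the protocol preference the same way, as a constructor argument stored beside `ssl_peer_verify`, instead of or in addition to environment variables, which are process-wide and silently change every HTTPS connection the process makes.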
@@ -432,4 +434,21 @@
     $count; # number of successful cert loads/checks
 }
 
+# An excerpt from doc/apps/s_client.pod:
+# Unfortunately there are a lot of ancient and broken servers in use
+# Some servers only work if TLS is turned off with the -no_tls option
+sub set_context {
+    my $self = shift;
+    my $ctx = *$self->{ssl_ctx};
+    if ($ENV{'SSL_OP_NO_SSLv2'}) {
+        $ctx->set_NO_SSLv2();
+    }
+    if ($ENV{'SSL_OP_NO_SSLv3'}) {
+        $ctx->set_NO_SSLv3();
+    }
+    if ($ENV{'SSL_OP_NO_TLSv1'}) {
+        $ctx->set_NO_TLSv1();
+    }
+}
+
 1;
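Review bot: set_context() allows all three SSL_OP_NO_* variables to be set at once, which leaves the context with no protocol to offer and a handshake that fails with an opaque OpenSSL error; add a check that at least one of SSLv2, SSLv3 and TLSv1 remains enabled and die with a clear message otherwise. The variables are also undocumented: the POD should list SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 and state that they are read once, when the socket is configured, so they must be set before the first HTTPS request rather than after. The comment excerpt at the top is cut mid-sentence ("ancient and broken servers in use"); either quote the full sentences from s_client.pod or reduce it to a one-line reference to that file.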

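As an added example, not part of the original post or of Crypt::SSLeay itself, the script below shows how a client would drive the interface this patch introduces. It assumes Crypt-SSLeay-0.51 with the patch above applied, so that Net::SSL reads $ENV{SSL_OP_NO_SSLv2}, $ENV{SSL_OP_NO_SSLv3} and $ENV{SSL_OP_NO_TLSv1} while the socket is being configured; the helper names set_ssl_preference and fetch_with_fallback and the URL are hypothetical. It adds the two checks a practitioner would want around this interface: refusing a preference that disables every protocol, and scoping the relaxed setting to a single request, since %ENV is process-wide and would otherwise weaken every later HTTPS connection the process makes.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from Crypt::SSLeay.
# Assumes Crypt-SSLeay-0.51 with the patch above applied (Net::SSL reads the
# SSL_OP_NO_* environment variables in set_context()).  Helper names and the
# URL are hypothetical.
use strict;
use warnings;
use LWP::UserAgent;

my %ENV_NAME = (sslv2 => 'SSL_OP_NO_SSLv2',
                sslv3 => 'SSL_OP_NO_SSLv3',
                tlsv1 => 'SSL_OP_NO_TLSv1');

# Translate an allow-list of protocols into the patch's switch-off variables.
# Returns the effective preference; dies on a preference that can never work.
sub set_ssl_preference {
    my %allow = (sslv2 => 0, sslv3 => 1, tlsv1 => 1, @_);   # SSLv2 off by default
    my @unknown = grep { !exists $ENV_NAME{$_} } keys %allow;
    die "unknown protocol(s): @unknown\n" if @unknown;
    die "refusing to disable every protocol: no handshake could succeed\n"
        unless grep { $_ } values %allow;

    for my $proto (keys %ENV_NAME) {
        # set_context() only tests truthiness, so clear the variable to enable
        # a protocol rather than assigning 0 (both work; this keeps %ENV tidy).
        if ($allow{$proto}) { delete $ENV{ $ENV_NAME{$proto} } }
        else                { $ENV{ $ENV_NAME{$proto} } = 1 }
    }
    return \%allow;
}

# Try the strict preference first, then the legacy one for servers like the
# one in the post that speak only SSL 3.0.  %ENV is localised per attempt, so
# the relaxed setting ends with this call and does not leak into other
# requests made by the same process.
sub fetch_with_fallback {
    my ($url) = @_;
    my $ua = LWP::UserAgent->new(timeout => 30);
    my @attempts = (
        { name => 'TLS 1.0 only', tlsv1 => 1, sslv3 => 0 },
        { name => 'SSL 3.0 only', tlsv1 => 0, sslv3 => 1 },
    );
    for my $attempt (@attempts) {
        local %ENV = %ENV;            # undone when this iteration ends
        my %pref = %$attempt;
        my $name = delete $pref{name};
        set_ssl_preference(%pref);
        # Net::SSL is configured (and set_context() run) inside this call,
        # so the variables must already be in place here.
        my $res = $ua->get($url);
        return ($res, $name) if $res->is_success;
        # LWP reports a failed connection or handshake as a synthetic 500 whose
        # status line carries the SSL error; any other failure is not a
        # protocol mismatch and should not be retried with a weaker protocol.
        last unless $res->code == 500 && $res->status_line =~ /SSL|connect/i;
    }
    return;
}

my ($res, $used) = fetch_with_fallback('https://payroll.example/login');
if ($res) {
    print "fetched ", length($res->content), " bytes using $used\n";
} else {
    print "all protocol preferences failed\n";
}
```

The order of operations is the point: the variables are consulted only while Net::SSL configures the socket, which LWP does inside `$ua->get`, so a preference set after the first request has no effect on it, and a preference left in %ENV applies to every request that follows.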