Here's a chunk of code from one of my projects. A config file setting allows an admin to choose from: all, high, medium, or pci.

    # Map the configured level to an OpenSSL cipher string
    my $s = $ciphers eq 'all'    ? 'ALL'
          : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
          : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
          : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
          :                        'DEFAULT';

Then you set SSL_cipher_list in the call to IO::Socket::SSL::SSL_Context->new.

Matt

PS: IIRC, I pulled the high, medium, low settings out of the openssl docs.

On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:

>
> I've seen some reports that qpsmtpd fails some PCI compliance testing
> because it can be accessed via SSLv2.
>
> http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
>
> http://bugs.contribs.org/show_bug.cgi?id=6141
>
> Here's a simple, and untested, patch - someone might care to do something
> more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately
> IO::Socket::SSL doesn't seem to allow disable of just SSLv2).
>
> --- qpsmtpd-0.83/plugins/tls.orig 2010-07-22 22:04:00.000000000 -0400 > +++ qpsmtpd-0.83/plugins/tls 2010-07-22 22:09:35.000000000 -0400 > @@ -80,6 +80,7 @@ > local $^W; # this bit is very noisy... > my $ssl_ctx = IO::Socket::SSL::SSL_Context->new( > SSL_use_cert => 1, > + SSL_version => 'TLSv1', > SSL_cert_file => $self->tls_cert, > SSL_key_file => $self->tls_key, > SSL_ca_file => $self->tls_ca, > @@ -176,6 +177,7 @@ > my $tlssocket = IO::Socket::SSL->new_from_fd( > fileno(STDIN), '+>', > SSL_use_cert => 1, > + SSL_version => 'TLSv1', > SSL_cert_file => $self->tls_cert, > SSL_key_file => $self->tls_key, > SSL_ca_file => $self->tls_ca, >
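
Review bot: In the first hunk (@@ -80, the IO::Socket::SSL::SSL_Context->new call), the hard-coded SSL_version => 'TLSv1' turns off SSLv3 as well as SSLv2, while the report being addressed is only about SSLv2, and the patch is posted as untested. A peer that can only negotiate SSLv3 would lose STARTTLS after this change, with nothing an admin can adjust. Consider taking the value from a plugin argument (a hypothetical name such as tls_version would do) with 'TLSv1' as the default, and document that argument in the plugin's POD next to the existing cert, key and CA settings.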
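
Review bot: In the second hunk (@@ -176, the IO::Socket::SSL->new_from_fd call), the same 'TLSv1' literal is repeated independently of the one passed to SSL_Context->new, so the two code paths can drift if only one is edited later. Compute the protocol setting once (for example in the plugin's init) and pass that single value to both calls. If a cipher restriction via SSL_cipher_list is added as suggested in the reply, it needs the same treatment so that both call sites enforce identical policy.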