On Sun, 25 Jul 2010, Matt Simerson wrote:

> Here's a chunk of code from one of my projects:
>
> A config file setting allows an admin to choose from: all, high, medium, or
> pci.
>
>     my $s = $ciphers eq 'all'    ? 'ALL'
>           : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
>           : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
>           : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
>           :                        'DEFAULT';
>
> Then you set SSL_cipher_list in the call to
> IO::Socket::SSL::SSL_Context->new.

Please note that SSL_version is distinct from the cipher list, and is not
settable in the current code.

> Matt
>
> PS: IIRC, I pulled the high, medium, low settings out of the openssl docs.
>
> On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:
>
> > I've seen some reports that qpsmtpd fails some PCI compliance testing
> > because it can be accessed via SSLv2.
> >
> > http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
> >
> > http://bugs.contribs.org/show_bug.cgi?id=6141
> >
> > Here's a simple, and untested, patch - someone might care to do something
> > more elaborate to allow a choice of TLSv1 or SSLv3 (unfortunately
> > IO::Socket::SSL doesn't seem to allow disabling just SSLv2).
> >
> > --- qpsmtpd-0.83/plugins/tls.orig	2010-07-22 22:04:00.000000000 -0400
> > +++ qpsmtpd-0.83/plugins/tls	2010-07-22 22:09:35.000000000 -0400
> > @@ -80,6 +80,7 @@
> >      local $^W; # this bit is very noisy...
> >      my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
> >          SSL_use_cert => 1,
> > +        SSL_version => 'TLSv1',
> >          SSL_cert_file => $self->tls_cert,
> >          SSL_key_file => $self->tls_key,
> >          SSL_ca_file => $self->tls_ca,
> > @@ -176,6 +177,7 @@
> >      my $tlssocket = IO::Socket::SSL->new_from_fd(
> >          fileno(STDIN), '+>',
> >          SSL_use_cert => 1,
> > +        SSL_version => 'TLSv1',
> >          SSL_cert_file => $self->tls_cert,
> >          SSL_key_file => $self->tls_key,
> >          SSL_ca_file => $self->tls_ca,
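Review bot: the hard-coded SSL_version => 'TLSv1' in the SSL_Context->new hunk pins the listener to exactly one protocol version, so besides refusing SSLv2 it also refuses SSLv3 clients and any later TLS version the library supports, which is stricter than the cover note's stated goal of dropping SSLv2. Since the plugin already reads per-site values through accessors such as $self->tls_cert, consider sourcing the version the same way, for example a hypothetical $self->tls_version accessor (not in the patch) that defaults to 'TLSv1', so a site can choose TLSv1 or SSLv3 without editing the plugin. The cover note also says the patch is untested; before it ships it is worth confirming against a test instance that an SSLv2 handshake is now refused and that a TLSv1 handshake still completes.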
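Review bot: the second hunk duplicates the same literal 'TLSv1' in the new_from_fd call, so the two sites can silently drift apart if one is later changed and the other is not; define the accepted version once (a single variable or config-derived value used by both the SSL_Context->new and new_from_fd calls) so there is one place that determines which protocol the server accepts.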