[PATCH] AnyEvent::TLS and TLSv1.[12]

Maxime Soulé btik-cpan at scoubidou.com
Fri Aug 30 16:36:07 CEST 2013


With the attached patch, it is now possible to specifically handle the
TLSv1.1 and TLSv1.2 protocols.

To avoid modifying AnyEvent::TLS each time a new protocol or option is 
available in Net::SSLeay, perhaps it could be a good thing to put the 
CTX creation and $op initialisation in a special class method, so we can 
inherit from AnyEvent::TLS and just redefine this method to add new 
options or new protocols?

Best regards,

-------------- next part --------------
--- lib/AnyEvent/TLS.pm.orig	2013-08-30 15:47:20.000000000 +0200
+++ lib/AnyEvent/TLS.pm	2013-08-30 16:21:54.000000000 +0200
@@ -127,12 +127,13 @@
 =over 4
-=item method => "SSLv2" | "SSLv3" | "TLSv1" | "any"
+=item method => "SSLv2" | "SSLv3" | "TLSv1" | "TLSv1_1" | "TLSv1_2" | "any"
-The protocol parser to use. C<SSLv2>, C<SSLv3> and C<TLSv1> will use
-a parser for those protocols only (so will I<not> accept or create
-connections with/to other protocol versions), while C<any> (the
-default) uses a parser capable of all three protocols.
+The protocol parser to use. C<SSLv2>, C<SSLv3>, C<TLSv1>, C<TLSv1_1>
+and C<TLSv1_2> will use a parser for those protocols only (so will
+I<not> accept or create connections with/to other protocol versions),
+while C<any> (the default) uses a parser capable of all three
 The default is to use C<"any"> but disable SSLv2. This has the effect of
 sending a SSLv2 hello, indicating the support for SSLv3 and TLSv1, but not
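Review bot: the rewritten description of C<any> still says "a parser capable of all three", which is stale now that five protocol versions are listed, and the last added line stops at "all three" without the "protocols." that the removed line carried, so the sentence is cut off before the "The default is..." context line; suggest "while C<any> (the default) uses a parser capable of all of the above protocols." The unchanged context line "indicating the support for SSLv3 and TLSv1" should also mention TLSv1.1 and TLSv1.2, since the version-flexible context negotiates those too when the underlying OpenSSL implements them.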
@@ -141,7 +142,7 @@
 Specifying a specific version is almost always wrong to use for a server
 speaking to a wide variety of clients (e.g. web browsers), and often wrong
 for a client. If you only want to allow a specific protocol version, use
-the C<sslv2>, C<sslv3> or C<tlsv1> arguments instead.
+the C<sslv2>, C<sslv3>, C<tlsv1>, C<tlsv1_1> or C<tlsv1_2> arguments instead.
 For new services it is usually a good idea to enforce a C<TLSv1> method
 from the beginning.
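Review bot: the advice in the trailing context, "enforce a C<TLSv1> method" for new services, now points at the oldest of the three single-version TLS parsers; with this patch the natural recommendation is the C<tlsv1_1>/C<tlsv1_2> toggles (keeping C<any> so that clients can negotiate the newest version) or, where a single version is really wanted, C<TLSv1_2>. Worth updating in the same hunk so the documentation does not steer readers to TLS 1.0 right after listing the newer versions.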
@@ -158,6 +159,14 @@
 Enable or disable TLSv1 (normally I<enabled>).
+=item tlsv1_1 => $enabled
+Enable or disable TLSv1_1 (normally I<enabled>).
+=item tlsv1_2 => $enabled
+Enable or disable TLSv1_2 (normally I<enabled>).
 =item verify => $enable
 Enable or disable peer certificate checking (default is I<disabled>, which
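Review bot: the two added items say "Enable or disable TLSv1_1" and "TLSv1_2" in running text; the underscore spelling is the argument name, the protocols are TLSv1.1 and TLSv1.2, so write e.g. "Enable or disable TLSv1.1 (normally I<enabled>)" to match how the existing items name the protocol. "Normally enabled" is also only true when Net::SSLeay was built against an OpenSSL that implements these versions; a short caveat that the toggles are unavailable on older builds would save users a surprise.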
@@ -565,7 +574,9 @@
            : $method eq "sslv2"  ? Net::SSLeay::CTX_v2_new    ()
            : $method eq "sslv3"  ? Net::SSLeay::CTX_v3_new    ()
            : $method eq "tlsv1"  ? Net::SSLeay::CTX_tlsv1_new ()
-           : croak "'$method' is not a valid AnyEvent::TLS method (must be one of SSLv2, SSLv3, TLSv1 or any)";
+           : $method eq "tlsv1_1" ? Net::SSLeay::CTX_tlsv1_1_new ()
+           : $method eq "tlsv1_2" ? Net::SSLeay::CTX_tlsv1_2_new ()
+           : croak "'$method' is not a valid AnyEvent::TLS method (must be one of SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2 or any)";
    my $self = bless { ctx => $ctx }, $class; # to make sure it's destroyed if we croak
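Review bot: the two new ternary branches call Net::SSLeay::CTX_tlsv1_1_new () and Net::SSLeay::CTX_tlsv1_2_new () unconditionally, but those constructors only exist when Net::SSLeay is built against an OpenSSL with TLS 1.1/1.2 support; on an older build, method => "TLSv1_2" dies at runtime with "Undefined subroutine &Net::SSLeay::CTX_tlsv1_2_new called" from inside the constructor rather than a meaningful error. Suggest guarding each branch with `defined &Net::SSLeay::CTX_tlsv1_2_new` (or `Net::SSLeay->can ("CTX_tlsv1_2_new")`) and croaking with something like "TLSv1_2 is not supported by this Net::SSLeay/OpenSSL". Updating the croak message to list the new method names is good.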
@@ -574,6 +585,8 @@
    $op |= Net::SSLeay::OP_NO_SSLv2      () unless $arg{sslv2};
    $op |= Net::SSLeay::OP_NO_SSLv3      () if exists $arg{sslv3} && !$arg{sslv3};
    $op |= Net::SSLeay::OP_NO_TLSv1      () if exists $arg{tlsv1} && !$arg{tlsv1};
+   $op |= Net::SSLeay::OP_NO_TLSv1_1    () if exists $arg{tlsv1_1} && !$arg{tlsv1_1};
+   $op |= Net::SSLeay::OP_NO_TLSv1_2    () if exists $arg{tlsv1_2} && !$arg{tlsv1_2};
    $op |= Net::SSLeay::OP_SINGLE_DH_USE () if !exists $arg{dh_single_use} || $arg{dh_single_use};
    Net::SSLeay::CTX_set_options ($ctx, $op);
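Review bot: same availability concern for the two added $op lines: Net::SSLeay::OP_NO_TLSv1_1 () and OP_NO_TLSv1_2 () are only evaluated when the caller passes tlsv1_1 => 0 or tlsv1_2 => 0, so on a Net::SSLeay without these constants the failure is an "Undefined subroutine" from inside the constructor instead of a clear croak; a `defined &Net::SSLeay::OP_NO_TLSv1_1` check with a croak (or documented no-op) would make the behaviour predictable. It would also help to document that these flags only take effect with the "any" method: a CTX created by CTX_tlsv1_1_new already speaks exactly one version, so tlsv1_2 => 0 on it changes nothing.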
