From 68cec04ee61708691430e66369bcf9e508a2648c Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Wed, 21 Sep 2011 01:13:58 +0000
Subject: [PATCH] SSL version selection ability.

IO::Socket:SSL defaults to SSLv2/3 in recent versions. This means that there is no way to disable TLS, or force a version of SSL in Perlbal. IO::Socket:SSL provides the SSL_version tunable for this case, which is now exposed in Perlbal by this patch.

Signed-off-by: Robin H. Johnson
---
 doc/service-parameters.txt | 4 ++++
 lib/Perlbal/Manual/Internals.pod | 5 +++++
 lib/Perlbal/Manual/ReverseProxy.pod | 5 +++++
 lib/Perlbal/Service.pm | 8 ++++++++
 4 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/doc/service-parameters.txt b/doc/service-parameters.txt
index 3c00aaf..89c78a3 100644
--- a/doc/service-parameters.txt
+++ b/doc/service-parameters.txt
@@ -84,6 +84,10 @@ For all services:
 |---------------------------+----+---------------------+---------------------------|
 |ssl_cipher_list | |ALL:!LOW:!EXP |OpenSSL-style cipher list. |
 |---------------------------+----+---------------------+---------------------------|
+|ssl_version | | |Sets the version of the SSL|
+| | | |protocol used to transmit |
+| | | |data. |
+|---------------------------+----+---------------------+---------------------------|
 |ssl_key_file | |certs/server-key.pem |Path to private key PEM |
 | | | |file for SSL. |
 |---------------------------+----+---------------------+---------------------------|
diff --git a/lib/Perlbal/Manual/Internals.pod b/lib/Perlbal/Manual/Internals.pod
index 74da3f6..170370e 100644
--- a/lib/Perlbal/Manual/Internals.pod
+++ b/lib/Perlbal/Manual/Internals.pod
@@ -984,6 +984,11 @@ File to path to cert pem file.
 OpenSSL cipher list string.
+=item ssl_version
+
+OpenSSL protocols to offer.
+
+
 =item ssl_ca_path
 Path to certificates directory.
diff --git a/lib/Perlbal/Manual/ReverseProxy.pod b/lib/Perlbal/Manual/ReverseProxy.pod
index 1fdecb3..2faf40f 100644
--- a/lib/Perlbal/Manual/ReverseProxy.pod
+++ b/lib/Perlbal/Manual/ReverseProxy.pod
@@ -279,6 +279,11 @@ OpenSSL-style cipher list.
 Default is C.
+=item B = SSL version
+
+Sets the version of the SSL protocol used to transmit data. The default is taken from L. You may specify C (auto-negotiates between SSLv2 and SSLv3), C, C, or C (case-insensitive) if you do not want this behavior.
+
+Default is to use the default from L.
 =item B = path/to/file
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index ad3f958..4d2c8d4 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -97,6 +97,7 @@ use fields (
 'ssl_cipher_list', # OpenSSL cipher list string
 'ssl_ca_path', # directory: path to certificates
 'ssl_verify_mode', # int: verification mode, see IO::Socket::SSL documentation
+ 'ssl_version', # IO::Socket::SSL ssl_version string
 'enable_error_retries', # bool: whether we should retry requests after errors
 'error_retry_schedule', # string of comma-separated seconds (full or partial) to delay between retries
@@ -591,6 +592,12 @@ our $tunables = {
 default => "ALL:!LOW:!EXP",
 check_role => "*",
 },
+
+ 'ssl_version' => {
+ des => "SSL protocol to offer.",
+ default => undef,
+ check_role => "*",
+ },
 'ssl_ca_path' => {
 des => 'Path to directory containing certificates for SSL.',
@@ -1603,6 +1610,7 @@ sub enable {
 SSL_key_file => $self->{ssl_key_file},
 SSL_cert_file => $self->{ssl_cert_file},
 SSL_cipher_list => $self->{ssl_cipher_list},
+ (defined $self->{ssl_version} ? (SSL_version => $self->{ssl_version}) : ()),
 (defined $self->{ssl_ca_path} ? (SSL_ca_path => $self->{ssl_ca_path}) : ()),
 (defined $self->{ssl_verify_mode} ? (SSL_verify_mode => $self->{ssl_verify_mode}) : ()),
 };
-- 
1.7.6
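Review bot: The new `ssl_version` entry in the second Service.pm hunk accepts any string: it has no `check_type`, so a mistyped protocol name is not rejected when the option is set and only reaches IO::Socket::SSL when `enable` (third hunk, whose body begins outside it) builds the listener options, with a failure mode that depends on code not shown here. If the enum form of `check_type` that I believe this tunables table uses elsewhere is available, a line such as `check_type => ["enum", [qw(SSLv23 SSLv2 SSLv3 TLSv1)]],` next to `default => undef` would fail fast with the names the ReverseProxy.pod hunk documents; if that check compares case-sensitively, either normalize the value before comparing or drop the "case-insensitive" wording from the POD so the two agree. The `des` text `"SSL protocol to offer."` would also serve operators better if it listed the accepted values and stated that leaving the option unset keeps IO::Socket::SSL's own default, which the commit message says still offers SSLv2/3.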