Bug#728660: do not fix the wrong SSL_version string but remove it completely

Steffen Ullrich sullr at cpan.org
Sat Apr 9 06:56:12 UTC 2016


Hi,
the current patch proposes to fix the wrong SSL_version string like this:

 	if(not IO::Socket::SSL::socket_to_SSL($me->{sock},
-		SSL_version	=>	"SSLv3 TLSv1")){
+		SSL_version	=>	"TLSv1")){
 			croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
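Review bot: the `+` line still hard-codes a single protocol version, `SSL_version => "TLSv1"`, which pins the module to that one version and will need yet another patch whenever it is retired; the `SSL_version` argument should be dropped altogether so that IO::Socket::SSL's own defaults choose the protocol range.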

It would be better to simply remove the setting of SSL_version and leave it up
to IO::Socket::SSL to set the value properly. IO::Socket::SSL already contains
sane defaults for this value and keeps these defaults up-to-date with the
current security requirements. Thus one day TLS 1.0 might be disabled, and in
this case it would be bad if old modules like this had to be fixed again to
keep up with current requirements.

Thus the fix should be:

- 	if(not IO::Socket::SSL::socket_to_SSL($me->{sock},
+       if(not IO::Socket::SSL::socket_to_SSL($me->{sock}){
-		SSL_version	=>	"SSLv3 TLSv1")){
 			croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
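Review bot: the `+` line is unbalanced: `if(not IO::Socket::SSL::socket_to_SSL($me->{sock}){` opens two parentheses and closes only one, so the module will no longer compile; it should read `if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){`. The leading whitespace on that line also changed from a tab to spaces, which makes the diff noisier than it needs to be.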

Apart from that, 'socket_to_SSL' is a long-deprecated interface, so you might
better use 'IO::Socket::SSL->start_SSL($me->{sock})' instead. But I don't know if
it is worth it for such an old module that has been unmaintained for 10 years.

Regards,
Steffen Ullrich, Maintainer IO::Socket::SSL
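The STARTTLS upgrade written the way the message suggests, as an added example that is not code from the email or from the module being patched: it drops SSL_version, calls start_SSL instead of socket_to_SSL, and reads the failure reason from $SSL_ERROR. The start_tls_on helper and the peer/hostname verification parameters are assumptions added here, not something the email proposes.

```perl
use strict;
use warnings;
use Carp qw(croak);
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Upgrade an already-connected plain socket to TLS (i.e. right after the
# protocol's STARTTLS command has been acknowledged). No SSL_version is
# passed: IO::Socket::SSL's current defaults pick the protocol range, so
# this code does not need another patch when an old version is retired.
# $host is the name the caller connected to; it is used for SNI and is
# what the server certificate must match.
sub start_tls_on {
    my ($sock, $host) = @_;

    # start_SSL reblesses $sock in place and returns it on success;
    # on failure it returns undef and the reason is in $SSL_ERROR.
    my $ssl = IO::Socket::SSL->start_SSL(
        $sock,
        SSL_verify_mode   => SSL_VERIFY_PEER, # reject unverifiable peers
        SSL_hostname      => $host,           # SNI name sent to the server
        SSL_verifycn_name => $host,           # name the certificate must match
    ) or croak "Couldn't start TLS: $SSL_ERROR\n";

    return $ssl;
}

# Usage inside the module would be: $me->{sock} = start_tls_on($me->{sock}, $me->{host});
1;
```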
