diff --git a/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
deleted file mode 100644
index 83191e7..0000000
--- a/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Fri, 8 Feb 2019 14:50:32 +0100
-Subject: [PATCH] Test client performs Post-Handshake-Authentication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This test uses openssl tool because PHA is not yet supported by
-IO::Socket::SSL's server implementation. The openssl tool uses a fixed
-port. So the test can fail.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- MANIFEST       |  1 +
- t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 88 insertions(+)
- create mode 100755 t/pha_client.t
-
-diff --git a/MANIFEST b/MANIFEST
-index 5c2b87c..e46f919 100644
---- a/MANIFEST
-+++ b/MANIFEST
-@@ -52,6 +52,7 @@ t/memleak_bad_handshake.t
- t/mitm.t
- t/nonblock.t
- t/npn.t
-+t/pha_client.t
- t/plain_upgrade_downgrade.t
- t/protocol_version.t
- t/public_suffix_lib.pl
-diff --git a/t/pha_client.t b/t/pha_client.t
-new file mode 100755
-index 0000000..6699443
---- /dev/null
-+++ b/t/pha_client.t
-@@ -0,0 +1,87 @@
-+#!/usr/bin/perl
-+use strict;
-+use warnings;
-+use Test::More;
-+use IPC::Run ();
-+use IO::Socket::SSL ();
-+use IO::Select ();
-+
-+if (!system('openssl', 'version')) {
-+    plan tests => 5;
-+} else {
-+    plan skip_all => 'openssl tool is not available';
-+}
-+
-+my $port = 2000;
-+my $ca_cert = 'certs/test-ca.pem';
-+
-+diag 'Starting a server';
-+my ($server, $input, $stdout, $stderr);
-+eval {
-+    $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
-+            '-Verify', '1',
-+            '-cert', 'certs/server-wildcard.pem',
-+            '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
-+        \$input, \$stdout, \$stderr);
-+    # subsequent \undef does not work
-+    # <https://github.com/toddr/IPC-Run/issues/124>
-+};
-+if (!$server or $@) {
-+    BAIL_OUT("Could not start a server: $@");
-+}
-+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
-+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
-+if ($stderr =~ /unable to bind socket/) {
-+    $server->kill_kill;
-+    BAIL_OUT("Could not start a server: $stderr");
-+}
-+ok($server, 'Server started');
-+
-+my $client = IO::Socket::SSL->new(
-+    PeerHost => 'localhost',
-+    PeerPort => $port,
-+    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
-+    SSL_verifycn_scheme => 'www',
-+    SSL_verifycn_name => 'www.server.local',
-+    SSL_ca_file => $ca_cert,
-+    SSL_key_file => 'certs/client-key.pem',
-+    SSL_cert_file => 'certs/client-cert.pem'
-+);
-+ok($client, 'Client connected');
-+
-+SKIP: {
-+    skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
-+        unless $client;
-+    $client->blocking(0);
-+
-+    SKIP: {
-+        # Ask openssl s_server for PHA request and wait for the result.
-+        $input .= "c\n";
-+        while ($server->pumpable &&
-+            $stderr !~ /SSL_verify_client_post_handshake/ &&
-+            $stdout !~ /SSL_do_handshake -> 1/
-+        ) {
-+            # Push the PHA command to the server and read outputs.
-+            $server->pump;
-+
-+            # Client also must perform I/O to process the PHA request.
-+            my $select = IO::Select->new($client);
-+            while ($select->can_read(1)) {  # 1 second time-out because of
-+                                            # blocking IPC::Run
-+                my $retval = $client->read(my $buf, 1);
-+                if (defined $buf and $buf eq 'c') {
-+                    skip 'openssl tool does not support PHA command', 1;
-+                }
-+            }
-+        }
-+        ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
-+    }
-+
-+    ok($client->close, 'Client disconnected');
-+}
-+
-+eval {
-+    $server->kill_kill;
-+};
-+ok(!$@, 'Server terminated');
-+
--- 
-2.17.2
-
diff --git a/IO-Socket-SSL-2.062-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.062-use-system-default-SSL-version.patch
deleted file mode 100644
index a767a99..0000000
--- a/IO-Socket-SSL-2.062-use-system-default-SSL-version.patch
+++ /dev/null
@@ -1,36 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -155,7 +155,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
- # global defaults
- my %DEFAULT_SSL_ARGS = (
-     SSL_check_crl => 0,
--    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
-+    SSL_version => '',
-     SSL_verify_callback => undef,
-     SSL_verifycn_scheme => undef,  # fallback cn verification
-     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
-@@ -2324,7 +2324,7 @@ sub new {
- 
-     my $ssl_op = $DEFAULT_SSL_OP;
- 
--    my $ver;
-+    my $ver = '';
-     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
- 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
- 	or croak("invalid SSL_version specified");
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -1011,11 +1011,12 @@ All values are case-insensitive.  Instea
- 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
- 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
- and openssl.
-+The default SSL_version is defined by the underlying cryptographic library.
- 
- Independent from the handshake format you can limit to set of accepted SSL
- versions by adding !version separated by ':'.
- 
--The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
-+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
- handshake format is compatible to SSL2.0 and higher, but that the successful
- handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
- both of these versions have serious security issues and should not be used
diff --git a/IO-Socket-SSL-2.062-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.062-use-system-default-cipher-list.patch
deleted file mode 100644
index e9883bc..0000000
--- a/IO-Socket-SSL-2.062-use-system-default-cipher-list.patch
+++ /dev/null
@@ -1,98 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -163,10 +163,10 @@ my %DEFAULT_SSL_ARGS = (
-     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
-     SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- 
--    # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20
--    # "Old backward compatibility" for best compatibility
--    # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
--    SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
-+    # Use system-wide default cipher list to support use of system-wide
-+    # crypto policy (#1076390, #1127577, CPAN RT#97816)
-+    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
-+    SSL_cipher_list => 'DEFAULT',
- );
- 
- my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -176,63 +176,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
-     SSL_ca_file => undef,
-     SSL_ca_path => undef,
- 
--    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
--    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
--    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
--    # Ubuntu worked around this by disabling TLSv1_2 on the client side for
--    # a while. Later a padding extension was added to OpenSSL to work around
--    # broken F5 but then IronPort croaked because it did not understand this
--    # extension so it was disabled again :(
--    # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
--    # that packet stays small enough. We try the same here.
--
--    SSL_cipher_list => join(" ",
--
--	# SSLabs report for Chrome 48/OSX. 
--	# This also includes the fewer ciphers Firefox uses.
--	'ECDHE-ECDSA-AES128-GCM-SHA256',
--	'ECDHE-RSA-AES128-GCM-SHA256',
--	'DHE-RSA-AES128-GCM-SHA256',
--	'ECDHE-ECDSA-CHACHA20-POLY1305',
--	'ECDHE-RSA-CHACHA20-POLY1305',
--	'ECDHE-ECDSA-AES256-SHA',
--	'ECDHE-RSA-AES256-SHA',
--	'DHE-RSA-AES256-SHA',
--	'ECDHE-ECDSA-AES128-SHA',
--	'ECDHE-RSA-AES128-SHA',
--	'DHE-RSA-AES128-SHA',
--	'AES128-GCM-SHA256',
--	'AES256-SHA',
--	'AES128-SHA',
--	'DES-CBC3-SHA',
--
--	# IE11/Edge has some more ciphers, notably SHA384 and DSS
--	# we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
--	# ciphers IE/Edge offers because they look like a large mismatch
--	# between a very strong HMAC and a comparably weak (but sufficient)
--	# encryption. Similar all browsers which do SHA384 can do ECDHE
--	# so skip the DHE*SHA384 ciphers.
--	'ECDHE-RSA-AES256-GCM-SHA384',
--	'ECDHE-ECDSA-AES256-GCM-SHA384',
--	# 'ECDHE-RSA-AES256-SHA384',
--	# 'ECDHE-ECDSA-AES256-SHA384',
--	# 'ECDHE-RSA-AES128-SHA256',
--	# 'ECDHE-ECDSA-AES128-SHA256',
--	# 'DHE-RSA-AES256-GCM-SHA384',
--	# 'AES256-GCM-SHA384',
--	'AES256-SHA256',
--	# 'AES128-SHA256',
--	'DHE-DSS-AES256-SHA256',
--	# 'DHE-DSS-AES128-SHA256',
--	'DHE-DSS-AES256-SHA',
--	'DHE-DSS-AES128-SHA',
--	'EDH-DSS-DES-CBC3-SHA',
--
--	# Just to make sure, that we don't accidentally add bad ciphers above.
--	# This includes dropping RC4 which is no longer supported by modern
--	# browsers and also excluded in the SSL libraries of Python and Ruby.
--	"!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
--    )
- );
- 
- # set values inside _init to work with perlcc, RT#95452
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -1037,12 +1037,8 @@ documentation (L<http://www.openssl.org/
- for more details.
- 
- Unless you fail to contact your peer because of no shared ciphers it is
--recommended to leave this option at the default setting. The default setting
--prefers ciphers with forward secrecy, disables anonymous authentication and
--disables known insecure ciphers like MD5, DES etc. This gives a grade A result
--at the tests of SSL Labs.
--To use the less secure OpenSSL builtin default (whatever this is) set
--SSL_cipher_list to ''.
-+recommended to leave this option at the default setting, which honors the
-+system-wide DEFAULT cipher list.
- 
- In case different cipher lists are needed for different SNI hosts a hash can be
- given with the host as key and the cipher suite as value, similar to
diff --git a/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch
new file mode 100644
index 0000000..86f4484
--- /dev/null
+++ b/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch
@@ -0,0 +1,127 @@
+From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Feb 2019 14:50:32 +0100
+Subject: [PATCH] Test client performs Post-Handshake-Authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This test uses openssl tool because PHA is not yet supported by
+IO::Socket::SSL's server implementation. The openssl tool uses a fixed
+port. So the test can fail.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ MANIFEST       |  1 +
+ t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+ create mode 100755 t/pha_client.t
+
+diff --git a/MANIFEST b/MANIFEST
+index 5c2b87c..e46f919 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -57,6 +57,7 @@ t/memleak_bad_handshake.t
+ t/multiple-cert-rsa-ecc.t
+ t/nonblock.t
+ t/npn.t
++t/pha_client.t
+ t/plain_upgrade_downgrade.t
+ t/protocol_version.t
+ t/public_suffix_lib_encode_idn.t
+diff --git a/t/pha_client.t b/t/pha_client.t
+new file mode 100755
+index 0000000..6699443
+--- /dev/null
++++ b/t/pha_client.t
+@@ -0,0 +1,87 @@
++#!/usr/bin/perl
++use strict;
++use warnings;
++use Test::More;
++use IPC::Run ();
++use IO::Socket::SSL ();
++use IO::Select ();
++
++if (!system('openssl', 'version')) {
++    plan tests => 5;
++} else {
++    plan skip_all => 'openssl tool is not available';
++}
++
++my $port = 2000;
++my $ca_cert = 'certs/test-ca.pem';
++
++diag 'Starting a server';
++my ($server, $input, $stdout, $stderr);
++eval {
++    $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
++            '-Verify', '1',
++            '-cert', 'certs/server-wildcard.pem',
++            '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
++        \$input, \$stdout, \$stderr);
++    # subsequent \undef does not work
++    # <https://github.com/toddr/IPC-Run/issues/124>
++};
++if (!$server or $@) {
++    BAIL_OUT("Could not start a server: $@");
++}
++# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
++if ($stderr =~ /unable to bind socket/) {
++    $server->kill_kill;
++    BAIL_OUT("Could not start a server: $stderr");
++}
++ok($server, 'Server started');
++
++my $client = IO::Socket::SSL->new(
++    PeerHost => 'localhost',
++    PeerPort => $port,
++    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
++    SSL_verifycn_scheme => 'www',
++    SSL_verifycn_name => 'www.server.local',
++    SSL_ca_file => $ca_cert,
++    SSL_key_file => 'certs/client-key.pem',
++    SSL_cert_file => 'certs/client-cert.pem'
++);
++ok($client, 'Client connected');
++
++SKIP: {
++    skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
++        unless $client;
++    $client->blocking(0);
++
++    SKIP: {
++        # Ask openssl s_server for PHA request and wait for the result.
++        $input .= "c\n";
++        while ($server->pumpable &&
++            $stderr !~ /SSL_verify_client_post_handshake/ &&
++            $stdout !~ /SSL_do_handshake -> 1/
++        ) {
++            # Push the PHA command to the server and read outputs.
++            $server->pump;
++
++            # Client also must perform I/O to process the PHA request.
++            my $select = IO::Select->new($client);
++            while ($select->can_read(1)) {  # 1 second time-out because of
++                                            # blocking IPC::Run
++                my $retval = $client->read(my $buf, 1);
++                if (defined $buf and $buf eq 'c') {
++                    skip 'openssl tool does not support PHA command', 1;
++                }
++            }
++        }
++        ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
++    }
++
++    ok($client->close, 'Client disconnected');
++}
++
++eval {
++    $server->kill_kill;
++};
++ok(!$@, 'Server terminated');
++
+-- 
+2.17.2
+
diff --git a/IO-Socket-SSL-2.063-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.063-use-system-default-SSL-version.patch
new file mode 100644
index 0000000..0569738
--- /dev/null
+++ b/IO-Socket-SSL-2.063-use-system-default-SSL-version.patch
@@ -0,0 +1,36 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -158,7 +158,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+     SSL_check_crl => 0,
+-    SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
++    SSL_version => '',
+     SSL_verify_callback => undef,
+     SSL_verifycn_scheme => undef,  # fallback cn verification
+     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
+@@ -2328,7 +2328,7 @@ sub new {
+ 
+     my $ssl_op = $DEFAULT_SSL_OP;
+ 
+-    my $ver;
++    my $ver = '';
+     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ 	or croak("invalid SSL_version specified");
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1022,11 +1022,12 @@ All values are case-insensitive.  Instea
+ 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
+ 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
+ and openssl.
++The default SSL_version is defined by the underlying cryptographic library.
+ 
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+ 
+-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
++For example, 'SSLv23:!SSLv3:!SSLv2' means that the
+ handshake format is compatible to SSL2.0 and higher, but that the successful
+ handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
+ both of these versions have serious security issues and should not be used
diff --git a/IO-Socket-SSL-2.063-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.063-use-system-default-cipher-list.patch
new file mode 100644
index 0000000..0103ff4
--- /dev/null
+++ b/IO-Socket-SSL-2.063-use-system-default-cipher-list.patch
@@ -0,0 +1,98 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -166,10 +166,10 @@ my %DEFAULT_SSL_ARGS = (
+     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
+     SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+ 
+-    # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20
+-    # "Old backward compatibility" for best compatibility
+-    # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
+-    SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
++    # Use system-wide default cipher list to support use of system-wide
++    # crypto policy (#1076390, #1127577, CPAN RT#97816)
++    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
++    SSL_cipher_list => 'DEFAULT',
+ );
+ 
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -179,63 +179,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+     SSL_ca_file => undef,
+     SSL_ca_path => undef,
+ 
+-    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
+-    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
+-    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
+-    # Ubuntu worked around this by disabling TLSv1_2 on the client side for
+-    # a while. Later a padding extension was added to OpenSSL to work around
+-    # broken F5 but then IronPort croaked because it did not understand this
+-    # extension so it was disabled again :(
+-    # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
+-    # that packet stays small enough. We try the same here.
+-
+-    SSL_cipher_list => join(" ",
+-
+-	# SSLabs report for Chrome 48/OSX. 
+-	# This also includes the fewer ciphers Firefox uses.
+-	'ECDHE-ECDSA-AES128-GCM-SHA256',
+-	'ECDHE-RSA-AES128-GCM-SHA256',
+-	'DHE-RSA-AES128-GCM-SHA256',
+-	'ECDHE-ECDSA-CHACHA20-POLY1305',
+-	'ECDHE-RSA-CHACHA20-POLY1305',
+-	'ECDHE-ECDSA-AES256-SHA',
+-	'ECDHE-RSA-AES256-SHA',
+-	'DHE-RSA-AES256-SHA',
+-	'ECDHE-ECDSA-AES128-SHA',
+-	'ECDHE-RSA-AES128-SHA',
+-	'DHE-RSA-AES128-SHA',
+-	'AES128-GCM-SHA256',
+-	'AES256-SHA',
+-	'AES128-SHA',
+-	'DES-CBC3-SHA',
+-
+-	# IE11/Edge has some more ciphers, notably SHA384 and DSS
+-	# we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
+-	# ciphers IE/Edge offers because they look like a large mismatch
+-	# between a very strong HMAC and a comparably weak (but sufficient)
+-	# encryption. Similar all browsers which do SHA384 can do ECDHE
+-	# so skip the DHE*SHA384 ciphers.
+-	'ECDHE-RSA-AES256-GCM-SHA384',
+-	'ECDHE-ECDSA-AES256-GCM-SHA384',
+-	# 'ECDHE-RSA-AES256-SHA384',
+-	# 'ECDHE-ECDSA-AES256-SHA384',
+-	# 'ECDHE-RSA-AES128-SHA256',
+-	# 'ECDHE-ECDSA-AES128-SHA256',
+-	# 'DHE-RSA-AES256-GCM-SHA384',
+-	# 'AES256-GCM-SHA384',
+-	'AES256-SHA256',
+-	# 'AES128-SHA256',
+-	'DHE-DSS-AES256-SHA256',
+-	# 'DHE-DSS-AES128-SHA256',
+-	'DHE-DSS-AES256-SHA',
+-	'DHE-DSS-AES128-SHA',
+-	'EDH-DSS-DES-CBC3-SHA',
+-
+-	# Just to make sure, that we don't accidentally add bad ciphers above.
+-	# This includes dropping RC4 which is no longer supported by modern
+-	# browsers and also excluded in the SSL libraries of Python and Ruby.
+-	"!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
+-    )
+ );
+ 
+ # set values inside _init to work with perlcc, RT#95452
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1048,12 +1048,8 @@ documentation (L<http://www.openssl.org/
+ for more details.
+ 
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting. The default setting
+-prefers ciphers with forward secrecy, disables anonymous authentication and
+-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
+-at the tests of SSL Labs.
+-To use the less secure OpenSSL builtin default (whatever this is) set
+-SSL_cipher_list to ''.
++recommended to leave this option at the default setting, which honors the
++system-wide DEFAULT cipher list.
+ 
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 824d6f7..30ea89c 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,15 +1,15 @@
 Name:		perl-IO-Socket-SSL
-Version:	2.062
+Version:	2.063
 Release:	1%{?dist}
 Summary:	Perl library for transparent SSL
 License:	GPL+ or Artistic
 URL:		https://metacpan.org/release/IO-Socket-SSL
 Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0:		IO-Socket-SSL-2.062-use-system-default-cipher-list.patch
-Patch1:		IO-Socket-SSL-2.062-use-system-default-SSL-version.patch
+Patch0:		IO-Socket-SSL-2.063-use-system-default-cipher-list.patch
+Patch1:		IO-Socket-SSL-2.063-use-system-default-SSL-version.patch
 # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
 # bug #1632660, requires openssl tool
-Patch4:		IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
+Patch4:		IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch
 BuildArch:	noarch
 # Module Build
 BuildRequires:	coreutils
@@ -121,6 +121,14 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Sat Mar  2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
+- Update to 2.063
+  - Support for both RSA and ECDSA certificate on same domain
+  - Update PublicSuffix
+  - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
+    then linked against another API-incompatible version (i.e. more than just
+    the patchlevel differs)
+
 * Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
 - Update to 2.062
   - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
diff --git a/sources b/sources
index 94b5acd..0ffa20d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.062.tar.gz) = 8a568b08961550df532cbad2707aea670d00a4e446c3f91e2ba6ca2bb1d85e09428d1f495dab1c8f7d9a74b04717852a1dcdb1b9e2684cf37b7166797b6f1183
+SHA512 (IO-Socket-SSL-2.063.tar.gz) = 31e42de5244fe1766c9c699767473d691657350a8dce115a17dde605274a0e99b460bc165625733d473febda699e07c0318a74f8398faa902683722b0c5e80cb