Update to 2.061

- New upstream release 2.061
  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
    the previous (and undocumented) API for the session cache has been changed
  - Support for multiple curves, automatic setting of curves and setting of
    supported curves in client (needs Net::SSLeay ≥ 1.86)
  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
    client certificates are provided (needs Net::SSLeay ≥ 1.86)

IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch

@@ -1,55 +0,0 @@
-From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001
-From: Joe Orton <jorton@redhat.com>
-Date: Sat, 26 Jan 2019 11:16:08 +0100
-Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature)
- client-side iff available.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- lib/IO/Socket/SSL.pm | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
-index f35211b..0a0eef6 100644
---- a/lib/IO/Socket/SSL.pm
-+++ b/lib/IO/Socket/SSL.pm
-@@ -67,6 +67,7 @@ my $can_ecdh;        # do we support ECDH key exchange
- my $can_ocsp;        # do we support OCSP
- my $can_ocsp_staple; # do we support OCSP stapling
- my $can_tckt_keycb;  # TLS ticket key callback
-+my $can_pha;         # do we support PHA
- BEGIN {
-     $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
-     $can_server_sni = defined &Net::SSLeay::get_servername;
-@@ -87,6 +88,7 @@ BEGIN {
- 	&& defined &Net::SSLeay::set_tlsext_status_type;
-     $can_tckt_keycb  = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
- 	&& $Net::SSLeay::VERSION >= 1.80;  
-+    $can_pha         = defined &Net::SSLeay::CTX_set_post_handshake_auth;
- }
- 
- my $algo2digest = do {
-@@ -2018,6 +2020,7 @@ sub can_ecdh       { return $can_ecdh }
- sub can_ipv6       { return CAN_IPV6 }
- sub can_ocsp       { return $can_ocsp }
- sub can_ticket_keycb { return $can_tckt_keycb }
-+sub can_pha        { return $can_pha }
- 
- sub DESTROY {
-     my $self = shift or return;
-@@ -2602,6 +2605,9 @@ sub new {
- 		"Failed to load key from file (no PEM or DER)");
- 	}
- 
-+        Net::SSLeay::CTX_set_post_handshake_auth($ctx,1)
-+            if (!$is_server && $can_pha && $havecert && $havekey);
-+
- 	# replace arg_hash with created context
- 	$ctx{$host} = $ctx;
-     }
--- 
-2.17.2
-

IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch

@@ -1,121 +0,0 @@
-From e96b1c9e394011de4ee181cfa42b8021796bf7d4 Mon Sep 17 00:00:00 2001
-From: Steffen Ullrich <Steffen_Ullrich@genua.de>
-Date: Mon, 17 Sep 2018 14:09:48 +0200
-Subject: [PATCH] make all tests which use fork also ignore signal PIPE
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- t/nonblock.t         | 4 +---
- t/protocol_version.t | 2 --
- t/session_ticket.t   | 2 --
- t/signal-readline.t  | 1 -
- t/sni.t              | 2 --
- t/sni_verify.t       | 2 --
- t/testlib.pl         | 2 ++
- 7 files changed, 3 insertions(+), 12 deletions(-)
-
-diff --git a/t/nonblock.t b/t/nonblock.t
-index 6c1bc38..ad62799 100644
---- a/t/nonblock.t
-+++ b/t/nonblock.t
-@@ -9,7 +9,7 @@ use Net::SSLeay;
- use Socket;
- use IO::Socket::SSL;
- use IO::Select;
--use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS EPIPE ECONNRESET );
-+use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS);
- do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
- 
- if ( ! eval "use 5.006; use IO::Select; return 1" ) {
-@@ -17,8 +17,6 @@ if ( ! eval "use 5.006; use IO::Select; return 1" ) {
-     exit;
- }
- 
--$SIG{PIPE} = 'IGNORE'; # use EPIPE not signal handler
--
- $|=1;
- print "1..27\n";
- 
-diff --git a/t/protocol_version.t b/t/protocol_version.t
-index 2e5cc6f..3577720 100644
---- a/t/protocol_version.t
-+++ b/t/protocol_version.t
-@@ -7,8 +7,6 @@ use Socket;
- use IO::Socket::SSL;
- do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
- 
--$SIG{PIPE} = 'IGNORE';
--
- plan skip_all => "Test::More has no done_testing"
-     if !defined &done_testing;
- 
-diff --git a/t/session_ticket.t b/t/session_ticket.t
-index ca70b80..4071b8a 100644
---- a/t/session_ticket.t
-+++ b/t/session_ticket.t
-@@ -27,8 +27,6 @@ my ($server_cert,$server_key) = CERT_create(
-     purpose => { server => 1 }
- );
- 
--$SIG{PIPE} = 'IGNORE';
--
- # create two servers with the same session ticket callback
- my (@server,@saddr);
- for (1,2) {
-diff --git a/t/signal-readline.t b/t/signal-readline.t
-index 6dcd4ae..3e226c0 100644
---- a/t/signal-readline.t
-+++ b/t/signal-readline.t
-@@ -50,7 +50,6 @@ if ( $pid == 0 ) {
- 
- my $csock = $server->accept;
- ok("accept");
--$SIG{PIPE} = 'IGNORE';
- 
- syswrite($csock,"foo") or print "not ";
- ok("wrote foo");
-diff --git a/t/sni.t b/t/sni.t
-index c6e6510..de0f06e 100644
---- a/t/sni.t
-+++ b/t/sni.t
-@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) {
-     exit;
- }
- 
--$SIG{PIPE} = 'IGNORE';
--
- print "1..17\n";
- my $server = IO::Socket::SSL->new(
-     LocalAddr => '127.0.0.1',
-diff --git a/t/sni_verify.t b/t/sni_verify.t
-index 86b5dca..b3b299b 100644
---- a/t/sni_verify.t
-+++ b/t/sni_verify.t
-@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) {
-     exit;
- }
- 
--$SIG{PIPE} = 'IGNORE';
--
- print "1..17\n";
- my $server = IO::Socket::SSL->new(
-     LocalAddr => '127.0.0.1',
-diff --git a/t/testlib.pl b/t/testlib.pl
-index 5a99e49..b3f342c 100644
---- a/t/testlib.pl
-+++ b/t/testlib.pl
-@@ -19,6 +19,8 @@ unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} ||
-     exit
- }
- 
-+# let IO errors result in EPIPE instead of crashing the test
-+$SIG{PIPE} = 'IGNORE';
- 
- # small implementations if not used from Test::More (09_fdleak.t)
- if ( ! defined &ok ) {
--- 
-2.17.1
-

IO-Socket-SSL-2.061-use-system-default-SSL-version.patch

@@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+@@ -146,7 +146,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
  # global defaults
  my %DEFAULT_SSL_ARGS = (
      SSL_check_crl => 0,
@@ -9,7 +9,7 @@
      SSL_verify_callback => undef,
      SSL_verifycn_scheme => undef,  # fallback cn verification
      SSL_verifycn_publicsuffix => undef,  # fallback default list verification
-@@ -2295,7 +2295,7 @@ sub new {
+@@ -2315,7 +2315,7 @@ sub new {
  
      my $ssl_op = $DEFAULT_SSL_OP;
  
@@ -20,10 +20,10 @@
  	or croak("invalid SSL_version specified");
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -1010,11 +1010,12 @@ protocol to the specified version.
- All values are case-insensitive.  Instead of 'TLSv1_1' and 'TLSv1_2' one can
- also use 'TLSv11' and 'TLSv12'.  Support for 'TLSv1_1' and 'TLSv1_2' requires
- recent versions of Net::SSLeay and openssl.
+@@ -1011,11 +1011,12 @@ All values are case-insensitive.  Instea
+ 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
+ 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
+ and openssl.
 +The default SSL_version is defined by the underlying cryptographic library.
  
  Independent from the handshake format you can limit to set of accepted SSL

IO-Socket-SSL-2.061-use-system-default-cipher-list.patch

@@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = (
+@@ -154,10 +154,10 @@ my %DEFAULT_SSL_ARGS = (
      SSL_npn_protocols => undef,    # meaning depends whether on server or client side
      SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
  
@@ -15,7 +15,7 @@
  );
  
  my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -167,63 +167,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
      SSL_ca_file => undef,
      SSL_ca_path => undef,
  
@@ -81,7 +81,7 @@
  # set values inside _init to work with perlcc, RT#95452
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -1036,12 +1036,8 @@ documentation (L<http://www.openssl.org/
+@@ -1037,12 +1037,8 @@ documentation (L<http://www.openssl.org/
  for more details.
  
  Unless you fail to contact your peer because of no shared ciphers it is

perl-IO-Socket-SSL.spec

@@ -1,19 +1,12 @@
 Name:		perl-IO-Socket-SSL
-Version:	2.060
-Release:	4%{?dist}
+Version:	2.061
+Release:	1%{?dist}
 Summary:	Perl library for transparent SSL
 License:	GPL+ or Artistic
 URL:		https://metacpan.org/release/IO-Socket-SSL
 Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0:		IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
-Patch1:		IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
-# Prevent tests from dying on SIGPIPE, CPAN RT#126899,
-# in upstream after 2.060
-Patch2:		IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
-# Client sends a post-handshake-authentication extension if a client key and
-# a certificate are available, bug #1632660,
-# <https://github.com/noxxi/p5-io-socket-ssl/pull/80>, in upstream after 2.060
-Patch3:		IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
+Patch0:		IO-Socket-SSL-2.061-use-system-default-cipher-list.patch
+Patch1:		IO-Socket-SSL-2.061-use-system-default-SSL-version.patch
 # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
 # bug #1632660, requires openssl tool
 Patch4:		IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
@@ -100,11 +93,7 @@ mod_perl.
 # Use system-default SSL version too
 %patch1
 
-# Prevent tests from dying on SIGPIPE (CPAN RT#126899)
-%patch2 -p1
-
-# Enable PHA on a client side
-%patch3 -p1
+# Add test for PHA
 %patch4 -p1
 
 %build
@@ -132,6 +121,15 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
+- Update to 2.061
+  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
+    the previous (and undocumented) API for the session cache has been changed
+  - Support for multiple curves, automatic setting of curves and setting of
+    supported curves in client (needs Net::SSLeay ≥ 1.86)
+  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
+    client certificates are provided (needs Net::SSLeay ≥ 1.86)
+
 * Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
 - Client sends a post-handshake-authentication extension if a client key and
   a certificate are available (bug #1632660)
@@ -144,9 +142,9 @@ make test
 
 * Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
 - Update to 2.060
-  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
-    see also CPAN RT#126899
-  - TLS 1.3 support is not complete yet for session resume
+  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see
+    also CPAN RT#126899
+  - TLS 1.3 support is not complete yet for session reuse
 
 * Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
 - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)

sources

@@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.060.tar.gz) = 1a1e29f8a4b912bd3643509356c66b3a567ae41bb0ac9eb30f6ca97eb68bf9507e20c0fb8512f5dfd309accd6cfba61811b8d637f5e991aaa0a250a906fcb95c
+SHA512 (IO-Socket-SSL-2.061.tar.gz) = 2c5aa45f0ace5843e87c2b88f0805efa95b90af3b6e9c8bb258118886ab10ba9feb9b57a224704c33176a02563ae23dacb0707e644a7c647f7ead81132d1e3e0