diff --git a/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch b/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
deleted file mode 100644
index f2dfcc9..0000000
--- a/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001 -From: Joe Orton -Date: Sat, 26 Jan 2019 11:16:08 +0100 -Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature) - client-side iff available. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Petr Písař ---- - lib/IO/Socket/SSL.pm | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm -index f35211b..0a0eef6 100644 ---- a/lib/IO/Socket/SSL.pm -+++ b/lib/IO/Socket/SSL.pm -@@ -67,6 +67,7 @@ my $can_ecdh; # do we support ECDH key exchange - my $can_ocsp; # do we support OCSP - my $can_ocsp_staple; # do we support OCSP stapling - my $can_tckt_keycb; # TLS ticket key callback -+my $can_pha; # do we support PHA - BEGIN { - $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000; - $can_server_sni = defined &Net::SSLeay::get_servername; -@@ -87,6 +88,7 @@ BEGIN { - && defined &Net::SSLeay::set_tlsext_status_type; - $can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb - && $Net::SSLeay::VERSION >= 1.80; -+ $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth; - } - - my $algo2digest = do { -@@ -2018,6 +2020,7 @@ sub can_ecdh { return $can_ecdh } - sub can_ipv6 { return CAN_IPV6 } - sub can_ocsp { return $can_ocsp } - sub can_ticket_keycb { return $can_tckt_keycb } -+sub can_pha { return $can_pha } - - sub DESTROY { - my $self = shift or return; -@@ -2602,6 +2605,9 @@ sub new { - "Failed to load key from file (no PEM or DER)"); - } - -+ Net::SSLeay::CTX_set_post_handshake_auth($ctx,1) -+ if (!$is_server && $can_pha && $havecert && $havekey); -+ - # replace arg_hash with created context - $ctx{$host} = $ctx; - } --- -2.17.2 - 
diff --git a/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch b/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
deleted file mode 100644
index e68acf6..0000000
--- a/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
+++ /dev/null
@@ -1,121 +0,0 @@ -From e96b1c9e394011de4ee181cfa42b8021796bf7d4 Mon Sep 17 00:00:00 2001 -From: Steffen Ullrich -Date: Mon, 17 Sep 2018 14:09:48 +0200 -Subject: [PATCH] make all tests which use fork also ignore signal PIPE -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Petr Písař ---- - t/nonblock.t | 4 +--- - t/protocol_version.t | 2 -- - t/session_ticket.t | 2 -- - t/signal-readline.t | 1 - - t/sni.t | 2 -- - t/sni_verify.t | 2 -- - t/testlib.pl | 2 ++ - 7 files changed, 3 insertions(+), 12 deletions(-) - -diff --git a/t/nonblock.t b/t/nonblock.t -index 6c1bc38..ad62799 100644 ---- a/t/nonblock.t -+++ b/t/nonblock.t -@@ -9,7 +9,7 @@ use Net::SSLeay; - use Socket; - use IO::Socket::SSL; - use IO::Select; --use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS EPIPE ECONNRESET ); -+use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS); - do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; - - if ( ! eval "use 5.006; use IO::Select; return 1" ) { -@@ -17,8 +17,6 @@ if ( ! 
eval "use 5.006; use IO::Select; return 1" ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; # use EPIPE not signal handler -- - $|=1; - print "1..27\n"; - -diff --git a/t/protocol_version.t b/t/protocol_version.t -index 2e5cc6f..3577720 100644 ---- a/t/protocol_version.t -+++ b/t/protocol_version.t -@@ -7,8 +7,6 @@ use Socket; - use IO::Socket::SSL; - do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; - --$SIG{PIPE} = 'IGNORE'; -- - plan skip_all => "Test::More has no done_testing" - if !defined &done_testing; - -diff --git a/t/session_ticket.t b/t/session_ticket.t -index ca70b80..4071b8a 100644 ---- a/t/session_ticket.t -+++ b/t/session_ticket.t -@@ -27,8 +27,6 @@ my ($server_cert,$server_key) = CERT_create( - purpose => { server => 1 } - ); - --$SIG{PIPE} = 'IGNORE'; -- - # create two servers with the same session ticket callback - my (@server,@saddr); - for (1,2) { -diff --git a/t/signal-readline.t b/t/signal-readline.t -index 6dcd4ae..3e226c0 100644 ---- a/t/signal-readline.t -+++ b/t/signal-readline.t -@@ -50,7 +50,6 @@ if ( $pid == 0 ) { - - my $csock = $server->accept; - ok("accept"); --$SIG{PIPE} = 'IGNORE'; - - syswrite($csock,"foo") or print "not "; - ok("wrote foo"); -diff --git a/t/sni.t b/t/sni.t -index c6e6510..de0f06e 100644 ---- a/t/sni.t -+++ b/t/sni.t -@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; -- - print "1..17\n"; - my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', -diff --git a/t/sni_verify.t b/t/sni_verify.t -index 86b5dca..b3b299b 100644 ---- a/t/sni_verify.t -+++ b/t/sni_verify.t -@@ -17,8 +17,6 @@ if ( ! 
IO::Socket::SSL->can_client_sni() ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; -- - print "1..17\n"; - my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', -diff --git a/t/testlib.pl b/t/testlib.pl -index 5a99e49..b3f342c 100644 ---- a/t/testlib.pl -+++ b/t/testlib.pl -@@ -19,6 +19,8 @@ unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} || - exit - } - -+# let IO errors result in EPIPE instead of crashing the test -+$SIG{PIPE} = 'IGNORE'; - - # small implementations if not used from Test::More (09_fdleak.t) - if ( ! defined &ok ) { --- -2.17.1 - diff --git a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.061-use-system-default-SSL-version.patch similarity index 78% rename from IO-Socket-SSL-2.060-use-system-default-SSL-version.patch rename to IO-Socket-SSL-2.061-use-system-default-SSL-version.patch index 15ad9a6..eddad04 100644 --- a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch +++ b/IO-Socket-SSL-2.061-use-system-default-SSL-version.patch @@ -1,6 +1,6 @@ --- lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm -@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p +@@ -146,7 +146,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p # global defaults my %DEFAULT_SSL_ARGS = ( SSL_check_crl => 0, @@ -9,7 +9,7 @@ SSL_verify_callback => undef, SSL_verifycn_scheme => undef, # fallback cn verification SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2295,7 +2295,7 @@ sub new { +@@ -2315,7 +2315,7 @@ sub new { my $ssl_op = $DEFAULT_SSL_OP; 
@@ -20,10 +20,10 @@ or croak("invalid SSL_version specified"); --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -1010,11 +1010,12 @@ protocol to the specified version. - All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can - also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires - recent versions of Net::SSLeay and openssl. +@@ -1011,11 +1011,12 @@ All values are case-insensitive. Instea + 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for + 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay + and openssl. +The default SSL_version is defined by the underlying cryptographic library. Independent from the handshake format you can limit to set of accepted SSL diff --git a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.061-use-system-default-cipher-list.patch similarity index 96% rename from IO-Socket-SSL-2.060-use-system-default-cipher-list.patch rename to IO-Socket-SSL-2.061-use-system-default-cipher-list.patch index e1e6863..bba0451 100644 --- a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch +++ b/IO-Socket-SSL-2.061-use-system-default-cipher-list.patch @@ -1,6 +1,6 @@ --- lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm -@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = ( +@@ -154,10 +154,10 @@ my %DEFAULT_SSL_ARGS = ( SSL_npn_protocols => undef, # meaning depends whether on server or client side SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] @@ -15,7 +15,7 @@ ); my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( +@@ -167,63 +167,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( SSL_ca_file => undef, SSL_ca_path => undef, 
@@ -81,7 +81,7 @@ # set values inside _init to work with perlcc, RT#95452 --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -1036,12 +1036,8 @@ documentation (L, in upstream after 2.060 -Patch3: IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch +Patch0: IO-Socket-SSL-2.061-use-system-default-cipher-list.patch +Patch1: IO-Socket-SSL-2.061-use-system-default-SSL-version.patch # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch, # bug #1632660, requires openssl tool Patch4: IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch @@ -100,11 +93,7 @@ mod_perl. # Use system-default SSL version too %patch1 -# Prevent tests from dying on SIGPIPE (CPAN RT#126899) -%patch2 -p1 - -# Enable PHA on a client side -%patch3 -p1 +# Add test for PHA %patch4 -p1 %build @@ -132,6 +121,15 @@ make test %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Sat Feb 23 2019 Paul Howarth - 2.061-1 +- Update to 2.061 + - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that + the previous (and undocumented) API for the session cache has been changed + - Support for multiple curves, automatic setting of curves and setting of + supported curves in client (needs Net::SSLeay ≥ 1.86) + - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when + client certificates are provided (needs Net::SSLeay ≥ 1.86) + * Thu Feb 07 2019 Petr Pisar - 2.060-4 - Client sends a post-handshake-authentication extension if a client key and a certificate are available (bug #1632660) 
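Review bot: The retained `%patch4 -p1` now exercises upstream 2.061's client-side Post-Handshake-Authentication code rather than the downstream Patch3 this commit deletes, but the new `# Add test for PHA` comment and the still-visible definition comment (`# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch`) keep describing it as a test for a patch that no longer exists in the package. Please confirm the test still applies to 2.061 and that its expectations match upstream's enabling condition; the changelog says PHA is enabled client-side when client certificates are provided, which is what the deleted patch did with `!$is_server && $can_pha && $havecert && $havekey`, but the upstream code itself is not visible here. I would reword the new comment to `# Test for upstream's client-side PHA (bug #1632660); needs the openssl tool at build time` and fix the stale definition comment in the same way. If the spec does not already carry `BuildRequires: perl(Net::SSLeay) >= 1.86` (the version the changelog names for PHA and TLS 1.3 session reuse), the PHA test can run against a Net::SSLeay lacking `CTX_set_post_handshake_auth` and fail or silently skip, so a bump would make the build deterministic. The changelog could also record that Patch2 (SIGPIPE in tests) and Patch3 were dropped as merged upstream, since that is what the `%prep` removals imply but nothing states it.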
@@ -144,9 +142,9 @@ make test * Mon Sep 17 2018 Paul Howarth - 2.060-1 - Update to 2.060 - - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); - see also CPAN RT#126899 - - TLS 1.3 support is not complete yet for session resume + - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see + also CPAN RT#126899 + - TLS 1.3 support is not complete yet for session reuse * Tue Aug 21 2018 Petr Pisar - 2.059-2 - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198) diff --git a/sources b/sources index ce172b6..ed095c8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (IO-Socket-SSL-2.060.tar.gz) = 1a1e29f8a4b912bd3643509356c66b3a567ae41bb0ac9eb30f6ca97eb68bf9507e20c0fb8512f5dfd309accd6cfba61811b8d637f5e991aaa0a250a906fcb95c +SHA512 (IO-Socket-SSL-2.061.tar.gz) = 2c5aa45f0ace5843e87c2b88f0805efa95b90af3b6e9c8bb258118886ab10ba9feb9b57a224704c33176a02563ae23dacb0707e644a7c647f7ead81132d1e3e0