Update to 2.066

- New upstream release 2.066
  - Make sure that Net::SSLeay::CTX_get0_param is defined before using
    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
    LibreSSL 2.7.4 but not the first (CPAN RT#=128716)
  - Prefer AES for server side cipher default since it is usually
    hardware-accelerated
  - Fix test t/verify_partial_chain.t by using the newly exposed function
    can_partial_chain instead of guessing (wrongly) if the functionality is
    available

IO-Socket-SSL-2.066-use-system-default-SSL-version.patch

@@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -163,7 +163,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
  # global defaults
  my %DEFAULT_SSL_ARGS = (
      SSL_check_crl => 0,
@@ -9,7 +9,7 @@
      SSL_verify_callback => undef,
      SSL_verifycn_scheme => undef,  # fallback cn verification
      SSL_verifycn_publicsuffix => undef,  # fallback default list verification
-@@ -2333,7 +2333,7 @@ sub new {
+@@ -2335,7 +2335,7 @@ sub new {
  
      my $ssl_op = $DEFAULT_SSL_OP;
  

IO-Socket-SSL-2.066-use-system-default-cipher-list.patch

@@ -1,13 +1,14 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -171,10 +171,10 @@ my %DEFAULT_SSL_ARGS = (
+@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
      SSL_npn_protocols => undef,    # meaning depends whether on server or client side
      SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
  
--    # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20
+-    # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
 -    # "Old backward compatibility" for best compatibility
 -    # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
--    SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+-    # slightly reordered to prefer AES since it is cheaper when hardware accelerated
+-    SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
 +    # Use system-wide default cipher list to support use of system-wide
 +    # crypto policy (#1076390, #1127577, CPAN RT#97816)
 +    # https://fedoraproject.org/wiki/Changes/CryptoPolicy
@@ -15,7 +16,7 @@
  );
  
  my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -184,63 +184,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -186,63 +185,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
      SSL_ca_file => undef,
      SSL_ca_path => undef,
  

perl-IO-Socket-SSL.spec

@@ -1,12 +1,12 @@
 Name:		perl-IO-Socket-SSL
-Version:	2.064
+Version:	2.066
 Release:	1%{?dist}
 Summary:	Perl library for transparent SSL
 License:	GPL+ or Artistic
 URL:		https://metacpan.org/release/IO-Socket-SSL
 Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0:		IO-Socket-SSL-2.064-use-system-default-cipher-list.patch
-Patch1:		IO-Socket-SSL-2.064-use-system-default-SSL-version.patch
+Patch0:		IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
+Patch1:		IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
 # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
 # bug #1632660, requires openssl tool
 Patch4:		IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch
@@ -121,6 +121,17 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Wed Mar  6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
+- Update to 2.066
+  - Make sure that Net::SSLeay::CTX_get0_param is defined before using
+    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
+    LibreSSL 2.7.4 but not the first (CPAN RT#=128716)
+  - Prefer AES for server side cipher default since it is usually
+    hardware-accelerated
+  - Fix test t/verify_partial_chain.t by using the newly exposed function
+    can_partial_chain instead of guessing (wrongly) if the functionality is
+    available
+
 * Mon Mar  4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
 - Update to 2.064
   - Make algorithm for fingerprint optional, i.e. detect based on length of

sources

@@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.064.tar.gz) = a9e5b78cae1a852ec623c0ea795ecc6870e9a8b4fafe479e94653bec7d44e70ed2da1a8cc86e35baac8414ddb50ca45ca69e092e7675794430edf0d9a3d3d10a
+SHA512 (IO-Socket-SSL-2.066.tar.gz) = 2a15f6d65f276ad4eae33139ae7af4c891d4c9e5f6aa65f45e51bfa02c85e8367a275bd33c73ece1b47b9d18eadc59e65fe1c584f9ccd3c7655948710fb4a57a