Update to 1.958
- New upstream release 1.958
  Lots of behavior changes for more secure defaults:
  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
    - No longer support MD5 by default (broken)
    - No longer support anonymous authentication by default (vulnerable to
      man in the middle attacks)
    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
      that it uses by default forward secrecy, if underlying
      Net::SSLeay/openssl supports it
    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
      hopefully have been fixed and now RC4 is considered less safe than 3DES)
    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
      to get the best cipher even if the client prefers other ciphers; PLEASE
      NOTE that this might break connections with older, less secure
      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
    and thus gets reused if context gets reused; PLEASE NOTE that using
    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
    the ciphers of the context
  - Rework hostname verification schemes:
    - Add RFC names as scheme (e.g. 'rfc2818', ...)
    - Add SIP, SNMP, syslog, netconf, GIST
    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
    - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
      'www2' etc. but not 'www'
    - Anywhere wildcards like x* are no longer applied to IDNA names (which start
      with 'xn--')
  - Fix crash of Utils::CERT_free
  - Support TLSv11, TLSv12 as handshake protocols
  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
    authorization; with the DH param given by default since 1.956, old versions
    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
    authorization) instead of AES256-SHA and thus the check for the peer
    certificate failed (because ADH does not exchange certificates) - fixed by
    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
  - Cleaned up tests:
    - Remove ssl_settings.req and 02settings.t, because all tests now create a
      simple socket at 127.0.0.1 and thus global settings are no longer needed
    - Some tests did not have use strict(!); fixed it
    - Removed special handling for older Net::SSLeay versions that are less
      than our minimum requirement
    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
      options where they were not really needed
  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
    least version 2.55 which is now 5 years old
  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
Parent: ead705628a
Commit: 90171d5ffc
@ -1,6 +1,6 @@
|
||||
# Work around Perl/RPM versioning inconsistencies
|
||||
%global rpmversion 1.95.5
|
||||
%global cpanversion 1.955
|
||||
%global rpmversion 1.95.8
|
||||
%global cpanversion 1.958
|
||||
|
||||
Name: perl-IO-Socket-SSL
|
||||
Version: %{rpmversion}
|
||||
@ -20,7 +20,7 @@ BuildRequires: perl(ExtUtils::MakeMaker) >= 6.46
|
||||
BuildRequires: perl(IO::Select)
|
||||
BuildRequires: perl(IO::Socket)
|
||||
BuildRequires: perl(IO::Socket::INET)
|
||||
BuildRequires: perl(IO::Socket::INET6)
|
||||
BuildRequires: perl(IO::Socket::INET6) >= 2.55
|
||||
BuildRequires: perl(Net::LibIDN)
|
||||
BuildRequires: perl(Net::SSLeay) >= 1.46
|
||||
BuildRequires: perl(Scalar::Util)
|
||||
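Review bot: The unchanged context line `BuildRequires: perl(Net::SSLeay) >= 1.46`, directly below the bumped IO::Socket::INET6 requirement, should be checked against the minimum that upstream 1.958 declares. The changelog added in this same commit says special handling for Net::SSLeay versions below the minimum requirement was removed, and that forward secrecy depends on what the underlying Net::SSLeay/openssl supports. If upstream's minimum moved, bump it here together with the `>= 2.55` change; if it did not, a one-line comment saying so would save the next reviewer the lookup.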
@ -32,7 +32,7 @@ BuildRequires: procps
|
||||
BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
|
||||
Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
|
||||
%else
|
||||
Requires: perl(IO::Socket::INET6), perl(Socket6)
|
||||
Requires: perl(IO::Socket::INET6) >= 2.55, perl(Socket6)
|
||||
%endif
|
||||
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
|
||||
Requires: perl(Net::LibIDN)
|
||||
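Review bot: In the `%else` branch the new `>= 2.55` applies only to perl(IO::Socket::INET6), while perl(Socket6) on the same `Requires:` line stays unversioned. Putting each dependency on its own `Requires:` line would make that explicit and keep later version bumps to a one-line diff. The reason for 2.55 (upstream dropped its workaround for older releases) is recorded only in the changelog entry, so a short comment above this line would help anyone reading the dependency block on its own.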
@ -74,6 +74,55 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man3/IO::Socket::SSL::Utils.3pm*
|
||||
|
||||
%changelog
|
||||
* Mon Nov 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.8-1
|
||||
- Update to 1.958
|
||||
Lots of behavior changes for more secure defaults:
|
||||
- BEHAVIOR CHANGE: make default cipher list more secure, especially:
|
||||
- No longer support MD5 by default (broken)
|
||||
- No longer support anonymous authentication by default (vulnerable to
|
||||
man in the middle attacks)
|
||||
- Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
|
||||
that it uses by default forward secrecy, if underlying
|
||||
Net::SSLeay/openssl supports it
|
||||
- Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
|
||||
hopefully have been fixed and now RC4 is considered less safe than 3DES)
|
||||
- Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
|
||||
to get the best cipher even if the client prefers other ciphers; PLEASE
|
||||
NOTE that this might break connections with older, less secure
|
||||
implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
|
||||
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
|
||||
and thus gets reused if context gets reused; PLEASE NOTE that using
|
||||
SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
|
||||
the ciphers of the context
|
||||
- Rework hostname verification schemes:
|
||||
- Add RFC names as scheme (e.g. 'rfc2818', ...)
|
||||
- Add SIP, SNMP, syslog, netconf, GIST
|
||||
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
|
||||
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
|
||||
- BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
|
||||
'www2' etc. but not 'www'
|
||||
- Anywhere wildcards like x* are no longer applied to IDNA names (which start
|
||||
with 'xn--')
|
||||
- Fix crash of Utils::CERT_free
|
||||
- Support TLSv11, TLSv12 as handshake protocols
|
||||
- Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
|
||||
authorization; with the DH param given by default since 1.956, old versions
|
||||
of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
|
||||
authorization) instead of AES256-SHA and thus the check for the peer
|
||||
certificate failed (because ADH does not exchange certificates) - fixed by
|
||||
explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
|
||||
- Cleaned up tests:
|
||||
- Remove ssl_settings.req and 02settings.t, because all tests now create a
|
||||
simple socket at 127.0.0.1 and thus global settings are no longer needed
|
||||
- Some tests did not have use strict(!); fixed it
|
||||
- Removed special handling for older Net::SSLeay versions that are less
|
||||
than our minimum requirement
|
||||
- Some syntax enhancements: removed some SSL_version and SSL_cipher_list
|
||||
options where they were not really needed
|
||||
- Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
|
||||
least version 2.55 which is now 5 years old
|
||||
- Fix t/session.t to work with older openssl versions (CPAN RT#90240)
|
||||
|
||||
* Fri Oct 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.5-1
|
||||
- Update to 1.955
|
||||
- Support for perfect forward secrecy using ECDH, if the Net::SSLeay version
|
||||
|
||||
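Review bot: The new changelog entry folds several upstream releases into a single "Update to 1.958" item (the previous entry is 1.955, and the t/core.t line refers to a DH param default introduced in 1.956), so a reader cannot tell which BEHAVIOR CHANGE arrived in which release. Consider tagging each group with its upstream version or pointing to the upstream Changes file. The entry itself warns that the new cipher defaults and SSL_honor_cipher_order set to 1 can break connections with older implementations, and that SSL_cipher_list combined with SSL_reuse_ctx no longer affects the context's ciphers; a line stating how dependent packages were checked against these changes would be worth adding. Minor: "e.g." is used where "i.e." is meant in the SSL_honor_cipher_order and ADH-AES256-SHA lines.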