From 948f20ded6e3b822c187a35b8e0df675fad4ecdf Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Mon, 17 Sep 2018 15:59:10 +0100 Subject: [PATCH] Update to 2.060 - New upstream release 2.060 - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); see also CPAN RT#126899 - TLS 1.3 support is not complete yet for session resume --- ...ket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch | 142 ------------------ ...2.059-Do-two-way-shutdown-in-t-sni.t.patch | 65 -------- ...o-two-way-shutdown-in-t-sni_verify.t.patch | 47 ------ ...lude-TLSv1.3-from-t-session_ticket.t.patch | 59 -------- ...g-on-systems-without-TLSv1.3-support.patch | 41 ----- ...-2.059-NPN-is-unavailable-in-TLSv1.3.patch | 49 ------ ...2.060-use-system-default-SSL-version.patch | 8 +- ...2.060-use-system-default-cipher-list.patch | 6 +- perl-IO-Socket-SSL.spec | 42 ++---- sources | 2 +- 10 files changed, 19 insertions(+), 442 deletions(-) delete mode 100644 IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch delete mode 100644 IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch delete mode 100644 IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch delete mode 100644 IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch delete mode 100644 IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch delete mode 100644 IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch rename IO-Socket-SSL-2.059-use-system-default-SSL-version.patch => IO-Socket-SSL-2.060-use-system-default-SSL-version.patch (86%) rename IO-Socket-SSL-2.054-use-system-default-cipher-list.patch => IO-Socket-SSL-2.060-use-system-default-cipher-list.patch (96%) diff --git a/IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch b/IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch deleted file mode 100644 index e260fcf..0000000 --- a/IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch +++ /dev/null @@ -1,142 +0,0 @@ -From d432295468a1efa18e56c1fbb34e3a23bb07d1e8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 16 Aug 2018 14:56:23 +0200 -Subject: [PATCH] Adapt to OpenSSL 1.1.1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It needs patched Net-SSLeay (CPAN RT#125218). - -This patch introduces some TLSv1.3 identifiers but does not document -them. This is to let the IO-Socket-SSL maintainer to define the API. - -This is not a final patch. We need to fix failures in: - -t/npn.t -t/session_ticket.t -t/sni_verify.t - -Signed-off-by: Petr Písař ---- - lib/IO/Socket/SSL.pm | 17 +++++++++++++++-- - t/ecdhe.t | 16 +++++++++++----- - t/protocol_version.t | 4 ++-- - t/session_ticket.t | 2 ++ - 4 files changed, 30 insertions(+), 9 deletions(-) - -diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm -index 9c81ffc..5b43467 100644 ---- a/lib/IO/Socket/SSL.pm -+++ b/lib/IO/Socket/SSL.pm -@@ -211,7 +211,8 @@ BEGIN{ - # get constants for SSL_OP_NO_* now, instead calling the related functions - # every time we setup a connection - my %SSL_OP_NO; --for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) { -+for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 -+ TLSv1_3 TLSv13:TLSv1_3 )) { - my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); - my $sub = "Net::SSLeay::OP_NO_$op"; - local $SIG{__DIE__}; -@@ -1836,6 +1837,7 @@ sub get_sslversion { - my $ssl = shift()->_get_ssl_object || return; - my $version = Net::SSLeay::version($ssl) or return; - return -+ $version == 0x0304 ? 'TLSv1_3' : - $version == 0x0303 ? 'TLSv1_2' : - $version == 0x0302 ? 'TLSv1_1' : - $version == 0x0301 ? 'TLSv1' : -@@ -2281,7 +2283,7 @@ sub new { - - my $ver = ''; - for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { -- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i -+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i - or croak("invalid SSL_version specified"); - my $not = $1; - ( my $v = lc($2||$3) ) =~s{^(...)}{\U$1}; -@@ -2329,6 +2331,17 @@ sub new { - IO::Socket::SSL->error("SSL Context init failed"); - $CTX_CREATED_IN_THIS_THREAD{$ctx} = 1 if $use_threads; - -+ # There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using -+ # a flexible method. -+ if ($ver eq 'TLSv1_3') { -+ if (!Net::SSLeay::CTX_set_min_proto_version($ctx, -+ Net::SSLeay::TLS1_3_VERSION()) or -+ !Net::SSLeay::CTX_set_max_proto_version($ctx, -+ Net::SSLeay::TLS1_3_VERSION())) { -+ IO::Socket::SSL->error("TLSv1_3 context init failed"); -+ } -+ } -+ - # SSL_OP_CIPHER_SERVER_PREFERENCE - $ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order}; - -diff --git a/t/ecdhe.t b/t/ecdhe.t -index 638d82b..1b229c5 100644 ---- a/t/ecdhe.t -+++ b/t/ecdhe.t -@@ -53,12 +53,18 @@ if ( !defined $pid ) { - }; - ok( "client connected" ); - -- my $cipher = $to_server->get_cipher(); -- if ( $cipher !~m/^ECDHE-/ ) { -- notok("bad key exchange: $cipher"); -- exit; -+ my $protocol = $to_server->get_sslversion; -+ if ($protocol eq 'TLSv1_3') { -+ # -+ ok("# SKIP TLSv1.3 doesn't advertize key exchange in a chipher name"); -+ } else { -+ my $cipher = $to_server->get_cipher(); -+ if ( $cipher !~m/^ECDHE-/ ) { -+ notok("bad key exchange: $cipher"); -+ exit; -+ } -+ ok("ecdh key exchange: $cipher"); - } -- ok("ecdh key exchange: $cipher"); - - } else { ###### Server - -diff --git a/t/protocol_version.t b/t/protocol_version.t -index e3853d8..3577720 100644 ---- a/t/protocol_version.t -+++ b/t/protocol_version.t -@@ -13,7 +13,7 @@ plan skip_all => "Test::More has no done_testing" - $|=1; - - my $XDEBUG = 0; --my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2); -+my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3); - - my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', -@@ -82,7 +82,7 @@ if ($pid == 0) { - die "best protocol version server supports is $ver" if $supported{foo}; - - # Check if the OpenSSL was compiled without support for specific protocols -- for(qw(SSLv3 TLSv1 TLSv1_1)) { -+ for(qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3)) { - if ( ! $check->($_,'')) { - diag("looks like OpenSSL was compiled without $_ support"); - delete $supported{$_}; -diff --git a/t/session_ticket.t b/t/session_ticket.t -index d3c15d9..bff6a86 100644 ---- a/t/session_ticket.t -+++ b/t/session_ticket.t -@@ -73,6 +73,8 @@ my $client = sub { - }; - - -+# FIXME: TLSv1.3 requires to use SSL_CTX_sess_set_new_cb() by clients instead -+# of SSL_get1_session(). Missing from Net::SSLeay. - $client->(0,0,"no initial session -> no reuse"); - $client->(0,1,"reuse with the next session and secret[0]"); - $client->(1,1,"reuse even though server changed, since they share ticket secret"); --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch b/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch deleted file mode 100644 index 2e2b54d..0000000 --- a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 1d19a7d01960fd8dc00bb3929a1ffaee186470fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 21 Aug 2018 16:02:19 +0200 -Subject: [PATCH] Do two-way shutdown in t/sni.t -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -TLSv1.3 performs more reading and writing in SSL_accept(). If a client -disconnects after the handshake but before the server finishes -SSL_accept(), the t/sni.t test would fail because accept() could fail with -ECONNRESET. This happened randomly. - -Failed accept() lead to undef->get_servername() call that triggered -a run-time exception and that caused a client being stucked and the -test script never exited. - -This fixes both these issues. - -Signed-off-by: Petr Písař ---- - t/sni.t | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/t/sni.t b/t/sni.t -index de0f06e..91206de 100644 ---- a/t/sni.t -+++ b/t/sni.t -@@ -68,15 +68,31 @@ if ( $pid == 0 ) { - - $client->verify_hostname($host,'http') or print "not "; - print "ok # client verify hostname in cert $host\n"; -+ # Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with -+ # ECONNRESET when a client disconnects too early. -+ $client->close('SSL_fast_shutdown' => 0); - } - exit; - } - -+# If the server dies, a client can get stuck in read(2) while Perl interpreter -+# is collecting children status in the die handler using wait4(2). -+$SIG{__DIE__} = sub { -+ STDERR->print("Server died. Killing client with $pid PID.\n"); -+ kill(9, $pid); -+}; - for my $host (@tests) { -- my $csock = $server->accept or print "not "; -- print "ok # server accept\n"; -+ my $csock = $server->accept; -+ if (!$csock) { -+ print "not ok # server accept SSL_ERROR='$SSL_ERROR', errno='$!'"; -+ } else { -+ print "ok # server accept\n"; -+ } - my $name = $csock->get_servername; - print "not " if ! $name or $name ne $host; - print "ok # server got SNI name $host\n"; -+ # Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with -+ # ECONNRESET when a client disconnects too early. -+ $csock->close('SSL_fast_shutdown' => 0); - } - wait; --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch b/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch deleted file mode 100644 index ad3d2df..0000000 --- a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 84a3bc6c273977bcd4b709e0d9a3d9fcdd58e36d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 17 Aug 2018 14:46:33 +0200 -Subject: [PATCH] Do two-way shutdown in t/sni_verify.t -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -OpenSSL 1.1.1-pre7 sigipipes TLSv1.3 server if client does not -shutdown TLS properly. - - -Signed-off-by: Petr Písař ---- - t/sni_verify.t | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/t/sni_verify.t b/t/sni_verify.t -index b3b299b..b5ac4bd 100644 ---- a/t/sni_verify.t -+++ b/t/sni_verify.t -@@ -71,6 +71,13 @@ if ( $pid == 0 ) { - - $client->verify_hostname($host,'http') or print "not "; - print "ok # client verify hostname in cert $host\n"; -+ -+ if ($client) { -+ # Shutdown TLS properly. Otherwise TLSv1.3 server will receive SIGPIPE -+ # in SSL_accept() and dies. -+ # . -+ $client->close('SSL_fast_shutdown' => 0); -+ } - } - exit; - } -@@ -81,5 +88,8 @@ for my $host (@tests) { - my $name = $csock->get_servername; - print "not " if ! $name or $name ne $host; - print "ok # server got SNI name $host\n"; -+ if ($csock) { -+ $csock->close('SSL_fast_shutdown' => 0); -+ } - } - wait; --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch b/IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch deleted file mode 100644 index 8b13a63..0000000 --- a/IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch +++ /dev/null @@ -1,59 +0,0 @@ -From c332d19048735e32e2754685fa3c8654ca068b78 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 21 Aug 2018 12:32:39 +0200 -Subject: [PATCH] Exclude TLSv1.3 from t/session_ticket.t -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The test fails with OpenSSL 1.1.1 because SSL_get1_session() is not -reliable with TLSv1.3. A proper resumption support would need -migration to SSL_CTX_sess_set_new_cb() API. - -This patch also performs full SSL_shutdown in the test becasue -SSL_get1_session() manual documents that a connection must be properly -SSL_shutdowned, otherwise the session will be removed from the -(internal) session cache. - -Signed-off-by: Petr Písař ---- - t/session_ticket.t | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/t/session_ticket.t b/t/session_ticket.t -index bff6a86..69cbc96 100644 ---- a/t/session_ticket.t -+++ b/t/session_ticket.t -@@ -69,7 +69,7 @@ my $client = sub { - diag("connect to $i: ". - ($cl ? "success reuse=$reuse" : "error: $!,$SSL_ERROR")); - is($reuse,$expect_reuse,$desc); -- close($cl); -+ $cl->close('SSL_fast_shutdown' => 0); - }; - - -@@ -123,6 +123,11 @@ sub _server { - SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - SSL_ticket_keycb => $get_ticket_key, - SSL_session_id_context => 'foobar', -+ SSL_version => 'SSLv23:!TLSv1_3', # TLSv1.3 sends session tickes after -+ # a handshake, this SSL_get1_session() is not reliable anymore. -+ # Exclude TLSv1.3 from tests. Proper TLSv1.3 session resumption -+ # will need SSL_CTX_sess_set_new_cb(). -+ # - ) or die "failed to create SSL context: $SSL_ERROR"; - } - -@@ -158,7 +163,7 @@ sub _server { - print "rotate secrets\n"; - push @secrets, shift(@secrets); - } -- close($cl); -+ $cl->close('SSL_fast_shutdown' => 0); - alarm(0); - last; - } --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch b/IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch deleted file mode 100644 index 4613520..0000000 --- a/IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 12ff43c81b10446bd74cc719f0a6913040598c58 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 21 Aug 2018 16:34:39 +0200 -Subject: [PATCH] Fix building on systems without TLSv1.3 support -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If OpenSSL does not support TLSv1.3, Net::SSLeay does not have -TLS1_3_VERSION() and t/protocol_version.t fails with: - - # Failed test 'Your vendor has not defined SSLeay macro TLS1_3_VERSION at /home/test/fedora/perl-IO-Socket-SSL/IO-Socket-SSL-2.059/blib/lib/IO/Socket/SSL.pm line 2337. - # ' - # at ./t/testlib.pl line 39. - -This patch fixes creating IO::Socket:SSL context for TLSv1.3 by -checking whether it's supported by Net::SSLeay. - -Signed-off-by: Petr Písař ---- - lib/IO/Socket/SSL.pm | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm -index 5b43467..7138ab0 100644 ---- a/lib/IO/Socket/SSL.pm -+++ b/lib/IO/Socket/SSL.pm -@@ -2334,6 +2334,10 @@ sub new { - # There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using - # a flexible method. - if ($ver eq 'TLSv1_3') { -+ if (!eval {Net::SSLeay::TLS1_3_VERSION()}) { -+ return IO::Socket::SSL->_internal_error( -+ "SSL Version $ver not supported",9); -+ } - if (!Net::SSLeay::CTX_set_min_proto_version($ctx, - Net::SSLeay::TLS1_3_VERSION()) or - !Net::SSLeay::CTX_set_max_proto_version($ctx, --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch b/IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch deleted file mode 100644 index 6b93df3..0000000 --- a/IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 94b0b52f05911bd8cfe579406248c8afe36004d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 17 Aug 2018 15:14:40 +0200 -Subject: [PATCH] NPN is unavailable in TLSv1.3 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -TLSv1.3 does not support NPN. Application can use ALPN. This caused -t/npn.t failures when TLSv1.3 was negotiated. This patch disables -TLSv1.3 in the test. - - - -Signed-off-by: Petr Písař ---- - lib/IO/Socket/SSL.pod | 2 +- - t/npn.t | 2 ++ - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod -index 95401aa..363901b 100644 ---- a/lib/IO/Socket/SSL.pod -+++ b/lib/IO/Socket/SSL.pod -@@ -1336,7 +1336,7 @@ as an array ref. - See also method C. - - Next Protocol Negotiation (NPN) is available with Net::SSLeay 1.46+ and --openssl-1.0.1+. -+openssl-1.0.1+. NPN is unavailable in TLSv1.3 protocol. - To check support you might call C<< IO::Socket::SSL->can_npn() >>. - If you use this option with an unsupported Net::SSLeay/OpenSSL it will - throw an error. -diff --git a/t/npn.t b/t/npn.t -index 8992a77..6ee6ca6 100644 ---- a/t/npn.t -+++ b/t/npn.t -@@ -25,6 +25,8 @@ my $addr = '127.0.0.1'; - my $server = IO::Socket::SSL->new( - LocalAddr => $addr, - Listen => 2, -+ SSL_version => 'SSLv23:!TLSv1_3', # NPN does not exist in TLSv1.3 -+ # https://github.com/openssl/openssl/issues/3665 - SSL_cert_file => 'certs/server-cert.pem', - SSL_key_file => 'certs/server-key.pem', - SSL_npn_protocols => [qw(one two)], --- -2.14.4 - diff --git a/IO-Socket-SSL-2.059-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch similarity index 86% rename from IO-Socket-SSL-2.059-use-system-default-SSL-version.patch rename to IO-Socket-SSL-2.060-use-system-default-SSL-version.patch index 25d7ffd..15ad9a6 100644 --- a/IO-Socket-SSL-2.059-use-system-default-SSL-version.patch +++ b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch @@ -1,6 +1,6 @@ --- lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm -@@ -116,7 +116,7 @@ my $algo2digest = do { +@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p # global defaults my %DEFAULT_SSL_ARGS = ( SSL_check_crl => 0, @@ -9,18 +9,18 @@ SSL_verify_callback => undef, SSL_verifycn_scheme => undef, # fallback cn verification SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2279,7 +2279,7 @@ sub new { +@@ -2295,7 +2295,7 @@ sub new { my $ssl_op = $DEFAULT_SSL_OP; - my $ver; + my $ver = ''; for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { - m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i + m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i or croak("invalid SSL_version specified"); --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -993,11 +993,12 @@ protocol to the specified version. +@@ -1010,11 +1010,12 @@ protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl. diff --git a/IO-Socket-SSL-2.054-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch similarity index 96% rename from IO-Socket-SSL-2.054-use-system-default-cipher-list.patch rename to IO-Socket-SSL-2.060-use-system-default-cipher-list.patch index 1815c29..e1e6863 100644 --- a/IO-Socket-SSL-2.054-use-system-default-cipher-list.patch +++ b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch @@ -1,6 +1,6 @@ --- lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm -@@ -124,10 +124,10 @@ my %DEFAULT_SSL_ARGS = ( +@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = ( SSL_npn_protocols => undef, # meaning depends whether on server or client side SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] @@ -15,7 +15,7 @@ ); my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -137,63 +137,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( +@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( SSL_ca_file => undef, SSL_ca_path => undef, @@ -81,7 +81,7 @@ # set values inside _init to work with perlcc, RT#95452 --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -1019,12 +1019,8 @@ documentation (L - 2.060-1 +- Update to 2.060 + - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); + see also CPAN RT#126899 + - TLS 1.3 support is not complete yet for session resume + * Tue Aug 21 2018 Petr Pisar - 2.059-2 - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198) @@ -148,7 +128,7 @@ make test * Thu Jul 19 2018 Paul Howarth - 2.058-1 - Update to 2.058 - - Fix memory leak that occured with explicit stop_SSL in connection with + - Fix memory leak that occurred with explicit stop_SSL in connection with non-blocking sockets or timeout (CPAN RT#125867) - Fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963) diff --git a/sources b/sources index c150ee8..ce172b6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (IO-Socket-SSL-2.059.tar.gz) = af3800d171036b026bcb502692f70d88c4a9f2546e465181ef9037467b942c94303840cc479403f5f0e6f0ad6b06918cbaf78f0b1447e5416594c819ed94a39b +SHA512 (IO-Socket-SSL-2.060.tar.gz) = 1a1e29f8a4b912bd3643509356c66b3a567ae41bb0ac9eb30f6ca97eb68bf9507e20c0fb8512f5dfd309accd6cfba61811b8d637f5e991aaa0a250a906fcb95c