Update to 2.060

- New upstream release 2.060 - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); see also CPAN RT#126899 - TLS 1.3 support is not complete yet for session resume
2018-09-17 15:59:10 +01:00 · 2018-09-17 15:59:10 +01:00 · 948f20ded6
commit 948f20ded6
parent e2609f60d1
10 changed files with 19 additions and 442 deletions
--- a/IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch
+++ b/IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch
@ -1,142 +0,0 @@
 From d432295468a1efa18e56c1fbb34e3a23bb07d1e8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Thu, 16 Aug 2018 14:56:23 +0200
 Subject: [PATCH] Adapt to OpenSSL 1.1.1
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 It needs patched Net-SSLeay (CPAN RT#125218).
 This patch introduces some TLSv1.3 identifiers but does not document
 them. This is to let the IO-Socket-SSL maintainer to define the API.
 This is not a final patch. We need to fix failures in:
 t/npn.t
 t/session_ticket.t
 t/sni_verify.t
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 lib/IO/Socket/SSL.pm | 17 +++++++++++++++--
 t/ecdhe.t            | 16 +++++++++++-----
 t/protocol_version.t |  4 ++--
 t/session_ticket.t   |  2 ++
 4 files changed, 30 insertions(+), 9 deletions(-)
 diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
 index 9c81ffc..5b43467 100644
 --- a/lib/IO/Socket/SSL.pm
 +++ b/lib/IO/Socket/SSL.pm
@@ -211,7 +211,8 @@ BEGIN{
 # get constants for SSL_OP_NO_* now, instead calling the related functions
 # every time we setup a connection
 my %SSL_OP_NO;
 -for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) {
 +for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2
 +        TLSv1_3 TLSv13:TLSv1_3 )) {
     my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_);
     my $sub = "Net::SSLeay::OP_NO_$op";
     local $SIG{__DIE__};
@@ -1836,6 +1837,7 @@ sub get_sslversion {
     my $ssl = shift()->_get_ssl_object || return;
     my $version = Net::SSLeay::version($ssl) or return;
     return
 +	$version == 0x0304 ? 'TLSv1_3' :
 	$version == 0x0303 ? 'TLSv1_2' :
 	$version == 0x0302 ? 'TLSv1_1' :
 	$version == 0x0301 ? 'TLSv1'   :
@@ -2281,7 +2283,7 @@ sub new {
     my $ver = '';
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
 -	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
 +	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
 	or croak("invalid SSL_version specified");
 	my $not = $1;
 	( my $v = lc($2||$3) ) =~s{^(...)}{\U$1};
@@ -2329,6 +2331,17 @@ sub new {
 	    IO::Socket::SSL->error("SSL Context init failed");
 	$CTX_CREATED_IN_THIS_THREAD{$ctx} = 1 if $use_threads;
 +	# There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using
 +	# a flexible method.
 +	if ($ver eq 'TLSv1_3') {
 +	    if (!Net::SSLeay::CTX_set_min_proto_version($ctx,
 +		    Net::SSLeay::TLS1_3_VERSION()) or
 +		!Net::SSLeay::CTX_set_max_proto_version($ctx,
 +		    Net::SSLeay::TLS1_3_VERSION())) {
 +		IO::Socket::SSL->error("TLSv1_3 context init failed");
 +	    }
 +	}
 +
 	# SSL_OP_CIPHER_SERVER_PREFERENCE
 	$ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order};
 diff --git a/t/ecdhe.t b/t/ecdhe.t
 index 638d82b..1b229c5 100644
 --- a/t/ecdhe.t
 +++ b/t/ecdhe.t
@@ -53,12 +53,18 @@ if ( !defined $pid ) {
     };
     ok( "client connected" );
 -    my $cipher = $to_server->get_cipher();
 -    if ( $cipher !~m/^ECDHE-/ ) {
 -	notok("bad key exchange: $cipher");
 -	exit;
 +    my $protocol = $to_server->get_sslversion;
 +    if ($protocol eq 'TLSv1_3') {
 +        # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
 +        ok("# SKIP TLSv1.3 doesn't advertize key exchange in a chipher name");
 +    } else {
 +        my $cipher = $to_server->get_cipher();
 +        if ( $cipher !~m/^ECDHE-/ ) {
 +            notok("bad key exchange: $cipher");
 +            exit;
 +        }
 +        ok("ecdh key exchange: $cipher");
     }
 -    ok("ecdh key exchange: $cipher");
 } else {                ###### Server
 diff --git a/t/protocol_version.t b/t/protocol_version.t
 index e3853d8..3577720 100644
 --- a/t/protocol_version.t
 +++ b/t/protocol_version.t
@@ -13,7 +13,7 @@ plan skip_all => "Test::More has no done_testing"
 $|=1;
 my $XDEBUG = 0;
 -my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2);
 +my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3);
 my $server = IO::Socket::SSL->new(
     LocalAddr => '127.0.0.1',
@@ -82,7 +82,7 @@ if ($pid == 0) {
     die "best protocol version server supports is $ver" if $supported{foo};
     # Check if the OpenSSL was compiled without support for specific protocols
 -    for(qw(SSLv3 TLSv1 TLSv1_1)) {
 +    for(qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3)) {
 	if ( ! $check->($_,'')) {
 	    diag("looks like OpenSSL was compiled without $_ support");
 	    delete $supported{$_};
 diff --git a/t/session_ticket.t b/t/session_ticket.t
 index d3c15d9..bff6a86 100644
 --- a/t/session_ticket.t
 +++ b/t/session_ticket.t
@@ -73,6 +73,8 @@ my $client = sub {
 };
 +# FIXME: TLSv1.3 requires to use SSL_CTX_sess_set_new_cb() by clients instead
 +# of SSL_get1_session(). Missing from Net::SSLeay.
 $client->(0,0,"no initial session -> no reuse");
 $client->(0,1,"reuse with the next session and secret[0]");
 $client->(1,1,"reuse even though server changed, since they share ticket secret");
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch
+++ b/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch
@ -1,65 +0,0 @@
 From 1d19a7d01960fd8dc00bb3929a1ffaee186470fd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Tue, 21 Aug 2018 16:02:19 +0200
 Subject: [PATCH] Do two-way shutdown in t/sni.t
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 TLSv1.3 performs more reading and writing in SSL_accept(). If a client
 disconnects after the handshake but before the server finishes
 SSL_accept(), the t/sni.t test would fail because accept() could fail with
 ECONNRESET. This happened randomly.
 Failed accept() lead to undef->get_servername() call that triggered
 a run-time exception and that caused a client being stucked and the
 test script never exited.
 This fixes both these issues.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 t/sni.t | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
 diff --git a/t/sni.t b/t/sni.t
 index de0f06e..91206de 100644
 --- a/t/sni.t
 +++ b/t/sni.t
@@ -68,15 +68,31 @@ if ( $pid == 0 ) {
 	$client->verify_hostname($host,'http') or print "not ";
 	print "ok # client verify hostname in cert $host\n";
 +	# Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with
 +	# ECONNRESET when a client disconnects too early.
 +	$client->close('SSL_fast_shutdown' => 0);
     }
     exit;
 }
 +# If the server dies, a client can get stuck in read(2) while Perl interpreter
 +# is collecting children status in the die handler using wait4(2).
 +$SIG{__DIE__} = sub {
 +    STDERR->print("Server died. Killing client with $pid PID.\n");
 +    kill(9, $pid);
 +};
 for my $host (@tests) {
 -    my $csock = $server->accept or print "not ";
 -    print "ok # server accept\n";
 +    my $csock = $server->accept;
 +    if (!$csock) {
 +        print "not ok # server accept SSL_ERROR='$SSL_ERROR', errno='$!'";
 +    } else {
 +        print "ok # server accept\n";
 +    }
     my $name = $csock->get_servername;
     print "not " if ! $name or $name ne $host;
     print "ok # server got SNI name $host\n";
 +    # Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with
 +    # ECONNRESET when a client disconnects too early.
 +    $csock->close('SSL_fast_shutdown' => 0);
 }
 wait;
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch
+++ b/IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch
@ -1,47 +0,0 @@
 From 84a3bc6c273977bcd4b709e0d9a3d9fcdd58e36d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Fri, 17 Aug 2018 14:46:33 +0200
 Subject: [PATCH] Do two-way shutdown in t/sni_verify.t
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 OpenSSL 1.1.1-pre7 sigipipes TLSv1.3 server if client does not
 shutdown TLS properly.
 <https://github.com/openssl/openssl/issues/6904>
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 t/sni_verify.t | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/t/sni_verify.t b/t/sni_verify.t
 index b3b299b..b5ac4bd 100644
 --- a/t/sni_verify.t
 +++ b/t/sni_verify.t
@@ -71,6 +71,13 @@ if ( $pid == 0 ) {
 	$client->verify_hostname($host,'http') or print "not ";
 	print "ok # client verify hostname in cert $host\n";
 +
 +	if ($client) {
 +	    # Shutdown TLS properly. Otherwise TLSv1.3 server will receive SIGPIPE
 +	    # in SSL_accept() and dies.
 +	    # <https://github.com/openssl/openssl/issues/6904>.
 +	    $client->close('SSL_fast_shutdown' => 0);
 +	}
     }
     exit;
 }
@@ -81,5 +88,8 @@ for my $host (@tests) {
     my $name = $csock->get_servername;
     print "not " if ! $name or $name ne $host;
     print "ok # server got SNI name $host\n";
 +    if ($csock) {
 +        $csock->close('SSL_fast_shutdown' => 0);
 +    }
 }
 wait;
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch
+++ b/IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch
@ -1,59 +0,0 @@
 From c332d19048735e32e2754685fa3c8654ca068b78 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Tue, 21 Aug 2018 12:32:39 +0200
 Subject: [PATCH] Exclude TLSv1.3 from t/session_ticket.t
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The test fails with OpenSSL 1.1.1 because SSL_get1_session() is not
 reliable with TLSv1.3. A proper resumption support would need
 migration to SSL_CTX_sess_set_new_cb() API.
 This patch also performs full SSL_shutdown in the test becasue
 SSL_get1_session() manual documents that a connection must be properly
 SSL_shutdowned, otherwise the session will be removed from the
 (internal) session cache.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 t/session_ticket.t | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/t/session_ticket.t b/t/session_ticket.t
 index bff6a86..69cbc96 100644
 --- a/t/session_ticket.t
 +++ b/t/session_ticket.t
@@ -69,7 +69,7 @@ my $client = sub {
     diag("connect to $i: ".
 	($cl ? "success reuse=$reuse" : "error: $!,$SSL_ERROR"));
     is($reuse,$expect_reuse,$desc);
 -    close($cl);
 +    $cl->close('SSL_fast_shutdown' => 0);
 };
@@ -123,6 +123,11 @@ sub _server {
 	    SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 	    SSL_ticket_keycb => $get_ticket_key,
 	    SSL_session_id_context => 'foobar',
 +	    SSL_version => 'SSLv23:!TLSv1_3', # TLSv1.3 sends session tickes after
 +		# a handshake, this SSL_get1_session() is not reliable anymore.
 +		# Exclude TLSv1.3 from tests. Proper TLSv1.3 session resumption
 +		# will need SSL_CTX_sess_set_new_cb().
 +		# <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
 	) or die "failed to create SSL context: $SSL_ERROR";
     }
@@ -158,7 +163,7 @@ sub _server {
 		print "rotate secrets\n";
 		push @secrets, shift(@secrets);
 	    }
 -	    close($cl);
 +	    $cl->close('SSL_fast_shutdown' => 0);
 	    alarm(0);
 	    last;
 	}
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch
+++ b/IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch
@ -1,41 +0,0 @@
 From 12ff43c81b10446bd74cc719f0a6913040598c58 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Tue, 21 Aug 2018 16:34:39 +0200
 Subject: [PATCH] Fix building on systems without TLSv1.3 support
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If OpenSSL does not support TLSv1.3, Net::SSLeay does not have
 TLS1_3_VERSION() and t/protocol_version.t fails with:
    #   Failed test 'Your vendor has not defined SSLeay macro TLS1_3_VERSION at /home/test/fedora/perl-IO-Socket-SSL/IO-Socket-SSL-2.059/blib/lib/IO/Socket/SSL.pm line 2337.
    # '
    #   at ./t/testlib.pl line 39.
 This patch fixes creating IO::Socket:SSL context for TLSv1.3 by
 checking whether it's supported by Net::SSLeay.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 lib/IO/Socket/SSL.pm | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
 index 5b43467..7138ab0 100644
 --- a/lib/IO/Socket/SSL.pm
 +++ b/lib/IO/Socket/SSL.pm
@@ -2334,6 +2334,10 @@ sub new {
 	# There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using
 	# a flexible method.
 	if ($ver eq 'TLSv1_3') {
 +	    if (!eval {Net::SSLeay::TLS1_3_VERSION()}) {
 +		return IO::Socket::SSL->_internal_error(
 +		    "SSL Version $ver not supported",9);
 +	    }
 	    if (!Net::SSLeay::CTX_set_min_proto_version($ctx,
 		    Net::SSLeay::TLS1_3_VERSION()) or
 		!Net::SSLeay::CTX_set_max_proto_version($ctx,
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch
+++ b/IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch
@ -1,49 +0,0 @@
 From 94b0b52f05911bd8cfe579406248c8afe36004d7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Fri, 17 Aug 2018 15:14:40 +0200
 Subject: [PATCH] NPN is unavailable in TLSv1.3
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 TLSv1.3 does not support NPN. Application can use ALPN. This caused
 t/npn.t failures when TLSv1.3 was negotiated. This patch disables
 TLSv1.3 in the test.
 <https://github.com/openssl/openssl/issues/3665>
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 lib/IO/Socket/SSL.pod | 2 +-
 t/npn.t               | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 diff --git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
 index 95401aa..363901b 100644
 --- a/lib/IO/Socket/SSL.pod
 +++ b/lib/IO/Socket/SSL.pod
@@ -1336,7 +1336,7 @@ as an array ref.
 See also method C<next_proto_negotiated>.
 Next Protocol Negotiation (NPN) is available with Net::SSLeay 1.46+ and
 -openssl-1.0.1+.
 +openssl-1.0.1+. NPN is unavailable in TLSv1.3 protocol.
 To check support you might call C<< IO::Socket::SSL->can_npn() >>.
 If you use this option with an unsupported Net::SSLeay/OpenSSL it will
 throw an error.
 diff --git a/t/npn.t b/t/npn.t
 index 8992a77..6ee6ca6 100644
 --- a/t/npn.t
 +++ b/t/npn.t
@@ -25,6 +25,8 @@ my $addr = '127.0.0.1';
 my $server = IO::Socket::SSL->new(
     LocalAddr => $addr,
     Listen => 2,
 +    SSL_version => 'SSLv23:!TLSv1_3', # NPN does not exist in TLSv1.3
 +                                # https://github.com/openssl/openssl/issues/3665
     SSL_cert_file => 'certs/server-cert.pem',
     SSL_key_file => 'certs/server-key.pem',
     SSL_npn_protocols => [qw(one two)],
 -- 
 2.14.4
--- a/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
+++ b/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -116,7 +116,7 @@ my $algo2digest = do {
+@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
 # global defaults
 my %DEFAULT_SSL_ARGS = (
     SSL_check_crl => 0,
@ -9,18 +9,18 @@
     SSL_verify_callback => undef,
     SSL_verifycn_scheme => undef,  # fallback cn verification
     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
-@@ -2279,7 +2279,7 @@ sub new {
+@@ -2295,7 +2295,7 @@ sub new {
     my $ssl_op = $DEFAULT_SSL_OP;
 -    my $ver;
 +    my $ver = '';
     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
- 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
+ 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
 	or croak("invalid SSL_version specified");
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -993,11 +993,12 @@ protocol to the specified version.
+@@ -1010,11 +1010,12 @@ protocol to the specified version.
 All values are case-insensitive.  Instead of 'TLSv1_1' and 'TLSv1_2' one can
 also use 'TLSv11' and 'TLSv12'.  Support for 'TLSv1_1' and 'TLSv1_2' requires
 recent versions of Net::SSLeay and openssl.
--- a/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
+++ b/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -124,10 +124,10 @@ my %DEFAULT_SSL_ARGS = (
+@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = (
     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
     SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
@ -15,7 +15,7 @@
 );
 my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -137,63 +137,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
     SSL_ca_file => undef,
     SSL_ca_path => undef,
@ -81,7 +81,7 @@
 # set values inside _init to work with perlcc, RT#95452
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -1019,12 +1019,8 @@ documentation (L<http://www.openssl.org/
+@@ -1036,12 +1036,8 @@ documentation (L<http://www.openssl.org/
 for more details.
 Unless you fail to contact your peer because of no shared ciphers it is
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@ -1,30 +1,12 @@
 Name:		perl-IO-Socket-SSL
-Version:	2.059
+Version:	2.060
-Release:	2%{?dist}
+Release:	1%{?dist}
 Summary:	Perl library for transparent SSL
 License:	GPL+ or Artistic
 URL:		https://metacpan.org/release/IO-Socket-SSL
 Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0:		IO-Socket-SSL-2.054-use-system-default-cipher-list.patch
+Patch0:		IO-Socket-SSL-2.060-use-system-default-cipher-list.patch
-Patch1:		IO-Socket-SSL-2.059-use-system-default-SSL-version.patch
+Patch1:		IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch2:		IO-Socket-SSL-2.059-Adapt-to-OpenSSL-1.1.1.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch3:		IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni_verify.t.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch4:		IO-Socket-SSL-2.059-NPN-is-unavailable-in-TLSv1.3.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch5:		IO-Socket-SSL-2.059-Exclude-TLSv1.3-from-t-session_ticket.t.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch6:		IO-Socket-SSL-2.059-Do-two-way-shutdown-in-t-sni.t.patch
 # Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay, bug #1616198,
 # CPAN RT#126899
 Patch7:		IO-Socket-SSL-2.059-Fix-building-on-systems-without-TLSv1.3-support.patch
 BuildArch:	noarch
 # Module Build
 BuildRequires:	coreutils
@ -104,14 +86,6 @@ mod_perl.
 # Use system-default SSL version too
 %patch1
 # OpensSSL 1.1.1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %build
 NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
@ -137,6 +111,12 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 %changelog
 * Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
 - Update to 2.060
  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
    see also CPAN RT#126899
  - TLS 1.3 support is not complete yet for session resume
 * Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
 - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)
@ -148,7 +128,7 @@ make test
 * Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
 - Update to 2.058
-  - Fix memory leak that occured with explicit stop_SSL in connection with
+  - Fix memory leak that occurred with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.059.tar.gz) = af3800d171036b026bcb502692f70d88c4a9f2546e465181ef9037467b942c94303840cc479403f5f0e6f0ad6b06918cbaf78f0b1447e5416594c819ed94a39b
+SHA512 (IO-Socket-SSL-2.060.tar.gz) = 1a1e29f8a4b912bd3643509356c66b3a567ae41bb0ac9eb30f6ca97eb68bf9507e20c0fb8512f5dfd309accd6cfba61811b8d637f5e991aaa0a250a906fcb95c
`@ -1 +1 @@`
	`SHA512 (IO-Socket-SSL-2.059.tar.gz) = af3800d171036b026bcb502692f70d88c4a9f2546e465181ef9037467b942c94303840cc479403f5f0e6f0ad6b06918cbaf78f0b1447e5416594c819ed94a39b`	`SHA512 (IO-Socket-SSL-2.060.tar.gz) = 1a1e29f8a4b912bd3643509356c66b3a567ae41bb0ac9eb30f6ca97eb68bf9507e20c0fb8512f5dfd309accd6cfba61811b8d637f5e991aaa0a250a906fcb95c`