From abf3820637f676b7ff731b69564bf494b23c3ee2 Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Sat, 15 Feb 2020 15:11:21 +0000
Subject: [PATCH] Update to 2.067

- New upstream release 2.067
  - Fix memory leak on incomplete handshake (GH#92)
  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
    can decrease memory usage at the costs of more allocations (CPAN RT#129463)
  - More detailed error messages when loading of certificate file failed (GH#89)
  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
  - Fix warning when no ecdh support is available
  - Documentation update regarding use of select and TLS 1.3
  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
  - Stability fix for t/core.t
---
 ...2.067-use-system-default-SSL-version.patch |  6 +++---
 ...2.067-use-system-default-cipher-list.patch | 12 ++++++-----
 perl-IO-Socket-SSL.spec                       | 21 +++++++++++++++----
 sources                                       |  2 +-
 4 files changed, 28 insertions(+), 13 deletions(-)
 rename IO-Socket-SSL-2.066-use-system-default-SSL-version.patch => IO-Socket-SSL-2.067-use-system-default-SSL-version.patch (90%)
 rename IO-Socket-SSL-2.066-use-system-default-cipher-list.patch => IO-Socket-SSL-2.067-use-system-default-cipher-list.patch (95%)

diff --git a/IO-Socket-SSL-2.066-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.067-use-system-default-SSL-version.patch
similarity index 90%
rename from IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
rename to IO-Socket-SSL-2.067-use-system-default-SSL-version.patch
index a9a4331..732ce31 100644
--- a/IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
+++ b/IO-Socket-SSL-2.067-use-system-default-SSL-version.patch
@@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
  # global defaults
  my %DEFAULT_SSL_ARGS = (
      SSL_check_crl => 0,
@@ -9,7 +9,7 @@
      SSL_verify_callback => undef,
      SSL_verifycn_scheme => undef,  # fallback cn verification
      SSL_verifycn_publicsuffix => undef,  # fallback default list verification
-@@ -2335,7 +2335,7 @@ sub new {
+@@ -2383,7 +2383,7 @@ sub new {
  
      my $ssl_op = $DEFAULT_SSL_OP;
  
@@ -20,7 +20,7 @@
  	or croak("invalid SSL_version specified");
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -1028,11 +1028,12 @@ All values are case-insensitive.  Instea
+@@ -1043,11 +1043,12 @@ All values are case-insensitive.  Instea
  'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.  Support for
  'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
  and openssl.
diff --git a/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.067-use-system-default-cipher-list.patch
similarity index 95%
rename from IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
rename to IO-Socket-SSL-2.067-use-system-default-cipher-list.patch
index 53681e3..800ab64 100644
--- a/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
+++ b/IO-Socket-SSL-2.067-use-system-default-cipher-list.patch
@@ -1,6 +1,6 @@
 --- lib/IO/Socket/SSL.pm
 +++ lib/IO/Socket/SSL.pm
-@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
+@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
      SSL_npn_protocols => undef,    # meaning depends whether on server or client side
      SSL_alpn_protocols => undef,   # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
  
@@ -16,10 +16,12 @@
  );
  
  my %DEFAULT_SSL_CLIENT_ARGS = (
-@@ -186,63 +185,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
+     %DEFAULT_SSL_ARGS,
+     SSL_verify_mode => SSL_VERIFY_PEER,
+-
      SSL_ca_file => undef,
      SSL_ca_path => undef,
- 
+-
 -    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
 -    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
 -    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
@@ -32,7 +34,7 @@
 -
 -    SSL_cipher_list => join(" ",
 -
--	# SSLabs report for Chrome 48/OSX. 
+-	# SSLabs report for Chrome 48/OSX.
 -	# This also includes the fewer ciphers Firefox uses.
 -	'ECDHE-ECDSA-AES128-GCM-SHA256',
 -	'ECDHE-RSA-AES128-GCM-SHA256',
@@ -82,7 +84,7 @@
  # set values inside _init to work with perlcc, RT#95452
 --- lib/IO/Socket/SSL.pod
 +++ lib/IO/Socket/SSL.pod
-@@ -1054,12 +1054,8 @@ documentation (L<http://www.openssl.org/
+@@ -1069,12 +1069,8 @@ documentation (L<https://www.openssl.org
  for more details.
  
  Unless you fail to contact your peer because of no shared ciphers it is
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 0a72653..c39d43a 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -2,14 +2,14 @@
 %bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6
 
 Name:		perl-IO-Socket-SSL
-Version:	2.066
-Release:	8%{?dist}
+Version:	2.067
+Release:	1%{?dist}
 Summary:	Perl library for transparent SSL
 License:	(GPL+ or Artistic) and MPLv2.0
 URL:		https://metacpan.org/release/IO-Socket-SSL
 Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0:		IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
-Patch1:		IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
+Patch0:		IO-Socket-SSL-2.067-use-system-default-cipher-list.patch
+Patch1:		IO-Socket-SSL-2.067-use-system-default-SSL-version.patch
 # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
 # bug #1632660, requires openssl tool
 Patch2:		IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch
@@ -122,6 +122,19 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
 
 %changelog
+* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1
+- Update to 2.067
+  - Fix memory leak on incomplete handshake (GH#92)
+  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
+    can decrease memory usage at the costs of more allocations (CPAN RT#129463)
+  - More detailed error messages when loading of certificate file failed (GH#89)
+  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
+  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
+  - Fix warning when no ecdh support is available
+  - Documentation update regarding use of select and TLS 1.3
+  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
+  - Stability fix for t/core.t
+
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
diff --git a/sources b/sources
index 7bfc295..5adf803 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.066.tar.gz) = 2a15f6d65f276ad4eae33139ae7af4c891d4c9e5f6aa65f45e51bfa02c85e8367a275bd33c73ece1b47b9d18eadc59e65fe1c584f9ccd3c7655948710fb4a57a
+SHA512 (IO-Socket-SSL-2.067.tar.gz) = b7b9edc470f2283c363a6296d3ce23f8754cc1b1a763329ccc8a0bc81dca7ffbaf9a833fc8ac31e62f5f72cab7c689ea0d4d0e293f75fe176d1b5c71ed723516