From af52f67378fdd426548656511f6bb513cf206636 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 23 Nov 2014 14:55:09 +0000 Subject: [PATCH] Update to 2.006 - New upstream release 2.006 - Make SSLv3 available even if the SSL library disables it by default in SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3 so this will be only done when setting SSL_version explicitly - Fix possible segmentation fault when trying to use an invalid certificate - Use only the ICANN part of the default public suffix list and not the private domains; this makes existing exceptions for s3.amazonaws.com and googleapis.com obsolete - Fix t/protocol_version.t to deal with OpenSSL installations that are compiled without SSLv3 support - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of EAGAIN; while this is the same on UNIX it is different on Windows and socket operations return there (WSA)EWOULDBLOCK and not EAGAIN - Enable non-blocking tests on Windows too - Make PublicSuffix::_default_data thread safe - Update PublicSuffix with latest list from publicsuffix.org - Note that this package still uses system-default cipher and SSL versions, which may have SSL3.0 enabled - Classify buildreqs by usage --- ...2.006-use-system-default-SSL-version.patch | 7 +-- ...2.006-use-system-default-cipher-list.patch | 2 +- perl-IO-Socket-SSL.spec | 57 +++++++++++++++---- sources | 2 +- 4 files changed, 50 insertions(+), 18 deletions(-) rename IO-Socket-SSL-2.002-use-system-default-SSL-version.patch => IO-Socket-SSL-2.006-use-system-default-SSL-version.patch (87%) rename IO-Socket-SSL-2.000-use-system-default-cipher-list.patch => IO-Socket-SSL-2.006-use-system-default-cipher-list.patch (97%) 
diff --git a/IO-Socket-SSL-2.002-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.006-use-system-default-SSL-version.patch similarity index 87% rename from IO-Socket-SSL-2.002-use-system-default-SSL-version.patch rename to IO-Socket-SSL-2.006-use-system-default-SSL-version.patch index 3ed26c4..460b0d1 100644 --- a/IO-Socket-SSL-2.002-use-system-default-SSL-version.patch +++ b/IO-Socket-SSL-2.006-use-system-default-SSL-version.patch @@ -9,7 +9,7 @@ SSL_verify_callback => undef, SSL_verifycn_scheme => undef, # fallback cn verification SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2058,7 +2058,7 @@ WARN +@@ -2068,7 +2068,7 @@ WARN $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE; $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh; @@ -20,14 +20,13 @@ or croak("invalid SSL_version specified"); --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -910,11 +910,12 @@ protocol to the specified version. +@@ -911,11 +911,12 @@ protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl. +The default SSL_version is defined by the underlying cryptographic library. --Independend from the handshake format you can limit to set of accepted SSL -+Independent from the handshake format you can limit the set of accepted SSL + Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'. -The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the diff --git a/IO-Socket-SSL-2.000-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.006-use-system-default-cipher-list.patch similarity index 97% rename from IO-Socket-SSL-2.000-use-system-default-cipher-list.patch rename to IO-Socket-SSL-2.006-use-system-default-cipher-list.patch index fb30157..9680c0e 100644 
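Review bot: The POD sentence carried in the `@@ -20,14 +20,13 @@` hunk, `The default SSL_version is defined by the underlying cryptographic library.`, replaces upstream's documented default of 'SSLv23:!SSLv3:!SSLv2' without telling callers how to get that restriction back. The commit message itself notes that the system default may have SSL3.0 enabled, so code relying on the module default may negotiate SSLv3 on such a system with no hint in the documentation. I would extend the added POD text with a line such as `Set SSL_version to 'SSLv23:!SSLv3:!SSLv2' explicitly if SSLv3 and SSLv2 must be refused regardless of the library default.` The inner POD hunk continues past the lines visible here, so the rest of the removed upstream paragraph could not be checked.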
--- a/IO-Socket-SSL-2.000-use-system-default-cipher-list.patch +++ b/IO-Socket-SSL-2.006-use-system-default-cipher-list.patch @@ -56,7 +56,7 @@ # set values inside _init to work with perlcc, RT#95452 --- lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod -@@ -936,12 +936,8 @@ documentation (L= 0.9.8 +# Module Build BuildRequires: perl +BuildRequires: perl(ExtUtils::MakeMaker) +# Module Runtime +BuildRequires: openssl >= 0.9.8 BuildRequires: perl(Carp) BuildRequires: perl(constant) -BuildRequires: perl(Data::Dumper) +BuildRequires: perl(Errno) BuildRequires: perl(Exporter) -BuildRequires: perl(ExtUtils::MakeMaker) -BuildRequires: perl(File::Temp) -BuildRequires: perl(IO::Select) +BuildRequires: perl(HTTP::Tiny) BuildRequires: perl(IO::Socket) -BuildRequires: perl(IO::Socket::INET) BuildRequires: perl(IO::Socket::INET6) >= 2.62 BuildRequires: perl(Net::SSLeay) >= 1.46 BuildRequires: perl(Scalar::Util) BuildRequires: perl(Socket) BuildRequires: perl(Socket6) BuildRequires: perl(strict) -BuildRequires: perl(Test::More) +BuildRequires: perl(vars) BuildRequires: perl(warnings) +# Test Suite +BuildRequires: perl(Config) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(File::Temp) +BuildRequires: perl(FindBin) +BuildRequires: perl(IO::Select) +BuildRequires: perl(IO::Socket::INET) +BuildRequires: perl(Test::More) >= 0.88 +BuildRequires: perl(utf8) BuildRequires: procps +# Runtime +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: openssl >= 0.9.8 +Requires: perl(HTTP::Tiny) + # Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6 %if 0%{?fedora} > 15 || 0%{?rhel} > 6 BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95 
@@ -37,8 +51,6 @@ Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95 %else Requires: perl(IO::Socket::INET6) >= 2.62, perl(Socket6) %endif -Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) -Requires: openssl >= 0.9.8 # IDN back-ends: URI::_idna (from URI ≥ 1.50) is preferred # but Net::IDN::Encode (next pref) and Net::LibIDN are also tested @@ -100,6 +112,27 @@ rm -rf %{buildroot} %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Sun Nov 23 2014 Paul Howarth - 2.006-1 +- Update to 2.006 + - Make SSLv3 available even if the SSL library disables it by default in + SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3 + so this will be only done when setting SSL_version explicitly + - Fix possible segmentation fault when trying to use an invalid certificate + - Use only the ICANN part of the default public suffix list and not the + private domains; this makes existing exceptions for s3.amazonaws.com and + googleapis.com obsolete + - Fix t/protocol_version.t to deal with OpenSSL installations that are + compiled without SSLv3 support + - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead + of EAGAIN; while this is the same on UNIX it is different on Windows and + socket operations return there (WSA)EWOULDBLOCK and not EAGAIN + - Enable non-blocking tests on Windows too + - Make PublicSuffix::_default_data thread safe + - Update PublicSuffix with latest list from publicsuffix.org +- Note that this package still uses system-default cipher and SSL versions, + which may have SSL3.0 enabled +- Classify buildreqs by usage + * Wed Oct 22 2014 Paul Howarth - 2.002-1 - Update to 2.002 - Fix check for (invalid) IPv4 when validating hostname against certificate; diff --git a/sources b/sources index 60aa972..3e584ca 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3b0753495a1ff043bd782a6b876d990f IO-Socket-SSL-2.002.tar.gz +cbb09143c0d697fc44dac1226641eb41 IO-Socket-SSL-2.006.tar.gz