Commit Graph

200 Commits

Author SHA1 Message Date
Paul Howarth
0127aa728a Update to 2.049
- New upstream release 2.049
  - Fixed problem caused by typo in the context of session cache (GH#60)
  - Updated PublicSuffix information from publicsuffix.org
2017-06-12 12:02:37 +01:00
Jitka Plesnikova
90d774a9f6 Perl 5.26 rebuild 2017-06-05 03:44:39 +02:00
Paul Howarth
f6474dbc1b Update to 2.048
- New upstream release 2.048
  - Fixed small memory leaks during destruction of socket and context
    (CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %install section
  - Drop explicit %clean section
2017-04-17 12:58:53 +01:00
Paul Howarth
d3f2356cc9 Update to 2.047
- New upstream release 2.047
  - Better fix for problem which 2.046 tried to fix but broke LWP that way
- Update patches as needed
2017-02-17 08:17:43 +00:00
Paul Howarth
259846ffa3 Update to 2.046
- New upstream release 2.046
  - Clean up everything in DESTROY and make sure to start with a fresh
    %%{*self} in configure_SSL because it can happen that a GLOB gets used
    again without calling DESTROY
    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
2017-02-16 18:11:06 +00:00
Paul Howarth
46a5435ffc Update to 2.045
- New upstream release 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed
2017-02-14 11:52:13 +00:00
Fedora Release Engineering
88d911cebb - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-11 03:37:01 +00:00
Paul Howarth
157e4fc48f Update to 2.044
- New upstream release 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause fewer problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
2017-01-26 15:59:38 +00:00
Paul Howarth
6a30f8ffc4 Update to 2.043
- New upstream release 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed
2017-01-06 14:34:50 +00:00
Paul Howarth
c290ff8f5b Update to 2.041
- New upstream release 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed
2017-01-04 11:25:36 +00:00
Paul Howarth
a6f663d8ce Update to 2.040
- New upstream release 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
2016-12-18 12:18:04 +00:00
Paul Howarth
94a62556ae Upload IO-Socket-SSL-2.039.tar.gz 2016-11-21 09:47:32 +00:00
Paul Howarth
48b55376ef Update to 2.039
- New upstream release 2.039
  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
    on EOF without proper SSL shutdown; since it looks like this behavior
    will be kept at least for 1.1.1+, adapt to the changed API by treating
    errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed
2016-11-21 09:38:46 +00:00
Paul Howarth
4b64c34a03 Update to 2.038
- New upstream release 2.038
  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before
    contains bug; add test for session reuse
  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
  - Fix t/external/ocsp.t to use different server (under my control) to check
    OCSP stapling
- Update patches as needed
2016-09-19 14:32:14 +01:00
Paul Howarth
1c9734277a Update to 2.037
- New upstream release 2.037
  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
  - Fix session cache del_session: it freed the session but did not properly
    remove it from the cache; further reuse caused crash
- Update patches as needed
2016-08-23 09:22:35 +01:00
Paul Howarth
5273482db2 Update to 2.035
- New upstream release 2.035
  - Fixes for issues introduced in 2.034
    - Return with error in configure_SSL if context creation failed; this
      might otherwise result in a segmentation fault later
    - Apply builtin defaults before any (user configurable) global settings
      (i.e. done with set_defaults, set_default_context...) so that builtins
      don't replace user settings
- Update patches as needed
2016-08-11 19:06:10 +01:00
Paul Howarth
669ae1bebf Update to 2.034
- New upstream release 2.034
  - Move handling of global SSL arguments into creation of context, so that
    these get also applied when creating a context only
- Update patches as needed
2016-08-08 14:32:25 +01:00
Paul Howarth
5c5f120ac9 Update to 2.033
- New upstream release 2.033
  - Support for session ticket reuse over multiple contexts and processes (if
    supported by Net::SSLeay)
  - Small optimizations, like saving various Net::SSLeay constants into
    variables and access variables instead of calling the constant sub all the
    time
  - Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
2016-07-16 13:40:15 +01:00
Paul Howarth
ddc83e4abc Update to 2.032
- New upstream release 2.032
  - Set session id context only on the server side; even if the documentation
    for SSL_CTX_set_session_id_context makes clear that this function is server
    side only, it actually affects handling of session reuse on the client side
    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
    in different context" at the client
2016-07-12 16:31:13 +01:00
Paul Howarth
5e25984e43 Update to 2.031
- New upstream release 2.031
  - Utils::CERT_create - don't add given extensions again if they were already
    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
    extensions are given twice
  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
    with the reverse order as in the PKCS12 file, because that's what it does
  - Support for creating ECC keys in Utils once supported by Net::SSLeay
  - Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
2016-07-08 14:49:19 +01:00
Paul Howarth
1bbcd86cf3 Update to 2.029
- New upstream release 2.029
  - Add del_session method to session cache
  - Use SSL_session_key as the real key for the cache and not some derivate of
    it, so that it works to remove the entry using the same key
2016-06-28 10:37:28 +01:00
Petr Písař
456f4340b9 Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:48:12 +02:00
Jitka Plesnikova
409527b2d3 Perl 5.24 rebuild 2016-05-16 03:25:35 +02:00
Paul Howarth
6fc3767106 Update to 2.027
- New upstream release 2.027
  - Updated Changes file for 2.026
2016-04-21 11:51:58 +01:00
Paul Howarth
6ed7f418dd Update to 2.026
- New upstream release 2.026
  - Upstream's default cipher lists updated (we use system default though)
- Update patches as needed
2016-04-20 15:24:10 +01:00
Paul Howarth
16cfe40816 Update to 2.025
- New upstream release 2.025
  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)
- Simplify find command using -delete
2016-04-04 14:47:57 +01:00
Paul Howarth
1b3e2576a4 Update to 2.024
- New upstream release 2.024
  - Work around issue where the connect fails on systems having only a loopback
    interface and where IO::Socket::IP is used as super class (default when
    available)
- Update patches as needed
2016-02-07 16:11:20 +00:00
Fedora Release Engineering
5dde526491 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 14:09:04 +00:00
Paul Howarth
c1f1b41420 Update to 2.023
- New upstream release 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed
2016-01-30 19:08:57 +00:00
Paul Howarth
5b16a21796 Update to 2.022
- New upstream release 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)
2015-12-10 10:51:01 +00:00
Paul Howarth
abe772d8a4 Update to 2.021
- New upstream release 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
2015-12-03 13:55:07 +00:00
Paul Howarth
1b76ff56a2 Update to 2.020
- New upstream release 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
2015-09-21 10:56:58 +01:00
Paul Howarth
d23a4091cb Update to 2.019
- New upstream release 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed
2015-09-01 20:12:52 +01:00
Paul Howarth
6f9741cacd Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
2015-09-01 09:44:25 +01:00
Dennis Gilmore
ff435e5558 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-18 03:49:28 +00:00
Jitka Plesnikova
db7ab5c711 Perl 5.22 rebuild 2015-06-09 19:45:07 +02:00
Paul Howarth
c60a35205c Update to 2.016
- New upstream release 2.016
  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)
  - Work around hanging prompt() with older perl in Makefile.PL
    (CPAN RT#104731)
  - Make t/memleak_bad_handshake.t work on cygwin and other systems having
    /proc/pid/statm (CPAN RT#104659)
  - Add better debugging
2015-06-07 20:43:19 +01:00
Jitka Plesnikova
73b0e3e90c Perl 5.22 rebuild 2015-06-06 13:36:22 +02:00
Paul Howarth
31561d8aa2 Update to 2.015
- New upstream release 2.015
  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using
    Domain AF_INET in the tests (CPAN RT#104226)
2015-05-14 13:33:34 +01:00
Paul Howarth
de67e57f13 Update to 2.014
- New upstream release 2.014
  - Utils::CERT_create - work around problems with authorityInfoAccess, where
    OpenSSL i2v does not create the same string as v2i expects
  - Intercept - don't clone some specific extensions that only make sense with
    the original certificate
2015-05-05 13:25:45 +01:00
Paul Howarth
c709cc0651 Update to 2.013
- New upstream release 2.013
  - Assign severities to internal error handling and make sure that follow-up
    errors like "configuration failed" or "certificate verify error" don't
    replace more specific "hostname verification failed" when reporting in
    sub errstr/$SSL_ERROR (CPAN RT#103423)
  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)
2015-05-01 22:10:38 +01:00
Paul Howarth
21c4d677e1 Update to 2.012
- New upstream release 2.012
  - Fix t/ocsp.t in case no HTTP::Tiny is installed
2015-02-02 15:06:33 +00:00
Paul Howarth
c4b2055412 Upload sources for 2.011 2015-02-02 08:06:02 +00:00
Paul Howarth
8c3e5b5c0f Update to 2.011
- New upstream release 2.011
  - Fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling
    (CPAN RT#101855)
  - Added option 'purpose' to Utils::CERT_create to get better control of the
    certificate's purpose; default is 'server,client' for non-CA (contrary to
    only 'server' before)
  - Removed RC4 from default cipher suites on the server side
    (https://github.com/noxxi/p5-io-socket-ssl/issues/22)
  - Refactoring of some tests using Test::More
- Note that this package still uses system-default cipher and SSL versions,
  which may have RC4 enabled
- Update patches as needed
2015-02-01 19:12:03 +00:00
Paul Howarth
98379599a5 Update to 2.010
- New upstream release 2.010
  - New options SSL_client_ca_file and SSL_client_ca to let the server send the
    list of acceptable CAs for the client certificate
  - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay
    (CPAN RT#101485)
2015-01-15 11:53:15 +00:00
Paul Howarth
cd80fc16ec Update to 2.009
- New upstream release 2.009
  - Remove util/analyze.pl; this tool is now together with other SSL tools at
    https://github.com/noxxi/p5-ssl-tools
  - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)
2015-01-12 13:28:46 +00:00
Paul Howarth
714f23ebd9 Update to 2.008
- New upstream release 2.008
  - Work around recent OCSP verification errors for revoked.grc.com (badly
    signed OCSP response, Firefox also complains about it) in test
    t/external/ocsp.t
  - util/analyze.pl - report more details about preferred cipher for specific
    TLS versions
2014-12-18 14:48:45 +00:00
Paul Howarth
bc89e90476 Update to 2.007
- New upstream release 2.007
  - Make getline/readline fall back to super class if class is not sslified
    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
2014-11-27 10:52:47 +00:00
Paul Howarth
af52f67378 Update to 2.006
- New upstream release 2.006
  - Make SSLv3 available even if the SSL library disables it by default in
    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
    so this will be only done when setting SSL_version explicitly
  - Fix possible segmentation fault when trying to use an invalid certificate
  - Use only the ICANN part of the default public suffix list and not the
    private domains; this makes existing exceptions for s3.amazonaws.com and
    googleapis.com obsolete
  - Fix t/protocol_version.t to deal with OpenSSL installations that are
    compiled without SSLv3 support
  - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
    of EAGAIN; while this is the same on UNIX it is different on Windows and
    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
  - Enable non-blocking tests on Windows too
  - Make PublicSuffix::_default_data thread safe
  - Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
- Classify buildreqs by usage
2014-11-23 14:55:09 +00:00
Paul Howarth
1e5d92fafe Update to 2.002
- New upstream release 2.002
  - Fix check for (invalid) IPv4 when validating hostname against certificate;
    do not use inet_aton any longer because it can cause DNS lookups for
    malformed IP (CPAN RT#99448)
  - Update PublicSuffix with latest version from publicsuffix.org - lots of new
    top level domains
  - Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
2014-10-22 18:29:57 +01:00