- New upstream release 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#=128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
- New upstream release 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
- New upstream release 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
- New upstream release 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
- New upstream release 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
- New upstream release 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
see also CPAN RT#126899
- TLS 1.3 support is not complete yet for session resume
This is not a full support. It only makes the tests passing.
Especially it does not document TLSv1.3 support and it does not
support explicit session resumption in TLSv1.3.
To pass the tests with openssl-1.1.1 it requires patched
perl-Net-SSLeay >= 1.85-7.fc29. But it also works with older openssl
regardless of perl-Net-SSLeay. Thus I did not add a dependency on an
explicit perl-Net-SSLeay release.
- New upstream release 2.058
- Fix memory leak that occured with explicit stop_SSL in connection with
non-blocking sockets or timeout (CPAN RT#125867)
- Fix redefine warnings in case Socket6 is installed but neither
IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
number or callback to create serial number based on the original certificate
- New function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
value
- Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
- New upstream release 2.056
- Intercept: Fix creation of serial number (basing it on binary digest
instead of treating hex fingerprint as binary), allow use of own serial
numbers again
- t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
- Update PublicSuffix
- New upstream release 2.055
- Use SNI also if hostname was given all-uppercase
- Utils::CERT_create: Don't add authority key for issuer since Chrome does
not like this
- Intercept:
- Change behavior of code-based cache to better support synchronizing
within multiprocess/threaded set-ups
- Don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- Better support platforms without IPv6 (CPAN RT#124431)
- Spelling fixes in documentation (CPAN RT#124306)
- New upstream release 2.054
- Small behavior fixes
- If SSL_fingerprint is used and matches, don't check for OCSP
- Utils::CERT_create: Small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- Update PublicSuffix
- Updates for documentation, especially regarding pitfalls with forking or
using non-blocking sockets, spelling fixes
- Test fixes and improvements
- Stability improvements for live tests
- Regenerate certificates in certs/ and make sure they are limited to the
correct purpose; check in program used to generate certificates
- Adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
- New upstream release 2.052
- Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
the functions with dummies instead of removing NPN completly or setting
OPENSSL_NO_NEXTPROTONEG
- t/01loadmodule.t shows more output helpful in debugging problems
- Update fingerprints for external tests
- Update documentation to make behavior of syswrite more clear
- New upstream release 2.051
- syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
(GH#62)
- New upstream release 2.050
- Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
supported, as is the case with openssl versions in latest Debian (buster)
- New upstream release 2.049
- Fixed problem caused by typo in the context of session cache (GH#60)
- Updated PublicSuffix information from publicsuffix.org
- New upstream release 2.048
- Fixed small memory leaks during destruction of socket and context
(CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %install section
- Drop explicit %clean section
- New upstream release 2.046
- Clean up everything in DESTROY and make sure to start with a fresh
%%{*self} in configure_SSL because it can happen that a GLOB gets used
again without calling DESTROY
(https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
- New upstream release 2.045
- Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects (GH#55)
- Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
perl is compiled without thread support
- Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
openssl build without SSLv3 support
- When setting SSL_keepSocketOnError to true the socket will not be closed on
fatal error (GH#53, modified)
- Update patches as needed
- New upstream release 2.044
- Protect various 'eval'-based capability detections at startup with a
localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
as done by various third party software should cause less problems even if
there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
- New upstream release 2.043
- Enable session ticket callback with Net::SSLeay ≥ 1.80
- Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
session no longer gets reused if it was not properly closed, which is now
done using an explicit close by the client
- Update patches as needed
- New upstream release 2.040
- Fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
- New upstream release 2.039
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
on EOF without proper SSL shutdown; since it looks like that this behavior
will be kept at least for 1.1.1+, adapt to the changed API by treating
errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed
- New upstream release 2.038
- Restrict session ticket callback to Net::SSLeay 1.79+ since version before
contains bug; add test for session reuse
- Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
- Fix t/external/ocsp.t to use different server (under my control) to check
OCSP stapling
- Update patches as needed
- New upstream release 2.037
- Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
- Fix session cache del_session: it freed the session but did not properly
remove it from the cache; further reuse caused crash
- Update patches as needed
- New upstrean release 2.035
- Fixes for issues introduced in 2.034
- Return with error in configure_SSL if context creation failed; this
might otherwise result in an segmentation fault later
- Apply builtin defaults before any (user configurable) global settings
(i.e. done with set_defaults, set_default_context...) so that builtins
don't replace user settings
- Update patches as needed
- New upstream release 2.034
- Move handling of global SSL arguments into creation of context, so that
these get also applied when creating a context only
- Update patches as needed
- New upstream release 2.033
- Support for session ticket reuse over multiple contexts and processes (if
supported by Net::SSLeay)
- Small optimizations, like saving various Net::SSLeay constants into
variables and access variables instead of calling the constant sub all the
time
- Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
- New upstream release 2.032
- Set session id context only on the server side; even if the documentation
for SSL_CTX_set_session_id_context makes clear that this function is server
side only, it actually affects handling of session reuse on the client side
too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
in different context" at the client
- New upstream release 2.031
- Utils::CERT_create - don't add given extensions again if they were already
added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice
- Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does
- Support for creating ECC keys in Utils once supported by Net::SSLeay
- Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
- New upstream release 2.029
- Add del_session method to session cache
- Use SSL_session_key as the real key for the cache and not some derivate of
it, so that it works to remove the entry using the same key
