- New upstream release 1.975
- BEHAVIOR CHANGE: work around TEA misfeature on OS X built-in openssl, e.g.
guarantee that only the explicitly-given CA or the openssl default CA will
be used; this means that certificates inside the OS X keyring will no
longer be used, because there is no way to control the use by openssl
(e.g. certificate pinning etc.)
- Make external tests run by default to make sure default CA works on all
platforms; it skips automatically on network problems like timeouts or SSL
interception, and can also use http(s)_proxy environment variables
- New upstream release 1.974
- New function peer_certificates to get the whole certificate chain; needs
Net::SSLeay ≥ 1.58
- Extended IO::Socket::Utils::CERT_asHash to provide way more information,
like issuer information, cert and pubkey digests, all extensions, CRL
distribution points and OCSP uri
- New upstream release 1.973
- With SSL_ca, certificate handles can now be used in addition to
SSL_ca_file and SSL_ca_path
- No longer complain if SSL_ca_file and SSL_ca_path are both given;
instead, add both as options to the CA store
- Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create
- New upstream release 1.971
- Try to use SSL_hostname for hostname verification if no SSL_verifycn_name
is given; this way, hostname for SNI and verification can be specified in
one step
- New test program example/simulate_proxy.pl
- New upstream release 1.969
- Fix set_defaults to match documentation regarding short names
- New function set_args_filter_hack to make it possible to override bad SSL
settings from other code at the last moment
- Determine default_ca on module load (and not on first use in each thread)
- Don't try default hostname verification if verify_mode 0
- Fix hostname verification when reusing context
- New upstream release 1.968
- BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file; these
defaults were deprecated since 1.951 (July 2013)
- Usable CA verification path on Windows etc.:
- Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
system/build dependent default verification path, because there was no
way to retrieve these default values and check if they contained usable
CA
- Instead, re-implement the same algorithm and export the results with
public function default_ca() and make it possible to overwrite it
- Also check for usable verification path during build; if no usable path
is detected, require Mozilla::CA at build and try to use it at runtime
- New upstream release 1.967
- Verify the hostname inside a certificate by default with a superset of
common verification schemes instead of not verifying identity at all; for
now it will only complain if name verification failed but in the future it
will fail certificate verification, forcing you to set the expected
SSL_verifycn_name if you want to accept the certificate
- New option SSL_fingerprint and new methods get_fingerprint and
get_fingerprint_bin; together they can be used to selectively accept
specific certificates that would otherwise fail verification, like
self-signed, outdated or from unknown CAs
- Utils:
- Default RSA key length 2048
- Digest algorithm to sign certificate in CERT_create can be given;
defaults to SHA-256
- CERT_create can now issue non-CA self-signed certificate
- CERT_create add some more useful constraints to certificate
- Spelling fixes
- New upstream release 1.966
- Fixed bug introduced in 1.964 - disabling TLSv1_2 no longer worked by
specifying !TLSv12; only !TLSv1_2 worked
- Fixed leak of session objects in SessionCache, if another session
replaced an existing session (introduced in 1.965)
- New upstream release 1.965
- New key SSL_session_key to influence how sessions are inserted and looked
up in the client's session cache, which makes it possible to share sessions
over different ip:host (as is required with some FTPS servers)
- t/core.t - handle case where default loopback source is not 127.0.0.1, like
in FreeBSD jails
- New upstream release 1.964
- Disabling TLSv1_1 did not work, because the constant was wrong; now it gets
the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc.
- The new syntax for the protocols is TLSv1_1 instead of TLSv11, which matches
the syntax from OpenSSL (the old syntax continues to work in SSL_version)
- New functions get_sslversion and get_sslversion_int, which get the SSL
version of the established session as string or int
- Disable t/io-socket-inet6.t if Acme::Override::INET is installed
- New upstream release 1.963
- Fix behavior of stop_SSL: for blocking sockets it now enough to call it
once, for non-blocking it should be called again as long as EAGAIN and
SSL_ERROR is set to SSL_WANT_(READ|WRITE)
- Don't call blocking if start_SSL failed and downgraded socket has no
blocking method
- Documentation enhancements:
- Special section for differences to IO::Socket
- Describe problem with blocking accept on non-blocking socket
- Describe arguments to new_from_fd and make clear that for upgrading an
existing IO::Socket, start_SSL should be used directly
- New upstream release 1.962
- Work around problems with older F5 BIG-IP by offering fewer ciphers on the
client side by default, so that the client hello stays below 255 bytes
- New upstream release 1.960
- Only documentation enhancements:
- Clarify with text and example code, that within event loops not only
select/poll should be used, but also pending has to be called
- Better introduction into SSL; at least mention anonymous authentication as
something you don't want and should take care with the right cipher
- Make it more clear that it's better not to change the cipher list unless
you really know what you're doing
- Adopt upstream's versioning scheme
- New upstream release 1.958
Lots of behavior changes for more secure defaults:
- BEHAVIOR CHANGE: make default cipher list more secure, especially:
- No longer support MD5 by default (broken)
- No longer support anonymous authentication by default (vulnerable to
man in the middle attacks)
- Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
that it uses by default forward secrecy, if underlying
Net::SSLeay/openssl supports it
- Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
hopefully have been fixed and now RC4 is considered less safe than 3DES)
- Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
to get the best cipher even if the client prefers other ciphers; PLEASE
NOTE that this might break connections with older, less secure
implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
and thus gets reused if context gets reused; PLEASE NOTE that using
SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
the ciphers of the context
- Rework hostname verification schemes:
- Add RFC names as scheme (e.g. 'rfc2818', ...)
- Add SIP, SNMP, syslog, netconf, GIST
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
- BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
'www2' etc. but not 'www'
- Anywhere wildcards like x* are no longer applied to IDNA names (which start
with 'xn--')
- Fix crash of Utils::CERT_free
- Support TLSv11, TLSv12 as handshake protocols
- Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
authorization; with the DH param given by default since 1.956, old versions
of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
authorization) instead of AES256-SHA and thus the check for the peer
certificate failed (because ADH does not exchange certificates) - fixed by
explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
- Cleaned up tests:
- Remove ssl_settings.req and 02settings.t, because all tests now create a
simple socket at 127.0.0.1 and thus global settings are no longer needed
- Some tests did not have use strict(!); fixed it
- Removed special handling for older Net::SSLeay versions that are less
than our minimum requirement
- Some syntax enhancements: removed some SSL_version and SSL_cipher_list
options where they were not really needed
- Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
least version 2.55 which is now 5 years old
- Fix t/session.t to work with older openssl versions (CPAN RT#90240)
- New upstream release 1.951
(1.950)
- MAJOR BEHAVIOR CHANGE:
- ssl_verify_mode now defaults to verify_peer for client
- Previously it used verify_none, but loudly complained since 1.79 about it
- It will not complain any longer, but the connection will probably fail
- Please don't simply disable ssl verification; instead, set SSL_ca_file
etc. so that verification succeeds!
- MAJOR BEHAVIOR CHANGE:
- It will now complain if the built-in defaults of certs/my-ca.pem or ca/
for CA and certs/{server,client}-{key,cert}.pem for cert and key are
used, i.e. no certificates are specified explicitly
- In the future these insecure (relative path!) defaults will be removed
and the CA replaced with the system defaults
(1.951)
- Use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's built-in
defaults for CA unless CA path/file was given (or IO::Socket::SSL built-ins
used)
- New upstream release 1.94
- Makefile.PL reported wrong version of openssl if Net::SSLeay was not
installed, instead of reporting a missing dependency of Net::SSLeay
- New upstream release 1.93
- Need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
years ago; remove code to work around older releases
- Changed AUTHOR in Makefile.PL from array back to string, because the array
feature is not available in MakeMaker shipped with 5.8.9 (CPAN RT#85739)
- Set openssl version requirement to 0.9.8
- Drop ExtUtils::MakeMaker version requirement back to 6.46
- New upstream release 1.92
- Intercept: use sha1-fingerprint of original cert for id into cache unless
otherwise given
- Fix pod error in IO::Socket::SSL::Utils (CPAN RT#85733)
- New upstream release 1.91
- Added IO::Socket::SSL::Utils for easier manipulation of certificates and
keys
- Moved SSL interception into IO::Socket::SSL::Intercept and simplified it
using IO::Socket::SSL::Utils
- Enhance meta information in Makefile.PL
- Bump openssl version requirement to 0.9.8a
- Need at least version 6.58 of ExtUtils::MakeMaker (CPAN RT#85739)
- New upstream release 1.90
- Support more digests, especially SHA-2 (CPAN RT#85290)
- Added support for easy SSL interception (man in the middle) based on ideas
found in mojo-mitm proxy
- Make 1.46 the minimal required version for Net::SSLeay, because it
introduced lots of useful functions
- BR:/R: openssl ≥ 0.9.7e for P_ASN1_TIME_(get,set)_isotime in Net::SSLeay
- New upstream release 1.89
- If IO::Socket::IP is used it should be at least version 0.20; otherwise we
get problems with HTTP::Daemon::SSL and maybe others (CPAN RT#81932)
- Spelling corrections
- New upstream release 1.88
- Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
and SSL_cert* - some apps like Net::LDAP use it that way
- New upstream release 1.87
- Complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are
not readable (CPAN RT#84829)
- Fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
- New upstream release 1.85
- Probe for available modules with local __DIE__ and __WARN__handlers
(CPAN RT#84574)
- Fix warning, when IO::Socket::IP is installed and inet6 support gets explictly
requested (CPAN RT#84619)
- New upstream release 1.84
- Disabled client side SNI for openssl version < 1.0.0 because of
CPAN RT#83289
- Added functions can_client_sni, can_server_sni and can_npn to check
availability of SNI and NPN features
- Added more documentation for SNI and NPN
- New upstream release 1.831
- Separated documention of non-blocking I/O from error handling
- Changed and documented behavior of readline to return the read data on
EAGAIN/EWOULDBLOCK in case of non-blocking socket
(see https://github.com/noxxi/p5-io-socket-ssl/issues/1)
- Bumped release rather than version number to preserve likely upgrade path
and avoid need for epoch or version number ugliness; may revisit this in
light of upstream's future version numbering decisions
- New upstream release 1.83
- Server Name Indication (SNI) support on the server side (CPAN RT#82761)
- Reworked part of the documentation, like providing better examples
- New upstream release 1.82
- sub error sets $SSL_ERROR etc. only if there really is an error; otherwise
it will keep the latest error, which allows IO::Socket::SSL->new to report
the correct problem, even if the problem is deeper in the code (like in
connect)
- Correct spelling (CPAN RT#82790)
- New upstream release 1.81
- Deprecated set_ctx_defaults; new name is set_defaults (the old name is
still available)
- Changed handling of default path for SSL_(ca|cert|key)* keys: if one of
these keys is user defined, don't add defaults for the others, i.e.
don't mix user settings and defaults
- Cleaner handling of module defaults vs. global settings vs. socket
specific settings; global and socket specific settings are both provided
by the user, while module defaults are not
- Make IO::Socket::INET6 and IO::Socket::IP specific tests both run, even
if both modules are installed, by faking a failed load of the other module
- BR: perl(IO::Socket::INET6) and perl(Socket6) unconditionally
- New upstream release 1.79
- Use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort
from sockaddr in _update_peer, because this provides scope too
- Work around systems that don't define AF_INET6 (CPAN RT#81216)
- Prepare transition to a more secure default for SSL_verify_mode; the use of
the current default SSL_VERIFY_NONE will cause a big warning for clients,
unless SSL_verify_mode was explicitly set inside the application to this
insecure value (in the near future the default will be SSL_VERIFY_PEER, and
thus causing verification failures in unchanged applications)
- New upstream release 1.76
- Add support for IO::Socket::IP, which supports inet6 and inet4
(CPAN RT#75218)
- Fix documentation errors (CPAN RT#77690)
- Made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
- Use inet_pton from either Socket.pm 1.95 or Socket6.pm
- Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
- Add runtime dependency for appropriate IPv6 support module so that we can
ensure that we run at runtime what we tested with at build time
- New upstream release 1.73
- Set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
- Make test t/dhe.t hopefully work with more versions of openssl
- New upstream release 1.71
- 1.70 done right: don't disable SSLv2 ciphers; SSLv2 support is better
disabled by the default SSL_version of 'SSLv23:!SSLv2'
- New upstream release 1.69 (changes for CPAN RT#76929)
- If no explicit cipher list is given, default to ALL:!LOW instead of the
openssl default, which usually includes weak ciphers like DES
- New config key SSL_honor_cipher_order and document how to use it to fight
BEAST attack
- Fix behavior for empty cipher list (use default)
- Re-added workaround in t/dhe.t
- New upstream release 1.64
- Ignore die from within eval to make tests more stable on Win32
(CPAN RT#76147)
- Clarify some behavior regarding hostname verfication
- Drop patch for t/dhe.t, no longer needed
- New upstream release 1.60
- Don't make blocking readline if socket was set nonblocking, but return as
soon no more data are available (CPAN RT#75910)
- Fix BUG section about threading so that it shows package as thread safe
as long as Net::SSLeay ≥ 1.43 is used (CPAN RT#75749)
- BR: perl(constant), perl(Exporter) and perl(IO::Socket)
- New upstream release 1.59
- If SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message
when attempting to use it
- Modify constant declarations so that 5.6.1 should work again
- Drop %defattr, redundant since rpm 4.4
- New upstream release 1.58
- Fix t/dhe.t for openssl 1.0.1 beta by forcing TLSv1, so that it does not
complain about the too small RSA key, which it should not use anyway; this
workaround is not applied for older openssl versions, where it would cause
failures (CPAN RT#75165)
- Add patch to fiddle the openssl version number in the t/dhe.t workaround
because the OPENSSL_VERSION_NUMBER cannot be trusted in Fedora
- One buildreq per line for readability
- Drop redundant buildreq perl(Test::Simple)
- Always run full test suite
- New upstream release 1.56
- Add automatic or explicit (via SSL_hostname) SNI support, needed for
multiple SSL hostnames with the same IP (currently only supported for the
client)
- Use DESTDIR rather than PERL_INSTALL_ROOT
- No need to delete empty directories from buildroot
- New upstream release 1.55:
- Work around IO::Socket's work around for systems returning EISCONN etc. on
connect retry for non-blocking sockets by clearing $! if SUPER::connect
returned true (CPAN RT#75101)
- New upstream release 1.52:
- Fix for t/nonblock.t hangs on AIX (CPAN RT#72305)
- Disable t/memleak_bad_handshake.t on AIX, because it might hang
(CPAN RT#72170)
- Fix syntax error in t/memleak_bad_handshake.t
- New upstream release 1.49:
- Another regression for readline fix: this time it failed to return lines
at EOF that don't end with newline - extended t/readline.t to catch this
case and the fix for 1.48
- New upstream release 1.48:
- Further fix for readline fix in 1.45: if the pending data were false (like
'0'), it failed to read the rest of the line (CPAN RT#71953)
- New upstream release 1.44:
- Fix invalid call to inet_pton in verify_hostname_of_cert when identity
should be verified as ipv6 address because it contains a colon
- New upstream release 1.43:
- Add SSL_create_ctx_callback to have a way to adjust context on creation
(CPAN RT#67799)
- Describe problem of fake memory leak because of big session cache and how
to fix it (CPAN RT#68073)
- Fix t/nonblock.t
- Stability improvements for t/inet6.t
- New upstream release 1.41:
- Fix issue in stop_SSL where it did not issue a shutdown of the SSL
connection if it first received the shutdown from the other side
- Try to make t/nonblock.t more reliable, at least report the real cause of
SSL connection errors
- No longer need to re-code docs to UTF-8
- New upstream release 1.37:
- don't complain about invalid certificate locations if user explicitly set
SSL_ca_path and SSL_ca_file to undef: assume that user knows what they are
doing and will work around the problems themselves (CPAN RT#63741)
- New upstream release 1.35:
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid, it will no longer fall back to VERIFY_NONE but throw an
error (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058)
- New upstream release 1.34:
- schema http for certificate verification changed to wildcards_in_cn=1
- if upgrading socket from inet to ssl fails due to handshake problems, the
socket gets downgraded back again but is still open (CPAN RT#61466)
- deprecate kill_socket: just use close()
verify_hostname_of_cert matched only the prefix for the hostname when no
wildcard was given, e.g. www.example.org matched against a certificate
with name www.exam in it
