Commit Graph

273 Commits

Author SHA1 Message Date
Fedora Release Engineering
5dde526491 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 14:09:04 +00:00
Paul Howarth
c1f1b41420 Update to 2.023
- New upstream release 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed
2016-01-30 19:08:57 +00:00
Paul Howarth
5b16a21796 Update to 2.022
- New upstream release 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)
2015-12-10 10:51:01 +00:00
Paul Howarth
abe772d8a4 Update to 2.021
- New upstream release 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
2015-12-03 13:55:07 +00:00
Paul Howarth
1b76ff56a2 Update to 2.020
- New upstream release 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
2015-09-21 10:56:58 +01:00
Paul Howarth
d23a4091cb Update to 2.019
- New upstream release 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed
2015-09-01 20:12:52 +01:00
Paul Howarth
6f9741cacd Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
2015-09-01 09:44:25 +01:00
Dennis Gilmore
ff435e5558 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-18 03:49:28 +00:00
Jitka Plesnikova
db7ab5c711 Perl 5.22 rebuild 2015-06-09 19:45:07 +02:00
Paul Howarth
c60a35205c Update to 2.016
- New upstream release 2.016
  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)
  - Work around hanging prompt() with older perl in Makefile.PL
    (CPAN RT#104731)
  - Make t/memleak_bad_handshake.t work on cygwin and other systems having
    /proc/pid/statm (CPAN RT#104659)
  - Add better debugging
2015-06-07 20:43:19 +01:00
Jitka Plesnikova
73b0e3e90c Perl 5.22 rebuild 2015-06-06 13:36:22 +02:00
Paul Howarth
31561d8aa2 Update to 2.015
- New upstream release 2.015
  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using
    Domain AF_INET in the tests (CPAN RT#104226)
2015-05-14 13:33:34 +01:00
Paul Howarth
de67e57f13 Update to 2.014
- New upstream release 2.014
  - Utils::CERT_create - work around problems with authorityInfoAccess, where
    OpenSSL i2v does not create the same string as v2i expects
  - Intercept - don't clone some specific extensions that only make sense with
    the original certificate
2015-05-05 13:25:45 +01:00
Paul Howarth
c709cc0651 Update to 2.013
- New upstream release 2.013
  - Assign severities to internal error handling and make sure that follow-up
    errors like "configuration failed" or "certificate verify error" don't
    replace more specific "hostname verification failed" when reporting in
    sub errstr/$SSL_ERROR (CPAN RT#103423)
  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)
2015-05-01 22:10:38 +01:00
Paul Howarth
21c4d677e1 Update to 2.012
- New upstream release 2.012
  - Fix t/ocsp.t in case no HTTP::Tiny is installed
2015-02-02 15:06:33 +00:00
Paul Howarth
c4b2055412 Upload sources for 2.011 2015-02-02 08:06:02 +00:00
Paul Howarth
8c3e5b5c0f Update to 2.011
- New upstream release 2.011
  - Fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling
    (CPAN RT#101855)
  - Added option 'purpose' to Utils::CERT_create to get better control of the
    certificate's purpose; default is 'server,client' for non-CA (contrary to
    only 'server' before)
  - Removed RC4 from default cipher suites on the server side
    (https://github.com/noxxi/p5-io-socket-ssl/issues/22)
  - Refactoring of some tests using Test::More
- Note that this package still uses system-default cipher and SSL versions,
  which may have RC4 enabled
- Update patches as needed
2015-02-01 19:12:03 +00:00
Paul Howarth
98379599a5 Update to 2.010
- New upstream release 2.010
  - New options SSL_client_ca_file and SSL_client_ca to let the server send the
    list of acceptable CAs for the client certificate
  - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay
    (CPAN RT#101485)
2015-01-15 11:53:15 +00:00
Paul Howarth
cd80fc16ec Update to 2.009
- New upstream release 2.009
  - Remove util/analyze.pl; this tool is now together with other SSL tools at
    https://github.com/noxxi/p5-ssl-tools
  - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)
2015-01-12 13:28:46 +00:00
Paul Howarth
714f23ebd9 Update to 2.008
- New upstream release 2.008
  - Work around recent OCSP verification errors for revoked.grc.com (badly
    signed OCSP response, Firefox also complains about it) in test
    t/external/ocsp.t
  - util/analyze.pl - report more details about preferred cipher for specific
    TLS versions
2014-12-18 14:48:45 +00:00
Paul Howarth
bc89e90476 Update to 2.007
- New upstream release 2.007
  - Make getline/readline fall back to super class if class is not sslified
    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
2014-11-27 10:52:47 +00:00
Paul Howarth
af52f67378 Update to 2.006
- New upstream release 2.006
  - Make SSLv3 available even if the SSL library disables it by default in
    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
    so this will be only done when setting SSL_version explicitly
  - Fix possible segmentation fault when trying to use an invalid certificate
  - Use only the ICANN part of the default public suffix list and not the
    private domains; this makes existing exceptions for s3.amazonaws.com and
    googleapis.com obsolete
  - Fix t/protocol_version.t to deal with OpenSSL installations that are
    compiled without SSLv3 support
  - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
    of EAGAIN; while this is the same on UNIX it is different on Windows and
    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
  - Enable non-blocking tests on Windows too
  - Make PublicSuffix::_default_data thread safe
  - Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
- Classify buildreqs by usage
2014-11-23 14:55:09 +00:00
Paul Howarth
1e5d92fafe Update to 2.002
- New upstream release 2.002
  - Fix check for (invalid) IPv4 when validating hostname against certificate;
    do not use inet_aton any longer because it can cause DNS lookups for
    malformed IP (CPAN RT#99448)
  - Update PublicSuffix with latest version from publicsuffix.org - lots of new
    top level domains
  - Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
2014-10-22 18:29:57 +01:00
Paul Howarth
3c5f052538 Update to 2.001
- New upstream release 2.001
  - Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
  - Update external tests with currently expected fingerprints of hosts
  - Some fixes to make it still work on 5.8.1
2014-10-21 15:27:58 +01:00
Paul Howarth
0249c6324b Update to 2.000
- New upstream release 2.000
  - Consider SSL3.0 as broken because of POODLE and disable it by default
  - Skip live tests without asking if environment NO_NETWORK_TESTING is set
  - Skip tests that require fork on non-default windows setups without proper
    fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18)
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
2014-10-16 14:10:03 +01:00
Paul Howarth
4c8c768b6e Update to 1.999
- New upstream release 1.999
  - Make sure we don't use version 0.30 of IO::Socket::IP
  - Make sure that PeerHost is checked in all places where PeerAddr is checked,
    because these are synonyms and IO::Socket::IP prefers PeerHost while others
    prefer PeerAddr; also accept PeerService additionally to PeerPort
    (https://github.com/noxxi/p5-io-socket-ssl/issues/16)
  - Add ability to use client certificates and to overwrite hostname with
    util/analyze-ssl.pl
2014-10-10 14:48:05 +01:00
Paul Howarth
449688d154 Update to 1.998
- New upstream release 1.998
  - Make client authentication work at the server side when SNI is in by use
    having CA path and other settings in all SSL contexts instead of only the
    main one (https://github.com/noxxi/p5-io-socket-ssl/pull/15)
2014-09-22 15:21:39 +01:00
Jitka Plesnikova
8950a78dcb Perl 5.20 rebuild 2014-08-28 13:25:33 +02:00
Paul Howarth
bdc758a36f Use system-default SSL version too 2014-08-07 16:26:51 +01:00
Paul Howarth
223f2f3a2c Use system-wide default cipher list from OpenSSL
Use system-wide default cipher list to support use of system-wide
crypto policy (#1076390, #1127577, CPAN RT#97816)
https://fedoraproject.org/wiki/Changes/CryptoPolicy
2014-08-07 14:33:34 +01:00
Paul Howarth
bd0d612e4e Update to 1.997
- New upstream release 1.997
  - Fix initialization and creation of OpenSSL-internals for perlcc
    compatibility (CPAN RT#95452)
  - Add refresh option for peer_certificate, so that it checks if the
    certificate changed in the mean time (on renegotiation)
  - Fix fingerprint checking - now applies only to top-most certificate
  - IO::Socket::SSL::Utils - accept extensions within CERT_create
  - Various documentation fixes
2014-07-14 15:45:33 +01:00
Paul Howarth
dd3cfce8d5 Update to 1.994
- New upstream release 1.994
  - IO::Socket::SSL can now be used as dual-use socket, e.g. start plain,
    upgrade to SSL and downgrade again all with the same object; see
    documentation of SSL_startHandshake and chapter Advanced Usage
  - Try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
    fails; this is needed if one wants to explicitly verify OCSP lookups even
    if verification is otherwise off, because otherwise the signature check
    would fail (this is mostly useful for testing)
  - Reorder documentation of attributes for new, so that the more important
    ones are at the top
2014-06-23 15:04:36 +01:00
Paul Howarth
049da7beb6 Update to 1.993
- New upstream release 1.993
  - Major rewrite of documentation, now in separate file
  - Rework error handling to distinguish between SSL errors and internal errors
    (like missing capabilities)
  - Fix handling of default_ca if given during the run of the program
    (Debian #750646)
  - util/analyze-ssl.pl - fix hostname check if SNI does not work
2014-06-15 14:33:33 +01:00
Paul Howarth
e8dc5a3938 Update to 1.992
- New upstream release 1.992
  - Set $! to undef before doing IO (accept, read...); on Windows a connection
    reset could cause an SSL read error without setting $!, so make sure we
    don't keep the old value and maybe thus run into an endless loop
2014-06-10 20:09:12 +01:00
Dennis Gilmore
92741ab3e8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 00:42:56 -05:00
Paul Howarth
bc69fcf260 Update to 1.991
- New upstream release 1.991
  - New option SSL_OCSP_TRY_STAPLE to enforce staple request even if
    VERIFY_NONE
  - Work around for CPAN RT#96013 in peer_certificates
2014-05-28 12:21:25 +01:00
Paul Howarth
ee28fcaeb7 Update to 1.990
- New upstream release 1.990
  - Added option SSL_ocsp_staple_callback to get the stapled OCSP response and
    verify it somewhere else
  - Try to fix warnings on Windows again (CPAN RT#95967)
  - Work around temporary OCSP error in t/external/ocsp.t
2014-05-27 16:17:41 +01:00
Paul Howarth
cfea8ea3f1 Update to 1.989
- New upstream release 1.989
  - Fix warnings on Windows (CPAN RT#95881)
2014-05-25 20:47:07 +01:00
Paul Howarth
5e48e602cd Update to 1.988
- New upstream release 1.988
  - Allow IPv4 in common name, because browsers allow this too; only for scheme
    www/http though, not for rfc2818 (because RC2818 does not allow this; in
    default scheme IPv6 and IPv4 are allowed in CN)
  - Fix handling of public suffix; add exemption for *.googleapis.com
    wildcard, which should not be allowed according to public suffix list but
    actually is used
  - Add hostname verification test based on older test of chromium, but change
    some of the test expectations because we don't want to support IP as SAN
    DNS and because we enforce a public suffix list (and thus *.co.uk should
    not be allowed)
  - Fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
    (CPAN RT#95719)
  - Enable IPv6 support only if we have a usable inet_pton
  - Remove stale entries from MANIFEST
  - Add transparent support for DER and PKCS#12 files to specify cert and key,
    e.g. it will autodetect the format
  - If SSL_cert_file is PEM and no SSL_key_file is given it will check if the
    key is in SSL_cert_file too
2014-05-18 01:18:49 +01:00
Paul Howarth
e1aa44992f Update to 1.985
- New upstream release 1.985
  - Make OCSP callback return 1 even if it was called on the server side
    because of bad setup of the socket; otherwise we get an endless calling of
    the OCSP callback
  - Consider an OCSP response that is not yet or no longer valid a soft error
    instead of an hard error
  - Fix skip in t/external/ocsp.t in case fingerprint does not match
  - Call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free
    (CPAN RT#95633)
  - util/analyze.pl - with --show-chain check if chain with SNI is different
    from chain w/o SNI
- Drop ExtUtils::MakeMaker version requirement
2014-05-15 13:03:34 +01:00
Paul Howarth
91de4e03c6 Fix typo in Utils.pm (#1097640, CPAN RT#95633)
$ perl -MIO::Socket::SSL::Utils -e 'KEY_free(KEY_create_rsa())'
Can't locate auto/Net/SSLeay/EVP_KEY_fre.al in @INC (@INC contains:
/usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
/usr/share/perl5/vendor_perl/IO/Socket/SSL/Utils.pm line 96.

Net::SSLeay::EVP_KEY_free should be Net::SSLeay::EVP_PKEY_free.
2014-05-14 11:56:53 +01:00
Paul Howarth
cf47cd0114 Update to 1.984
- New upstream release 1.984
  - Added OCSP support:
    - Needs Net::SSLeay ≥ 1.59
    - For usage see documentation of IO::Socket::SSL (examples and anything
      with OCSP in the name)
  - New tool util/analyze-ssl.pl, which is intended to help in debugging of SSL
    problems and to get information about capabilities of server; it works also
    as an example of how to use various features (like OCSP, SNI...)
  - Fix peer_certificates (returns leaf certificate only once on client side)
  - Added timeout for stop_SSL (either with Timeout or with the default timeout
    for IO::Socket)
  - Fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
    time is not GMT; use Net::SSLeay::ASN1_TIME_timet if available
  - Fix t/external/usable_ca.t for system with junk in CA files
2014-05-10 23:07:40 +01:00
Paul Howarth
e56716ca31 Update to 1.983
- New upstream release 1.983
  - Fix public suffix handling: ajax.googleapis.com should be ok even if
    googleapis.com is in public suffix list (e.g. check one level less)
    (CPAN RT#95317)
  - usable_ca.t - update fingerprints after heartbleed attack
  - usable_ca.t - make sure we have usable CA for tested hosts in CA store
2014-05-04 16:12:34 +01:00
Paul Howarth
c842343c99 Update to 1.982
- New upstream release 1.982
  - Fix for using subroutine as argument to set_args_filter_hack
2014-04-24 23:30:00 +01:00
Paul Howarth
515e50a494 Update to 1.981
- New upstream release 1.981
  - Fix ecdhe test for openssl 1.0.1d (CPAN RT#95432)
  - Fix detection of openssl 1.0.1d (detected 1.0.1e instead)
  - New function can_ecdh in IO::Socket::SSL
2014-04-08 13:59:10 +01:00
Paul Howarth
6e4f1848de Fix typo in spec comment 2014-04-08 11:36:46 +01:00
Paul Howarth
28b9bc71ad Update to 1.980
- New upstream release 1.980
  - Disable elliptic curve support for openssl 1.0.1d on 64-bit
    (http://rt.openssl.org/Ticket/Display.html?id=2975)
  - Fix fingerprint calculation
- Add patch to skip elliptic curve test for openssl 1.0.1d on 64-bit
- Add patch to fix openssl version test
2014-04-08 11:22:31 +01:00
Paul Howarth
2926895385 Update to 1.979
- New upstream release 1.979
  - Hostname checking:
    - Configuration of 'leftmost' is renamed to 'full_label', but the old
      version is kept for compatibility reasons
    - Documentation of predefined schemes fixed to match reality
2014-04-06 12:26:08 +01:00
Paul Howarth
12ec243a1d Update to 1.978
- New upstream release 1.978
  - Added public prefix checking to verification of wildcard certificates, e.g.
    accept *.foo.com but not *.co.uk; see documentation of
    SSL_verifycn_publicsuffix and IO::Socket::SSL::PublicSuffix
  - Fix publicsuffix for IDNA, more tests with various IDNA libs
    (CPAN RT#94424)
  - Reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
  - Add more checks to external/usable_ca.t; now it is enough that at least one
    of the hosts verifies against the built-in CA store
  - Add openssl and Net::SSLeay version to diagnostics in load test
- Switch preferred IDN back-end from Net::LibIDN to URI::_idna as per upstream,
  falling back to Net::IDN::Encode on older distributions
- Add fix from upstream git to support building with Test::More < 0.88
2014-04-04 18:41:23 +01:00
Paul Howarth
70cd5c8b43 Update to 1.975
- New upstream release 1.975
  - BEHAVIOR CHANGE: work around TEA misfeature on OS X built-in openssl, e.g.
    guarantee that only the explicitly-given CA or the openssl default CA will
    be used; this means that certificates inside the OS X keyring will no
    longer be used, because there is no way to control the use by openssl
    (e.g. certificate pinning etc.)
  - Make external tests run by default to make sure default CA works on all
    platforms; it skips automatically on network problems like timeouts or SSL
    interception, and can also use http(s)_proxy environment variables
2014-04-02 12:02:56 +01:00