- New upstream release 2.074
- Add SSL_ciphersuites option for TLS 1.3 ciphers
- No longer use own default for ciphers: instead, use system default but
disable some weak ciphers that might still be enabled on older systems
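As an added illustration of the two options mentioned above (not code from the package or its changelog), the following client sets the TLS 1.3 ciphersuites with SSL_ciphersuites and trims weak options from the system default list with SSL_cipher_list, which only affects TLS 1.2 and earlier. The host example.com is an assumed placeholder.

```perl
#!/usr/bin/perl
# Added example (not part of the package): separate TLS 1.3 ciphersuite
# configuration from the pre-1.3 cipher list and verify the peer.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

my $host = 'example.com';   # assumed placeholder host

my $cl = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_hostname    => $host,            # SNI and hostname verification
    SSL_verify_mode => SSL_VERIFY_PEER,
    # TLS 1.3 suites are selected with SSL_ciphersuites (2.074 and later) ...
    SSL_ciphersuites => 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256',
    # ... while SSL_cipher_list only affects TLS 1.2 and below. Starting from
    # DEFAULT and removing weak families keeps the system policy in place
    # instead of replacing it with a private list.
    SSL_cipher_list  => 'DEFAULT:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5',
) or die "TLS connect to $host failed: $SSL_ERROR\n";

# Report what was actually negotiated so the policy can be checked.
printf "protocol: %s\ncipher:   %s\n", $cl->get_sslversion, $cl->get_cipher;
$cl->close;
```

On systems where Net::SSLeay or OpenSSL lacks TLS 1.3 support, SSL_ciphersuites has no effect and the negotiated protocol printed at the end will be 1.2 or lower; printing get_sslversion and get_cipher is the quickest way to confirm which list was applied.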
- New upstream release 2.072
- Add PEM_certs2file and PEM_file2certs in IO::Socket::SSL::Utils based on
idea in GH#101
- certs/*.p12 used for testing should now work with OpenSSL 3.0 too (GH#108)
- Update public suffix database
- Drop patch for building with OpenSSL 1.1.1e
- New upstream release 2.069
- IO::Socket::SSL::Utils CERT_asHash and CERT_create now support subject and
issuer with multiple parts of the same type (like multiple OU); in this case
an array ref instead of a scalar is used as the hash value (GH#95)
- New upstream release 2.067
- Fix memory leak on incomplete handshake (GH#92)
- Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
can decrease memory usage at the costs of more allocations (CPAN RT#129463)
- More detailed error messages when loading of certificate file failed (GH#89)
- Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
- Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- Fix warning when no ecdh support is available
- Documentation update regarding use of select and TLS 1.3
- Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
- Stability fix for t/core.t
Because this package run-requires URI::_idna, the
IO::Socket::SSL::PublicSuffix library won't use the two modules and
thus testing a code path for them is questionable. The condition
allows pruning the dependency chain somewhat.
- New upstream release 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
- New upstream release 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
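The entry above concerns SSL_fingerprint. As an added example (not from the package), the client below records the leaf certificate's SHA-256 fingerprint over a normally CA-verified connection and then reconnects trusting only that pin; the host example.com is an assumed placeholder.

```perl
#!/usr/bin/perl
# Added example (not part of the package): certificate pinning with
# SSL_fingerprint. Step 1 obtains the pin over a CA-verified connection,
# step 2 reconnects using the pin alone.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

my $host = 'example.com';   # assumed placeholder host

# Step 1: fetch the SHA-256 fingerprint of the server certificate.
# get_fingerprint returns it as "sha256$<hex>".
my $probe = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_hostname    => $host,
    SSL_verify_mode => SSL_VERIFY_PEER,
) or die "probe connect to $host failed: $SSL_ERROR\n";
my $pin = $probe->get_fingerprint('sha256');
$probe->close;
print "pinned: $pin\n";

# Step 2: reconnect, accepting the certificate only if it matches the pin.
# Since 2.064 the "sha256$" prefix is optional: a bare 64-hex-character
# value is recognised as SHA-256 from its length.
my $cl = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_hostname    => $host,
    SSL_fingerprint => $pin,
) or die "pinned connect to $host failed: $SSL_ERROR\n";
print "connected; certificate matched pin\n";
$cl->close;
```

A pin ties the client to one certificate rather than to the CA, so it must be refreshed whenever the server rotates its certificate; with a matching fingerprint the module skips CA verification (and, per the 2.054 entry, OCSP), which is why the pin should be captured over a verified connection in the first place.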
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
- New upstream release 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
- New upstream release 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
- New upstream release 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
- New upstream release 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
see also CPAN RT#126899
- TLS 1.3 support is not complete yet for session resume
This is not full support. It only makes the tests pass.
In particular, it does not document TLSv1.3 support and it does not
support explicit session resumption in TLSv1.3.
To pass the tests with openssl-1.1.1 it requires patched
perl-Net-SSLeay >= 1.85-7.fc29. But it also works with older openssl
regardless of perl-Net-SSLeay. Thus I did not add a dependency on an
explicit perl-Net-SSLeay release.
- New upstream release 2.058
- Fix memory leak that occurred with explicit stop_SSL in connection with
non-blocking sockets or timeout (CPAN RT#125867)
- Fix redefine warnings in case Socket6 is installed but neither
IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
number or callback to create serial number based on the original certificate
- New function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
value
- Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
- New upstream release 2.056
- Intercept: Fix creation of serial number (basing it on binary digest
instead of treating hex fingerprint as binary), allow use of own serial
numbers again
- t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
- Update PublicSuffix
- New upstream release 2.055
- Use SNI also if hostname was given all-uppercase
- Utils::CERT_create: Don't add authority key for issuer since Chrome does
not like this
- Intercept:
- Change behavior of code-based cache to better support synchronizing
within multiprocess/threaded set-ups
- Don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- Better support platforms without IPv6 (CPAN RT#124431)
- Spelling fixes in documentation (CPAN RT#124306)
- New upstream release 2.054
- Small behavior fixes
- If SSL_fingerprint is used and matches, don't check for OCSP
- Utils::CERT_create: Small fixes to properly specify the purpose, ability to
use a predefined complex purpose but disable some features
- Update PublicSuffix
- Updates for documentation, especially regarding pitfalls with forking or
using non-blocking sockets, spelling fixes
- Test fixes and improvements
- Stability improvements for live tests
- Regenerate certificates in certs/ and make sure they are limited to the
correct purpose; check in program used to generate certificates
- Adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works