Commit Graph

195 Commits

Author SHA1 Message Date
Paul Howarth
46a5435ffc Update to 2.045
- New upstream release 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed
2017-02-14 11:52:13 +00:00
Fedora Release Engineering
88d911cebb - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-11 03:37:01 +00:00
Paul Howarth
157e4fc48f Update to 2.044
- New upstream release 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause less problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
2017-01-26 15:59:38 +00:00
Paul Howarth
6a30f8ffc4 Update to 2.043
- New upstream release 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed
2017-01-06 14:34:50 +00:00
Paul Howarth
c290ff8f5b Update to 2.041
- New upstream release 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed
2017-01-04 11:25:36 +00:00
Paul Howarth
a6f663d8ce Update to 2.040
- New upstream release 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
2016-12-18 12:18:04 +00:00
Paul Howarth
94a62556ae Upload IO-Socket-SSL-2.039.tar.gz 2016-11-21 09:47:32 +00:00
Paul Howarth
48b55376ef Update to 2.039
- New upstream release 2.039
  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
    on EOF without proper SSL shutdown; since it looks like that this behavior
    will be kept at least for 1.1.1+, adapt to the changed API by treating
    errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed
2016-11-21 09:38:46 +00:00
Paul Howarth
4b64c34a03 Update to 2.038
- New upstream release 2.038
  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before
    contains bug; add test for session reuse
  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
  - Fix t/external/ocsp.t to use different server (under my control) to check
    OCSP stapling
- Update patches as needed
2016-09-19 14:32:14 +01:00
Paul Howarth
1c9734277a Update to 2.037
- New upstream release 2.037
  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
  - Fix session cache del_session: it freed the session but did not properly
    remove it from the cache; further reuse caused crash
- Update patches as needed
2016-08-23 09:22:35 +01:00
Paul Howarth
5273482db2 Update to 2.035
- New upstrean release 2.035
  - Fixes for issues introduced in 2.034
    - Return with error in configure_SSL if context creation failed; this
      might otherwise result in an segmentation fault later
    - Apply builtin defaults before any (user configurable) global settings
      (i.e. done with set_defaults, set_default_context...) so that builtins
      don't replace user settings
- Update patches as needed
2016-08-11 19:06:10 +01:00
Paul Howarth
669ae1bebf Update to 2.034
- New upstream release 2.034
  - Move handling of global SSL arguments into creation of context, so that
    these get also applied when creating a context only
- Update patches as needed
2016-08-08 14:32:25 +01:00
Paul Howarth
5c5f120ac9 Update to 2.033
- New upstream release 2.033
  - Support for session ticket reuse over multiple contexts and processes (if
    supported by Net::SSLeay)
  - Small optimizations, like saving various Net::SSLeay constants into
    variables and access variables instead of calling the constant sub all the
    time
  - Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
2016-07-16 13:40:15 +01:00
Paul Howarth
ddc83e4abc Update to 2.032
- New upstream release 2.032
  - Set session id context only on the server side; even if the documentation
    for SSL_CTX_set_session_id_context makes clear that this function is server
    side only, it actually affects handling of session reuse on the client side
    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
    in different context" at the client
2016-07-12 16:31:13 +01:00
Paul Howarth
5e25984e43 Update to 2.031
- New upstream release 2.031
  - Utils::CERT_create - don't add given extensions again if they were already
    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
    extensions are given twice
  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
    with the reverse order as in the PKCS12 file, because that's what it does
  - Support for creating ECC keys in Utils once supported by Net::SSLeay
  - Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
2016-07-08 14:49:19 +01:00
Paul Howarth
1bbcd86cf3 Update to 2.029
- New upstream release 2.029
  - Add del_session method to session cache
  - Use SSL_session_key as the real key for the cache and not some derivate of
    it, so that it works to remove the entry using the same key
2016-06-28 10:37:28 +01:00
Petr Písař
456f4340b9 Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:48:12 +02:00
Jitka Plesnikova
409527b2d3 Perl 5.24 rebuild 2016-05-16 03:25:35 +02:00
Paul Howarth
6fc3767106 Update to 2.027
- New upstream release 2.027
  - Updated Changes file for 2.026
2016-04-21 11:51:58 +01:00
Paul Howarth
6ed7f418dd Update to 2.026
- New upstream release 2.026
  - Upstream's default cipher lists updated (we use system default though)
- Update patches as needed
2016-04-20 15:24:10 +01:00
Paul Howarth
16cfe40816 Update to 2.025
- New upstream release 2.025
  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)
- Simplify find command using -delete
2016-04-04 14:47:57 +01:00
Paul Howarth
1b3e2576a4 Update to 2.024
- New upstream release 2.024
  - Work around issue where the connect fails on systems having only a loopback
    interface and where IO::Socket::IP is used as super class (default when
    available)
- Update patches as needed
2016-02-07 16:11:20 +00:00
Fedora Release Engineering
5dde526491 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 14:09:04 +00:00
Paul Howarth
c1f1b41420 Update to 2.023
- New upstream release 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed
2016-01-30 19:08:57 +00:00
Paul Howarth
5b16a21796 Update to 2.022
- New upstream release 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)
2015-12-10 10:51:01 +00:00
Paul Howarth
abe772d8a4 Update to 2.021
- New upstream release 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
2015-12-03 13:55:07 +00:00
Paul Howarth
1b76ff56a2 Update to 2.020
- New upstream release 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
2015-09-21 10:56:58 +01:00
Paul Howarth
d23a4091cb Update to 2.019
- New upstream release 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed
2015-09-01 20:12:52 +01:00
Paul Howarth
6f9741cacd Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
2015-09-01 09:44:25 +01:00
Dennis Gilmore
ff435e5558 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-18 03:49:28 +00:00
Jitka Plesnikova
db7ab5c711 Perl 5.22 rebuild 2015-06-09 19:45:07 +02:00
Paul Howarth
c60a35205c Update to 2.016
- New upstream release 2.016
  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)
  - Work around hanging prompt() with older perl in Makefile.PL
    (CPAN RT#104731)
  - Make t/memleak_bad_handshake.t work on cygwin and other systems having
    /proc/pid/statm (CPAN RT#104659)
  - Add better debugging
2015-06-07 20:43:19 +01:00
Jitka Plesnikova
73b0e3e90c Perl 5.22 rebuild 2015-06-06 13:36:22 +02:00
Paul Howarth
31561d8aa2 Update to 2.015
- New upstream release 2.015
  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using
    Domain AF_INET in the tests (CPAN RT#104226)
2015-05-14 13:33:34 +01:00
Paul Howarth
de67e57f13 Update to 2.014
- New upstream release 2.014
  - Utils::CERT_create - work around problems with authorityInfoAccess, where
    OpenSSL i2v does not create the same string as v2i expects
  - Intercept - don't clone some specific extensions that only make sense with
    the original certificate
2015-05-05 13:25:45 +01:00
Paul Howarth
c709cc0651 Update to 2.013
- New upstream release 2.013
  - Assign severities to internal error handling and make sure that follow-up
    errors like "configuration failed" or "certificate verify error" don't
    replace more specific "hostname verification failed" when reporting in
    sub errstr/$SSL_ERROR (CPAN RT#103423)
  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)
2015-05-01 22:10:38 +01:00
Paul Howarth
21c4d677e1 Update to 2.012
- New upstream release 2.012
  - Fix t/ocsp.t in case no HTTP::Tiny is installed
2015-02-02 15:06:33 +00:00
Paul Howarth
c4b2055412 Upload sources for 2.011 2015-02-02 08:06:02 +00:00
Paul Howarth
8c3e5b5c0f Update to 2.011
- New upstream release 2.011
  - Fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling
    (CPAN RT#101855)
  - Added option 'purpose' to Utils::CERT_create to get better control of the
    certificate's purpose; default is 'server,client' for non-CA (contrary to
    only 'server' before)
  - Removed RC4 from default cipher suites on the server side
    (https://github.com/noxxi/p5-io-socket-ssl/issues/22)
  - Refactoring of some tests using Test::More
- Note that this package still uses system-default cipher and SSL versions,
  which may have RC4 enabled
- Update patches as needed
2015-02-01 19:12:03 +00:00
Paul Howarth
98379599a5 Update to 2.010
- New upstream release 2.010
  - New options SSL_client_ca_file and SSL_client_ca to let the server send the
    list of acceptable CAs for the client certificate
  - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay
    (CPAN RT#101485)
2015-01-15 11:53:15 +00:00
Paul Howarth
cd80fc16ec Update to 2.009
- New upstream release 2.009
  - Remove util/analyze.pl; this tool is now together with other SSL tools at
    https://github.com/noxxi/p5-ssl-tools
  - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)
2015-01-12 13:28:46 +00:00
Paul Howarth
714f23ebd9 Update to 2.008
- New upstream release 2.008
  - Work around recent OCSP verification errors for revoked.grc.com (badly
    signed OCSP response, Firefox also complains about it) in test
    t/external/ocsp.t
  - util/analyze.pl - report more details about preferred cipher for specific
    TLS versions
2014-12-18 14:48:45 +00:00
Paul Howarth
bc89e90476 Update to 2.007
- New upstream release 2.007
  - Make getline/readline fall back to super class if class is not sslified
    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
2014-11-27 10:52:47 +00:00
Paul Howarth
af52f67378 Update to 2.006
- New upstream release 2.006
  - Make SSLv3 available even if the SSL library disables it by default in
    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
    so this will be only done when setting SSL_version explicitly
  - Fix possible segmentation fault when trying to use an invalid certificate
  - Use only the ICANN part of the default public suffix list and not the
    private domains; this makes existing exceptions for s3.amazonaws.com and
    googleapis.com obsolete
  - Fix t/protocol_version.t to deal with OpenSSL installations that are
    compiled without SSLv3 support
  - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
    of EAGAIN; while this is the same on UNIX it is different on Windows and
    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
  - Enable non-blocking tests on Windows too
  - Make PublicSuffix::_default_data thread safe
  - Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
- Classify buildreqs by usage
2014-11-23 14:55:09 +00:00
Paul Howarth
1e5d92fafe Update to 2.002
- New upstream release 2.002
  - Fix check for (invalid) IPv4 when validating hostname against certificate;
    do not use inet_aton any longer because it can cause DNS lookups for
    malformed IP (CPAN RT#99448)
  - Update PublicSuffix with latest version from publicsuffix.org - lots of new
    top level domains
  - Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
2014-10-22 18:29:57 +01:00
Paul Howarth
3c5f052538 Update to 2.001
- New upstream release 2.001
  - Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
  - Update external tests with currently expected fingerprints of hosts
  - Some fixes to make it still work on 5.8.1
2014-10-21 15:27:58 +01:00
Paul Howarth
0249c6324b Update to 2.000
- New upstream release 2.000
  - Consider SSL3.0 as broken because of POODLE and disable it by default
  - Skip live tests without asking if environment NO_NETWORK_TESTING is set
  - Skip tests that require fork on non-default windows setups without proper
    fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18)
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
2014-10-16 14:10:03 +01:00
Paul Howarth
4c8c768b6e Update to 1.999
- New upstream release 1.999
  - Make sure we don't use version 0.30 of IO::Socket::IP
  - Make sure that PeerHost is checked in all places where PeerAddr is checked,
    because these are synonyms and IO::Socket::IP prefers PeerHost while others
    prefer PeerAddr; also accept PeerService additionally to PeerPort
    (https://github.com/noxxi/p5-io-socket-ssl/issues/16)
  - Add ability to use client certificates and to overwrite hostname with
    util/analyze-ssl.pl
2014-10-10 14:48:05 +01:00
Paul Howarth
449688d154 Update to 1.998
- New upstream release 1.998
  - Make client authentication work at the server side when SNI is in by use
    having CA path and other settings in all SSL contexts instead of only the
    main one (https://github.com/noxxi/p5-io-socket-ssl/pull/15)
2014-09-22 15:21:39 +01:00
Jitka Plesnikova
8950a78dcb Perl 5.20 rebuild 2014-08-28 13:25:33 +02:00