- New upstream release 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
- New upstream release 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
see also CPAN RT#126899
- TLS 1.3 support is not complete yet for session resume
- New upstream release 2.058
- Fix memory leak that occured with explicit stop_SSL in connection with
non-blocking sockets or timeout (CPAN RT#125867)
- Fix redefine warnings in case Socket6 is installed but neither
IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
number or callback to create serial number based on the original certificate
- New function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
value
- Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
- New upstream release 2.056
- Intercept: Fix creation of serial number (basing it on binary digest
instead of treating hex fingerprint as binary), allow use of own serial
numbers again
- t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
- Update PublicSuffix
- New upstream release 2.054
- Small behavior fixes
- If SSL_fingerprint is used and matches, don't check for OCSP
- Utils::CERT_create: Small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- Update PublicSuffix
- Updates for documentation, especially regarding pitfalls with forking or
using non-blocking sockets, spelling fixes
- Test fixes and improvements
- Stability improvements for live tests
- Regenerate certificates in certs/ and make sure they are limited to the
correct purpose; check in program used to generate certificates
- Adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
- New upstream release 2.052
- Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
the functions with dummies instead of removing NPN completly or setting
OPENSSL_NO_NEXTPROTONEG
- t/01loadmodule.t shows more output helpful in debugging problems
- Update fingerprints for external tests
- Update documentation to make behavior of syswrite more clear
- New upstream release 2.051
- syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
(GH#62)
- New upstream release 2.050
- Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
supported, as is the case with openssl versions in latest Debian (buster)
- New upstream release 2.049
- Fixed problem caused by typo in the context of session cache (GH#60)
- Updated PublicSuffix information from publicsuffix.org
- New upstream release 2.048
- Fixed small memory leaks during destruction of socket and context
(CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %install section
- Drop explicit %clean section
- New upstream release 2.046
- Clean up everything in DESTROY and make sure to start with a fresh
%%{*self} in configure_SSL because it can happen that a GLOB gets used
again without calling DESTROY
(https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
- New upstream release 2.045
- Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects (GH#55)
- Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
perl is compiled without thread support
- Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
openssl build without SSLv3 support
- When setting SSL_keepSocketOnError to true the socket will not be closed on
fatal error (GH#53, modified)
- Update patches as needed
- New upstream release 2.044
- Protect various 'eval'-based capability detections at startup with a
localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
as done by various third party software should cause less problems even if
there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
- New upstream release 2.043
- Enable session ticket callback with Net::SSLeay ≥ 1.80
- Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
session no longer gets reused if it was not properly closed, which is now
done using an explicit close by the client
- Update patches as needed
- New upstream release 2.040
- Fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
- New upstream release 2.038
- Restrict session ticket callback to Net::SSLeay 1.79+ since version before
contains bug; add test for session reuse
- Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
- Fix t/external/ocsp.t to use different server (under my control) to check
OCSP stapling
- Update patches as needed
- New upstream release 2.037
- Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
- Fix session cache del_session: it freed the session but did not properly
remove it from the cache; further reuse caused crash
- Update patches as needed
- New upstrean release 2.035
- Fixes for issues introduced in 2.034
- Return with error in configure_SSL if context creation failed; this
might otherwise result in an segmentation fault later
- Apply builtin defaults before any (user configurable) global settings
(i.e. done with set_defaults, set_default_context...) so that builtins
don't replace user settings
- Update patches as needed
- New upstream release 2.034
- Move handling of global SSL arguments into creation of context, so that
these get also applied when creating a context only
- Update patches as needed
- New upstream release 2.033
- Support for session ticket reuse over multiple contexts and processes (if
supported by Net::SSLeay)
- Small optimizations, like saving various Net::SSLeay constants into
variables and access variables instead of calling the constant sub all the
time
- Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
- New upstream release 2.032
- Set session id context only on the server side; even if the documentation
for SSL_CTX_set_session_id_context makes clear that this function is server
side only, it actually affects handling of session reuse on the client side
too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
in different context" at the client
- New upstream release 2.031
- Utils::CERT_create - don't add given extensions again if they were already
added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice
- Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does
- Support for creating ECC keys in Utils once supported by Net::SSLeay
- Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
- New upstream release 2.029
- Add del_session method to session cache
- Use SSL_session_key as the real key for the cache and not some derivate of
it, so that it works to remove the entry using the same key
- New upstream release 2.024
- Work around issue where the connect fails on systems having only a loopback
interface and where IO::Socket::IP is used as super class (default when
available)
- Update patches as needed
- New upstream release 2.023
- OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
connection was not fully established, which somehow resulted in
Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
loop; it will now ignore this result in case the TLS connection was not
yet established and consider the TLS connection closed instead
- Update patches as needed
- New upstream release 2.021
- Fixes for documentation and typos
- Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
- New upstream release 2.020
- Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
can be given as array or as string with a path separator
- Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
- New upstream release 2.019
- Work around different behavior of getnameinfo from Socket and Socket6 by
using a different wrapper depending on which module is used for IPv6
- Update patches as needed
- New upstream release 2.018
- Checks for readability of files/dirs for certificates and CA no longer use
-r because this is not safe when ACLs are used (CPAN RT#106295)
- New method sock_certificate similar to peer_certificate (CPAN RT#105733)
- get_fingerprint can now take optional certificate as argument and compute
the fingerprint of it; useful in connection with sock_certificate
- Check for both EWOULDBLOCK and EAGAIN since these codes are different on
some platforms (CPAN RT#106573)
- Enforce default verification scheme if nothing was specified, i.e. no
longer just warn but accept; if really no verification is wanted, a scheme
of 'none' must be explicitly specified
- Support different cipher suites per SNI hosts
- startssl.t failed on darwin with old openssl since server requested client
certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
- New upstream release 2.016
- Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
(since 1.02) and available with Net::SSLeay (CPAN RT#104759)
- Work around hanging prompt() with older perl in Makefile.PL
(CPAN RT#104731)
- Make t/memleak_bad_handshake.t work on cygwin and other systems having
/proc/pid/statm (CPAN RT#104659)
- Add better debugging
- New upstream release 2.014
- Utils::CERT_create - work around problems with authorityInfoAccess, where
OpenSSL i2v does not create the same string as v2i expects
- Intercept - don't clone some specific extensions that only make sense with
the original certificate
- New upstream release 2.013
- Assign severities to internal error handling and make sure that follow-up
errors like "configuration failed" or "certificate verify error" don't
replace more specific "hostname verification failed" when reporting in
sub errstr/$SSL_ERROR (CPAN RT#103423)
- Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)
- New upstream release 2.010
- New options SSL_client_ca_file and SSL_client_ca to let the server send the
list of acceptable CAs for the client certificate
- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay
(CPAN RT#101485)
- New upstream release 2.009
- Remove util/analyze.pl; this tool is now together with other SSL tools at
https://github.com/noxxi/p5-ssl-tools
- Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)
- New upstream release 2.008
- Work around recent OCSP verification errors for revoked.grc.com (badly
signed OCSP response, Firefox also complains about it) in test
t/external/ocsp.t
- util/analyze.pl - report more details about preferred cipher for specific
TLS versions
- New upstream release 2.007
- Make getline/readline fall back to super class if class is not sslified
yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
- New upstream release 2.006
- Make SSLv3 available even if the SSL library disables it by default in
SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
so this will be only done when setting SSL_version explicitly
- Fix possible segmentation fault when trying to use an invalid certificate
- Use only the ICANN part of the default public suffix list and not the
private domains; this makes existing exceptions for s3.amazonaws.com and
googleapis.com obsolete
- Fix t/protocol_version.t to deal with OpenSSL installations that are
compiled without SSLv3 support
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
of EAGAIN; while this is the same on UNIX it is different on Windows and
socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
- Enable non-blocking tests on Windows too
- Make PublicSuffix::_default_data thread safe
- Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
which may have SSL3.0 enabled
- Classify buildreqs by usage
- New upstream release 2.002
- Fix check for (invalid) IPv4 when validating hostname against certificate;
do not use inet_aton any longer because it can cause DNS lookups for
malformed IP (CPAN RT#99448)
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
top level domains
- Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
