Commit Graph

196 Commits

Author SHA1 Message Date
Paul Howarth
714f23ebd9 Update to 2.008
- New upstream release 2.008
  - Work around recent OCSP verification errors for revoked.grc.com (badly
    signed OCSP response, Firefox also complains about it) in test
    t/external/ocsp.t
  - util/analyze.pl - report more details about preferred cipher for specific
    TLS versions
2014-12-18 14:48:45 +00:00
Paul Howarth
bc89e90476 Update to 2.007
- New upstream release 2.007
  - Make getline/readline fall back to super class if class is not sslified
    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
2014-11-27 10:52:47 +00:00
Paul Howarth
af52f67378 Update to 2.006
- New upstream release 2.006
  - Make SSLv3 available even if the SSL library disables it by default in
    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
    so this will be only done when setting SSL_version explicitly
  - Fix possible segmentation fault when trying to use an invalid certificate
  - Use only the ICANN part of the default public suffix list and not the
    private domains; this makes existing exceptions for s3.amazonaws.com and
    googleapis.com obsolete
  - Fix t/protocol_version.t to deal with OpenSSL installations that are
    compiled without SSLv3 support
  - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead
    of EAGAIN; while this is the same on UNIX it is different on Windows and
    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
  - Enable non-blocking tests on Windows too
  - Make PublicSuffix::_default_data thread safe
  - Update PublicSuffix with latest list from publicsuffix.org
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
- Classify buildreqs by usage
2014-11-23 14:55:09 +00:00
Paul Howarth
1e5d92fafe Update to 2.002
- New upstream release 2.002
  - Fix check for (invalid) IPv4 when validating hostname against certificate;
    do not use inet_aton any longer because it can cause DNS lookups for
    malformed IP (CPAN RT#99448)
  - Update PublicSuffix with latest version from publicsuffix.org - lots of new
    top level domains
  - Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
2014-10-22 18:29:57 +01:00
Paul Howarth
3c5f052538 Update to 2.001
- New upstream release 2.001
  - Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
  - Update external tests with currently expected fingerprints of hosts
  - Some fixes to make it still work on 5.8.1
2014-10-21 15:27:58 +01:00
Paul Howarth
0249c6324b Update to 2.000
- New upstream release 2.000
  - Consider SSL3.0 as broken because of POODLE and disable it by default
  - Skip live tests without asking if environment NO_NETWORK_TESTING is set
  - Skip tests that require fork on non-default windows setups without proper
    fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18)
- Note that this package still uses system-default cipher and SSL versions,
  which may have SSL3.0 enabled
2014-10-16 14:10:03 +01:00
Paul Howarth
4c8c768b6e Update to 1.999
- New upstream release 1.999
  - Make sure we don't use version 0.30 of IO::Socket::IP
  - Make sure that PeerHost is checked in all places where PeerAddr is checked,
    because these are synonyms and IO::Socket::IP prefers PeerHost while others
    prefer PeerAddr; also accept PeerService additionally to PeerPort
    (https://github.com/noxxi/p5-io-socket-ssl/issues/16)
  - Add ability to use client certificates and to overwrite hostname with
    util/analyze-ssl.pl
2014-10-10 14:48:05 +01:00
Paul Howarth
449688d154 Update to 1.998
- New upstream release 1.998
  - Make client authentication work at the server side when SNI is in by use
    having CA path and other settings in all SSL contexts instead of only the
    main one (https://github.com/noxxi/p5-io-socket-ssl/pull/15)
2014-09-22 15:21:39 +01:00
Jitka Plesnikova
8950a78dcb Perl 5.20 rebuild 2014-08-28 13:25:33 +02:00
Paul Howarth
bdc758a36f Use system-default SSL version too 2014-08-07 16:26:51 +01:00
Paul Howarth
223f2f3a2c Use system-wide default cipher list from OpenSSL
Use system-wide default cipher list to support use of system-wide
crypto policy (#1076390, #1127577, CPAN RT#97816)
https://fedoraproject.org/wiki/Changes/CryptoPolicy
2014-08-07 14:33:34 +01:00
Paul Howarth
bd0d612e4e Update to 1.997
- New upstream release 1.997
  - Fix initialization and creation of OpenSSL-internals for perlcc
    compatibility (CPAN RT#95452)
  - Add refresh option for peer_certificate, so that it checks if the
    certificate changed in the mean time (on renegotiation)
  - Fix fingerprint checking - now applies only to top-most certificate
  - IO::Socket::SSL::Utils - accept extensions within CERT_create
  - Various documentation fixes
2014-07-14 15:45:33 +01:00
Paul Howarth
dd3cfce8d5 Update to 1.994
- New upstream release 1.994
  - IO::Socket::SSL can now be used as dual-use socket, e.g. start plain,
    upgrade to SSL and downgrade again all with the same object; see
    documentation of SSL_startHandshake and chapter Advanced Usage
  - Try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
    fails; this is needed if one wants to explicitly verify OCSP lookups even
    if verification is otherwise off, because otherwise the signature check
    would fail (this is mostly useful for testing)
  - Reorder documentation of attributes for new, so that the more important
    ones are at the top
2014-06-23 15:04:36 +01:00
Paul Howarth
049da7beb6 Update to 1.993
- New upstream release 1.993
  - Major rewrite of documentation, now in separate file
  - Rework error handling to distinguish between SSL errors and internal errors
    (like missing capabilities)
  - Fix handling of default_ca if given during the run of the program
    (Debian #750646)
  - util/analyze-ssl.pl - fix hostname check if SNI does not work
2014-06-15 14:33:33 +01:00
Paul Howarth
e8dc5a3938 Update to 1.992
- New upstream release 1.992
  - Set $! to undef before doing IO (accept, read...); on Windows a connection
    reset could cause an SSL read error without setting $!, so make sure we
    don't keep the old value and maybe thus run into an endless loop
2014-06-10 20:09:12 +01:00
Dennis Gilmore
92741ab3e8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 00:42:56 -05:00
Paul Howarth
bc69fcf260 Update to 1.991
- New upstream release 1.991
  - New option SSL_OCSP_TRY_STAPLE to enforce staple request even if
    VERIFY_NONE
  - Work around for CPAN RT#96013 in peer_certificates
2014-05-28 12:21:25 +01:00
Paul Howarth
ee28fcaeb7 Update to 1.990
- New upstream release 1.990
  - Added option SSL_ocsp_staple_callback to get the stapled OCSP response and
    verify it somewhere else
  - Try to fix warnings on Windows again (CPAN RT#95967)
  - Work around temporary OCSP error in t/external/ocsp.t
2014-05-27 16:17:41 +01:00
Paul Howarth
cfea8ea3f1 Update to 1.989
- New upstream release 1.989
  - Fix warnings on Windows (CPAN RT#95881)
2014-05-25 20:47:07 +01:00
Paul Howarth
5e48e602cd Update to 1.988
- New upstream release 1.988
  - Allow IPv4 in common name, because browsers allow this too; only for scheme
    www/http though, not for rfc2818 (because RC2818 does not allow this; in
    default scheme IPv6 and IPv4 are allowed in CN)
  - Fix handling of public suffix; add exemption for *.googleapis.com
    wildcard, which should not be allowed according to public suffix list but
    actually is used
  - Add hostname verification test based on older test of chromium, but change
    some of the test expectations because we don't want to support IP as SAN
    DNS and because we enforce a public suffix list (and thus *.co.uk should
    not be allowed)
  - Fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
    (CPAN RT#95719)
  - Enable IPv6 support only if we have a usable inet_pton
  - Remove stale entries from MANIFEST
  - Add transparent support for DER and PKCS#12 files to specify cert and key,
    e.g. it will autodetect the format
  - If SSL_cert_file is PEM and no SSL_key_file is given it will check if the
    key is in SSL_cert_file too
2014-05-18 01:18:49 +01:00
Paul Howarth
e1aa44992f Update to 1.985
- New upstream release 1.985
  - Make OCSP callback return 1 even if it was called on the server side
    because of bad setup of the socket; otherwise we get an endless calling of
    the OCSP callback
  - Consider an OCSP response that is not yet or no longer valid a soft error
    instead of an hard error
  - Fix skip in t/external/ocsp.t in case fingerprint does not match
  - Call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free
    (CPAN RT#95633)
  - util/analyze.pl - with --show-chain check if chain with SNI is different
    from chain w/o SNI
- Drop ExtUtils::MakeMaker version requirement
2014-05-15 13:03:34 +01:00
Paul Howarth
91de4e03c6 Fix typo in Utils.pm (#1097640, CPAN RT#95633)
$ perl -MIO::Socket::SSL::Utils -e 'KEY_free(KEY_create_rsa())'
Can't locate auto/Net/SSLeay/EVP_KEY_fre.al in @INC (@INC contains:
/usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
/usr/share/perl5/vendor_perl/IO/Socket/SSL/Utils.pm line 96.

Net::SSLeay::EVP_KEY_free should be Net::SSLeay::EVP_PKEY_free.
2014-05-14 11:56:53 +01:00
Paul Howarth
cf47cd0114 Update to 1.984
- New upstream release 1.984
  - Added OCSP support:
    - Needs Net::SSLeay ≥ 1.59
    - For usage see documentation of IO::Socket::SSL (examples and anything
      with OCSP in the name)
  - New tool util/analyze-ssl.pl, which is intended to help in debugging of SSL
    problems and to get information about capabilities of server; it works also
    as an example of how to use various features (like OCSP, SNI...)
  - Fix peer_certificates (returns leaf certificate only once on client side)
  - Added timeout for stop_SSL (either with Timeout or with the default timeout
    for IO::Socket)
  - Fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
    time is not GMT; use Net::SSLeay::ASN1_TIME_timet if available
  - Fix t/external/usable_ca.t for system with junk in CA files
2014-05-10 23:07:40 +01:00
Paul Howarth
e56716ca31 Update to 1.983
- New upstream release 1.983
  - Fix public suffix handling: ajax.googleapis.com should be ok even if
    googleapis.com is in public suffix list (e.g. check one level less)
    (CPAN RT#95317)
  - usable_ca.t - update fingerprints after heartbleed attack
  - usable_ca.t - make sure we have usable CA for tested hosts in CA store
2014-05-04 16:12:34 +01:00
Paul Howarth
c842343c99 Update to 1.982
- New upstream release 1.982
  - Fix for using subroutine as argument to set_args_filter_hack
2014-04-24 23:30:00 +01:00
Paul Howarth
515e50a494 Update to 1.981
- New upstream release 1.981
  - Fix ecdhe test for openssl 1.0.1d (CPAN RT#95432)
  - Fix detection of openssl 1.0.1d (detected 1.0.1e instead)
  - New function can_ecdh in IO::Socket::SSL
2014-04-08 13:59:10 +01:00
Paul Howarth
6e4f1848de Fix typo in spec comment 2014-04-08 11:36:46 +01:00
Paul Howarth
28b9bc71ad Update to 1.980
- New upstream release 1.980
  - Disable elliptic curve support for openssl 1.0.1d on 64-bit
    (http://rt.openssl.org/Ticket/Display.html?id=2975)
  - Fix fingerprint calculation
- Add patch to skip elliptic curve test for openssl 1.0.1d on 64-bit
- Add patch to fix openssl version test
2014-04-08 11:22:31 +01:00
Paul Howarth
2926895385 Update to 1.979
- New upstream release 1.979
  - Hostname checking:
    - Configuration of 'leftmost' is renamed to 'full_label', but the old
      version is kept for compatibility reasons
    - Documentation of predefined schemes fixed to match reality
2014-04-06 12:26:08 +01:00
Paul Howarth
12ec243a1d Update to 1.978
- New upstream release 1.978
  - Added public prefix checking to verification of wildcard certificates, e.g.
    accept *.foo.com but not *.co.uk; see documentation of
    SSL_verifycn_publicsuffix and IO::Socket::SSL::PublicSuffix
  - Fix publicsuffix for IDNA, more tests with various IDNA libs
    (CPAN RT#94424)
  - Reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
  - Add more checks to external/usable_ca.t; now it is enough that at least one
    of the hosts verifies against the built-in CA store
  - Add openssl and Net::SSLeay version to diagnostics in load test
- Switch preferred IDN back-end from Net::LibIDN to URI::_idna as per upstream,
  falling back to Net::IDN::Encode on older distributions
- Add fix from upstream git to support building with Test::More < 0.88
2014-04-04 18:41:23 +01:00
Paul Howarth
70cd5c8b43 Update to 1.975
- New upstream release 1.975
  - BEHAVIOR CHANGE: work around TEA misfeature on OS X built-in openssl, e.g.
    guarantee that only the explicitly-given CA or the openssl default CA will
    be used; this means that certificates inside the OS X keyring will no
    longer be used, because there is no way to control the use by openssl
    (e.g. certificate pinning etc.)
  - Make external tests run by default to make sure default CA works on all
    platforms; it skips automatically on network problems like timeouts or SSL
    interception, and can also use http(s)_proxy environment variables
2014-04-02 12:02:56 +01:00
Paul Howarth
6156255fa4 Update to 1.974
- New upstream release 1.974
  - New function peer_certificates to get the whole certificate chain; needs
    Net::SSLeay ≥ 1.58
  - Extended IO::Socket::Utils::CERT_asHash to provide way more information,
    like issuer information, cert and pubkey digests, all extensions, CRL
    distribution points and OCSP uri
2014-04-02 10:09:58 +01:00
Paul Howarth
ee789045bb Update to 1.973
- New upstream release 1.973
  - With SSL_ca, certificate handles can now be used in addition to
    SSL_ca_file and SSL_ca_path
  - No longer complain if SSL_ca_file and SSL_ca_path are both given;
    instead, add both as options to the CA store
  - Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create
2014-03-26 10:18:48 +00:00
Paul Howarth
fe07bb8ee1 Update to 1.972
- New upstream release 1.972
  - Make sure t/external/usable_ca.t works also with older openssl without
    support for SNI (CPAN RT#94117)
2014-03-23 10:57:06 +00:00
Paul Howarth
04c77f6f73 Update to 1.971
- New upstream release 1.971
  - Try to use SSL_hostname for hostname verification if no SSL_verifycn_name
    is given; this way, hostname for SNI and verification can be specified in
    one step
  - New test program example/simulate_proxy.pl
2014-03-22 21:38:07 +00:00
Paul Howarth
e9d0d15908 Update to 1.970
- New upstream release 1.970
  - Make sure sub default_ca uses a local $_ and not a version of an outer
    scope that might be read-only (CPAN RT#93987)
2014-03-19 10:34:56 +00:00
Paul Howarth
50d7fbb55f Update to 1.969
- New upstream release 1.969
  - Fix set_defaults to match documentation regarding short names
  - New function set_args_filter_hack to make it possible to override bad SSL
    settings from other code at the last moment
  - Determine default_ca on module load (and not on first use in each thread)
  - Don't try default hostname verification if verify_mode 0
  - Fix hostname verification when reusing context
2014-03-16 20:06:13 +00:00
Paul Howarth
cb6319f8b2 Update to 1.968
- New upstream release 1.968
  - BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
    for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file; these
    defaults were deprecated since 1.951 (July 2013)
  - Usable CA verification path on Windows etc.:
    - Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
      system/build dependent default verification path, because there was no
      way to retrieve these default values and check if they contained usable
      CA
    - Instead, re-implement the same algorithm and export the results with
      public function default_ca() and make it possible to overwrite it
    - Also check for usable verification path during build; if no usable path
      is detected, require Mozilla::CA at build and try to use it at runtime
2014-03-13 13:28:41 +00:00
Paul Howarth
961f407eff Update to 1.967
- New upstream release 1.967
  - Verify the hostname inside a certificate by default with a superset of
    common verification schemes instead of not verifying identity at all; for
    now it will only complain if name verification failed but in the future it
    will fail certificate verification, forcing you to set the expected
    SSL_verifycn_name if you want to accept the certificate
  - New option SSL_fingerprint and new methods get_fingerprint and
    get_fingerprint_bin; together they can be used to selectively accept
    specific certificates that would otherwise fail verification, like
    self-signed, outdated or from unknown CAs
  - Utils:
    - Default RSA key length 2048
    - Digest algorithm to sign certificate in CERT_create can be given;
      defaults to SHA-256
    - CERT_create can now issue non-CA self-signed certificate
    - CERT_create add some more useful constraints to certificate
  - Spelling fixes
2014-02-07 15:58:48 +00:00
Paul Howarth
5821112cbb Update to 1.966
- New upstream release 1.966
  - Fixed bug introduced in 1.964 - disabling TLSv1_2 no longer worked by
    specifying !TLSv12; only !TLSv1_2 worked
  - Fixed leak of session objects in SessionCache, if another session
    replaced an existing session (introduced in 1.965)
2014-01-22 12:27:31 +00:00
Paul Howarth
eec47bfccf Update to 1.965
- New upstream release 1.965
  - New key SSL_session_key to influence how sessions are inserted and looked
    up in the client's session cache, which makes it possible to share sessions
    over different ip:host (as is required with some FTPS servers)
  - t/core.t - handle case where default loopback source is not 127.0.0.1, like
    in FreeBSD jails
2014-01-17 16:29:16 +00:00
Paul Howarth
158d58aeae Update to 1.964
- New upstream release 1.964
  - Disabling TLSv1_1 did not work, because the constant was wrong; now it gets
    the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc.
  - The new syntax for the protocols is TLSv1_1 instead of TLSv11, which matches
    the syntax from OpenSSL (the old syntax continues to work in SSL_version)
  - New functions get_sslversion and get_sslversion_int, which get the SSL
    version of the established session as string or int
  - Disable t/io-socket-inet6.t if Acme::Override::INET is installed
2014-01-15 18:29:51 +00:00
Paul Howarth
d661fc4239 Update to 1.963
- New upstream release 1.963
  - Fix behavior of stop_SSL: for blocking sockets it now enough to call it
    once, for non-blocking it should be called again as long as EAGAIN and
    SSL_ERROR is set to SSL_WANT_(READ|WRITE)
  - Don't call blocking if start_SSL failed and downgraded socket has no
    blocking method
  - Documentation enhancements:
    - Special section for differences to IO::Socket
    - Describe problem with blocking accept on non-blocking socket
    - Describe arguments to new_from_fd and make clear that for upgrading an
      existing IO::Socket, start_SSL should be used directly
2014-01-14 14:24:20 +00:00
Paul Howarth
e46dec335a Update to 1.962
- New upstream release 1.962
  - Work around problems with older F5 BIG-IP by offering fewer ciphers on the
    client side by default, so that the client hello stays below 255 bytes
2013-11-28 14:10:43 +00:00
Paul Howarth
c150007ab9 Update to 1.961
- New upstream release 1.961
  - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates that
    are not self-signed (by giving issuer_*)
2013-11-26 15:55:35 +00:00
Paul Howarth
3a84e894f4 Update to 1.960
- New upstream release 1.960
  - Only documentation enhancements:
    - Clarify with text and example code, that within event loops not only
      select/poll should be used, but also pending has to be called
    - Better introduction into SSL; at least mention anonymous authentication as
      something you don't want and should take care with the right cipher
    - Make it more clear that it's better not to change the cipher list unless
      you really know what you're doing
- Adopt upstream's versioning scheme
2013-11-13 11:09:07 +00:00
Paul Howarth
08097c42a8 Update to 1.959
- New upstream release 1.959
  - Fix test t/core.t for Windows
2013-11-12 21:53:16 +00:00
Paul Howarth
90171d5ffc Update to 1.958
- New upstream release 1.958
  Lots of behavior changes for more secure defaults:
  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
    - No longer support MD5 by default (broken)
    - No longer support anonymous authentication by default (vulnerable to
      man in the middle attacks)
    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
      that it uses by default forward secrecy, if underlying
      Net::SSLeay/openssl supports it
    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
      hopefully have been fixed and now RC4 is considered less safe than 3DES)
    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
      to get the best cipher even if the client prefers other ciphers; PLEASE
      NOTE that this might break connections with older, less secure
      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
    and thus gets reused if context gets reused; PLEASE NOTE that using
    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
    the ciphers of the context
  - Rework hostname verification schemes:
    - Add RFC names as scheme (e.g. 'rfc2818', ...)
    - Add SIP, SNMP, syslog, netconf, GIST
    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
    'www2' etc.  but not 'www'
  - Anywhere wildcards like x* are no longer applied to IDNA names (which start
    with 'xn--')
  - Fix crash of Utils::CERT_free
  - Support TLSv11, TLSv12 as handshake protocols
  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
    authorization; with the DH param given by default since 1.956, old versions
    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
    authorization) instead of AES256-SHA and thus the check for the peer
    certificate failed (because ADH does not exchange certificates) - fixed by
    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
  - Cleaned up tests:
    - Remove ssl_settings.req and 02settings.t, because all tests now create a
      simple socket at 127.0.0.1 and thus global settings are no longer needed
    - Some tests did not have use strict(!); fixed it
    - Removed special handling for older Net::SSLeay versions that are less
      than our minimum requirement
    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
      options where they were not really needed
  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
    least version 2.55 which is now 5 years old
  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
2013-11-11 20:24:58 +00:00
Paul Howarth
ead705628a Update to 1.955
- New upstream release 1.955
  - Support for perfect forward secrecy using ECDH, if the Net::SSLeay version
    supports it
2013-10-11 22:01:07 +01:00
Paul Howarth
3fb0dd63d6 Update to 1.954
- New upstream release 1.954
  - Accept older versions of ExtUtils::MakeMaker and add meta information like
    link to repository only for newer versions
2013-09-15 21:17:10 +01:00
Dennis Gilmore
a4966be6b9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-03 17:11:06 -05:00
Petr Písař
e7382a4aba Perl 5.18 rebuild 2013-07-22 21:52:10 +02:00
Paul Howarth
a974477abe Update to 1.953
- New upstream release 1.953
  - Precedence fixes for IO::Socket::SSL::Utils (CPAN RT#87052)
2013-07-22 11:30:22 +01:00
Jochen Schmitt
715fbf7cf8 Rebuilt for perl 5.18 2013-07-18 17:11:29 +02:00
Paul Howarth
263c00b81a Update to 1.952
- New upstream release 1.952
  - Fix t/acceptSSL-timeout.t on Win32 (CPAN RT#86862)
2013-07-12 11:08:57 +01:00
Paul Howarth
5289b4544b Update to 1.951
- New upstream release 1.951
  (1.950)
  - MAJOR BEHAVIOR CHANGE:
    - ssl_verify_mode now defaults to verify_peer for client
    - Previously it used verify_none, but loudly complained since 1.79 about it
    - It will not complain any longer, but the connection will probably fail
    - Please don't simply disable ssl verification; instead, set SSL_ca_file
      etc. so that verification succeeds!
  - MAJOR BEHAVIOR CHANGE:
    - It will now complain if the built-in defaults of certs/my-ca.pem or ca/
      for CA and certs/{server,client}-{key,cert}.pem for cert and key are
      used, i.e. no certificates are specified explicitly
    - In the future these insecure (relative path!) defaults will be removed
      and the CA replaced with the system defaults
  (1.951)
  - Use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's built-in
    defaults for CA unless CA path/file was given (or IO::Socket::SSL built-ins
    used)
2013-07-03 13:04:57 +01:00
Paul Howarth
4b2baf4c09 Update to 1.94
- New upstream release 1.94
  - Makefile.PL reported wrong version of openssl if Net::SSLeay was not
    installed, instead of reporting a missing dependency of Net::SSLeay
2013-06-01 18:27:54 +01:00
Paul Howarth
3ed72db8d2 Update to 1.93
- New upstream release 1.93
  - Need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
    years ago; remove code to work around older releases
  - Changed AUTHOR in Makefile.PL from array back to string, because the array
    feature is not available in MakeMaker shipped with 5.8.9 (CPAN RT#85739)
- Set openssl version requirement to 0.9.8
- Drop ExtUtils::MakeMaker version requirement back to 6.46
2013-05-31 13:33:10 +01:00
Paul Howarth
476a8b5c3b Update to 1.92
- New upstream release 1.92
  - Intercept: use sha1-fingerprint of original cert for id into cache unless
    otherwise given
  - Fix pod error in IO::Socket::SSL::Utils (CPAN RT#85733)
2013-05-30 22:10:57 +01:00
Paul Howarth
9a569c9417 Update to 1.91
- New upstream release 1.91
  - Added IO::Socket::SSL::Utils for easier manipulation of certificates and
    keys
  - Moved SSL interception into IO::Socket::SSL::Intercept and simplified it
    using IO::Socket::SSL::Utils
  - Enhance meta information in Makefile.PL
- Bump openssl version requirement to 0.9.8a
- Need at least version 6.58 of ExtUtils::MakeMaker (CPAN RT#85739)
2013-05-30 21:10:19 +01:00
Paul Howarth
805af9d5bf Update to 1.90
- New upstream release 1.90
  - Support more digests, especially SHA-2 (CPAN RT#85290)
  - Added support for easy SSL interception (man in the middle) based on ideas
    found in mojo-mitm proxy
  - Make 1.46 the minimal required version for Net::SSLeay, because it
    introduced lots of useful functions
- BR:/R: openssl ≥ 0.9.7e for P_ASN1_TIME_(get,set)_isotime in Net::SSLeay
2013-05-29 22:14:04 +01:00
Paul Howarth
2f01417e72 Update to 1.89
- New upstream release 1.89
  - If IO::Socket::IP is used it should be at least version 0.20; otherwise we
    get problems with HTTP::Daemon::SSL and maybe others (CPAN RT#81932)
  - Spelling corrections
2013-05-14 15:36:29 +01:00
Paul Howarth
37d1376280 Update to 1.88
- New upstream release 1.88
  - Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
    and SSL_cert* - some apps like Net::LDAP use it that way
2013-05-02 11:51:31 +01:00
Paul Howarth
ed46e28bc4 Update to 1.87
- New upstream release 1.87
  - Complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are
    not readable (CPAN RT#84829)
  - Fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
2013-04-25 10:07:55 +01:00
Paul Howarth
7e6deb8ea7 Update to 1.86
- New upstream release 1.86
  - Don't warn about SSL_verify_mode when re-using an existing SSL context
    (CPAN RT#84686)
2013-04-17 15:20:05 +01:00
Paul Howarth
883dd48f04 Fix typo in changelog 2013-04-15 12:57:45 +01:00
Paul Howarth
ff458068d8 Update to 1.85
- New upstream release 1.85
  - Probe for available modules with local __DIE__ and __WARN__handlers
    (CPAN RT#84574)
  - Fix warning, when IO::Socket::IP is installed and inet6 support gets explictly
    requested (CPAN RT#84619)
2013-04-15 11:12:28 +01:00
Paul Howarth
6f7e6bccfa Update to 1.84
- New upstream release 1.84
  - Disabled client side SNI for openssl version < 1.0.0 because of
    CPAN RT#83289
  - Added functions can_client_sni, can_server_sni and can_npn to check
    availability of SNI and NPN features
  - Added more documentation for SNI and NPN
2013-02-16 10:31:38 +00:00
Paul Howarth
9d6d9c7ce8 Update to 1.831
- New upstream release 1.831
  - Separated documention of non-blocking I/O from error handling
  - Changed and documented behavior of readline to return the read data on
    EAGAIN/EWOULDBLOCK in case of non-blocking socket
    (see https://github.com/noxxi/p5-io-socket-ssl/issues/1)
- Bumped release rather than version number to preserve likely upgrade path
  and avoid need for epoch or version number ugliness; may revisit this in
  light of upstream's future version numbering decisions
2013-02-14 10:00:56 +00:00
Paul Howarth
fa7cfc06c7 Update to 1.83
- New upstream release 1.83
  - Server Name Indication (SNI) support on the server side (CPAN RT#82761)
  - Reworked part of the documentation, like providing better examples
2013-02-04 11:46:28 +00:00
Paul Howarth
5e526125f8 Update to 1.82
- New upstream release 1.82
  - sub error sets $SSL_ERROR etc. only if there really is an error; otherwise
    it will keep the latest error, which allows IO::Socket::SSL->new to report
    the correct problem, even if the problem is deeper in the code (like in
    connect)
  - Correct spelling (CPAN RT#82790)
2013-01-28 13:42:38 +00:00
Paul Howarth
98862c2737 Update to 1.81
- New upstream release 1.81
  - Deprecated set_ctx_defaults; new name is set_defaults (the old name is
    still available)
  - Changed handling of default path for SSL_(ca|cert|key)* keys: if one of
    these keys is user defined, don't add defaults for the others, i.e.
    don't mix user settings and defaults
  - Cleaner handling of module defaults vs. global settings vs. socket
    specific settings; global and socket specific settings are both provided
    by the user, while module defaults are not
  - Make IO::Socket::INET6 and IO::Socket::IP specific tests both run, even
    if both modules are installed, by faking a failed load of the other module
- BR: perl(IO::Socket::INET6) and perl(Socket6) unconditionally
2012-12-06 22:57:42 +00:00
Paul Howarth
0c9239ef2c Update to 1.80
- New upstream release 1.80
  - Removed some warnings in test (missing SSL_verify_mode => 0), which caused
    tests to hang on Windows (CPAN RT#81493)
2012-11-30 12:47:19 +00:00
Paul Howarth
4b03cab2e5 Update to 1.79
- New upstream release 1.79
  - Use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort
    from sockaddr in _update_peer, because this provides scope too
  - Work around systems that don't define AF_INET6 (CPAN RT#81216)
  - Prepare transition to a more secure default for SSL_verify_mode; the use of
    the current default SSL_VERIFY_NONE will cause a big warning for clients,
    unless SSL_verify_mode was explicitly set inside the application to this
    insecure value (in the near future the default will be SSL_VERIFY_PEER, and
    thus causing verification failures in unchanged applications)
2012-11-26 09:30:31 +00:00
Petr Šabata
afe37c043b Added some missing build dependencies 2012-11-15 16:10:08 +01:00
Paul Howarth
aee95ecc7b Update to 1.77
- New upstream release 1.77
  - Support _update_peer for IPv6 too (CPAN RT#79916)
2012-10-05 11:04:28 +01:00
Dennis Gilmore
46462b9f96 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-20 11:13:24 -05:00
Petr Písař
8edacfa03a Perl 5.16 rebuild 2012-06-28 16:30:45 +02:00
Paul Howarth
4146886248 Update to 1.76
- New upstream release 1.76
  - Add support for IO::Socket::IP, which supports inet6 and inet4
    (CPAN RT#75218)
  - Fix documentation errors (CPAN RT#77690)
  - Made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
  - Use inet_pton from either Socket.pm 1.95 or Socket6.pm
- Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
- Add runtime dependency for appropriate IPv6 support module so that we can
  ensure that we run at runtime what we tested with at build time
2012-06-18 11:12:47 +01:00
Petr Písař
f4074b9cee Perl 5.16 rebuild 2012-06-14 16:18:52 +02:00
Paul Howarth
600d46f55f Update to 1.74
- New upstream release 1.74
  - Accept a version of SSLv2/3 as SSLv23, because older documentation could
    be interpreted like this
2012-05-14 14:10:36 +01:00
Paul Howarth
7a4ecb3637 Update to 1.73
- New upstream release 1.73
  - Set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
  - Make test t/dhe.t hopefully work with more versions of openssl
2012-05-11 21:52:04 +01:00
Paul Howarth
a5c27d9e75 Update to 1.71
- New upstream release 1.71
  - 1.70 done right: don't disable SSLv2 ciphers; SSLv2 support is better
    disabled by the default SSL_version of 'SSLv23:!SSLv2'
2012-05-09 12:30:57 +01:00
Paul Howarth
0151f675ec Update to 1.70
- New upstream release 1.70
  - Make it possible to disable protocols using SSL_version, and make
    SSL_version default to 'SSLv23:!SSLv2'
2012-05-08 15:56:19 +01:00
Paul Howarth
cf5770db64 Update to 1.69
- New upstream release 1.69 (changes for CPAN RT#76929)
  - If no explicit cipher list is given, default to ALL:!LOW instead of the
    openssl default, which usually includes weak ciphers like DES
  - New config key SSL_honor_cipher_order and document how to use it to fight
    BEAST attack
  - Fix behavior for empty cipher list (use default)
  - Re-added workaround in t/dhe.t
2012-05-08 12:30:01 +01:00
Paul Howarth
04cfd057ef Update to 1.66
- New upstream release 1.66
  - Make it thread safer (CPAN RT#76538)
2012-04-16 21:55:37 +01:00
Paul Howarth
f7be3459a3 Update to 1.65
- New upstream release 1.65
  - Added NPN (Next Protocol Negotiation) support (CPAN RT#76223)
2012-04-16 21:13:40 +01:00
Paul Howarth
126ee08d7b Update to 1.64
- New upstream release 1.64
  - Ignore die from within eval to make tests more stable on Win32
    (CPAN RT#76147)
  - Clarify some behavior regarding hostname verfication
- Drop patch for t/dhe.t, no longer needed
2012-04-07 10:40:17 +01:00
Paul Howarth
25ec10130c Update to 1.62
- New upstream release 1.62
  - Small fix to last version
2012-03-28 09:59:55 +01:00
Paul Howarth
c823e4faca Update to 1.61
- New upstream release 1.61
  - Call CTX_set_session_id_context so that server's session caching works with
    client certificates too (CPAN RT#76053)
2012-03-27 21:19:50 +01:00
Paul Howarth
8d029778df Update to 1.60
- New upstream release 1.60
  - Don't make blocking readline if socket was set nonblocking, but return as
    soon no more data are available (CPAN RT#75910)
  - Fix BUG section about threading so that it shows package as thread safe
    as long as Net::SSLeay ≥ 1.43 is used (CPAN RT#75749)
- BR: perl(constant), perl(Exporter) and perl(IO::Socket)
2012-03-20 22:25:09 +00:00
Paul Howarth
3e7b01b807 Update to 1.59
- New upstream release 1.59
  - If SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message
    when attempting to use it
  - Modify constant declarations so that 5.6.1 should work again
- Drop %defattr, redundant since rpm 4.4
2012-03-08 15:59:47 +00:00
Paul Howarth
99c05d2f9b Update to 1.58
- New upstream release 1.58
  - Fix t/dhe.t for openssl 1.0.1 beta by forcing TLSv1, so that it does not
    complain about the too small RSA key, which it should not use anyway; this
    workaround is not applied for older openssl versions, where it would cause
    failures (CPAN RT#75165)
- Add patch to fiddle the openssl version number in the t/dhe.t workaround
  because the OPENSSL_VERSION_NUMBER cannot be trusted in Fedora
- One buildreq per line for readability
- Drop redundant buildreq perl(Test::Simple)
- Always run full test suite
2012-02-27 11:09:47 +00:00
Paul Howarth
fa689fe3b8 Update to 1.56
- New upstream release 1.56
  - Add automatic or explicit (via SSL_hostname) SNI support, needed for
    multiple SSL hostnames with the same IP (currently only supported for the
    client)
- Use DESTDIR rather than PERL_INSTALL_ROOT
- No need to delete empty directories from buildroot
2012-02-22 21:22:09 +00:00
Paul Howarth
4ac798649d Update to 1.55
- New upstream release 1.55:
  - Work around IO::Socket's work around for systems returning EISCONN etc. on
    connect retry for non-blocking sockets by clearing $! if SUPER::connect
    returned true (CPAN RT#75101)
2012-02-20 16:50:20 +00:00
Paul Howarth
5ceb5a161a Update to 1.54
- New upstream release 1.54:
  - return 0 instead of undef in SSL_verify_callback to fix uninitialized
    warnings (CPAN RT#73629)
2012-01-11 12:56:03 +00:00
Paul Howarth
f032fb52a6 Update to 1.53
- New upstream release 1.53:
  - Kill child in t/memleak_bad_handshake.t if test fails (CPAN RT#73146)
2011-12-12 10:13:39 +00:00
Paul Howarth
f26c71c8d4 Update to 1.52
- New upstream release 1.52:
  - Fix for t/nonblock.t hangs on AIX (CPAN RT#72305)
  - Disable t/memleak_bad_handshake.t on AIX, because it might hang
    (CPAN RT#72170)
  - Fix syntax error in t/memleak_bad_handshake.t
2011-12-07 11:14:08 +00:00
Paul Howarth
edb47ab0e1 Update to 1.49
- New upstream release 1.49:
  - Another regression for readline fix: this time it failed to return lines
    at EOF that don't end with newline - extended t/readline.t to catch this
    case and the fix for 1.48
2011-10-28 12:38:35 +01:00
Paul Howarth
fa11cf0c50 Update to 1.48
- New upstream release 1.48:
  - Further fix for readline fix in 1.45: if the pending data were false (like
    '0'), it failed to read the rest of the line (CPAN RT#71953)
2011-10-26 19:44:56 +01:00