- New upstream release 2.081
- New function set_msg_callback for user defined callback on each SSL message
- Showcase function in example/ssl_client.pl and example/ssl_server.pl for
computing JA3S/JA3 fingerprints
- Fix tracing added in 2.076 to no longer include SSL3_RT_HEADER (noise)
- New upstream release 2.078
- Revert decision from 2014 to not verify hostname by default if hostname is
IP address but no explicit verification scheme given (GH#121)
- New upstream release 2.075
- Treat SSL_write returning 0 same as previously -1, as suggested by both
OpenSSL and LibreSSL documentation
- Propagate error from SSL_shutdown, unless the shutdown is caused by an outer
SSL error, in which case keep the original error
- Small test fixes
- Use SPDX-format license tag
- New upstream release 2.074
- Add SSL_ciphersuites option for TLS 1.3 ciphers
- No longer use own default for ciphers: instead, use system default but
disable some weak ciphers that might still be enabled on older systems
- New upstream release 2.072
- Add PEM_certs2file and PEM_file2certs in IO::Socket::SSL::Utils based on
idea in GH#101
- certs/*.p12 used for testing should now work with OpenSSL 3.0 too (GH#108)
- Update public suffix database
- Drop patch for building with OpenSSL 1.1.1e
- New upstream release 2.069
- IO::Socket::Utils CERT_asHash and CERT_create now support subject and
issuer with multiple same parts (like multiple OU); in this case an array
ref instead of a scalar is used as hash value (GH#95)
- New upstream release 2.067
- Fix memory leak on incomplete handshake (GH#92)
- Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
can decrease memory usage at the costs of more allocations (CPAN RT#129463)
- More detailed error messages when loading of certificate file failed (GH#89)
- Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
- Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- Fix warning when no ecdh support is available
- Documentation update regarding use of select and TLS 1.3
- Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
- Stability fix for t/core.t
Because this package run-requires URI::_idna,
IO::Socket:SSL::PublicSuffix library won't use the two modules and
thus testing a code path for them is questionable. The condition
allows to prune a dependency chain somewhat.
- New upstream release 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#=128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
- New upstream release 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
- New upstream release 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
- New upstream release 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
- New upstream release 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
- New upstream release 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
see also CPAN RT#126899
- TLS 1.3 support is not complete yet for session resume
This is not a full support. It only makes the tests passing.
Especially it does not document TLSv1.3 support and it does not
support explicit session resumption in TLSv1.3.
To pass the tests with openssl-1.1.1 it requires patched
perl-Net-SSLeay >= 1.85-7.fc29. But it also works with older openssl
regardless of perl-Net-SSLeay. Thus I did not add a dependency on an
explicit perl-Net-SSLeay release.
