Commit Graph

228 Commits

Author SHA1 Message Date
Paul Howarth
ae85d4e223 Fix FTBFS with OpenSSL 1.1.1e
https://github.com/noxxi/p5-io-socket-ssl/issues/93
2020-03-21 18:39:52 +00:00
Paul Howarth
abf3820637 Update to 2.067
- New upstream release 2.067
  - Fix memory leak on incomplete handshake (GH#92)
  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
    can decrease memory usage at the costs of more allocations (CPAN RT#129463)
  - More detailed error messages when loading of certificate file failed (GH#89)
  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
  - Fix warning when no ecdh support is available
  - Documentation update regarding use of select and TLS 1.3
  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
  - Stability fix for t/core.t
2020-02-15 15:11:21 +00:00
Petr Písař
ca903e6de7 Conditionalize a test dependency on IO::Socket::INET6 2020-02-13 15:49:10 +01:00
Petr Písař
bac36bfb85 Conditionalize a test dependency on Net::IDN::Encode and Net::LibIDN
Because this package run-requires URI::_idna,
IO::Socket:SSL::PublicSuffix library won't use the two modules and
thus testing a code path for them is questionable.  The condition
allows to prune a dependency chain somewhat.
2020-02-13 15:17:03 +01:00
Paul Howarth
2a35642cbc Don't package certificates used in test suite 2020-01-30 15:22:42 +00:00
Fedora Release Engineering
48cc1a3489 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-30 01:13:31 +00:00
Petr Písař
2ad02b78ad Default to PROFILE=SYSTEM cipher list
An OpenSSL identifier for a system-wide cryptopolicy cipher list is
"PROFILE=SYSTEM". "DEFAULT" is a different list.

<https://fedoraproject.org/wiki/Packaging:CryptoPolicies#C.2FC.2B.2B_applications>
2019-11-25 12:18:23 +01:00
Fedora Release Engineering
3932ca2980 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-26 03:50:49 +00:00
Paul Howarth
d7c2f49e0f Modernize spec
- Modernize spec using %{make_build} and %{make_install}
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP ≥ 0.31
- Always require preferred IDN back-end: URI::_idna
2019-06-27 12:30:15 +01:00
Paul Howarth
030559c4b0 PublicSuffix.pm is licensed MPLv2.0 (#1724169) 2019-06-26 16:05:42 +01:00
Petr Písař
a2fab409c1 Skip a PHA test if Net::SSLeay does not expose the PHA 2019-06-17 09:35:43 +02:00
Jitka Plesnikova
e271cbabf5 Perl 5.30 rebuild 2019-05-31 06:53:21 +02:00
Paul Howarth
6e3c20c758 Update to 2.066
- New upstream release 2.066
  - Make sure that Net::SSLeay::CTX_get0_param is defined before using
    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
    LibreSSL 2.7.4 but not the first (CPAN RT#=128716)
  - Prefer AES for server side cipher default since it is usually
    hardware-accelerated
  - Fix test t/verify_partial_chain.t by using the newly exposed function
    can_partial_chain instead of guessing (wrongly) if the functionality is
    available
2019-03-06 19:49:53 +00:00
Paul Howarth
b66fffb029 Update to 2.064
- New upstream release 2.064
  - Make algorithm for fingerprint optional, i.e. detect based on length of
    fingerprint (CPAN RT#127773)
  - Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
  - Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
    set
  - Update fingerprints for live tests
2019-03-04 16:28:53 +00:00
Paul Howarth
536e7cbbbc Update to 2.063
- New upstream release 2.063
  - Support for both RSA and ECDSA certificate on same domain
  - Update PublicSuffix
  - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
    then linked against another API-incompatible version (i.e. more than just
    the patchlevel differs)
2019-03-02 15:25:22 +00:00
Paul Howarth
ee2bb1ed57 Update to 2.062
- New upstream release 2.062
  - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
    OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
    in the trust store be usable as full trust anchors too
2019-02-25 13:43:35 +00:00
Paul Howarth
62e054c052 Update to 2.061
- New upstream release 2.061
  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
    the previous (and undocumented) API for the session cache has been changed
  - Support for multiple curves, automatic setting of curves and setting of
    supported curves in client (needs Net::SSLeay ≥ 1.86)
  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
    client certificates are provided (needs Net::SSLeay ≥ 1.86)
2019-02-23 12:45:00 +00:00
Petr Písař
ddedb553a3 Document Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch was accepted
And correct white spaces in a spec file.
2019-02-22 08:50:38 +01:00
Petr Písař
d0ff533e0b Client sends a post-handshake-authentication extension if a client key and a certificate are available 2019-02-11 08:25:20 +01:00
Fedora Release Engineering
0d52c79ea1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 21:28:50 +00:00
Petr Písař
84d112eedf Correct white spaces in the spec file 2018-09-24 13:45:57 +02:00
Petr Písař
4f1fe6009e Prevent tests from dying on SIGPIPE
Tests randomly fail with bad plan because TCP server receives SIGPIPE.
Reported in
<https://rt.cpan.org/Public/Bug/Display.html?id=126899#txn-1810152>,
I can reproduce it with "while (prove -l); do :; done". Koschei also
spotted it <https://apps.fedoraproject.org/koschei/build/5430532>.
Upstream fix is applied.
2018-09-24 13:34:34 +02:00
Paul Howarth
948f20ded6 Update to 2.060
- New upstream release 2.060
  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
    see also CPAN RT#126899
  - TLS 1.3 support is not complete yet for session resume
2018-09-17 15:59:10 +01:00
Petr Písař
e2609f60d1 Adapt to OpenSSL 1.1.1
This is not a full support. It only makes the tests passing.
Especially it does not document TLSv1.3 support and it does not
support explicit session resumption in TLSv1.3.

To pass the tests with openssl-1.1.1 it requires patched
perl-Net-SSLeay >= 1.85-7.fc29. But it also works with older openssl
regardless of perl-Net-SSLeay. Thus I did not add a dependency on an
explicit perl-Net-SSLeay release.
2018-08-21 17:21:44 +02:00
Paul Howarth
14f244955b Update to 2.059
- New upstream release 2.059
  - Fix memory leak when CRLs are used (CPAN RT#125867)
  - Fix memory leak when using stop_SSL and threads
    (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
2018-08-16 11:57:21 +01:00
Paul Howarth
23e698433c Update to 2.058
- New upstream release 2.058
  - Fix memory leak that occured with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
    number or callback to create serial number based on the original certificate
  - New function get_session_reused to check if a session got reused
  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
    value
  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
    expects the extKeyUsage of clientAuth in the client cert also to be allowed
    by the CA if CA uses extKeyUsage
2018-07-19 10:19:21 +01:00
Fedora Release Engineering
bb12c5ada9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 17:57:01 +00:00
Jitka Plesnikova
0def8ec847 Perl 5.28 rebuild 2018-06-28 14:00:51 +02:00
Petr Písař
dbc392e760 cpan.org addresses moved to MetaCPAN <https://fedoraproject.org/wiki/Changes/Perl_Move_to_MetaCPAN> 2018-06-04 14:44:49 +02:00
Paul Howarth
da2796e619 Update to 2.056
- New upstream release 2.056
  - Intercept: Fix creation of serial number (basing it on binary digest
    instead of treating hex fingerprint as binary), allow use of own serial
    numbers again
  - t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
  - Update PublicSuffix
2018-02-19 15:18:27 +00:00
Paul Howarth
9da01c1dfd Update to 2.055
- New upstream release 2.055
  - Use SNI also if hostname was given all-uppercase
  - Utils::CERT_create: Don't add authority key for issuer since Chrome does
    not like this
  - Intercept:
    - Change behavior of code-based cache to better support synchronizing
      within multiprocess/threaded set-ups
    - Don't use counter for serial number but somehow base it on original
      certificate in order to avoid conflicts with reuse of serial numbers
      after restart
  - Better support platforms without IPv6 (CPAN RT#124431)
  - Spelling fixes in documentation (CPAN RT#124306)
2018-02-15 15:08:47 +00:00
Fedora Release Engineering
bf41694601 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 21:59:54 +00:00
Paul Howarth
6d1cc77223 Update to 2.054
- New upstream release 2.054
  - Small behavior fixes
    - If SSL_fingerprint is used and matches, don't check for OCSP
    - Utils::CERT_create: Small fixes to properly specific purpose, ability to
      use predefined complex purpose but disable some features
  - Update PublicSuffix
  - Updates for documentation, especially regarding pitfalls with forking or
    using non-blocking sockets, spelling fixes
  - Test fixes and improvements
    - Stability improvements for live tests
    - Regenerate certificates in certs/ and make sure they are limited to the
      correct purpose; check in program used to generate certificates
    - Adjust tests since certificates have changed and some tests used
      certificates intended for client authentication as server certificates,
      which now no longer works
2018-01-22 11:54:36 +00:00
Paul Howarth
1a5e9cfa4d Update to 2.052
- New upstream release 2.052
  - Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
    the functions with dummies instead of removing NPN completly or setting
    OPENSSL_NO_NEXTPROTONEG
  - t/01loadmodule.t shows more output helpful in debugging problems
  - Update fingerprints for external tests
  - Update documentation to make behavior of syswrite more clear
2017-10-23 18:59:32 +01:00
Paul Howarth
7481a58e0f Update to 2.051
- New upstream release 2.051
  - syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
    OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
    (GH#62)
2017-09-05 16:12:26 +01:00
Paul Howarth
bcc0f35452 Update to 2.050
- New upstream release 2.050
  - Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
    supported, as is the case with openssl versions in latest Debian (buster)
2017-08-18 09:50:09 +01:00
Fedora Release Engineering
2b6a4ffa38 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 04:26:31 +00:00
Petr Písař
a8625908ab perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 15:03:19 +02:00
Paul Howarth
0127aa728a Update to 2.049
- New upstream release 2.049
  - Fixed problem caused by typo in the context of session cache (GH#60)
  - Updated PublicSuffix information from publicsuffix.org
2017-06-12 12:02:37 +01:00
Jitka Plesnikova
90d774a9f6 Perl 5.26 rebuild 2017-06-05 03:44:39 +02:00
Paul Howarth
f6474dbc1b Update to 2.048
- New upstream release 2.048
  - Fixed small memory leaks during destruction of socket and context
    (CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %install section
  - Drop explicit %clean section
2017-04-17 12:58:53 +01:00
Paul Howarth
d3f2356cc9 Update to 2.047
- New upstream release 2.047
  - Better fix for problem which 2.046 tried to fix but broke LWP that way
- Update patches as needed
2017-02-17 08:17:43 +00:00
Paul Howarth
259846ffa3 Update to 2.046
- New upstream release 2.046
  - Clean up everything in DESTROY and make sure to start with a fresh
    %%{*self} in configure_SSL because it can happen that a GLOB gets used
    again without calling DESTROY
    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
2017-02-16 18:11:06 +00:00
Paul Howarth
46a5435ffc Update to 2.045
- New upstream release 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed
2017-02-14 11:52:13 +00:00
Fedora Release Engineering
88d911cebb - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-11 03:37:01 +00:00
Paul Howarth
157e4fc48f Update to 2.044
- New upstream release 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause less problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
2017-01-26 15:59:38 +00:00
Paul Howarth
6a30f8ffc4 Update to 2.043
- New upstream release 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed
2017-01-06 14:34:50 +00:00
Paul Howarth
c290ff8f5b Update to 2.041
- New upstream release 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed
2017-01-04 11:25:36 +00:00
Paul Howarth
a6f663d8ce Update to 2.040
- New upstream release 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
2016-12-18 12:18:04 +00:00
Paul Howarth
48b55376ef Update to 2.039
- New upstream release 2.039
  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
    on EOF without proper SSL shutdown; since it looks like that this behavior
    will be kept at least for 1.1.1+, adapt to the changed API by treating
    errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed
2016-11-21 09:38:46 +00:00