Commit Graph

92 Commits

Author SHA1 Message Date
Paul Howarth
cb6319f8b2 Update to 1.968
- New upstream release 1.968
  - BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
    for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file; these
    defaults were deprecated since 1.951 (July 2013)
  - Usable CA verification path on Windows etc.:
    - Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
      system/build dependent default verification path, because there was no
      way to retrieve these default values and check if they contained usable
      CA
    - Instead, re-implement the same algorithm and export the results with
      public function default_ca() and make it possible to overwrite it
    - Also check for usable verification path during build; if no usable path
      is detected, require Mozilla::CA at build and try to use it at runtime
2014-03-13 13:28:41 +00:00
Paul Howarth
961f407eff Update to 1.967
- New upstream release 1.967
  - Verify the hostname inside a certificate by default with a superset of
    common verification schemes instead of not verifying identity at all; for
    now it will only complain if name verification failed but in the future it
    will fail certificate verification, forcing you to set the expected
    SSL_verifycn_name if you want to accept the certificate
  - New option SSL_fingerprint and new methods get_fingerprint and
    get_fingerprint_bin; together they can be used to selectively accept
    specific certificates that would otherwise fail verification, like
    self-signed, outdated or from unknown CAs
  - Utils:
    - Default RSA key length 2048
    - Digest algorithm to sign certificate in CERT_create can be given;
      defaults to SHA-256
    - CERT_create can now issue non-CA self-signed certificate
    - CERT_create add some more useful constraints to certificate
  - Spelling fixes
2014-02-07 15:58:48 +00:00
Paul Howarth
5821112cbb Update to 1.966
- New upstream release 1.966
  - Fixed bug introduced in 1.964 - disabling TLSv1_2 no longer worked by
    specifying !TLSv12; only !TLSv1_2 worked
  - Fixed leak of session objects in SessionCache, if another session
    replaced an existing session (introduced in 1.965)
2014-01-22 12:27:31 +00:00
Paul Howarth
eec47bfccf Update to 1.965
- New upstream release 1.965
  - New key SSL_session_key to influence how sessions are inserted and looked
    up in the client's session cache, which makes it possible to share sessions
    over different ip:host (as is required with some FTPS servers)
  - t/core.t - handle case where default loopback source is not 127.0.0.1, like
    in FreeBSD jails
2014-01-17 16:29:16 +00:00
Paul Howarth
158d58aeae Update to 1.964
- New upstream release 1.964
  - Disabling TLSv1_1 did not work, because the constant was wrong; now it gets
    the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc.
  - The new syntax for the protocols is TLSv1_1 instead of TLSv11, which matches
    the syntax from OpenSSL (the old syntax continues to work in SSL_version)
  - New functions get_sslversion and get_sslversion_int, which get the SSL
    version of the established session as string or int
  - Disable t/io-socket-inet6.t if Acme::Override::INET is installed
2014-01-15 18:29:51 +00:00
Paul Howarth
d661fc4239 Update to 1.963
- New upstream release 1.963
  - Fix behavior of stop_SSL: for blocking sockets it now enough to call it
    once, for non-blocking it should be called again as long as EAGAIN and
    SSL_ERROR is set to SSL_WANT_(READ|WRITE)
  - Don't call blocking if start_SSL failed and downgraded socket has no
    blocking method
  - Documentation enhancements:
    - Special section for differences to IO::Socket
    - Describe problem with blocking accept on non-blocking socket
    - Describe arguments to new_from_fd and make clear that for upgrading an
      existing IO::Socket, start_SSL should be used directly
2014-01-14 14:24:20 +00:00
Paul Howarth
e46dec335a Update to 1.962
- New upstream release 1.962
  - Work around problems with older F5 BIG-IP by offering fewer ciphers on the
    client side by default, so that the client hello stays below 255 bytes
2013-11-28 14:10:43 +00:00
Paul Howarth
c150007ab9 Update to 1.961
- New upstream release 1.961
  - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates that
    are not self-signed (by giving issuer_*)
2013-11-26 15:55:35 +00:00
Paul Howarth
3a84e894f4 Update to 1.960
- New upstream release 1.960
  - Only documentation enhancements:
    - Clarify with text and example code, that within event loops not only
      select/poll should be used, but also pending has to be called
    - Better introduction into SSL; at least mention anonymous authentication as
      something you don't want and should take care with the right cipher
    - Make it more clear that it's better not to change the cipher list unless
      you really know what you're doing
- Adopt upstream's versioning scheme
2013-11-13 11:09:07 +00:00
Paul Howarth
08097c42a8 Update to 1.959
- New upstream release 1.959
  - Fix test t/core.t for Windows
2013-11-12 21:53:16 +00:00
Paul Howarth
90171d5ffc Update to 1.958
- New upstream release 1.958
  Lots of behavior changes for more secure defaults:
  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
    - No longer support MD5 by default (broken)
    - No longer support anonymous authentication by default (vulnerable to
      man in the middle attacks)
    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
      that it uses by default forward secrecy, if underlying
      Net::SSLeay/openssl supports it
    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
      hopefully have been fixed and now RC4 is considered less safe than 3DES)
    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
      to get the best cipher even if the client prefers other ciphers; PLEASE
      NOTE that this might break connections with older, less secure
      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
    and thus gets reused if context gets reused; PLEASE NOTE that using
    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
    the ciphers of the context
  - Rework hostname verification schemes:
    - Add RFC names as scheme (e.g. 'rfc2818', ...)
    - Add SIP, SNMP, syslog, netconf, GIST
    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
    'www2' etc.  but not 'www'
  - Anywhere wildcards like x* are no longer applied to IDNA names (which start
    with 'xn--')
  - Fix crash of Utils::CERT_free
  - Support TLSv11, TLSv12 as handshake protocols
  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
    authorization; with the DH param given by default since 1.956, old versions
    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
    authorization) instead of AES256-SHA and thus the check for the peer
    certificate failed (because ADH does not exchange certificates) - fixed by
    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
  - Cleaned up tests:
    - Remove ssl_settings.req and 02settings.t, because all tests now create a
      simple socket at 127.0.0.1 and thus global settings are no longer needed
    - Some tests did not have use strict(!); fixed it
    - Removed special handling for older Net::SSLeay versions that are less
      than our minimum requirement
    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
      options where they were not really needed
  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
    least version 2.55 which is now 5 years old
  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
2013-11-11 20:24:58 +00:00
Paul Howarth
ead705628a Update to 1.955
- New upstream release 1.955
  - Support for perfect forward secrecy using ECDH, if the Net::SSLeay version
    supports it
2013-10-11 22:01:07 +01:00
Paul Howarth
3fb0dd63d6 Update to 1.954
- New upstream release 1.954
  - Accept older versions of ExtUtils::MakeMaker and add meta information like
    link to repository only for newer versions
2013-09-15 21:17:10 +01:00
Paul Howarth
a974477abe Update to 1.953
- New upstream release 1.953
  - Precedence fixes for IO::Socket::SSL::Utils (CPAN RT#87052)
2013-07-22 11:30:22 +01:00
Paul Howarth
263c00b81a Update to 1.952
- New upstream release 1.952
  - Fix t/acceptSSL-timeout.t on Win32 (CPAN RT#86862)
2013-07-12 11:08:57 +01:00
Paul Howarth
5289b4544b Update to 1.951
- New upstream release 1.951
  (1.950)
  - MAJOR BEHAVIOR CHANGE:
    - ssl_verify_mode now defaults to verify_peer for client
    - Previously it used verify_none, but loudly complained since 1.79 about it
    - It will not complain any longer, but the connection will probably fail
    - Please don't simply disable ssl verification; instead, set SSL_ca_file
      etc. so that verification succeeds!
  - MAJOR BEHAVIOR CHANGE:
    - It will now complain if the built-in defaults of certs/my-ca.pem or ca/
      for CA and certs/{server,client}-{key,cert}.pem for cert and key are
      used, i.e. no certificates are specified explicitly
    - In the future these insecure (relative path!) defaults will be removed
      and the CA replaced with the system defaults
  (1.951)
  - Use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's built-in
    defaults for CA unless CA path/file was given (or IO::Socket::SSL built-ins
    used)
2013-07-03 13:04:57 +01:00
Paul Howarth
4b2baf4c09 Update to 1.94
- New upstream release 1.94
  - Makefile.PL reported wrong version of openssl if Net::SSLeay was not
    installed, instead of reporting a missing dependency of Net::SSLeay
2013-06-01 18:27:54 +01:00
Paul Howarth
3ed72db8d2 Update to 1.93
- New upstream release 1.93
  - Need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
    years ago; remove code to work around older releases
  - Changed AUTHOR in Makefile.PL from array back to string, because the array
    feature is not available in MakeMaker shipped with 5.8.9 (CPAN RT#85739)
- Set openssl version requirement to 0.9.8
- Drop ExtUtils::MakeMaker version requirement back to 6.46
2013-05-31 13:33:10 +01:00
Paul Howarth
476a8b5c3b Update to 1.92
- New upstream release 1.92
  - Intercept: use sha1-fingerprint of original cert for id into cache unless
    otherwise given
  - Fix pod error in IO::Socket::SSL::Utils (CPAN RT#85733)
2013-05-30 22:10:57 +01:00
Paul Howarth
9a569c9417 Update to 1.91
- New upstream release 1.91
  - Added IO::Socket::SSL::Utils for easier manipulation of certificates and
    keys
  - Moved SSL interception into IO::Socket::SSL::Intercept and simplified it
    using IO::Socket::SSL::Utils
  - Enhance meta information in Makefile.PL
- Bump openssl version requirement to 0.9.8a
- Need at least version 6.58 of ExtUtils::MakeMaker (CPAN RT#85739)
2013-05-30 21:10:19 +01:00
Paul Howarth
805af9d5bf Update to 1.90
- New upstream release 1.90
  - Support more digests, especially SHA-2 (CPAN RT#85290)
  - Added support for easy SSL interception (man in the middle) based on ideas
    found in mojo-mitm proxy
  - Make 1.46 the minimal required version for Net::SSLeay, because it
    introduced lots of useful functions
- BR:/R: openssl ≥ 0.9.7e for P_ASN1_TIME_(get,set)_isotime in Net::SSLeay
2013-05-29 22:14:04 +01:00
Paul Howarth
2f01417e72 Update to 1.89
- New upstream release 1.89
  - If IO::Socket::IP is used it should be at least version 0.20; otherwise we
    get problems with HTTP::Daemon::SSL and maybe others (CPAN RT#81932)
  - Spelling corrections
2013-05-14 15:36:29 +01:00
Paul Howarth
37d1376280 Update to 1.88
- New upstream release 1.88
  - Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
    and SSL_cert* - some apps like Net::LDAP use it that way
2013-05-02 11:51:31 +01:00
Paul Howarth
ed46e28bc4 Update to 1.87
- New upstream release 1.87
  - Complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are
    not readable (CPAN RT#84829)
  - Fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
2013-04-25 10:07:55 +01:00
Paul Howarth
7e6deb8ea7 Update to 1.86
- New upstream release 1.86
  - Don't warn about SSL_verify_mode when re-using an existing SSL context
    (CPAN RT#84686)
2013-04-17 15:20:05 +01:00
Paul Howarth
ff458068d8 Update to 1.85
- New upstream release 1.85
  - Probe for available modules with local __DIE__ and __WARN__handlers
    (CPAN RT#84574)
  - Fix warning, when IO::Socket::IP is installed and inet6 support gets explictly
    requested (CPAN RT#84619)
2013-04-15 11:12:28 +01:00
Paul Howarth
6f7e6bccfa Update to 1.84
- New upstream release 1.84
  - Disabled client side SNI for openssl version < 1.0.0 because of
    CPAN RT#83289
  - Added functions can_client_sni, can_server_sni and can_npn to check
    availability of SNI and NPN features
  - Added more documentation for SNI and NPN
2013-02-16 10:31:38 +00:00
Paul Howarth
9d6d9c7ce8 Update to 1.831
- New upstream release 1.831
  - Separated documention of non-blocking I/O from error handling
  - Changed and documented behavior of readline to return the read data on
    EAGAIN/EWOULDBLOCK in case of non-blocking socket
    (see https://github.com/noxxi/p5-io-socket-ssl/issues/1)
- Bumped release rather than version number to preserve likely upgrade path
  and avoid need for epoch or version number ugliness; may revisit this in
  light of upstream's future version numbering decisions
2013-02-14 10:00:56 +00:00
Paul Howarth
fa7cfc06c7 Update to 1.83
- New upstream release 1.83
  - Server Name Indication (SNI) support on the server side (CPAN RT#82761)
  - Reworked part of the documentation, like providing better examples
2013-02-04 11:46:28 +00:00
Paul Howarth
5e526125f8 Update to 1.82
- New upstream release 1.82
  - sub error sets $SSL_ERROR etc. only if there really is an error; otherwise
    it will keep the latest error, which allows IO::Socket::SSL->new to report
    the correct problem, even if the problem is deeper in the code (like in
    connect)
  - Correct spelling (CPAN RT#82790)
2013-01-28 13:42:38 +00:00
Paul Howarth
98862c2737 Update to 1.81
- New upstream release 1.81
  - Deprecated set_ctx_defaults; new name is set_defaults (the old name is
    still available)
  - Changed handling of default path for SSL_(ca|cert|key)* keys: if one of
    these keys is user defined, don't add defaults for the others, i.e.
    don't mix user settings and defaults
  - Cleaner handling of module defaults vs. global settings vs. socket
    specific settings; global and socket specific settings are both provided
    by the user, while module defaults are not
  - Make IO::Socket::INET6 and IO::Socket::IP specific tests both run, even
    if both modules are installed, by faking a failed load of the other module
- BR: perl(IO::Socket::INET6) and perl(Socket6) unconditionally
2012-12-06 22:57:42 +00:00
Paul Howarth
0c9239ef2c Update to 1.80
- New upstream release 1.80
  - Removed some warnings in test (missing SSL_verify_mode => 0), which caused
    tests to hang on Windows (CPAN RT#81493)
2012-11-30 12:47:19 +00:00
Paul Howarth
4b03cab2e5 Update to 1.79
- New upstream release 1.79
  - Use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort
    from sockaddr in _update_peer, because this provides scope too
  - Work around systems that don't define AF_INET6 (CPAN RT#81216)
  - Prepare transition to a more secure default for SSL_verify_mode; the use of
    the current default SSL_VERIFY_NONE will cause a big warning for clients,
    unless SSL_verify_mode was explicitly set inside the application to this
    insecure value (in the near future the default will be SSL_VERIFY_PEER, and
    thus causing verification failures in unchanged applications)
2012-11-26 09:30:31 +00:00
Paul Howarth
aee95ecc7b Update to 1.77
- New upstream release 1.77
  - Support _update_peer for IPv6 too (CPAN RT#79916)
2012-10-05 11:04:28 +01:00
Paul Howarth
4146886248 Update to 1.76
- New upstream release 1.76
  - Add support for IO::Socket::IP, which supports inet6 and inet4
    (CPAN RT#75218)
  - Fix documentation errors (CPAN RT#77690)
  - Made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
  - Use inet_pton from either Socket.pm 1.95 or Socket6.pm
- Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
- Add runtime dependency for appropriate IPv6 support module so that we can
  ensure that we run at runtime what we tested with at build time
2012-06-18 11:12:47 +01:00
Paul Howarth
600d46f55f Update to 1.74
- New upstream release 1.74
  - Accept a version of SSLv2/3 as SSLv23, because older documentation could
    be interpreted like this
2012-05-14 14:10:36 +01:00
Paul Howarth
7a4ecb3637 Update to 1.73
- New upstream release 1.73
  - Set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
  - Make test t/dhe.t hopefully work with more versions of openssl
2012-05-11 21:52:04 +01:00
Paul Howarth
a5c27d9e75 Update to 1.71
- New upstream release 1.71
  - 1.70 done right: don't disable SSLv2 ciphers; SSLv2 support is better
    disabled by the default SSL_version of 'SSLv23:!SSLv2'
2012-05-09 12:30:57 +01:00
Paul Howarth
0151f675ec Update to 1.70
- New upstream release 1.70
  - Make it possible to disable protocols using SSL_version, and make
    SSL_version default to 'SSLv23:!SSLv2'
2012-05-08 15:56:19 +01:00
Paul Howarth
cf5770db64 Update to 1.69
- New upstream release 1.69 (changes for CPAN RT#76929)
  - If no explicit cipher list is given, default to ALL:!LOW instead of the
    openssl default, which usually includes weak ciphers like DES
  - New config key SSL_honor_cipher_order and document how to use it to fight
    BEAST attack
  - Fix behavior for empty cipher list (use default)
  - Re-added workaround in t/dhe.t
2012-05-08 12:30:01 +01:00
Paul Howarth
04cfd057ef Update to 1.66
- New upstream release 1.66
  - Make it thread safer (CPAN RT#76538)
2012-04-16 21:55:37 +01:00
Paul Howarth
f7be3459a3 Update to 1.65
- New upstream release 1.65
  - Added NPN (Next Protocol Negotiation) support (CPAN RT#76223)
2012-04-16 21:13:40 +01:00
Paul Howarth
126ee08d7b Update to 1.64
- New upstream release 1.64
  - Ignore die from within eval to make tests more stable on Win32
    (CPAN RT#76147)
  - Clarify some behavior regarding hostname verfication
- Drop patch for t/dhe.t, no longer needed
2012-04-07 10:40:17 +01:00
Paul Howarth
25ec10130c Update to 1.62
- New upstream release 1.62
  - Small fix to last version
2012-03-28 09:59:55 +01:00
Paul Howarth
c823e4faca Update to 1.61
- New upstream release 1.61
  - Call CTX_set_session_id_context so that server's session caching works with
    client certificates too (CPAN RT#76053)
2012-03-27 21:19:50 +01:00
Paul Howarth
8d029778df Update to 1.60
- New upstream release 1.60
  - Don't make blocking readline if socket was set nonblocking, but return as
    soon no more data are available (CPAN RT#75910)
  - Fix BUG section about threading so that it shows package as thread safe
    as long as Net::SSLeay ≥ 1.43 is used (CPAN RT#75749)
- BR: perl(constant), perl(Exporter) and perl(IO::Socket)
2012-03-20 22:25:09 +00:00
Paul Howarth
3e7b01b807 Update to 1.59
- New upstream release 1.59
  - If SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message
    when attempting to use it
  - Modify constant declarations so that 5.6.1 should work again
- Drop %defattr, redundant since rpm 4.4
2012-03-08 15:59:47 +00:00
Paul Howarth
99c05d2f9b Update to 1.58
- New upstream release 1.58
  - Fix t/dhe.t for openssl 1.0.1 beta by forcing TLSv1, so that it does not
    complain about the too small RSA key, which it should not use anyway; this
    workaround is not applied for older openssl versions, where it would cause
    failures (CPAN RT#75165)
- Add patch to fiddle the openssl version number in the t/dhe.t workaround
  because the OPENSSL_VERSION_NUMBER cannot be trusted in Fedora
- One buildreq per line for readability
- Drop redundant buildreq perl(Test::Simple)
- Always run full test suite
2012-02-27 11:09:47 +00:00
Paul Howarth
fa689fe3b8 Update to 1.56
- New upstream release 1.56
  - Add automatic or explicit (via SSL_hostname) SNI support, needed for
    multiple SSL hostnames with the same IP (currently only supported for the
    client)
- Use DESTDIR rather than PERL_INSTALL_ROOT
- No need to delete empty directories from buildroot
2012-02-22 21:22:09 +00:00
Paul Howarth
4ac798649d Update to 1.55
- New upstream release 1.55:
  - Work around IO::Socket's work around for systems returning EISCONN etc. on
    connect retry for non-blocking sockets by clearing $! if SUPER::connect
    returned true (CPAN RT#75101)
2012-02-20 16:50:20 +00:00