Commit Graph

216 Commits

Author SHA1 Message Date
Petr Písař
e2609f60d1 Adapt to OpenSSL 1.1.1
This is not a full support. It only makes the tests passing.
Especially it does not document TLSv1.3 support and it does not
support explicit session resumption in TLSv1.3.

To pass the tests with openssl-1.1.1 it requires patched
perl-Net-SSLeay >= 1.85-7.fc29. But it also works with older openssl
regardless of perl-Net-SSLeay. Thus I did not add a dependency on an
explicit perl-Net-SSLeay release.
2018-08-21 17:21:44 +02:00
Paul Howarth
14f244955b Update to 2.059
- New upstream release 2.059
  - Fix memory leak when CRLs are used (CPAN RT#125867)
  - Fix memory leak when using stop_SSL and threads
    (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
2018-08-16 11:57:21 +01:00
Paul Howarth
23e698433c Update to 2.058
- New upstream release 2.058
  - Fix memory leak that occured with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
    number or callback to create serial number based on the original certificate
  - New function get_session_reused to check if a session got reused
  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
    value
  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
    expects the extKeyUsage of clientAuth in the client cert also to be allowed
    by the CA if CA uses extKeyUsage
2018-07-19 10:19:21 +01:00
Fedora Release Engineering
bb12c5ada9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 17:57:01 +00:00
Jitka Plesnikova
0def8ec847 Perl 5.28 rebuild 2018-06-28 14:00:51 +02:00
Petr Písař
dbc392e760 cpan.org addresses moved to MetaCPAN <https://fedoraproject.org/wiki/Changes/Perl_Move_to_MetaCPAN> 2018-06-04 14:44:49 +02:00
Paul Howarth
da2796e619 Update to 2.056
- New upstream release 2.056
  - Intercept: Fix creation of serial number (basing it on binary digest
    instead of treating hex fingerprint as binary), allow use of own serial
    numbers again
  - t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
  - Update PublicSuffix
2018-02-19 15:18:27 +00:00
Paul Howarth
8f2d1aa851 IO-Socket-SSL-2.055.tar.gz 2018-02-16 12:30:20 +00:00
Paul Howarth
9da01c1dfd Update to 2.055
- New upstream release 2.055
  - Use SNI also if hostname was given all-uppercase
  - Utils::CERT_create: Don't add authority key for issuer since Chrome does
    not like this
  - Intercept:
    - Change behavior of code-based cache to better support synchronizing
      within multiprocess/threaded set-ups
    - Don't use counter for serial number but somehow base it on original
      certificate in order to avoid conflicts with reuse of serial numbers
      after restart
  - Better support platforms without IPv6 (CPAN RT#124431)
  - Spelling fixes in documentation (CPAN RT#124306)
2018-02-15 15:08:47 +00:00
Fedora Release Engineering
bf41694601 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 21:59:54 +00:00
Paul Howarth
6d1cc77223 Update to 2.054
- New upstream release 2.054
  - Small behavior fixes
    - If SSL_fingerprint is used and matches, don't check for OCSP
    - Utils::CERT_create: Small fixes to properly specific purpose, ability to
      use predefined complex purpose but disable some features
  - Update PublicSuffix
  - Updates for documentation, especially regarding pitfalls with forking or
    using non-blocking sockets, spelling fixes
  - Test fixes and improvements
    - Stability improvements for live tests
    - Regenerate certificates in certs/ and make sure they are limited to the
      correct purpose; check in program used to generate certificates
    - Adjust tests since certificates have changed and some tests used
      certificates intended for client authentication as server certificates,
      which now no longer works
2018-01-22 11:54:36 +00:00
Paul Howarth
1a5e9cfa4d Update to 2.052
- New upstream release 2.052
  - Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
    the functions with dummies instead of removing NPN completly or setting
    OPENSSL_NO_NEXTPROTONEG
  - t/01loadmodule.t shows more output helpful in debugging problems
  - Update fingerprints for external tests
  - Update documentation to make behavior of syswrite more clear
2017-10-23 18:59:32 +01:00
Paul Howarth
7481a58e0f Update to 2.051
- New upstream release 2.051
  - syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
    OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
    (GH#62)
2017-09-05 16:12:26 +01:00
Paul Howarth
bcc0f35452 Update to 2.050
- New upstream release 2.050
  - Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
    supported, as is the case with openssl versions in latest Debian (buster)
2017-08-18 09:50:09 +01:00
Fedora Release Engineering
2b6a4ffa38 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 04:26:31 +00:00
Petr Písař
a8625908ab perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 15:03:19 +02:00
Paul Howarth
0127aa728a Update to 2.049
- New upstream release 2.049
  - Fixed problem caused by typo in the context of session cache (GH#60)
  - Updated PublicSuffix information from publicsuffix.org
2017-06-12 12:02:37 +01:00
Jitka Plesnikova
90d774a9f6 Perl 5.26 rebuild 2017-06-05 03:44:39 +02:00
Paul Howarth
f6474dbc1b Update to 2.048
- New upstream release 2.048
  - Fixed small memory leaks during destruction of socket and context
    (CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %install section
  - Drop explicit %clean section
2017-04-17 12:58:53 +01:00
Paul Howarth
d3f2356cc9 Update to 2.047
- New upstream release 2.047
  - Better fix for problem which 2.046 tried to fix but broke LWP that way
- Update patches as needed
2017-02-17 08:17:43 +00:00
Paul Howarth
259846ffa3 Update to 2.046
- New upstream release 2.046
  - Clean up everything in DESTROY and make sure to start with a fresh
    %%{*self} in configure_SSL because it can happen that a GLOB gets used
    again without calling DESTROY
    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
2017-02-16 18:11:06 +00:00
Paul Howarth
46a5435ffc Update to 2.045
- New upstream release 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed
2017-02-14 11:52:13 +00:00
Fedora Release Engineering
88d911cebb - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-11 03:37:01 +00:00
Paul Howarth
157e4fc48f Update to 2.044
- New upstream release 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause less problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
2017-01-26 15:59:38 +00:00
Paul Howarth
6a30f8ffc4 Update to 2.043
- New upstream release 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed
2017-01-06 14:34:50 +00:00
Paul Howarth
c290ff8f5b Update to 2.041
- New upstream release 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed
2017-01-04 11:25:36 +00:00
Paul Howarth
a6f663d8ce Update to 2.040
- New upstream release 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
2016-12-18 12:18:04 +00:00
Paul Howarth
94a62556ae Upload IO-Socket-SSL-2.039.tar.gz 2016-11-21 09:47:32 +00:00
Paul Howarth
48b55376ef Update to 2.039
- New upstream release 2.039
  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
    on EOF without proper SSL shutdown; since it looks like that this behavior
    will be kept at least for 1.1.1+, adapt to the changed API by treating
    errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed
2016-11-21 09:38:46 +00:00
Paul Howarth
4b64c34a03 Update to 2.038
- New upstream release 2.038
  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before
    contains bug; add test for session reuse
  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
  - Fix t/external/ocsp.t to use different server (under my control) to check
    OCSP stapling
- Update patches as needed
2016-09-19 14:32:14 +01:00
Paul Howarth
1c9734277a Update to 2.037
- New upstream release 2.037
  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
  - Fix session cache del_session: it freed the session but did not properly
    remove it from the cache; further reuse caused crash
- Update patches as needed
2016-08-23 09:22:35 +01:00
Paul Howarth
5273482db2 Update to 2.035
- New upstrean release 2.035
  - Fixes for issues introduced in 2.034
    - Return with error in configure_SSL if context creation failed; this
      might otherwise result in an segmentation fault later
    - Apply builtin defaults before any (user configurable) global settings
      (i.e. done with set_defaults, set_default_context...) so that builtins
      don't replace user settings
- Update patches as needed
2016-08-11 19:06:10 +01:00
Paul Howarth
669ae1bebf Update to 2.034
- New upstream release 2.034
  - Move handling of global SSL arguments into creation of context, so that
    these get also applied when creating a context only
- Update patches as needed
2016-08-08 14:32:25 +01:00
Paul Howarth
5c5f120ac9 Update to 2.033
- New upstream release 2.033
  - Support for session ticket reuse over multiple contexts and processes (if
    supported by Net::SSLeay)
  - Small optimizations, like saving various Net::SSLeay constants into
    variables and access variables instead of calling the constant sub all the
    time
  - Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
2016-07-16 13:40:15 +01:00
Paul Howarth
ddc83e4abc Update to 2.032
- New upstream release 2.032
  - Set session id context only on the server side; even if the documentation
    for SSL_CTX_set_session_id_context makes clear that this function is server
    side only, it actually affects handling of session reuse on the client side
    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
    in different context" at the client
2016-07-12 16:31:13 +01:00
Paul Howarth
5e25984e43 Update to 2.031
- New upstream release 2.031
  - Utils::CERT_create - don't add given extensions again if they were already
    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
    extensions are given twice
  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
    with the reverse order as in the PKCS12 file, because that's what it does
  - Support for creating ECC keys in Utils once supported by Net::SSLeay
  - Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
2016-07-08 14:49:19 +01:00
Paul Howarth
1bbcd86cf3 Update to 2.029
- New upstream release 2.029
  - Add del_session method to session cache
  - Use SSL_session_key as the real key for the cache and not some derivate of
    it, so that it works to remove the entry using the same key
2016-06-28 10:37:28 +01:00
Petr Písař
456f4340b9 Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:48:12 +02:00
Jitka Plesnikova
409527b2d3 Perl 5.24 rebuild 2016-05-16 03:25:35 +02:00
Paul Howarth
6fc3767106 Update to 2.027
- New upstream release 2.027
  - Updated Changes file for 2.026
2016-04-21 11:51:58 +01:00
Paul Howarth
6ed7f418dd Update to 2.026
- New upstream release 2.026
  - Upstream's default cipher lists updated (we use system default though)
- Update patches as needed
2016-04-20 15:24:10 +01:00
Paul Howarth
16cfe40816 Update to 2.025
- New upstream release 2.025
  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)
- Simplify find command using -delete
2016-04-04 14:47:57 +01:00
Paul Howarth
1b3e2576a4 Update to 2.024
- New upstream release 2.024
  - Work around issue where the connect fails on systems having only a loopback
    interface and where IO::Socket::IP is used as super class (default when
    available)
- Update patches as needed
2016-02-07 16:11:20 +00:00
Fedora Release Engineering
5dde526491 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 14:09:04 +00:00
Paul Howarth
c1f1b41420 Update to 2.023
- New upstream release 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed
2016-01-30 19:08:57 +00:00
Paul Howarth
5b16a21796 Update to 2.022
- New upstream release 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)
2015-12-10 10:51:01 +00:00
Paul Howarth
abe772d8a4 Update to 2.021
- New upstream release 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
2015-12-03 13:55:07 +00:00
Paul Howarth
1b76ff56a2 Update to 2.020
- New upstream release 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
2015-09-21 10:56:58 +01:00
Paul Howarth
d23a4091cb Update to 2.019
- New upstream release 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed
2015-09-01 20:12:52 +01:00
Paul Howarth
6f9741cacd Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
2015-09-01 09:44:25 +01:00