Commit Graph

177 Commits

Author SHA1 Message Date
Paul Howarth
fcfa0f088e Update to 2.070
- New upstream release 2.070
  - Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org
2021-02-26 09:21:22 +00:00
Paul Howarth
7db20c4760 Update to 2.069
- New upstream release 2.069
  - IO::Socket::Utils CERT_asHash and CERT_create now support subject and
    issuer with multiple same parts (like multiple OU); in this case an array
    ref instead of a scalar is used as hash value (GH#95)
2021-01-23 16:28:46 +00:00
Paul Howarth
9eb8a638a0 Update to 2.068
- New upstream release 2.068
  - Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to
    prevent follow-up problems in tests and user code
    https://github.com/noxxi/p5-io-socket-ssl/issues/93
    https://github.com/openssl/openssl/issues/11388
    https://github.com/openssl/openssl/issues/11378
  - Update PublicSuffix with latest data from publicsuffix.org
- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in
  Fedora has had the problematic EOF-handling change reverted
2020-03-31 11:34:02 +01:00
Paul Howarth
abf3820637 Update to 2.067
- New upstream release 2.067
  - Fix memory leak on incomplete handshake (GH#92)
  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
    can decrease memory usage at the costs of more allocations (CPAN RT#129463)
  - More detailed error messages when loading of certificate file failed (GH#89)
  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
  - Fix warning when no ecdh support is available
  - Documentation update regarding use of select and TLS 1.3
  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
  - Stability fix for t/core.t
2020-02-15 15:11:21 +00:00
Paul Howarth
6e3c20c758 Update to 2.066
- New upstream release 2.066
  - Make sure that Net::SSLeay::CTX_get0_param is defined before using
    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
    LibreSSL 2.7.4 but not the first (CPAN RT#128716)
  - Prefer AES for server side cipher default since it is usually
    hardware-accelerated
  - Fix test t/verify_partial_chain.t by using the newly exposed function
    can_partial_chain instead of guessing (wrongly) if the functionality is
    available
2019-03-06 19:49:53 +00:00
Paul Howarth
b66fffb029 Update to 2.064
- New upstream release 2.064
  - Make algorithm for fingerprint optional, i.e. detect based on length of
    fingerprint (CPAN RT#127773)
  - Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
  - Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
    set
  - Update fingerprints for live tests
2019-03-04 16:28:53 +00:00
Paul Howarth
536e7cbbbc Update to 2.063
- New upstream release 2.063
  - Support for both RSA and ECDSA certificate on same domain
  - Update PublicSuffix
  - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
    then linked against another API-incompatible version (i.e. more than just
    the patchlevel differs)
2019-03-02 15:25:22 +00:00
Paul Howarth
ee2bb1ed57 Update to 2.062
- New upstream release 2.062
  - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
    OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
    in the trust store be usable as full trust anchors too
2019-02-25 13:43:35 +00:00
Paul Howarth
62e054c052 Update to 2.061
- New upstream release 2.061
  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
    the previous (and undocumented) API for the session cache has been changed
  - Support for multiple curves, automatic setting of curves and setting of
    supported curves in client (needs Net::SSLeay ≥ 1.86)
  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
    client certificates are provided (needs Net::SSLeay ≥ 1.86)
2019-02-23 12:45:00 +00:00
Paul Howarth
948f20ded6 Update to 2.060
- New upstream release 2.060
  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too);
    see also CPAN RT#126899
  - TLS 1.3 support is not complete yet for session resume
2018-09-17 15:59:10 +01:00
Paul Howarth
14f244955b Update to 2.059
- New upstream release 2.059
  - Fix memory leak when CRLs are used (CPAN RT#125867)
  - Fix memory leak when using stop_SSL and threads
    (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
2018-08-16 11:57:21 +01:00
Paul Howarth
23e698433c Update to 2.058
- New upstream release 2.058
  - Fix memory leak that occurred with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
    number or callback to create serial number based on the original certificate
  - New function get_session_reused to check if a session got reused
  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
    value
  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
    expects the extKeyUsage of clientAuth in the client cert also to be allowed
    by the CA if CA uses extKeyUsage
2018-07-19 10:19:21 +01:00
Paul Howarth
da2796e619 Update to 2.056
- New upstream release 2.056
  - Intercept: Fix creation of serial number (basing it on binary digest
    instead of treating hex fingerprint as binary), allow use of own serial
    numbers again
  - t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
  - Update PublicSuffix
2018-02-19 15:18:27 +00:00
Paul Howarth
8f2d1aa851 IO-Socket-SSL-2.055.tar.gz
2018-02-16 12:30:20 +00:00
Paul Howarth
6d1cc77223 Update to 2.054
- New upstream release 2.054
  - Small behavior fixes
    - If SSL_fingerprint is used and matches, don't check for OCSP
    - Utils::CERT_create: Small fixes to properly specify purpose, ability to
      use predefined complex purpose but disable some features
  - Update PublicSuffix
  - Updates for documentation, especially regarding pitfalls with forking or
    using non-blocking sockets, spelling fixes
  - Test fixes and improvements
    - Stability improvements for live tests
    - Regenerate certificates in certs/ and make sure they are limited to the
      correct purpose; check in program used to generate certificates
    - Adjust tests since certificates have changed and some tests used
      certificates intended for client authentication as server certificates,
      which now no longer works
2018-01-22 11:54:36 +00:00
Paul Howarth
1a5e9cfa4d Update to 2.052
- New upstream release 2.052
  - Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
    the functions with dummies instead of removing NPN completely or setting
    OPENSSL_NO_NEXTPROTONEG
  - t/01loadmodule.t shows more output helpful in debugging problems
  - Update fingerprints for external tests
  - Update documentation to make behavior of syswrite more clear
2017-10-23 18:59:32 +01:00
Paul Howarth
7481a58e0f Update to 2.051
- New upstream release 2.051
  - syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
    OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
    (GH#62)
2017-09-05 16:12:26 +01:00
Paul Howarth
bcc0f35452 Update to 2.050
- New upstream release 2.050
  - Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
  - protocol_version.t can now cope when TLS 1.0 and/or TLS 1.1 are not
    supported, as is the case with openssl versions in latest Debian (buster)
2017-08-18 09:50:09 +01:00
Paul Howarth
0127aa728a Update to 2.049
- New upstream release 2.049
  - Fixed problem caused by typo in the context of session cache (GH#60)
  - Updated PublicSuffix information from publicsuffix.org
2017-06-12 12:02:37 +01:00
Paul Howarth
f6474dbc1b Update to 2.048
- New upstream release 2.048
  - Fixed small memory leaks during destruction of socket and context
    (CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %install section
  - Drop explicit %clean section
2017-04-17 12:58:53 +01:00
Paul Howarth
d3f2356cc9 Update to 2.047
- New upstream release 2.047
  - Better fix for problem which 2.046 tried to fix but broke LWP that way
- Update patches as needed
2017-02-17 08:17:43 +00:00
Paul Howarth
259846ffa3 Update to 2.046
- New upstream release 2.046
  - Clean up everything in DESTROY and make sure to start with a fresh
    %%{*self} in configure_SSL because it can happen that a GLOB gets used
    again without calling DESTROY
    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed
2017-02-16 18:11:06 +00:00
Paul Howarth
46a5435ffc Update to 2.045
- New upstream release 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed
2017-02-14 11:52:13 +00:00
Paul Howarth
157e4fc48f Update to 2.044
- New upstream release 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause less problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed
2017-01-26 15:59:38 +00:00
Paul Howarth
6a30f8ffc4 Update to 2.043
- New upstream release 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed
2017-01-06 14:34:50 +00:00
Paul Howarth
c290ff8f5b Update to 2.041
- New upstream release 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed
2017-01-04 11:25:36 +00:00
Paul Howarth
a6f663d8ce Update to 2.040
- New upstream release 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed
2016-12-18 12:18:04 +00:00
Paul Howarth
94a62556ae Upload IO-Socket-SSL-2.039.tar.gz
2016-11-21 09:47:32 +00:00
Paul Howarth
4b64c34a03 Update to 2.038
- New upstream release 2.038
  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before
    contains bug; add test for session reuse
  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
  - Fix t/external/ocsp.t to use different server (under my control) to check
    OCSP stapling
- Update patches as needed
2016-09-19 14:32:14 +01:00
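The 2.038 entry above (certificate and public-key pins via SSL_fingerprint, extended in 2.064 so the algorithm prefix is optional) and the 2.062/2.066 entries (X509_V_FLAG_PARTIAL_CHAIN turned on by default, can_partial_chain exposed) both change what a client accepts during the handshake. The script below is an added, constructed example, not code from the Fedora package or from upstream IO::Socket::SSL: it builds a throwaway root -> intermediate -> leaf PKI with IO::Socket::SSL::Utils, runs a TLS server in a forked child that presents only leaf + intermediate, and then dials it with different trust-store and pin settings so the effect of each option is visible. It assumes IO::Socket::SSL 2.066 or later (for can_partial_chain) and, for the partial-chain case to be active, Net::SSLeay 1.83+ with OpenSSL 1.1.0+; the certificate names, file layout and greeting string are all made up for the demo.

```perl
#!/usr/bin/perl
# Added example, not part of the Fedora package or of upstream IO::Socket::SSL:
# a throwaway PKI plus a forked TLS server, used to show how the client's trust
# store and SSL_fingerprint settings decide the outcome of the handshake.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Net::SSLeay;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create PEM_cert2string PEM_key2string);

# Constructed test PKI: root CA -> intermediate CA -> server leaf for 'localhost'.
# Nothing here chains to a public CA, so the system trust store rejects it.
my ($root_cert, $root_key)   = CERT_create(CA => 1, subject => { CN => 'Demo Root' });
my ($inter_cert, $inter_key) = CERT_create(
    CA => 1, subject => { CN => 'Demo Intermediate' },
    issuer_cert => $root_cert, issuer_key => $root_key,
);
my ($leaf_cert, $leaf_key) = CERT_create(
    subject => { CN => 'localhost' }, purpose => 'server',
    subjectAltNames => [ [ DNS => 'localhost' ] ],
    issuer_cert => $inter_cert, issuer_key => $inter_key,
);

sub pem_file {                     # write PEM blobs to a temp file, return its path
    my @pem = @_;
    my ($fh, $name) = tempfile(UNLINK => 1);
    print $fh @pem;
    close $fh or die "close: $!";
    return $name;
}
my $chain_file = pem_file(PEM_cert2string($leaf_cert), PEM_cert2string($inter_cert));
my $key_file   = pem_file(PEM_key2string($leaf_key));
my $root_file  = pem_file(PEM_cert2string($root_cert));
my $inter_file = pem_file(PEM_cert2string($inter_cert));

# Server: presents leaf + intermediate (never the root) on an ephemeral port.
my $server = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1', Listen => 5, ReuseAddr => 1,
    SSL_cert_file => $chain_file, SSL_key_file => $key_file,
) or die "listen failed: $!, $SSL_ERROR";
my $port = $server->sockport;

defined(my $pid = fork) or die "fork: $!";
if (!$pid) {                       # child: the TLS handshake happens inside accept
    $SIG{PIPE} = 'IGNORE';
    while (1) {
        my $conn = $server->accept or next;   # client rejected the handshake: wait again
        print $conn "hello\n";
        $conn->close;
    }
}

# Client attempt; every option not passed in keeps IO::Socket::SSL's defaults,
# i.e. SSL_VERIFY_PEER plus hostname verification against SSL_verifycn_name.
sub try_connect {
    my %opt = @_;
    my $client = IO::Socket::SSL->new(
        PeerAddr => '127.0.0.1', PeerPort => $port,
        SSL_verifycn_name => 'localhost',     # dialing by IP, so name the expected host
        %opt,
    ) or return "rejected ($SSL_ERROR)";
    my $greeting = <$client>;
    $client->close;
    return defined $greeting ? 'accepted' : 'no data';
}

# Pin taken from the leaf: X509_get_fingerprint returns "AA:BB:..."; the colons
# are ignored by SSL_fingerprint. The bad pin is a well-formed but wrong digest.
my $pin     = 'sha256$' . Net::SSLeay::X509_get_fingerprint($leaf_cert, 'sha256');
my $bad_pin = 'sha256$' . join(':', ('00') x 32);

my @cases = (
    [ 'root in trust store'        => [ SSL_ca_file => $root_file ] ],
    [ 'only intermediate in store' => [ SSL_ca_file => $inter_file ] ],
    [ 'system trust store'         => [] ],
    [ 'no CA, matching pin'        => [ SSL_fingerprint => $pin ] ],
    [ 'no CA, wrong pin'           => [ SSL_fingerprint => $bad_pin ] ],
);
printf "partial-chain support: %s\n", IO::Socket::SSL::can_partial_chain() ? 'yes' : 'no';
for my $case (@cases) {
    my ($label, $opts) = @$case;
    printf "%-30s %s\n", $label, try_connect(@$opts);
}

kill 'TERM', $pid;
waitpid $pid, 0;
```

What to look for when running it: the root-in-store case is the ordinary full-chain verification. The intermediate-only case is the 2.062 behaviour: with X509_V_FLAG_PARTIAL_CHAIN in effect (can_partial_chain() true) the intermediate in the store is itself a trust anchor and the connection is accepted even though the root is never seen; on builds without that support the same configuration is rejected with an "unable to get issuer certificate" style error. The system-store case is rejected because the demo CA is unknown there. The matching pin is accepted with no CA configured at all, since a fingerprint match replaces chain verification (and, per the 2.054 entry, also skips the OCSP check), while the wrong pin is rejected. Because a pin bypasses the CA check entirely, treat SSL_fingerprint values as trust anchors: generate them from a certificate you obtained out of band, never from the fingerprint the connection itself reports.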
Paul Howarth
1c9734277a Update to 2.037
- New upstream release 2.037
  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
  - Fix session cache del_session: it freed the session but did not properly
    remove it from the cache; further reuse caused crash
- Update patches as needed
2016-08-23 09:22:35 +01:00
Paul Howarth
5273482db2 Update to 2.035
- New upstream release 2.035
  - Fixes for issues introduced in 2.034
    - Return with error in configure_SSL if context creation failed; this
      might otherwise result in a segmentation fault later
    - Apply builtin defaults before any (user configurable) global settings
      (i.e. done with set_defaults, set_default_context...) so that builtins
      don't replace user settings
- Update patches as needed
2016-08-11 19:06:10 +01:00
Paul Howarth
669ae1bebf Update to 2.034
- New upstream release 2.034
  - Move handling of global SSL arguments into creation of context, so that
    these get also applied when creating a context only
- Update patches as needed
2016-08-08 14:32:25 +01:00
Paul Howarth
5c5f120ac9 Update to 2.033
- New upstream release 2.033
  - Support for session ticket reuse over multiple contexts and processes (if
    supported by Net::SSLeay)
  - Small optimizations, like saving various Net::SSLeay constants into
    variables and access variables instead of calling the constant sub all the
    time
  - Make t/dhe.t work with openssl 1.1.0
- Update patches as needed
2016-07-16 13:40:15 +01:00
Paul Howarth
ddc83e4abc Update to 2.032
- New upstream release 2.032
  - Set session id context only on the server side; even if the documentation
    for SSL_CTX_set_session_id_context makes clear that this function is server
    side only, it actually affects handling of session reuse on the client side
    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
    in different context" at the client
2016-07-12 16:31:13 +01:00
Paul Howarth
5e25984e43 Update to 2.031
- New upstream release 2.031
  - Utils::CERT_create - don't add given extensions again if they were already
    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
    extensions are given twice
  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
    with the reverse order as in the PKCS12 file, because that's what it does
  - Support for creating ECC keys in Utils once supported by Net::SSLeay
  - Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed
2016-07-08 14:49:19 +01:00
Paul Howarth
1bbcd86cf3 Update to 2.029
- New upstream release 2.029
  - Add del_session method to session cache
  - Use SSL_session_key as the real key for the cache and not some derivate of
    it, so that it works to remove the entry using the same key
2016-06-28 10:37:28 +01:00
Paul Howarth
6fc3767106 Update to 2.027
- New upstream release 2.027
  - Updated Changes file for 2.026
2016-04-21 11:51:58 +01:00
Paul Howarth
6ed7f418dd Update to 2.026
- New upstream release 2.026
  - Upstream's default cipher lists updated (we use system default though)
- Update patches as needed
2016-04-20 15:24:10 +01:00
Paul Howarth
16cfe40816 Update to 2.025
- New upstream release 2.025
  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)
- Simplify find command using -delete
2016-04-04 14:47:57 +01:00
Paul Howarth
1b3e2576a4 Update to 2.024
- New upstream release 2.024
  - Work around issue where the connect fails on systems having only a loopback
    interface and where IO::Socket::IP is used as super class (default when
    available)
- Update patches as needed
2016-02-07 16:11:20 +00:00
Paul Howarth
c1f1b41420 Update to 2.023
- New upstream release 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed
2016-01-30 19:08:57 +00:00
Paul Howarth
5b16a21796 Update to 2.022
- New upstream release 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)
2015-12-10 10:51:01 +00:00
Paul Howarth
abe772d8a4 Update to 2.021
- New upstream release 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed
2015-12-03 13:55:07 +00:00
Paul Howarth
1b76ff56a2 Update to 2.020
- New upstream release 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed
2015-09-21 10:56:58 +01:00
Paul Howarth
d23a4091cb Update to 2.019
- New upstream release 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed
2015-09-01 20:12:52 +01:00
Paul Howarth
6f9741cacd Update to 2.018
- New upstream release 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed
2015-09-01 09:44:25 +01:00
Paul Howarth
c60a35205c Update to 2.016
- New upstream release 2.016
  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)
  - Work around hanging prompt() with older perl in Makefile.PL
    (CPAN RT#104731)
  - Make t/memleak_bad_handshake.t work on cygwin and other systems having
    /proc/pid/statm (CPAN RT#104659)
  - Add better debugging
2015-06-07 20:43:19 +01:00
Paul Howarth
31561d8aa2 Update to 2.015
- New upstream release 2.015
  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using
    Domain AF_INET in the tests (CPAN RT#104226)
2015-05-14 13:33:34 +01:00
Paul Howarth
de67e57f13 Update to 2.014
- New upstream release 2.014
  - Utils::CERT_create - work around problems with authorityInfoAccess, where
    OpenSSL i2v does not create the same string as v2i expects
  - Intercept - don't clone some specific extensions that only make sense with
    the original certificate
2015-05-05 13:25:45 +01:00
Paul Howarth
c709cc0651 Update to 2.013
- New upstream release 2.013
  - Assign severities to internal error handling and make sure that follow-up
    errors like "configuration failed" or "certificate verify error" don't
    replace more specific "hostname verification failed" when reporting in
    sub errstr/$SSL_ERROR (CPAN RT#103423)
  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)
2015-05-01 22:10:38 +01:00