Compare commits


No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

12 changed files with 206 additions and 388 deletions


@ -1 +0,0 @@
1

2
.gitignore vendored

@ -1 +1 @@
/IO-Socket-SSL-[0-9.]*.tar.gz
SOURCES/IO-Socket-SSL-2.066.tar.gz


@ -0,0 +1 @@
4eacd69b81f7edae24135a53411cf87429584289 SOURCES/IO-Socket-SSL-2.066.tar.gz


@ -1,37 +0,0 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -196,8 +196,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- # TLS 1.1 and lower are deprecated with RFC 8996
- SSL_version => 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2',
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2445,7 +2444,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1044,11 +1044,12 @@ All values are case-insensitive. Instea
versions are actually supported depend on the versions of OpenSSL and
Net::SSLeay installed, but modern protocols like TLS 1.3 are supported by these
for many years now.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2'. This means,
+For example, 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2' means
that the handshake format is compatible to SSL2.0 and higher, but that the
successful handshake is limited to TLS1.2 and higher, that is no SSL2.0, SSL3.0,
TLS 1.0 or TLS 1.1 because these versions have serious security issues and


@ -1,29 +0,0 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -205,8 +205,10 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # rely on system default but be sure to disable some definitely bad ones
- SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP',
+ # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'PROFILE=SYSTEM',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1071,9 +1071,8 @@ ciphers for TLS 1.2 and lower. See the O
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting, which uses the system
-default but disables some insecure ciphers which might still be enabled on older
-systems.
+recommended to leave this option at the default setting, which honors the
+system-wide PROFILE=SYSTEM cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to


@ -53,15 +53,15 @@ index 0000000..2413588
+}
+
+my $port = 2000;
+my $ca_cert = 't/certs/test-ca.pem';
+my $ca_cert = 'certs/test-ca.pem';
+
+diag 'Starting a server';
+my ($server, $input, $stdout, $stderr);
+eval {
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
+ '-Verify', '1',
+ '-cert', 't/certs/server-wildcard.pem',
+ '-key', 't/certs/server-wildcard.pem', '-CAfile', $ca_cert],
+ '-cert', 'certs/server-wildcard.pem',
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
+ \$input, \$stdout, \$stderr);
+ # subsequent \undef does not work
+ # <https://github.com/toddr/IPC-Run/issues/124>
@ -84,8 +84,8 @@ index 0000000..2413588
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local',
+ SSL_ca_file => $ca_cert,
+ SSL_key_file => 't/certs/client-key.pem',
+ SSL_cert_file => 't/certs/client-cert.pem'
+ SSL_key_file => 'certs/client-key.pem',
+ SSL_cert_file => 'certs/client-cert.pem'
+);
+ok($client, 'Client connected');
+
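Review bot: The test server is bound to the fixed `my $port = 2000;` and the client side (outside this hunk) presumably connects to the same constant, so any other listener on that port makes `openssl s_server` exit and the test fail rather than skip, which is a flakiness risk in parallel or shared build environments. With IO::Socket::INET loaded, picking a free port first narrows the window considerably, e.g. `my $probe = IO::Socket::INET->new(Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0) or die $!; my $port = $probe->sockport; close $probe;` (a small race remains). The `eval {` opened here closes outside the hunk. The path changes themselves (`t/certs/` to `certs/`) match the changelog note that the certificates only moved into `t/` in 2.080.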


@ -0,0 +1,36 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken
+ SSL_version => '',
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2335,7 +2335,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
- my $ver;
+ my $ver = '';
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instea
'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
and openssl.
+The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL
versions by adding !version separated by ':'.
-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
+For example, 'SSLv23:!SSLv3:!SSLv2' means that the
handshake format is compatible to SSL2.0 and higher, but that the successful
handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because
both of these versions have serious security issues and should not be used
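Review bot: The new default `SSL_version => '',` in the first hunk carries no comment, while the line it replaces explained why SSLv2 and SSLv3 were excluded and the companion cipher-list patch documents its `PROFILE=SYSTEM` default; a reader of the patched module cannot tell that the empty string is deliberate. Suggested comment above that line: `# Empty on purpose: leave the protocol floor to the OpenSSL library and the system-wide crypto policy (bug #1775167) instead of hard-coding !SSLv3:!SSLv2 here.` In the second hunk, `split` on an empty string yields no elements, so the loop never runs and `$ver` keeps the new `''` initialisation, which presumably is what avoids an uninitialized-value warning where `$ver` is consumed further down in `new` (outside the hunk). The POD hunk already says the default comes from the library; the code comment should say the same so the two stay in sync, because the module itself no longer refuses SSLv2/SSLv3 after this change.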


@ -0,0 +1,99 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
- # slightly reordered to prefer AES since it is cheaper when hardware accelerated
- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'PROFILE=SYSTEM',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -186,63 +185,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
SSL_ca_file => undef,
SSL_ca_path => undef,
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
- # a while. Later a padding extension was added to OpenSSL to work around
- # broken F5 but then IronPort croaked because it did not understand this
- # extension so it was disabled again :(
- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
- # that packet stays small enough. We try the same here.
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-CHACHA20-POLY1305',
- 'ECDHE-RSA-CHACHA20-POLY1305',
- 'ECDHE-ECDSA-AES256-SHA',
- 'ECDHE-RSA-AES256-SHA',
- 'DHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'ECDHE-RSA-AES128-SHA',
- 'DHE-RSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES256-SHA',
- 'AES128-SHA',
- 'DES-CBC3-SHA',
-
- # IE11/Edge has some more ciphers, notably SHA384 and DSS
- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
- # ciphers IE/Edge offers because they look like a large mismatch
- # between a very strong HMAC and a comparably weak (but sufficient)
- # encryption. Similar all browsers which do SHA384 can do ECDHE
- # so skip the DHE*SHA384 ciphers.
- 'ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- # 'ECDHE-RSA-AES256-SHA384',
- # 'ECDHE-ECDSA-AES256-SHA384',
- # 'ECDHE-RSA-AES128-SHA256',
- # 'ECDHE-ECDSA-AES128-SHA256',
- # 'DHE-RSA-AES256-GCM-SHA384',
- # 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- # 'AES128-SHA256',
- 'DHE-DSS-AES256-SHA256',
- # 'DHE-DSS-AES128-SHA256',
- 'DHE-DSS-AES256-SHA',
- 'DHE-DSS-AES128-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
-
- # Just to make sure, that we don't accidentally add bad ciphers above.
- # This includes dropping RC4 which is no longer supported by modern
- # browsers and also excluded in the SSL libraries of Python and Ruby.
- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
- )
);
# set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1054,12 +1054,8 @@ documentation (L<http://www.openssl.org/
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the
+system-wide PROFILE=SYSTEM cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to
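Review bot: `SSL_cipher_list => 'PROFILE=SYSTEM'` in the first hunk relies on a cipher-string token that, as far as I know, only OpenSSL builds carrying the crypto-policies patch understand; a stock OpenSSL rejects it in `SSL_CTX_set_cipher_list`, and the module would then presumably fail to set up any SSL context rather than fall back to a built-in list. The comment already links the Fedora CryptoPolicy page; I would add one line making the dependency explicit: `# NOTE: PROFILE=SYSTEM is only accepted by OpenSSL builds patched for crypto-policies (Fedora/RHEL); an unpatched OpenSSL rejects this string.` The second hunk drops the client-side override in `%DEFAULT_SSL_CLIENT_ARGS` entirely, so client and server presumably now share the same policy-derived list (the merge of the two default hashes is outside the hunk). The POD hunk removes the sentence saying that `SSL_cipher_list => ''` selects the library's built-in default; if the code still treats an empty list as "do not set", that sentence is worth keeping since it is now the only escape hatch from the policy profile.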


@ -1,32 +1,26 @@
%if 0%{?rhel} >= 9
%bcond_with perl_IO_Socket_SSL_test_unused_idn
%bcond_with perl_IO_Socket_SSL_test_IO_Socket_INET6
%else
%bcond_without perl_IO_Socket_SSL_test_unused_idn
%bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6
%endif
Name: perl-IO-Socket-SSL
Version: 2.085
Release: 3%{?dist}
Version: 2.066
Release: 4%{?dist}
Summary: Perl library for transparent SSL
License: (GPL-1.0-or-later OR Artistic-1.0-Perl) AND MPL-2.0
License: (GPL+ or Artistic) and MPLv2.0
URL: https://metacpan.org/release/IO-Socket-SSL
Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
Patch0: IO-Socket-SSL-2.084-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.084-use-system-default-SSL-version.patch
# Default to a system-wide crypto-policy, bug #1775167
Patch0: IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# bug #1632660, requires openssl tool
Patch2: IO-Socket-SSL-2.080-Test-client-performs-Post-Handshake-Authentication.patch
# bug #1633636, requires openssl tool
Patch2: IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch
BuildArch: noarch
# Module Build
BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: make
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
BuildRequires: perl(ExtUtils::MakeMaker)
# Module Runtime
BuildRequires: openssl-libs >= 0.9.8
BuildRequires: openssl >= 0.9.8
BuildRequires: perl(Carp)
BuildRequires: perl(Config)
BuildRequires: perl(constant)
@ -34,42 +28,49 @@ BuildRequires: perl(Errno)
BuildRequires: perl(Exporter)
BuildRequires: perl(HTTP::Tiny)
BuildRequires: perl(IO::Socket)
BuildRequires: perl(IO::Socket::INET)
BuildRequires: perl(IO::Socket::IP) >= 0.31
BuildRequires: perl(IO::Socket::INET6) >= 2.62
BuildRequires: perl(Net::SSLeay) >= 1.46
BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Socket) >= 1.95
BuildRequires: perl(Socket)
BuildRequires: perl(Socket6)
BuildRequires: perl(strict)
BuildRequires: perl(URI::_idna)
BuildRequires: perl(vars)
BuildRequires: perl(warnings)
# Test Suite
# openssl tool required for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: openssl
BuildRequires: perl(Data::Dumper)
BuildRequires: perl(File::Temp)
BuildRequires: perl(FindBin)
BuildRequires: perl(IO::Select)
%if %{with perl_IO_Socket_SSL_test_IO_Socket_INET6}
BuildRequires: perl(IO::Socket::INET6) >= 2.62
%endif
BuildRequires: perl(IO::Socket::INET)
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: perl(IPC::Run)
%if %{with perl_IO_Socket_SSL_test_unused_idn}
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%endif
BuildRequires: perl(Test::More) >= 0.88
BuildRequires: perl(utf8)
BuildRequires: procps
# Dependencies
Requires: openssl-libs >= 0.9.8
# Runtime
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: openssl >= 0.9.8
Requires: perl(Config)
Requires: perl(HTTP::Tiny)
Requires: perl(IO::Socket::INET)
Requires: perl(IO::Socket::IP) >= 0.31
Requires: perl(Socket) >= 1.95
# Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
%else
Requires: perl(IO::Socket::INET6) >= 2.62, perl(Socket6)
%endif
# IDN back-ends: URI::_idna (from URI ≥ 1.50) is preferred
# but Net::IDN::Encode (next pref) and Net::LibIDN are also tested
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%if 0%{?fedora:1} || 0%{?rhel} > 6
BuildRequires: perl(URI::_idna)
Requires: perl(URI::_idna)
%else
Requires: perl(Net::IDN::Encode)
%endif
%description
This module is a true drop-in replacement for IO::Socket::INET that
@ -86,31 +87,29 @@ mod_perl.
# Use system-wide default cipher list to support use of system-wide
# crypto policy (#1076390, #1127577, CPAN RT#97816)
# https://fedoraproject.org/wiki/Changes/CryptoPolicy
%patch -P 0
%patch0
# Use system-default SSL version too
%patch -P 1
%patch1
# Add a test for PHA
%patch -P 2 -p1
%patch2 -p1
%build
NO_NETWORK_TESTING=1 perl Makefile.PL \
INSTALLDIRS=vendor \
NO_PACKLIST=1 \
NO_PERLLOCAL=1
%{make_build}
NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
%install
%{make_install}
make pure_install DESTDIR=%{buildroot}
find %{buildroot} -type f -name .packlist -delete
%{_fixperms} -c %{buildroot}
%check
make test
%files
# GPL-1.0-or-later OR Artistic-1.0-Perl
%doc BUGS Changes README docs/ example/
# GPL+ or Artistic
%doc BUGS Changes README docs/ certs/ example/
%dir %{perl_vendorlib}/IO/
%dir %{perl_vendorlib}/IO/Socket/
%dir %{perl_vendorlib}/IO/Socket/SSL/
@ -121,281 +120,50 @@ make test
%{_mandir}/man3/IO::Socket::SSL.3*
%{_mandir}/man3/IO::Socket::SSL::Intercept.3*
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
# MPL-2.0
# MPLv2.0
%{perl_vendorlib}/IO/Socket/SSL/PublicSuffix.pm
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.085-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.085-2
- Bump release for June 2024 mass rebuild
* Tue Jan 23 2024 Paul Howarth <paul@city-fan.org> - 2.085-1
- Update to 2.085
- Fix test that failed due to behavior changes in OpenSSL 3.2 (GH#147)
- Update PublicSuffix
- Add examples for TLS JA3/JA4 fingerprinting to tls_fingerprint/
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.084-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Nov 7 2023 Paul Howarth <paul@city-fan.org> - 2.084-1
- Update to 2.084
- Various fixes for edge cases and build: GH#136, GH#141, GH#142, GH#143,
GH#145
- Update documentation to reflect default SSL_version
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.083-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 27 2023 Jitka Plesnikova <jplesnik@redhat.com> - 2.083-2
- Disable optional IO::Socket::INET6 tests on ELN
* Thu May 18 2023 Paul Howarth <paul@city-fan.org> - 2.083-1
- Update to 2.083
- Fix t/protocol_version.t for OpenSSL versions that don't support SECLEVEL
(regression from GH#122)
* Thu May 18 2023 Paul Howarth <paul@city-fan.org> - 2.082-1
- Update to 2.082
- SSL_version default now TLS 1.2+ since TLS 1.1 and lower are deprecated
(GH#122)
- Fix output of alert string when debugging (GH#132)
- Improve regex for hostname validation (GH#130, GH#126)
- Add can_ciphersuites subroutine for feature checking (GH#127)
- Utils::CERT_create - die if unexpected arguments are given instead of
ignoring these
- Avoid use of deprecated patch syntax
* Wed Jan 25 2023 Paul Howarth <paul@city-fan.org> - 2.081-1
- Update to 2.081
- New function set_msg_callback for user defined callback on each SSL message
- Showcase function in example/ssl_client.pl and example/ssl_server.pl for
computing JA3S/JA3 fingerprints
- Fix tracing added in 2.076 to no longer include SSL3_RT_HEADER (noise)
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.080-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 18 2023 Paul Howarth <paul@city-fan.org> - 2.080-1
- Update to 2.080
- Move test certificates into t/ directory where they belong
* Mon Jan 16 2023 Paul Howarth <paul@city-fan.org> - 2.079-1
- Update to 2.079
- Properly extract IPv6 address for verification from PeerAddr if
not explicitly given as SSL_verifycn_name (GH#123)
* Mon Dec 12 2022 Paul Howarth <paul@city-fan.org> - 2.078-1
- Update to 2.078
- Revert decision from 2014 to not verify hostname by default if hostname is
IP address but no explicit verification scheme given (GH#121)
* Mon Nov 21 2022 Paul Howarth <paul@city-fan.org> - 2.077-1
- Update to 2.077
- Fix memory leak in session cache (GH#118)
- More race conditions in tests fixed (GH#97)
* Mon Nov 14 2022 Paul Howarth <paul@city-fan.org> - 2.076-1
- Update to 2.076
- Added curl like tracing (based on GH#117)
- Fixed race condition in t/sni_verify.t (GH#97)
* Sat Sep 3 2022 Paul Howarth <paul@city-fan.org> - 2.075-1
- Update to 2.075
- Treat SSL_write returning 0 same as previously -1, as suggested by both
OpenSSL and LibreSSL documentation
- Propagate error from SSL_shutdown, unless the shutdown is caused by an outer
SSL error, in which case keep the original error
- Small test fixes
- Use SPDX-format license tag
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.074-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 01 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.074-3
- Perl 5.36 rebuild
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.074-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Jan 8 2022 Paul Howarth <paul@city-fan.org> - 2.074-1
- Update to 2.074
- Add SSL_ciphersuites option for TLS 1.3 ciphers
- No longer use own default for ciphers: instead, use system default but
disable some weak ciphers that might still be enabled on older systems
* Thu Dec 23 2021 Paul Howarth <paul@city-fan.org> - 2.073-1
- Update to 2.073
- Fix behavior and tests for OpenSSL 3.0.1
- Fix GH#110 - prevent internal error warning in some cases
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.072-2
- Rebuilt with OpenSSL 3.0.0
* Tue Aug 17 2021 Paul Howarth <paul@city-fan.org> - 2.072-1
- Update to 2.072
- Add PEM_certs2file and PEM_file2certs in IO::Socket::SSL::Utils based on
idea in GH#101
- certs/*.p12 used for testing should now work with OpenSSL 3.0 too (GH#108)
- Update public suffix database
- Drop patch for building with OpenSSL 1.1.1e
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.071-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May 25 2021 Paul Howarth <paul@city-fan.org> - 2.071-1
- Update to 2.071
- Fix t/nonblock.t race on some systems (fixes GH#102, maybe GH#98 too)
* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.070-3
- Perl 5.34 rebuild
* Fri Mar 19 2021 Petr Pisar <ppisar@redhat.com> - 2.070-2
- Disable optional libidn tests on ELN
* Fri Feb 26 2021 Paul Howarth <paul@city-fan.org> - 2.070-1
- Update to 2.070
- Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.069-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 23 2021 Paul Howarth <paul@city-fan.org> - 2.069-1
- Update to 2.069
- IO::Socket::Utils CERT_asHash and CERT_create now support subject and
issuer with multiple same parts (like multiple OU); in this case an array
ref instead of a scalar is used as hash value (GH#95)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.068-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.068-2
- Perl 5.32 rebuild
* Tue Mar 31 2020 Paul Howarth <paul@city-fan.org> - 2.068-1
- Update to 2.068
- Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to
prevent follow-up problems in tests and user code
https://github.com/noxxi/p5-io-socket-ssl/issues/93
https://github.com/openssl/openssl/issues/11388
https://github.com/openssl/openssl/issues/11378
- Update PublicSuffix with latest data from publicsuffix.org
- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in
Fedora has had the problematic EOF-handling change reverted
* Sat Mar 21 2020 Paul Howarth <paul@city-fan.org> - 2.067-2
- Fix FTBFS with OpenSSL 1.1.1e
https://github.com/noxxi/p5-io-socket-ssl/issues/93
* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1
- Update to 2.067
- Fix memory leak on incomplete handshake (GH#92)
- Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
can decrease memory usage at the costs of more allocations (CPAN RT#129463)
- More detailed error messages when loading of certificate file failed (GH#89)
- Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
- Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- Fix warning when no ecdh support is available
- Documentation update regarding use of select and TLS 1.3
- Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
- Stability fix for t/core.t
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-7
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-4
- Default to PROFILE=SYSTEM cipher list (bug #1775167)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-3
- PublicSuffix.pm is licensed MPLv2.0 (#1724434)
* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP 0.31
- Always require preferred IDN back-end: URI::_idna
- Modernize spec using %%{make_build} and %%{make_install}
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-2
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1633636)
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4
- PublicSuffix.pm is licensed MPLv2.0 (#1724169)
* Thu Jun 13 2019 Petr Pisar <ppisar@redhat.com> - 2.066-1
- Update to 2.066 (bug #1632600)
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2
- Perl 5.30 rebuild
* Wed Mar 6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
- Update to 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
* Mon Mar 4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
- Update to 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
* Sat Mar 2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
- Update to 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
- Update to 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
- Update to 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay 1.86)
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-3
- Client sends a post-handshake-authentication extension if a client key and
a certificate are available (bug #1632660)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
a certificate are available (bug #1633636)
* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2
- Prevent tests from dying on SIGPIPE (CPAN RT#126899)
- Prevent tests from dying on SIGPIPE (bug #1610017)
* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
- Update to 2.060
- Update to 2.060 (bug #1610017)
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay 1.86); see
also CPAN RT#126899
- TLS 1.3 support is not complete yet for session reuse
* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1610017)
- Enable tests (bug #1610017)
* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1
- Update to 2.059
- Update to 2.059 (bug #1610017)
- Fix memory leak when CRLs are used (CPAN RT#125867)
- Fix memory leak when using stop_SSL and threads
(https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
- Disable %%check so package will build for Mass Rebuild
- Related: bug#1614611
* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
- Update to 2.058
- Fix memory leak that occurred with explicit stop_SSL in connection with
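Review bot: On the c8 side, if I read the interleaved lines correctly, the runtime dependency is `Requires: openssl >= 0.9.8`, which pulls the command-line tool package in although the module only links against the shared library; the c10s changelog entry for 2.066-5 records the same correction ("Runtime openssl dependency should be on openssl-libs"). I would change it to `Requires: openssl-libs >= 0.9.8` and keep the plain `BuildRequires: openssl` only for the PHA test, which drives `openssl s_server`. Newer rpm releases warn about the `%patch0`/`%patch1`/`%patch2 -p1` form, so if this spec is ever synced forward the `%patch -P N` spelling used on the other side avoids that; it is harmless for the RHEL 8 rpm.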


@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}


@ -1,12 +0,0 @@
summary: Private (RHEL) beakerlib tests
enabled: false
adjust:
- when: distro == rhel
enabled: true
because: private tests are accesible only within rhel pipline
discover:
- name: rhel
how: fmf
url: https://pkgs.devel.redhat.com/git/tests/perl-IO-Socket-SSL
execute:
how: tmt


@ -1 +0,0 @@
SHA512 (IO-Socket-SSL-2.085.tar.gz) = c4e045e88f69579d53a3663ed8f74d342fe3529e24e06d9e7d299debafdb840839c6f5bccb579b4d03f7501615439dba4661ac006312f379a2598a3030634cfd