Compare commits

...

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

11 changed files with 253 additions and 68 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/IO-Socket-SSL-2.066.tar.gz
/IO-Socket-SSL-[0-9.]*.tar.gz

View File

@ -1 +0,0 @@
4eacd69b81f7edae24135a53411cf87429584289 SOURCES/IO-Socket-SSL-2.066.tar.gz

View File

@ -0,0 +1,15 @@
--- Makefile.PL
+++ Makefile.PL
@@ -68,12 +68,6 @@ if (my $compiled = eval {
die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)",
$compiled,$linked);
}
-
- # OpenSSL 1.1.1e introduced behavior changes breaking various code
- # will likely be reverted in 1.1.1f - enforce to not use this version
- if ($linked == 0x1010105f) {
- die "detected OpenSSL 1.1.1e - please use a different version\n";
- }
}
# make sure that we have dualvar from the XS Version of Scalar::Util

View File

@ -1,6 +1,6 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
@@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults
my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0,
@ -9,7 +9,7 @@
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2335,7 +2335,7 @@ sub new {
@@ -2383,7 +2383,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP;
@ -20,7 +20,7 @@
or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instea
@@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
and openssl.

View File

@ -1,6 +1,6 @@
--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = (
@@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
@ -16,10 +16,12 @@
);
my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -186,63 +185,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
%DEFAULT_SSL_ARGS,
SSL_verify_mode => SSL_VERIFY_PEER,
-
SSL_ca_file => undef,
SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
@ -32,7 +34,7 @@
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
@ -82,7 +84,7 @@
# set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -1054,12 +1054,8 @@ documentation (L<http://www.openssl.org/
@@ -1069,12 +1069,8 @@ documentation (L<https://www.openssl.org
for more details.
Unless you fail to contact your peer because of no shared ciphers it is

View File

@ -0,0 +1,23 @@
From 7c0798d6de3467603dff42253448e36aded7f5ac Mon Sep 17 00:00:00 2001
From: Steffen Ullrich <github@maulwuff.de>
Date: Fri, 22 Dec 2023 08:07:20 +0100
Subject: [PATCH] fixed test fail #147 with OpenSSL 3.2
---
t/core.t | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/t/core.t b/t/core.t
index e194811..22d78fb 100755
--- a/t/core.t
+++ b/t/core.t
@@ -74,7 +74,8 @@ unless (fork) {
LocalAddr => $localip,
);
print $client "Test\n";
- is( <$client>, "This server is SSL only", "Client non-SSL connection");
+
+ like( <$client>, qr/This server is SSL only/, "Client non-SSL connection");
close $client;
$client = IO::Socket::SSL->new(

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -0,0 +1,4 @@
from Config import *
# Documentation/test certs
addFilter("pem-certificate /usr/share/doc/perl-IO-Socket-SSL.*/certs/.*\.pem");

View File

@ -1,26 +1,33 @@
%if 0%{?rhel} >= 9
%bcond_with perl_IO_Socket_SSL_test_unused_idn
%else
%bcond_without perl_IO_Socket_SSL_test_unused_idn
%endif
%bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6
Name: perl-IO-Socket-SSL
Version: 2.066
Release: 4%{?dist}
Version: 2.073
Release: 2%{?dist}
Summary: Perl library for transparent SSL
License: (GPL+ or Artistic) and MPLv2.0
URL: https://metacpan.org/release/IO-Socket-SSL
Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
# Default to a system-wide crypto-policy, bug #1775167
Patch0: IO-Socket-SSL-2.066-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.066-use-system-default-SSL-version.patch
Patch0: IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.068-use-system-default-SSL-version.patch
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# bug #1633636, requires openssl tool
# bug #1632660, requires openssl tool
Patch2: IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch
Patch3: IO-Socket-SSL-2.068-openssl-1.1.1e.patch
Patch4: IO-Socket-SSL-2.085-Fixed-test-fail-with-OpenSSL-3.2.patch
BuildArch: noarch
# Module Build
BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: make
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
# Module Runtime
BuildRequires: openssl >= 0.9.8
BuildRequires: openssl-libs >= 0.9.8
BuildRequires: perl(Carp)
BuildRequires: perl(Config)
BuildRequires: perl(constant)
@ -28,49 +35,43 @@ BuildRequires: perl(Errno)
BuildRequires: perl(Exporter)
BuildRequires: perl(HTTP::Tiny)
BuildRequires: perl(IO::Socket)
BuildRequires: perl(IO::Socket::INET6) >= 2.62
BuildRequires: perl(IO::Socket::INET)
BuildRequires: perl(IO::Socket::IP) >= 0.31
BuildRequires: perl(Net::SSLeay) >= 1.46
BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Socket)
BuildRequires: perl(Socket6)
BuildRequires: perl(Socket) >= 1.95
BuildRequires: perl(strict)
BuildRequires: perl(URI::_idna)
BuildRequires: perl(vars)
BuildRequires: perl(warnings)
# Test Suite
# openssl tool required for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: openssl
BuildRequires: perl(Data::Dumper)
BuildRequires: perl(File::Temp)
BuildRequires: perl(FindBin)
BuildRequires: perl(IO::Select)
BuildRequires: perl(IO::Socket::INET)
%if %{with perl_IO_Socket_SSL_test_IO_Socket_INET6}
BuildRequires: perl(IO::Socket::INET6) >= 2.62
%endif
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: perl(IPC::Run)
%if %{with perl_IO_Socket_SSL_test_unused_idn}
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%endif
BuildRequires: perl(Test::More) >= 0.88
BuildRequires: perl(utf8)
BuildRequires: procps
# Runtime
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: openssl >= 0.9.8
Requires: openssl-libs >= 0.9.8
Requires: perl(Config)
Requires: perl(HTTP::Tiny)
# Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
%else
Requires: perl(IO::Socket::INET6) >= 2.62, perl(Socket6)
%endif
# IDN back-ends: URI::_idna (from URI ≥ 1.50) is preferred
# but Net::IDN::Encode (next pref) and Net::LibIDN are also tested
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%if 0%{?fedora:1} || 0%{?rhel} > 6
BuildRequires: perl(URI::_idna)
Requires: perl(IO::Socket::INET)
Requires: perl(IO::Socket::IP) >= 0.31
Requires: perl(Socket) >= 1.95
Requires: perl(URI::_idna)
%else
Requires: perl(Net::IDN::Encode)
%endif
%description
This module is a true drop-in replacement for IO::Socket::INET that
@ -84,24 +85,33 @@ mod_perl.
%prep
%setup -q -n IO-Socket-SSL-%{version}
# Allow building with OpenSSL 1.1.1e as the Fedora package has the
# problematic EOF handling change reverted
%patch -P3
# Use system-wide default cipher list to support use of system-wide
# crypto policy (#1076390, #1127577, CPAN RT#97816)
# https://fedoraproject.org/wiki/Changes/CryptoPolicy
%patch0
%patch -P0
# Use system-default SSL version too
%patch1
%patch -P1
# Add a test for PHA
%patch2 -p1
%patch -P2 -p1
# Fixed test fail with OpenSSL 3.2
%patch -P4 -p1
%build
NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
NO_NETWORK_TESTING=1 perl Makefile.PL \
INSTALLDIRS=vendor \
NO_PACKLIST=1 \
NO_PERLLOCAL=1
%{make_build}
%install
make pure_install DESTDIR=%{buildroot}
find %{buildroot} -type f -name .packlist -delete
%{make_install}
%{_fixperms} -c %{buildroot}
%check
@ -109,7 +119,7 @@ make test
%files
# GPL+ or Artistic
%doc BUGS Changes README docs/ certs/ example/
%doc BUGS Changes README docs/ example/
%dir %{perl_vendorlib}/IO/
%dir %{perl_vendorlib}/IO/Socket/
%dir %{perl_vendorlib}/IO/Socket/SSL/
@ -125,45 +135,170 @@ make test
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
%changelog
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-4
* Wed Jun 19 2024 Jitka Plesnikova <jplesnik@redhat.com> - 2.073-2
- Resolves: RHEL-40746 - Fixed test fail with OpenSSL 3.2
* Tue Jan 04 2022 Michal Josef Špaček <mspacek@redhat.com> - 2.073-1
- Update to 2.073, which has official support for OpenSSL 3.0.0
Related: rhbz#1968046
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 08 2021 Michal Josef Špaček <mspacek@redhat.com> - 2.070-4
- Remove failing tests in openssl 3.0.0-alpha16. Related: rhbz#1968046
- Provisional for mass rebuild of openssl3.
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Mar 19 2021 Petr Pisar <ppisar@redhat.com> - 2.070-2
- Disable optional libidn tests on ELN
* Fri Feb 26 2021 Paul Howarth <paul@city-fan.org> - 2.070-1
- Update to 2.070
- Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.069-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 23 2021 Paul Howarth <paul@city-fan.org> - 2.069-1
- Update to 2.069
- IO::Socket::Utils CERT_asHash and CERT_create now support subject and
issuer with multiple same parts (like multiple OU); in this case an array
ref instead of a scalar is used as hash value (GH#95)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.068-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.068-2
- Perl 5.32 rebuild
* Tue Mar 31 2020 Paul Howarth <paul@city-fan.org> - 2.068-1
- Update to 2.068
- Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to
prevent follow-up problems in tests and user code
https://github.com/noxxi/p5-io-socket-ssl/issues/93
https://github.com/openssl/openssl/issues/11388
https://github.com/openssl/openssl/issues/11378
- Update PublicSuffix with latest data from publicsuffix.org
- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in
Fedora has had the problematic EOF-handling change reverted
* Sat Mar 21 2020 Paul Howarth <paul@city-fan.org> - 2.067-2
- Fix FTBFS with OpenSSL 1.1.1e
https://github.com/noxxi/p5-io-socket-ssl/issues/93
* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1
- Update to 2.067
- Fix memory leak on incomplete handshake (GH#92)
- Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
can decrease memory usage at the costs of more allocations (CPAN RT#129463)
- More detailed error messages when loading of certificate file failed (GH#89)
- Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
- Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- Fix warning when no ecdh support is available
- Documentation update regarding use of select and TLS 1.3
- Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
- Stability fix for t/core.t
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-7
- Default to PROFILE=SYSTEM cipher list (bug #1775167)
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-3
- PublicSuffix.pm is licensed MPLv2.0 (#1724434)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-2
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1633636)
* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP 0.31
- Always require preferred IDN back-end: URI::_idna
- Modernize spec using %%{make_build} and %%{make_install}
* Thu Jun 13 2019 Petr Pisar <ppisar@redhat.com> - 2.066-1
- Update to 2.066 (bug #1632600)
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4
- PublicSuffix.pm is licensed MPLv2.0 (#1724169)
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-3
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2
- Perl 5.30 rebuild
* Wed Mar 6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
- Update to 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
* Mon Mar 4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
- Update to 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
* Sat Mar 2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
- Update to 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
- Update to 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
- Update to 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay 1.86)
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
- Client sends a post-handshake-authentication extension if a client key and
a certificate are available (bug #1633636)
a certificate are available (bug #1632660)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2
- Prevent tests from dying on SIGPIPE (bug #1610017)
- Prevent tests from dying on SIGPIPE (CPAN RT#126899)
* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
- Update to 2.060 (bug #1610017)
- Update to 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay 1.86); see
also CPAN RT#126899
- TLS 1.3 support is not complete yet for session reuse
* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1610017)
- Enable tests (bug #1610017)
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)
* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1
- Update to 2.059 (bug #1610017)
- Update to 2.059
- Fix memory leak when CRLs are used (CPAN RT#125867)
- Fix memory leak when using stop_SSL and threads
(https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
- Disable %%check so package will build for Mass Rebuild
- Related: bug#1614611
* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
- Update to 2.058
- Fix memory leak that occurred with explicit stop_SSL in connection with

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (IO-Socket-SSL-2.073.tar.gz) = f6c7e089dbe4012bdaf3fdea2a5bea01d856736a86b1895466aa860de0b45535b8ff31be576e846f41b5e550865e82f479a2b9d3f05ee384c8e595496b874f45