- New upstream release 1.88
Summary of major changes since version 1.85
- Mike McCauley has stepped down as maintainer: the new maintainers are Chris
Novakovic, Heikki Vatiainen and Tuure Vartiainen
- The source code has moved from the now-defunct Debian Subversion server
(alioth.debian.org) to GitHub
(https://github.com/radiator-software/p5-net-ssleay)
- Net-SSLeay is provided under the terms of the Artistic License 2.0; this
has been the case since version 1.66, but references to other licenses
remained in the source code, causing ambiguity
- Perl 5.8.1 or newer is now required to use Net-SSLeay; this has already
been the case for some time in practice, as the test suite hasn't fully
passed on Perl 5.6 for several years
- Much-improved compatibility with OpenSSL 1.1.1, and improved support for
TLS 1.3
- Fixed a long-standing bug in cb_data_advanced_put() that caused memory
leaks when callbacks were frequently added and removed
- Support in the test suite for "hardened" OpenSSL configurations that set a
default security level of 2 or higher (e.g., in the OpenSSL packages that
ship with recent versions of Debian, Fedora and Ubuntu)
openssl-1:1.1.1-0.pre8.2.fc29 started to obey to a system-wide crypto
policy. This affected Net-SSLeay tests. Please note that
openssl-1.1.1-0.pre8.3.fc29 fixed some regressions affecting
Net-SSLeay tests.
- New upstream release 1.85
- Preparations for transferring maintenace to a new maintainer
- Fixed test failure in t/local/33_x509_create_cert.t for some versions of
OpenSSL
- Fixed free() error that causes "Free to wrong pool ..." message on Windows
- New upstream release 1.83
- Fixed a problem with exporting OPENSSL_NO_NEXTPROTONEG even though they
are not availble on LibreSSL
- Add support for SSL_set_default_passwd_cb* for OpenSSL 1.1.0f and later;
LibreSSL does not support these functions, at least yet
- Add new functions related to SSL_CTX_new
- Add two new functions introduced in OpenSSL 1.1.0, a number of constants
and a couple of const qualifiers to SSLeay.xs; tests and documentation .pod
were also updated
- Added support for SSL_use_certificate_chain_file function introduced in
OpenSSL 1.1.0
- Fixed LibreSSL version detection to correctly parse LibreSSL minor version
- Fix memory leaks in OCSP handling
- Add new functions for certificate verification introduced in OpenSSL 1.02,
a number of constants, new test data files, new tests and updates to .pod
documentation; the new functions provide access to the built-in wildcard
check functionality available in OpenSSL 1.0.2 and later
- Added X509_STORE_CTX_new and X509_verify_cert
- SSL_OCSP_response_verify now clears the error queue if OCSP_basic_verify
fails but the intermediate certificate succeeds
- New upstream release 1.82
- Added support for building under Linuxbrew (a linuxbrew version of MacOS
Homebrew)
- Implement SSL_CTX_set_psk_client_callback() and
SSL_set_psk_client_callback()
- Skip the NPN test if the SSL library is LibreSSL
- Fixed a problem with a variable declaration in
ssleay_session_secret_cb_invoke
- Bugfix: tlsext_status_cb_invoke(...): free ocsp_response only when
allocated; the same callback is used on a server side for OCSP stapling
and in that case ocsp_response is NULL and not used
- New feature: Added a binding
SSL_set_session_ticket_ext_cb(ssl, callback, data); a callback used by
EAP-FAST/EAP-TEAT to parse and process TLS session ticket
- New feature: Added a binding SSL_set_session_ticket_ext(ssl, ticket); used
by EAP-FAST/EAP-TEAP to define TLS session ticket value
- Bugfix: tlsext_ticket_key_cb_invoke(...): allow SHA256 HMAC key to be 32
bytes instead of 16 bytes (which OpenSSL will pad with zeros up to 32
bytes)
- New feature: Added following bindings:
- X509_get_ex_data(cert, idx)
- X509_get_ex_new_index(argl, argp, new_func, dup_func, free_func)
- X509_get_app_data(cert)
- X509_set_ex_data(cert, idx, data)
- X509_set_app_data(cert, arg)
- X509_STORE_CTX_get_ex_new_index(argl, argp, new_func, dup_func, free_func)
- X509_STORE_CTX_get_app_data(x509_store_ctx)
- X509_STORE_CTX_set_app_data(x509_store_ctx, arg)
- New feature: Added an implementation for
SSL_get_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE)
- New feature: Added an implementation for
SSL_get_peer_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE)
- Bugfix: SSL_get_keyblock_size(s): Calculate key block size correctly also
with AEAD ciphers, which don’t use digest functions
- New feature: Added a binding SSL_set_tlsext_status_ocsp_resp(ssl, staple);
used by a server side to include OCSP staple in ServerHello
- Bugfix: SSL_OCSP_response_verify(ssl, rsp, svreq, flags): check that chain
and last are not NULL before trying to use them
- Bugfix: inc/Module/Install/PRIVATE/Net/SSLeay.pm: Don’t quote include and
lib paths
- Drop EL-5 support
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %install section
- Drop explicit %clean section
- New upstream release 1.81
- Enable RSA_get_key_parameters with LibreSSL - again
- Fixed memory leak in X509_get_subjectAltNames
- Added . to lib path in Makefile.PL to accommodate people who are using a
perl with -Ddefault_inc_excludes_dot
- Fixed build failure if engine support not present
- Improvements to get_my_thread_id to work around possibility of ERRSV not
being defined, e.g. on OpenWRT
- New upstream release 1.79
- Patch to fix a few inline variable declarations that cause errors for older
compilers
- Patch: Generated C code is not compatible with MSVC, AIX cc, probably
others; added some PREINIT blocks and replaced 2 cases of INIT with PREINIT
- Fix compile failure if the OpenSSL library it's built against has
compression support compiled out
- Added RSA_get_key_parameters() to return a list of pointers to RSA key
internals (only available prior to OpenSSL 1.1)
- Fix some documentation typos
- Testing with openssl-1.1.0b
- New upstream release 1.76
- Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5:
- Conditionally remove threading locking code, not needed in 1.1
- Rewrite code that accesses inside X509_ATTRIBUTE struct
- SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa, SSL_CTX_set_tmp_rsa_callback,
SSL_set_tmp_rsa_callback support not available in 1.1
- SSL_session_reused is now native
- SSL_get_keyblock_size modifed to use new API
- OCSP functions modified to use new API under 1.1
- SSL_set_state removed with 1.1
- SSL_get_state and SSL_state are now equivalent and available in all
versions
- SSL_CTX_v2_new removed
- SESSION_set_master_key removed with 1.1; code that previously used
SESSION_set_master_key must now set $secret in the session_secret
callback set with SSL_set_session_secret_cb
- With 1.1, $secret in the session_secret callback set with
SSL_set_session_secret_cb can be changed to alter the master key
(required by EAP-FAST)
- Added a function EC_KEY_generate_key similar to RSA_generate_key and a
function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA; using
these functions it is easy to create and use EC keys in the same way as RSA
keys
- Testing with LibreSSL 2.4.1
- Provide support for cross context (and cross process) session sharing using
the stateless TLS session tickets
- Added documentation about downloading latest version from SVN
- Added missing Module/install files to SVN
- New upstream release 1.73
- Added X509_get_X509_PUBKEY
- Added README.OSX with instructions on how to build for recent OS X
- Added info about using OPENSSL_PREFIX to README.Win32
- Added comments in POD about installation documentation
- Added '/usr/local/opt/openssl/bin/openssl' to Openssl search path for
latest version of OSX homebrew openssl
- Simplify find commands using -delete
- New upstream release 1.72
- Fixed a problem where SvPVx_nolen was undefined in some versions of perl;
replaced with SvPV_nolen
- Fixed a cast warning on Darwin
