- New upstream release 1.92
- Net::SSLeay now supports stable releases of OpenSSL 3.0
- OpenSSL 3.0.0 introduces the concept of "providers", which contain
cryptographic algorithm implementations; many outdated, deprecated
and/or insecure algorithms have been moved to the "legacy" provider,
which may need to be loaded explicitly in order to use them with
Net::SSLeay (see "Low level API: OSSL_LIB_CTX and OSSL_PROVIDER
related functions" in the Net::SSLeay module documentation for details)
- Net::SSLeay's built-in PEM_get_string_PrivateKey() function depends on
algorithms that have moved to the legacy provider described above; if
OpenSSL has been compiled without the legacy provider, the tests
t/local/33_x509_create_cert.t and t/local/63_ec_key_generate_key.t will
fail when the test suite is run
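Added example (not code from Net::SSLeay or its test suite) showing how a script can load the "legacy" provider through the OSSL_PROVIDER_* and OSSL_LIB_CTX_* bindings the entry above refers to; the binding names are taken from that documentation section and are assumed to be present in your Net::SSLeay 1.92 build against OpenSSL 3.0.

```perl
#!/usr/bin/perl
# Added example: explicitly load the OpenSSL 3.0 "legacy" provider so that
# Net::SSLeay functions depending on legacy algorithms keep working.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::initialize();

# Drain the OpenSSL error queue into one readable string.
sub ossl_errors {
    my @msgs;
    while (my $e = Net::SSLeay::ERR_get_error()) {
        push @msgs, Net::SSLeay::ERR_error_string($e);
    }
    return @msgs ? join('; ', @msgs) : 'no error queued';
}

# The provider bindings are only compiled in against OpenSSL 3.0 and later
# (Net::SSLeay::SSLeay() returns 0x20000000 for LibreSSL, so it is excluded).
die "OpenSSL 3.0 or later with provider support is required\n"
    unless Net::SSLeay::SSLeay() >= 0x30000000
        && Net::SSLeay->can('OSSL_PROVIDER_load');

my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default();

# Caveat: once any provider is loaded explicitly, OpenSSL no longer
# auto-loads the "default" provider, so load it first to keep the
# modern algorithms available alongside the legacy ones.
my $default = Net::SSLeay::OSSL_PROVIDER_load($libctx, 'default')
    or die 'cannot load default provider: ' . ossl_errors() . "\n";

# The legacy provider is a separate module; an OpenSSL built without it
# fails here, which is the situation that makes the tests above fail.
my $legacy = Net::SSLeay::OSSL_PROVIDER_load($libctx, 'legacy');
if ($legacy) {
    printf "loaded provider '%s' (available=%d)\n",
        Net::SSLeay::OSSL_PROVIDER_get0_name($legacy),
        Net::SSLeay::OSSL_PROVIDER_available($libctx, 'legacy');
} else {
    warn 'legacy provider not loadable: ' . ossl_errors() . "\n";
}

# ... call functions that need legacy algorithms (e.g.
#     PEM_get_string_PrivateKey) while both providers are loaded ...

Net::SSLeay::OSSL_PROVIDER_unload($legacy)  if $legacy;
Net::SSLeay::OSSL_PROVIDER_unload($default) if $default;
```

Unloading the providers at the end mirrors what a long-running daemon should do at shutdown; a short script may simply let process exit clean them up.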
- TLS 1.1 and below may only be used at security level 0 as of OpenSSL
3.0.0; if a minimum required security level is imposed (e.g. in an
OpenSSL configuration file managed by the operating system), the tests
t/local/44_sess.t and t/local/45_exporter.t will fail when the test
suite is run
- Net::SSLeay now supports stable releases of LibreSSL from the 3.2-3.4
series (with the exception of 3.2.2 and 3.2.3 - see "COMPATIBILITY" in
the Net::SSLeay module documentation for details)
- The TLS 1.3 implementation in LibreSSL 3.1-3.3, parts of which are
enabled by default, is not fully compatible with the libssl API and may
not function as expected with Net::SSLeay; see "KNOWN BUGS AND CAVEATS"
in the Net::SSLeay module documentation for details
- A number of new libcrypto/libssl constants and functions are now exposed,
including SSL_CTX_set_keylog_callback() and SSL_CTX_set_msg_callback(),
which are helpful when debugging TLS handshakes; see the release notes
for the 1.91 developer releases (in the Changes file) for a full list of
newly-exposed constants and functions
- New upstream release 1.90
- Formalised libssl version support policy: all stable versions of OpenSSL
in the 0.9.8-1.1.1 branches (with the exception of 0.9.8-0.9.8b) and all
stable releases of LibreSSL in the 2.0-3.1 series are supported
- The LibreSSL 3.2 series is not yet fully supported because its TLSv1.3
implementation is not currently libssl-compatible
- Added support for LibreSSL on Windows when built with Visual C++
- Exposed P_X509_CRL_add_extensions, several SSL_CIPHER functions, and
several stack functions
- Fixed crashes in the callback functions CTX_set_next_proto_select_cb and
CTX_set_alpn_select_cb
- The test suite is now compatible with OpenSSL 1.1.1e onwards, as well as
OpenSSL security level 2 (the default on many Linux distributions)
- New upstream release 1.88
Summary of major changes since version 1.85
- Mike McCauley has stepped down as maintainer: the new maintainers are Chris
Novakovic, Heikki Vatiainen and Tuure Vartiainen
- The source code has moved from the now-defunct Debian Subversion server
(alioth.debian.org) to GitHub
(https://github.com/radiator-software/p5-net-ssleay)
- Net-SSLeay is provided under the terms of the Artistic License 2.0; this
has been the case since version 1.66, but references to other licenses
remained in the source code, causing ambiguity
- Perl 5.8.1 or newer is now required to use Net-SSLeay; this has already
been the case for some time in practice, as the test suite hasn't fully
passed on Perl 5.6 for several years
- Much-improved compatibility with OpenSSL 1.1.1, and improved support for
TLS 1.3
- Fixed a long-standing bug in cb_data_advanced_put() that caused memory
leaks when callbacks were frequently added and removed
- Support in the test suite for "hardened" OpenSSL configurations that set a
default security level of 2 or higher (e.g., in the OpenSSL packages that
ship with recent versions of Debian, Fedora and Ubuntu)
openssl-1:1.1.1-0.pre8.2.fc29 started to obey a system-wide crypto
policy. This affected Net-SSLeay tests. Please note that
openssl-1.1.1-0.pre8.3.fc29 fixed some regressions affecting
Net-SSLeay tests.
- New upstream release 1.85
- Preparations for transferring maintenance to a new maintainer
- Fixed test failure in t/local/33_x509_create_cert.t for some versions of
OpenSSL
- Fixed free() error that causes "Free to wrong pool ..." message on Windows
- New upstream release 1.83
- Fixed a problem with exporting OPENSSL_NO_NEXTPROTONEG even though they
are not available on LibreSSL
- Add support for SSL_set_default_passwd_cb* for OpenSSL 1.1.0f and later;
LibreSSL does not support these functions, at least yet
- Add new functions related to SSL_CTX_new
- Add two new functions introduced in OpenSSL 1.1.0, a number of constants
and a couple of const qualifiers to SSLeay.xs; tests and documentation .pod
were also updated
- Added support for SSL_use_certificate_chain_file function introduced in
OpenSSL 1.1.0
- Fixed LibreSSL version detection to correctly parse LibreSSL minor version
- Fix memory leaks in OCSP handling
- Add new functions for certificate verification introduced in OpenSSL 1.0.2,
a number of constants, new test data files, new tests and updates to .pod
documentation; the new functions provide access to the built-in wildcard
check functionality available in OpenSSL 1.0.2 and later
- Added X509_STORE_CTX_new and X509_verify_cert
- SSL_OCSP_response_verify now clears the error queue if OCSP_basic_verify
fails but the intermediate certificate succeeds
- New upstream release 1.82
- Added support for building under Linuxbrew (a linuxbrew version of MacOS
Homebrew)
- Implement SSL_CTX_set_psk_client_callback() and
SSL_set_psk_client_callback()
- Skip the NPN test if the SSL library is LibreSSL
- Fixed a problem with a variable declaration in
ssleay_session_secret_cb_invoke
- Bugfix: tlsext_status_cb_invoke(...): free ocsp_response only when
allocated; the same callback is used on a server side for OCSP stapling
and in that case ocsp_response is NULL and not used
- New feature: Added a binding
SSL_set_session_ticket_ext_cb(ssl, callback, data); a callback used by
EAP-FAST/EAP-TEAP to parse and process the TLS session ticket
- New feature: Added a binding SSL_set_session_ticket_ext(ssl, ticket); used
by EAP-FAST/EAP-TEAP to define the TLS session ticket value
- Bugfix: tlsext_ticket_key_cb_invoke(...): allow SHA256 HMAC key to be 32
bytes instead of 16 bytes (which OpenSSL will pad with zeros up to 32
bytes)
- New feature: Added following bindings:
- X509_get_ex_data(cert, idx)
- X509_get_ex_new_index(argl, argp, new_func, dup_func, free_func)
- X509_get_app_data(cert)
- X509_set_ex_data(cert, idx, data)
- X509_set_app_data(cert, arg)
- X509_STORE_CTX_get_ex_new_index(argl, argp, new_func, dup_func, free_func)
- X509_STORE_CTX_get_app_data(x509_store_ctx)
- X509_STORE_CTX_set_app_data(x509_store_ctx, arg)
- New feature: Added an implementation for
SSL_get_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE)
- New feature: Added an implementation for
SSL_get_peer_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE)
- Bugfix: SSL_get_keyblock_size(s): Calculate key block size correctly also
with AEAD ciphers, which don’t use digest functions
- New feature: Added a binding SSL_set_tlsext_status_ocsp_resp(ssl, staple);
used by a server side to include OCSP staple in ServerHello
- Bugfix: SSL_OCSP_response_verify(ssl, rsp, svreq, flags): check that chain
and last are not NULL before trying to use them
- Bugfix: inc/Module/Install/PRIVATE/Net/SSLeay.pm: Don’t quote include and
lib paths
- Drop EL-5 support
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %install section
- Drop explicit %clean section