%if 0%{?rhel} >= 9
%bcond_with perl_IO_Socket_SSL_test_unused_idn
%else
%bcond_without perl_IO_Socket_SSL_test_unused_idn
%endif
%bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6

Name:		perl-IO-Socket-SSL
Version:	2.073
Release:	1%{?dist}
Summary:	Perl library for transparent SSL
License:	(GPL+ or Artistic) and MPLv2.0
URL:		https://metacpan.org/release/IO-Socket-SSL
Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
Patch0:		IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
Patch1:		IO-Socket-SSL-2.068-use-system-default-SSL-version.patch
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# bug #1632660, requires openssl tool
Patch2:		IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch
Patch3:		IO-Socket-SSL-2.068-openssl-1.1.1e.patch
BuildArch:	noarch
# Module Build
BuildRequires:	coreutils
BuildRequires:	make
BuildRequires:	perl-generators
BuildRequires:	perl-interpreter
BuildRequires:	perl(ExtUtils::MakeMaker) >= 6.76
# Module Runtime
BuildRequires:	openssl-libs >= 0.9.8
BuildRequires:	perl(Carp)
BuildRequires:	perl(Config)
BuildRequires:	perl(constant)
BuildRequires:	perl(Errno)
BuildRequires:	perl(Exporter)
BuildRequires:	perl(HTTP::Tiny)
BuildRequires:	perl(IO::Socket)
BuildRequires:	perl(IO::Socket::INET)
BuildRequires:	perl(IO::Socket::IP) >= 0.31
BuildRequires:	perl(Net::SSLeay) >= 1.46
BuildRequires:	perl(Scalar::Util)
BuildRequires:	perl(Socket) >= 1.95
BuildRequires:	perl(strict)
BuildRequires:	perl(URI::_idna)
BuildRequires:	perl(vars)
BuildRequires:	perl(warnings)
# Test Suite
# openssl tool required for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires:	openssl
BuildRequires:	perl(Data::Dumper)
BuildRequires:	perl(File::Temp)
BuildRequires:	perl(FindBin)
BuildRequires:	perl(IO::Select)
%if %{with perl_IO_Socket_SSL_test_IO_Socket_INET6}
BuildRequires:	perl(IO::Socket::INET6) >= 2.62
%endif
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires:	perl(IPC::Run)
%if %{with perl_IO_Socket_SSL_test_unused_idn}
BuildRequires:	perl(Net::IDN::Encode)
BuildRequires:	perl(Net::LibIDN)
%endif
BuildRequires:	perl(Test::More) >= 0.88
BuildRequires:	perl(utf8)
BuildRequires:	procps
# Runtime
Requires:	perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires:	openssl-libs >= 0.9.8
Requires:	perl(Config)
Requires:	perl(HTTP::Tiny)
Requires:	perl(IO::Socket::INET)
Requires:	perl(IO::Socket::IP) >= 0.31
Requires:	perl(Socket) >= 1.95
Requires:	perl(URI::_idna)

%description
This module is a true drop-in replacement for IO::Socket::INET that
uses SSL to encrypt data before it is transferred to a remote server
or client. IO::Socket::SSL supports all the extra features that one
needs to write a full-featured SSL client or server application:
multiple SSL contexts, cipher selection, certificate verification, and
SSL version selection. As an extra bonus, it works perfectly with
mod_perl.

%prep
%setup -q -n IO-Socket-SSL-%{version}

# Allow building with OpenSSL 1.1.1e as the Fedora package has the
# problematic EOF handling change reverted
%patch3

# Use system-wide default cipher list to support use of system-wide
# crypto policy (#1076390, #1127577, CPAN RT#97816)
# https://fedoraproject.org/wiki/Changes/CryptoPolicy
%patch0

# Use system-default SSL version too
%patch1

# Add a test for PHA
%patch2 -p1

%build
NO_NETWORK_TESTING=1 perl Makefile.PL \
	INSTALLDIRS=vendor \
	NO_PACKLIST=1 \
	NO_PERLLOCAL=1
%{make_build}

%install
%{make_install}
%{_fixperms} -c %{buildroot}

%check
make test

%files
# GPL+ or Artistic
%doc BUGS Changes README docs/ example/
%dir %{perl_vendorlib}/IO/
%dir %{perl_vendorlib}/IO/Socket/
%dir %{perl_vendorlib}/IO/Socket/SSL/
%doc %{perl_vendorlib}/IO/Socket/SSL.pod
%{perl_vendorlib}/IO/Socket/SSL.pm
%{perl_vendorlib}/IO/Socket/SSL/Intercept.pm
%{perl_vendorlib}/IO/Socket/SSL/Utils.pm
%{_mandir}/man3/IO::Socket::SSL.3*
%{_mandir}/man3/IO::Socket::SSL::Intercept.3*
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
# MPLv2.0
%{perl_vendorlib}/IO/Socket/SSL/PublicSuffix.pm
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*

%changelog
* Tue Jan 04 2022 Michal Josef Špaček <mspacek@redhat.com> - 2.073-1
- Update to 2.073, which has official support for OpenSSL 3.0.0
  Related: rhbz#1968046

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065

* Tue Jun 08 2021 Michal Josef Špaček <mspacek@redhat.com> - 2.070-4
- Remove failing tests in openssl 3.0.0-alpha16. Related: rhbz#1968046
  - Provisional for mass rebuild of openssl3.

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Fri Mar 19 2021 Petr Pisar <ppisar@redhat.com> - 2.070-2
- Disable optional libidn tests on ELN

* Fri Feb 26 2021 Paul Howarth <paul@city-fan.org> - 2.070-1
- Update to 2.070
  - Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.069-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 23 2021 Paul Howarth <paul@city-fan.org> - 2.069-1
- Update to 2.069
  - IO::Socket::Utils CERT_asHash and CERT_create now support subject and
    issuer with multiple same parts (like multiple OU); in this case an array
    ref instead of a scalar is used as hash value (GH#95)

* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.068-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.068-2
- Perl 5.32 rebuild

* Tue Mar 31 2020 Paul Howarth <paul@city-fan.org> - 2.068-1
- Update to 2.068
  - Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to
    prevent follow-up problems in tests and user code
    https://github.com/noxxi/p5-io-socket-ssl/issues/93
    https://github.com/openssl/openssl/issues/11388
    https://github.com/openssl/openssl/issues/11378
  - Update PublicSuffix with latest data from publicsuffix.org
- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in
  Fedora has had the problematic EOF-handling change reverted

* Sat Mar 21 2020 Paul Howarth <paul@city-fan.org> - 2.067-2
- Fix FTBFS with OpenSSL 1.1.1e
  https://github.com/noxxi/p5-io-socket-ssl/issues/93

* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1
- Update to 2.067
  - Fix memory leak on incomplete handshake (GH#92)
  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
    can decrease memory usage at the costs of more allocations (CPAN RT#129463)
  - More detailed error messages when loading of certificate file failed (GH#89)
  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
  - Fix warning when no ecdh support is available
  - Documentation update regarding use of select and TLS 1.3
  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
  - Stability fix for t/core.t

* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-7
- Default to PROFILE=SYSTEM cipher list (bug #1775167)

* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP ≥ 0.31
- Always require preferred IDN back-end: URI::_idna
- Modernize spec using %%{make_build} and %%{make_install}

* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4
- PublicSuffix.pm is licensed MPLv2.0 (#1724169)

* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)

* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2
- Perl 5.30 rebuild

* Wed Mar  6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
- Update to 2.066
  - Make sure that Net::SSLeay::CTX_get0_param is defined before using
    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
    LibreSSL 2.7.4 but not the first (CPAN RT#128716)
  - Prefer AES for server side cipher default since it is usually
    hardware-accelerated
  - Fix test t/verify_partial_chain.t by using the newly exposed function
    can_partial_chain instead of guessing (wrongly) if the functionality is
    available

* Mon Mar  4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
- Update to 2.064
  - Make algorithm for fingerprint optional, i.e. detect based on length of
    fingerprint (CPAN RT#127773)
  - Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
  - Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
    set
  - Update fingerprints for live tests

* Sat Mar  2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
- Update to 2.063
  - Support for both RSA and ECDSA certificate on same domain
  - Update PublicSuffix
  - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
    then linked against another API-incompatible version (i.e. more than just
    the patchlevel differs)

* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
- Update to 2.062
  - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
    OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
    in the trust store be usable as full trust anchors too

* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
- Update to 2.061
  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
    the previous (and undocumented) API for the session cache has been changed
  - Support for multiple curves, automatic setting of curves and setting of
    supported curves in client (needs Net::SSLeay ≥ 1.86)
  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
    client certificates are provided (needs Net::SSLeay ≥ 1.86)

* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
- Client sends a post-handshake-authentication extension if a client key and
  a certificate are available (bug #1632660)

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2
- Prevent tests from dying on SIGPIPE (CPAN RT#126899)

* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
- Update to 2.060
  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see
    also CPAN RT#126899
  - TLS 1.3 support is not complete yet for session reuse

* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)

* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1
- Update to 2.059
  - Fix memory leak when CRLs are used (CPAN RT#125867)
  - Fix memory leak when using stop_SSL and threads
    (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)

* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
- Update to 2.058
  - Fix memory leak that occurred with explicit stop_SSL in connection with
    non-blocking sockets or timeout (CPAN RT#125867)
  - Fix redefine warnings in case Socket6 is installed but neither
    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
    number or callback to create serial number based on the original certificate
  - New function get_session_reused to check if a session got reused
  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
    value
  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
    expects the extKeyUsage of clientAuth in the client cert also to be allowed
    by the CA if CA uses extKeyUsage

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.056-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.056-2
- Perl 5.28 rebuild

* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 2.056-1
- Update to 2.056
  - Intercept: Fix creation of serial number (basing it on binary digest
    instead of treating hex fingerprint as binary), allow use of own serial
    numbers again
  - t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
  - Update PublicSuffix

* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 2.055-1
- Update to 2.055
  - Use SNI also if hostname was given all-uppercase
  - Utils::CERT_create: Don't add authority key for issuer since Chrome does
    not like this
  - Intercept:
    - Change behavior of code-based cache to better support synchronizing
      within multiprocess/threaded set-ups
    - Don't use counter for serial number but somehow base it on original
      certificate in order to avoid conflicts with reuse of serial numbers
      after restart
  - Better support platforms without IPv6 (CPAN RT#124431)
  - Spelling fixes in documentation (CPAN RT#124306)

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.054-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Mon Jan 22 2018 Paul Howarth <paul@city-fan.org> - 2.054-1
- Update to 2.054
  - Small behavior fixes
    - If SSL_fingerprint is used and matches, don't check for OCSP
    - Utils::CERT_create: Small fixes to properly specify purpose, ability to
      use predefined complex purpose but disable some features
  - Update PublicSuffix
  - Updates for documentation, especially regarding pitfalls with forking or
    using non-blocking sockets, spelling fixes
  - Test fixes and improvements
    - Stability improvements for live tests
    - Regenerate certificates in certs/ and make sure they are limited to the
      correct purpose; check in program used to generate certificates
    - Adjust tests since certificates have changed and some tests used
      certificates intended for client authentication as server certificates,
      which now no longer works

* Mon Oct 23 2017 Paul Howarth <paul@city-fan.org> - 2.052-1
- Update to 2.052
  - Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
    the functions with dummies instead of removing NPN completely or setting
    OPENSSL_NO_NEXTPROTONEG
  - t/01loadmodule.t shows more output helpful in debugging problems
  - Update fingerprints for external tests
  - Update documentation to make behavior of syswrite more clear

* Tue Sep  5 2017 Paul Howarth <paul@city-fan.org> - 2.051-1
- Update to 2.051
  - syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
    OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
    (GH#62)

* Fri Aug 18 2017 Paul Howarth <paul@city-fan.org> - 2.050-1
- Update to 2.050
  - Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
    supported, as is the case with openssl versions in latest Debian (buster)

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.049-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Mon Jun 12 2017 Paul Howarth <paul@city-fan.org> - 2.049-1
- Update to 2.049
  - Fixed problem caused by typo in the context of session cache (GH#60)
  - Updated PublicSuffix information from publicsuffix.org

* Mon Jun 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.048-2
- Perl 5.26 rebuild

* Mon Apr 17 2017 Paul Howarth <paul@city-fan.org> - 2.048-1
- Update to 2.048
  - Fixed small memory leaks during destruction of socket and context
    (CPAN RT#120643)
- Drop support for EOL distributions prior to F-13
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %%install section
  - Drop explicit %%clean section

* Fri Feb 17 2017 Paul Howarth <paul@city-fan.org> - 2.047-1
- Update to 2.047
  - Better fix for problem which 2.046 tried to fix but broke LWP that way
- Update patches as needed

* Thu Feb 16 2017 Paul Howarth <paul@city-fan.org> - 2.046-1
- Update to 2.046
  - Clean up everything in DESTROY and make sure to start with a fresh
    %%{*self} in configure_SSL because it can happen that a GLOB gets used
    again without calling DESTROY
    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- Update patches as needed

* Tue Feb 14 2017 Paul Howarth <paul@city-fan.org> - 2.045-1
- Update to 2.045
  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects (GH#55)
  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if
    perl is compiled without thread support
  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with
    openssl build without SSLv3 support
  - When setting SSL_keepSocketOnError to true the socket will not be closed on
    fatal error (GH#53, modified)
- Update patches as needed

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.044-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Jan 26 2017 Paul Howarth <paul@city-fan.org> - 2.044-1
- Update to 2.044
  - Protect various 'eval'-based capability detections at startup with a
    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL
    as done by various third party software should cause less problems even if
    there is a global __DIE__ handler that does not properly deal with 'eval'
- Update patches as needed

* Fri Jan  6 2017 Paul Howarth <paul@city-fan.org> - 2.043-1
- Update to 2.043
  - Enable session ticket callback with Net::SSLeay ≥ 1.80
  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the
    session no longer gets reused if it was not properly closed, which is now
    done using an explicit close by the client
- Update patches as needed

* Wed Jan  4 2017 Paul Howarth <paul@city-fan.org> - 2.041-1
- Update to 2.041
  - Leave session ticket callback off for now until the needed patch is
    included in Net::SSLeay (see
    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)
- Update patches as needed

* Sun Dec 18 2016 Paul Howarth <paul@city-fan.org> - 2.040-1
- Update to 2.040
  - Fix detection of default CA path for OpenSSL 1.1.x
  - Utils::CERT_asHash now includes the signature algorithm used
  - Utils::CERT_asHash can now deal with large serial numbers
- Update patches as needed

* Mon Nov 21 2016 Paul Howarth <paul@city-fan.org> - 2.039-1
- Update to 2.039
  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1
    on EOF without proper SSL shutdown; since it looks like that this behavior
    will be kept at least for 1.1.1+, adapt to the changed API by treating
    errno=NOERR on SSL_ERROR_SYSCALL as EOF
- Update patches as needed

* Mon Sep 19 2016 Paul Howarth <paul@city-fan.org> - 2.038-1
- Update to 2.038
  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before
    contains bug; add test for session reuse
  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
  - Fix t/external/ocsp.t to use different server (under my control) to check
    OCSP stapling
- Update patches as needed

* Tue Aug 23 2016 Paul Howarth <paul@city-fan.org> - 2.037-1
- Update to 2.037
  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)
  - Fix session cache del_session: it freed the session but did not properly
    remove it from the cache; further reuse caused crash
- Update patches as needed

* Thu Aug 11 2016 Paul Howarth <paul@city-fan.org> - 2.035-1
- Update to 2.035
  - Fixes for issues introduced in 2.034
    - Return with error in configure_SSL if context creation failed; this
      might otherwise result in a segmentation fault later
    - Apply builtin defaults before any (user configurable) global settings
      (i.e. done with set_defaults, set_default_context...) so that builtins
      don't replace user settings
- Update patches as needed

* Mon Aug  8 2016 Paul Howarth <paul@city-fan.org> - 2.034-1
- Update to 2.034
  - Move handling of global SSL arguments into creation of context, so that
    these get also applied when creating a context only
- Update patches as needed

* Sat Jul 16 2016 Paul Howarth <paul@city-fan.org> - 2.033-1
- Update to 2.033
  - Support for session ticket reuse over multiple contexts and processes (if
    supported by Net::SSLeay)
  - Small optimizations, like saving various Net::SSLeay constants into
    variables and access variables instead of calling the constant sub all the
    time
  - Make t/dhe.t work with openssl 1.1.0
- Update patches as needed

* Tue Jul 12 2016 Paul Howarth <paul@city-fan.org> - 2.032-1
- Update to 2.032
  - Set session id context only on the server side; even if the documentation
    for SSL_CTX_set_session_id_context makes clear that this function is server
    side only, it actually affects handling of session reuse on the client side
    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session
    in different context" at the client

* Fri Jul  8 2016 Paul Howarth <paul@city-fan.org> - 2.031-1
- Update to 2.031
  - Utils::CERT_create - don't add given extensions again if they were already
    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)
    extensions are given twice
  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
    with the reverse order as in the PKCS12 file, because that's what it does
  - Support for creating ECC keys in Utils once supported by Net::SSLeay
  - Remove internal sub session_cache and access cache directly (faster)
- Update patches as needed

* Tue Jun 28 2016 Paul Howarth <paul@city-fan.org> - 2.029-1
- Update to 2.029
  - Add del_session method to session cache
  - Use SSL_session_key as the real key for the cache and not some derivate of
    it, so that it works to remove the entry using the same key
- BR: perl-generators

* Mon May 16 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.027-2
- Perl 5.24 rebuild

* Thu Apr 21 2016 Paul Howarth <paul@city-fan.org> - 2.027-1
- Update to 2.027
  - Updated Changes file for 2.026

* Wed Apr 20 2016 Paul Howarth <paul@city-fan.org> - 2.026-1
- Update to 2.026
  - Upstream's default cipher lists updated (we use system default though)
- Update patches as needed

* Mon Apr  4 2016 Paul Howarth <paul@city-fan.org> - 2.025-1
- Update to 2.025
  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)
- Simplify find command using -delete

* Sun Feb  7 2016 Paul Howarth <paul@city-fan.org> - 2.024-1
- Update to 2.024
  - Work around issue where the connect fails on systems having only a loopback
    interface and where IO::Socket::IP is used as super class (default when
    available)
- Update patches as needed

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.023-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Sat Jan 30 2016 Paul Howarth <paul@city-fan.org> - 2.023-1
- Update to 2.023
  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS
    connection was not fully established, which somehow resulted in
    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless
    loop; it will now ignore this result in case the TLS connection was not
    yet established and consider the TLS connection closed instead
- Update patches as needed

* Thu Dec 10 2015 Paul Howarth <paul@city-fan.org> - 2.022-1
- Update to 2.022
  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash
    (CPAN RT#110253)

* Thu Dec  3 2015 Paul Howarth <paul@city-fan.org> - 2.021-1
- Update to 2.021
  - Fixes for documentation and typos
  - Update PublicSuffix with latest version from publicsuffix.org
- Update patches as needed

* Mon Sep 21 2015 Paul Howarth <paul@city-fan.org> - 2.020-1
- Update to 2.020
  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories
    can be given as array or as string with a path separator
  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)
- Update patches as needed

* Tue Sep  1 2015 Paul Howarth <paul@city-fan.org> - 2.019-1
- Update to 2.019
  - Work around different behavior of getnameinfo from Socket and Socket6 by
    using a different wrapper depending on which module is used for IPv6
- Update patches as needed

* Mon Aug 31 2015 Paul Howarth <paul@city-fan.org> - 2.018-1
- Update to 2.018
  - Checks for readability of files/dirs for certificates and CA no longer use
    -r because this is not safe when ACLs are used (CPAN RT#106295)
  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)
  - get_fingerprint can now take optional certificate as argument and compute
    the fingerprint of it; useful in connection with sock_certificate
  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on
    some platforms (CPAN RT#106573)
  - Enforce default verification scheme if nothing was specified, i.e. no
    longer just warn but accept; if really no verification is wanted, a scheme
    of 'none' must be explicitly specified
  - Support different cipher suites per SNI hosts
  - startssl.t failed on darwin with old openssl since server requested client
    certificate but offered also anon ciphers (CPAN RT#106687)
- Update patches as needed

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.016-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue Jun 09 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.016-2
- Perl 5.22 rebuild

* Sun Jun  7 2015 Paul Howarth <paul@city-fan.org> - 2.016-1
- Update to 2.016
  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)
  - Work around hanging prompt() with older perl in Makefile.PL
    (CPAN RT#104731)
  - Make t/memleak_bad_handshake.t work on cygwin and other systems having
    /proc/pid/statm (CPAN RT#104659)
  - Add better debugging

* Sat Jun 06 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.015-2
- Perl 5.22 rebuild

* Thu May 14 2015 Paul Howarth <paul@city-fan.org> - 2.015-1
- Update to 2.015
  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using
    Domain AF_INET in the tests (CPAN RT#104226)

* Tue May  5 2015 Paul Howarth <paul@city-fan.org> - 2.014-1
- Update to 2.014
  - Utils::CERT_create - work around problems with authorityInfoAccess, where
    OpenSSL i2v does not create the same string as v2i expects
  - Intercept - don't clone some specific extensions that only make sense with
    the original certificate

* Fri May  1 2015 Paul Howarth <paul@city-fan.org> - 2.013-1
- Update to 2.013
  - Assign severities to internal error handling and make sure that follow-up
    errors like "configuration failed" or "certificate verify error" don't
    replace more specific "hostname verification failed" when reporting in
    sub errstr/$SSL_ERROR (CPAN RT#103423)
  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)

* Mon Feb  2 2015 Paul Howarth <paul@city-fan.org> - 2.012-1
522272
- Update to 2.012
522272
  - Fix t/ocsp.t in case no HTTP::Tiny is installed
522272
522272
* Sun Feb  1 2015 Paul Howarth <paul@city-fan.org> - 2.011-1
522272
- Update to 2.011
522272
  - Fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling
522272
    (CPAN RT#101855)
522272
  - Added option 'purpose' to Utils::CERT_create to get better control of the
522272
    certificate's purpose; default is 'server,client' for non-CA (contrary to
522272
    only 'server' before)
522272
  - Removed RC4 from default cipher suites on the server side
522272
    (https://github.com/noxxi/p5-io-socket-ssl/issues/22)
522272
  - Refactoring of some tests using Test::More
522272
- Note that this package still uses system-default cipher and SSL versions,
522272
  which may have RC4 enabled
522272
- Update patches as needed
522272
522272
* Thu Jan 15 2015 Paul Howarth <paul@city-fan.org> - 2.010-1
522272
- Update to 2.010
522272
  - New options SSL_client_ca_file and SSL_client_ca to let the server send the
522272
    list of acceptable CAs for the client certificate
522272
  - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay
522272
    (CPAN RT#101485)
522272
522272
* Mon Jan 12 2015 Paul Howarth <paul@city-fan.org> - 2.009-1
522272
- Update to 2.009
522272
  - Remove util/analyze.pl; this tool is now together with other SSL tools at
522272
    https://github.com/noxxi/p5-ssl-tools
522272
  - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)
522272
522272
* Thu Dec 18 2014 Paul Howarth <paul@city-fan.org> - 2.008-1
522272
- Update to 2.008
522272
  - Work around recent OCSP verification errors for revoked.grc.com (badly
522272
    signed OCSP response, Firefox also complains about it) in test
522272
    t/external/ocsp.t
522272
  - util/analyze.pl - report more details about preferred cipher for specific
522272
    TLS versions
522272
522272
* Thu Nov 27 2014 Paul Howarth <paul@city-fan.org> - 2.007-1
522272
- Update to 2.007
522272
  - Make getline/readline fall back to super class if class is not sslified
522272
    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)
522272
522272
* Sun Nov 23 2014 Paul Howarth <paul@city-fan.org> - 2.006-1
522272
- Update to 2.006
522272
  - Make SSLv3 available even if the SSL library disables it by default in
522272
    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3
522272
    so this will be only done when setting SSL_version explicitly
522272
  - Fix possible segmentation fault when trying to use an invalid certificate
522272
  - Use only the ICANN part of the default public suffix list and not the
522272
    private domains; this makes existing exceptions for s3.amazonaws.com and
522272
    googleapis.com obsolete
522272
  - Fix t/protocol_version.t to deal with OpenSSL installations that are
522272
    compiled without SSLv3 support
522272
  - Make (hopefully) non-blocking work on Windows by using EWOULDBLOCK instead
522272
    of EAGAIN; while this is the same on UNIX it is different on Windows and
522272
    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN
522272
  - Enable non-blocking tests on Windows too
522272
  - Make PublicSuffix::_default_data thread safe
522272
  - Update PublicSuffix with latest list from publicsuffix.org
522272
- Note that this package still uses system-default cipher and SSL versions,
522272
  which may have SSL3.0 enabled
522272
- Classify buildreqs by usage
522272
522272
* Wed Oct 22 2014 Paul Howarth <paul@city-fan.org> - 2.002-1
522272
- Update to 2.002
522272
  - Fix check for (invalid) IPv4 when validating hostname against certificate;
522272
    do not use inet_aton any longer because it can cause DNS lookups for
522272
    malformed IP (CPAN RT#99448)
522272
  - Update PublicSuffix with latest version from publicsuffix.org - lots of new
522272
    top level domains
522272
  - Add exception to PublicSuffix for s3.amazonaws.com (CPAN RT#99702)
522272
522272
* Tue Oct 21 2014 Paul Howarth <paul@city-fan.org> - 2.001-1
522272
- Update to 2.001
522272
  - Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
522272
  - Update external tests with currently expected fingerprints of hosts
522272
  - Some fixes to make it still work on 5.8.1
522272
522272
* Thu Oct 16 2014 Paul Howarth <paul@city-fan.org> - 2.000-1
522272
- Update to 2.000
522272
  - Consider SSL3.0 as broken because of POODLE and disable it by default
522272
  - Skip live tests without asking if environment NO_NETWORK_TESTING is set
522272
  - Skip tests that require fork on non-default Windows setups without proper
522272
    fork (https://github.com/noxxi/p5-io-socket-ssl/pull/18)
522272
- Note that this package still uses system-default cipher and SSL versions,
522272
  which may have SSL3.0 enabled
522272
522272
* Fri Oct 10 2014 Paul Howarth <paul@city-fan.org> - 1.999-1
522272
- Update to 1.999
522272
  - Make sure we don't use version 0.30 of IO::Socket::IP
522272
  - Make sure that PeerHost is checked in all places where PeerAddr is checked,
522272
    because these are synonyms and IO::Socket::IP prefers PeerHost while others
522272
    prefer PeerAddr; also accept PeerService additionally to PeerPort
522272
    (https://github.com/noxxi/p5-io-socket-ssl/issues/16)
522272
  - Add ability to use client certificates and to overwrite hostname with
522272
    util/analyze-ssl.pl
522272
522272
* Mon Sep 22 2014 Paul Howarth <paul@city-fan.org> - 1.998-1
522272
- Update to 1.998
522272
  - Make client authentication work at the server side when SNI is in use by
522272
    having CA path and other settings in all SSL contexts instead of only the
522272
    main one (https://github.com/noxxi/p5-io-socket-ssl/pull/15)
522272
522272
* Thu Aug 28 2014 Jitka Plesnikova <jplesnik@redhat.com> - 1.997-4
522272
- Perl 5.20 rebuild
522272
522272
* Thu Aug  7 2014 Paul Howarth <paul@city-fan.org> - 1.997-3
522272
- Use system-default SSL version too
522272
522272
* Thu Aug  7 2014 Paul Howarth <paul@city-fan.org> - 1.997-2
522272
- Use system-wide default cipher list to support use of system-wide
522272
  crypto policy (#1076390, #1127577, CPAN RT#97816)
522272
  https://fedoraproject.org/wiki/Changes/CryptoPolicy
522272
522272
* Mon Jul 14 2014 Paul Howarth <paul@city-fan.org> - 1.997-1
522272
- Update to 1.997
522272
  - Fix initialization and creation of OpenSSL-internals for perlcc
522272
    compatibility (CPAN RT#95452)
522272
  - Add refresh option for peer_certificate, so that it checks if the
522272
    certificate changed in the meantime (on renegotiation)
522272
  - Fix fingerprint checking - now applies only to top-most certificate
522272
  - IO::Socket::SSL::Utils - accept extensions within CERT_create
522272
  - Various documentation fixes
522272
522272
* Mon Jun 23 2014 Paul Howarth <paul@city-fan.org> - 1.994-1
522272
- Update to 1.994
522272
  - IO::Socket::SSL can now be used as dual-use socket, e.g. start plain,
522272
    upgrade to SSL and downgrade again all with the same object; see
522272
    documentation of SSL_startHandshake and chapter Advanced Usage
522272
  - Try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
522272
    fails; this is needed if one wants to explicitly verify OCSP lookups even
522272
    if verification is otherwise off, because otherwise the signature check
522272
    would fail (this is mostly useful for testing)
522272
  - Reorder documentation of attributes for new, so that the more important
522272
    ones are at the top
522272
522272
* Sun Jun 15 2014 Paul Howarth <paul@city-fan.org> - 1.993-1
522272
- Update to 1.993
522272
  - Major rewrite of documentation, now in separate file
522272
  - Rework error handling to distinguish between SSL errors and internal errors
522272
    (like missing capabilities)
522272
  - Fix handling of default_ca if given during the run of the program
522272
    (Debian #750646)
522272
  - util/analyze-ssl.pl - fix hostname check if SNI does not work
522272
522272
* Tue Jun 10 2014 Paul Howarth <paul@city-fan.org> - 1.992-1
522272
- Update to 1.992
522272
  - Set $! to undef before doing IO (accept, read...); on Windows a connection
522272
    reset could cause an SSL read error without setting $!, so make sure we
522272
    don't keep the old value and maybe thus run into an endless loop
522272
522272
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.991-2
522272
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
522272
522272
* Wed May 28 2014 Paul Howarth <paul@city-fan.org> - 1.991-1
522272
- Update to 1.991
522272
  - New option SSL_OCSP_TRY_STAPLE to enforce staple request even if
522272
    VERIFY_NONE
522272
  - Work around for CPAN RT#96013 in peer_certificates
522272
522272
* Tue May 27 2014 Paul Howarth <paul@city-fan.org> - 1.990-1
522272
- Update to 1.990
522272
  - Added option SSL_ocsp_staple_callback to get the stapled OCSP response and
522272
    verify it somewhere else
522272
  - Try to fix warnings on Windows again (CPAN RT#95967)
522272
  - Work around temporary OCSP error in t/external/ocsp.t
522272
522272
* Sun May 25 2014 Paul Howarth <paul@city-fan.org> - 1.989-1
522272
- Update to 1.989
522272
  - Fix warnings on Windows (CPAN RT#95881)
522272
522272
* Sat May 17 2014 Paul Howarth <paul@city-fan.org> - 1.988-1
522272
- Update to 1.988
522272
  - Allow IPv4 in common name, because browsers allow this too; only for scheme
522272
    www/http though, not for rfc2818 (because RFC2818 does not allow this; in
522272
    default scheme IPv6 and IPv4 are allowed in CN)
522272
  - Fix handling of public suffix; add exemption for *.googleapis.com
522272
    wildcard, which should not be allowed according to public suffix list but
522272
    actually is used
522272
  - Add hostname verification test based on older test of chromium, but change
522272
    some of the test expectations because we don't want to support IP as SAN
522272
    DNS and because we enforce a public suffix list (and thus *.co.uk should
522272
    not be allowed)
522272
  - Fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
522272
    (CPAN RT#95719)
522272
  - Enable IPv6 support only if we have a usable inet_pton
522272
  - Remove stale entries from MANIFEST
522272
  - Add transparent support for DER and PKCS#12 files to specify cert and key,
522272
    e.g. it will autodetect the format
522272
  - If SSL_cert_file is PEM and no SSL_key_file is given it will check if the
522272
    key is in SSL_cert_file too
522272
522272
* Thu May 15 2014 Paul Howarth <paul@city-fan.org> - 1.985-1
522272
- Update to 1.985
522272
  - Make OCSP callback return 1 even if it was called on the server side
522272
    because of bad setup of the socket; otherwise we get an endless calling of
522272
    the OCSP callback
522272
  - Consider an OCSP response that is not yet or no longer valid a soft error
522272
    instead of a hard error
522272
  - Fix skip in t/external/ocsp.t in case fingerprint does not match
522272
  - Call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free
522272
    (CPAN RT#95633)
522272
  - util/analyze.pl - with --show-chain check if chain with SNI is different
522272
    from chain w/o SNI
522272
- Drop ExtUtils::MakeMaker version requirement
522272
522272
* Wed May 14 2014 Paul Howarth <paul@city-fan.org> - 1.984-2
522272
- Fix typo in Utils.pm (#1097640, CPAN RT#95633)
522272
522272
* Sat May 10 2014 Paul Howarth <paul@city-fan.org> - 1.984-1
522272
- Update to 1.984
522272
  - Added OCSP support:
522272
    - Needs Net::SSLeay ≥ 1.59
522272
    - For usage see documentation of IO::Socket::SSL (examples and anything
522272
      with OCSP in the name)
522272
  - New tool util/analyze-ssl.pl, which is intended to help in debugging of SSL
522272
    problems and to get information about capabilities of server; it works also
522272
    as an example of how to use various features (like OCSP, SNI...)
522272
  - Fix peer_certificates (returns leaf certificate only once on client side)
522272
  - Added timeout for stop_SSL (either with Timeout or with the default timeout
522272
    for IO::Socket)
522272
  - Fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
522272
    time is not GMT; use Net::SSLeay::ASN1_TIME_timet if available
522272
  - Fix t/external/usable_ca.t for system with junk in CA files
522272
522272
* Sun May  4 2014 Paul Howarth <paul@city-fan.org> - 1.983-1
522272
- Update to 1.983
522272
  - Fix public suffix handling: ajax.googleapis.com should be ok even if
522272
    googleapis.com is in public suffix list (e.g. check one level less)
522272
    (CPAN RT#95317)
522272
  - usable_ca.t - update fingerprints after heartbleed attack
522272
  - usable_ca.t - make sure we have usable CA for tested hosts in CA store
522272
522272
* Thu Apr 24 2014 Paul Howarth <paul@city-fan.org> - 1.982-1
522272
- Update to 1.982
522272
  - Fix for using subroutine as argument to set_args_filter_hack
522272
522272
* Tue Apr  8 2014 Paul Howarth <paul@city-fan.org> - 1.981-1
522272
- Update to 1.981
522272
  - Fix ecdhe test for openssl 1.0.1d (CPAN RT#95432)
522272
  - Fix detection of openssl 1.0.1d (detected 1.0.1e instead)
522272
  - New function can_ecdh in IO::Socket::SSL
522272
522272
* Tue Apr  8 2014 Paul Howarth <paul@city-fan.org> - 1.980-1
522272
- Update to 1.980
522272
  - Disable elliptic curve support for openssl 1.0.1d on 64-bit
522272
    (http://rt.openssl.org/Ticket/Display.html?id=2975)
522272
  - Fix certificate fingerprint calculation
522272
- Add patch to skip elliptic curve test for openssl 1.0.1d on 64-bit
522272
- Add patch to fix openssl version test
522272
522272
* Sun Apr  6 2014 Paul Howarth <paul@city-fan.org> - 1.979-1
522272
- Update to 1.979
522272
  - Hostname checking:
522272
    - Configuration of 'leftmost' is renamed to 'full_label', but the old
522272
      version is kept for compatibility reasons
522272
    - Documentation of predefined schemes fixed to match reality
522272
522272
* Fri Apr  4 2014 Paul Howarth <paul@city-fan.org> - 1.978-1
522272
- Update to 1.978
522272
  - Added public prefix checking to verification of wildcard certificates, e.g.
522272
    accept *.foo.com but not *.co.uk; see documentation of
522272
    SSL_verifycn_publicsuffix and IO::Socket::SSL::PublicSuffix
522272
  - Fix publicsuffix for IDNA, more tests with various IDNA libs
522272
    (CPAN RT#94424)
522272
  - Reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
522272
  - Add more checks to external/usable_ca.t; now it is enough that at least one
522272
    of the hosts verifies against the built-in CA store
522272
  - Add openssl and Net::SSLeay version to diagnostics in load test
522272
- Switch preferred IDN back-end from Net::LibIDN to URI::_idna as per upstream,
522272
  falling back to Net::IDN::Encode on older distributions
522272
- Add fix from upstream git to support building with Test::More < 0.88
522272
522272
* Wed Apr  2 2014 Paul Howarth <paul@city-fan.org> - 1.975-1
522272
- Update to 1.975
522272
  - BEHAVIOR CHANGE: work around TEA misfeature on OS X built-in openssl, e.g.
522272
    guarantee that only the explicitly-given CA or the openssl default CA will
522272
    be used; this means that certificates inside the OS X keyring will no
522272
    longer be used, because there is no way to control the use by openssl
522272
    (e.g. certificate pinning etc.)
522272
  - Make external tests run by default to make sure default CA works on all
522272
    platforms; it skips automatically on network problems like timeouts or SSL
522272
    interception, and can also use http(s)_proxy environment variables
522272
522272
* Wed Apr  2 2014 Paul Howarth <paul@city-fan.org> - 1.974-1
522272
- Update to 1.974
522272
  - New function peer_certificates to get the whole certificate chain; needs
522272
    Net::SSLeay ≥ 1.58
522272
  - Extended IO::Socket::Utils::CERT_asHash to provide way more information,
522272
    like issuer information, cert and pubkey digests, all extensions, CRL
522272
    distribution points and OCSP uri
522272
522272
* Wed Mar 26 2014 Paul Howarth <paul@city-fan.org> - 1.973-1
522272
- Update to 1.973
522272
  - With SSL_ca, certificate handles can now be used in addition to
522272
    SSL_ca_file and SSL_ca_path
522272
  - No longer complain if SSL_ca_file and SSL_ca_path are both given;
522272
    instead, add both as options to the CA store
522272
  - Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create
522272
522272
* Sun Mar 23 2014 Paul Howarth <paul@city-fan.org> - 1.972-1
522272
- Update to 1.972
522272
  - Make sure t/external/usable_ca.t works also with older openssl without
522272
    support for SNI (CPAN RT#94117)
522272
522272
* Sat Mar 22 2014 Paul Howarth <paul@city-fan.org> - 1.971-1
522272
- Update to 1.971
522272
  - Try to use SSL_hostname for hostname verification if no SSL_verifycn_name
522272
    is given; this way, hostname for SNI and verification can be specified in
522272
    one step
522272
  - New test program example/simulate_proxy.pl
522272
522272
* Wed Mar 19 2014 Paul Howarth <paul@city-fan.org> - 1.970-1
522272
- Update to 1.970
522272
  - Make sure sub default_ca uses a local $_ and not a version of an outer
522272
    scope that might be read-only (CPAN RT#93987)
522272
522272
* Sun Mar 16 2014 Paul Howarth <paul@city-fan.org> - 1.969-1
522272
- Update to 1.969
522272
  - Fix set_defaults to match documentation regarding short names
522272
  - New function set_args_filter_hack to make it possible to override bad SSL
522272
    settings from other code at the last moment
522272
  - Determine default_ca on module load (and not on first use in each thread)
522272
  - Don't try default hostname verification if verify_mode 0
522272
  - Fix hostname verification when reusing context
522272
522272
* Thu Mar 13 2014 Paul Howarth <paul@city-fan.org> - 1.968-1
522272
- Update to 1.968
522272
  - BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
522272
    for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file; these
522272
    defaults were deprecated since 1.951 (July 2013)
522272
  - Usable CA verification path on Windows etc.:
522272
    - Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
522272
      system/build dependent default verification path, because there was no
522272
      way to retrieve these default values and check if they contained usable
522272
      CA
522272
    - Instead, re-implement the same algorithm and export the results with
522272
      public function default_ca() and make it possible to overwrite it
522272
    - Also check for usable verification path during build; if no usable path
522272
      is detected, require Mozilla::CA at build and try to use it at runtime
522272
522272
* Fri Feb  7 2014 Paul Howarth <paul@city-fan.org> - 1.967-1
522272
- Update to 1.967
522272
  - Verify the hostname inside a certificate by default with a superset of
522272
    common verification schemes instead of not verifying identity at all; for
522272
    now it will only complain if name verification failed but in the future it
522272
    will fail certificate verification, forcing you to set the expected
522272
    SSL_verifycn_name if you want to accept the certificate
522272
  - New option SSL_fingerprint and new methods get_fingerprint and
522272
    get_fingerprint_bin; together they can be used to selectively accept
522272
    specific certificates that would otherwise fail verification, like
522272
    self-signed, outdated or from unknown CAs
522272
  - Utils:
522272
    - Default RSA key length 2048
522272
    - Digest algorithm to sign certificate in CERT_create can be given;
522272
      defaults to SHA-256
522272
    - CERT_create can now issue non-CA self-signed certificate
522272
    - CERT_create add some more useful constraints to certificate
522272
  - Spelling fixes
522272
522272
* Wed Jan 22 2014 Paul Howarth <paul@city-fan.org> - 1.966-1
522272
- Update to 1.966
522272
  - Fixed bug introduced in 1.964 - disabling TLSv1_2 no longer worked by
522272
    specifying !TLSv12; only !TLSv1_2 worked
522272
  - Fixed leak of session objects in SessionCache, if another session
522272
    replaced an existing session (introduced in 1.965)
522272
522272
* Fri Jan 17 2014 Paul Howarth <paul@city-fan.org> - 1.965-1
522272
- Update to 1.965
522272
  - New key SSL_session_key to influence how sessions are inserted and looked
522272
    up in the client's session cache, which makes it possible to share sessions
522272
    over different ip:host (as is required with some FTPS servers)
522272
  - t/core.t - handle case where default loopback source is not 127.0.0.1, like
522272
    in FreeBSD jails
522272
522272
* Wed Jan 15 2014 Paul Howarth <paul@city-fan.org> - 1.964-1
522272
- Update to 1.964
522272
  - Disabling TLSv1_1 did not work, because the constant was wrong; now it gets
522272
    the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc.
522272
  - The new syntax for the protocols is TLSv1_1 instead of TLSv11, which matches
522272
    the syntax from OpenSSL (the old syntax continues to work in SSL_version)
522272
  - New functions get_sslversion and get_sslversion_int, which get the SSL
522272
    version of the established session as string or int
522272
  - Disable t/io-socket-inet6.t if Acme::Override::INET is installed
522272
522272
* Tue Jan 14 2014 Paul Howarth <paul@city-fan.org> - 1.963-1
522272
- Update to 1.963
522272
  - Fix behavior of stop_SSL: for blocking sockets it is now enough to call it
522272
    once, for non-blocking it should be called again as long as EAGAIN and
522272
    SSL_ERROR is set to SSL_WANT_(READ|WRITE)
522272
  - Don't call blocking if start_SSL failed and downgraded socket has no
522272
    blocking method
522272
  - Documentation enhancements:
522272
    - Special section for differences to IO::Socket
522272
    - Describe problem with blocking accept on non-blocking socket
522272
    - Describe arguments to new_from_fd and make clear that for upgrading an
522272
      existing IO::Socket, start_SSL should be used directly
522272
522272
* Thu Nov 28 2013 Paul Howarth <paul@city-fan.org> - 1.962-1
522272
- Update to 1.962
522272
  - Work around problems with older F5 BIG-IP by offering fewer ciphers on the
522272
    client side by default, so that the client hello stays below 255 bytes
522272
522272
* Tue Nov 26 2013 Paul Howarth <paul@city-fan.org> - 1.961-1
522272
- Update to 1.961
522272
  - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates that
522272
    are not self-signed (by giving issuer_*)
522272
522272
* Wed Nov 13 2013 Paul Howarth <paul@city-fan.org> - 1.960-1
522272
- Update to 1.960
522272
  - Only documentation enhancements:
522272
    - Clarify with text and example code, that within event loops not only
522272
      select/poll should be used, but also pending has to be called
522272
    - Better introduction into SSL; at least mention anonymous authentication as
522272
      something you don't want and should take care with the right cipher
522272
    - Make it more clear that it's better not to change the cipher list unless
522272
      you really know what you're doing
522272
- Adopt upstream's versioning scheme
522272
522272
* Tue Nov 12 2013 Paul Howarth <paul@city-fan.org> - 1.95.9-1
522272
- Update to 1.959
522272
  - Fix test t/core.t for Windows
522272
522272
* Mon Nov 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.8-1
522272
- Update to 1.958
522272
  Lots of behavior changes for more secure defaults:
522272
  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
522272
    - No longer support MD5 by default (broken)
522272
    - No longer support anonymous authentication by default (vulnerable to
522272
      man in the middle attacks)
522272
    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
522272
      that it uses by default forward secrecy, if underlying
522272
      Net::SSLeay/openssl supports it
522272
    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
522272
      hopefully have been fixed and now RC4 is considered less safe than 3DES)
522272
    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
522272
      to get the best cipher even if the client prefers other ciphers; PLEASE
522272
      NOTE that this might break connections with older, less secure
522272
      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
522272
  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
522272
    and thus gets reused if context gets reused; PLEASE NOTE that using
522272
    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
522272
    the ciphers of the context
522272
  - Rework hostname verification schemes:
522272
    - Add RFC names as scheme (e.g. 'rfc2818', ...)
522272
    - Add SIP, SNMP, syslog, netconf, GIST
522272
    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
522272
    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
522272
  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
522272
    'www2' etc. but not 'www'
522272
  - Anywhere wildcards like x* are no longer applied to IDNA names (which start
522272
    with 'xn--')
522272
  - Fix crash of Utils::CERT_free
522272
  - Support TLSv11, TLSv12 as handshake protocols
522272
  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
522272
    authorization; with the DH param given by default since 1.956, old versions
522272
    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
522272
    authorization) instead of AES256-SHA and thus the check for the peer
522272
    certificate failed (because ADH does not exchange certificates) - fixed by
522272
    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
522272
  - Cleaned up tests:
522272
    - Remove ssl_settings.req and 02settings.t, because all tests now create a
522272
      simple socket at 127.0.0.1 and thus global settings are no longer needed
522272
    - Some tests did not have use strict(!); fixed it
522272
    - Removed special handling for older Net::SSLeay versions that are less
522272
      than our minimum requirement
522272
    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
522272
      options where they were not really needed
522272
  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
522272
    least version 2.55 which is now 5 years old
522272
  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
522272
522272
* Fri Oct 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.5-1
522272
- Update to 1.955
522272
  - Support for perfect forward secrecy using ECDH, if the Net::SSLeay version
522272
    supports it
522272
522272
* Sun Sep 15 2013 Paul Howarth <paul@city-fan.org> - 1.95.4-1
522272
- Update to 1.954
522272
  - Accept older versions of ExtUtils::MakeMaker and add meta information like
522272
    link to repository only for newer versions
522272
522272
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.95.3-3
522272
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
522272
522272
* Mon Jul 22 2013 Petr Pisar <ppisar@redhat.com> - 1.95.3-2
522272
- Perl 5.18 rebuild
522272
522272
* Mon Jul 22 2013 Paul Howarth <paul@city-fan.org> - 1.95.3-1
522272
- Update to 1.953
522272
  - Precedence fixes for IO::Socket::SSL::Utils (CPAN RT#87052)
522272
522272
* Fri Jul 12 2013 Paul Howarth <paul@city-fan.org> - 1.95.2-1
522272
- Update to 1.952
522272
  - Fix t/acceptSSL-timeout.t on Win32 (CPAN RT#86862)
522272
522272
* Wed Jul  3 2013 Paul Howarth <paul@city-fan.org> - 1.95.1-1
522272
- Update to 1.951
522272
  (1.950)
522272
  - MAJOR BEHAVIOR CHANGE:
522272
    - ssl_verify_mode now defaults to verify_peer for client
522272
    - Previously it used verify_none, but loudly complained since 1.79 about it
522272
    - It will not complain any longer, but the connection will probably fail
522272
    - Please don't simply disable ssl verification; instead, set SSL_ca_file
522272
      etc. so that verification succeeds!
522272
  - MAJOR BEHAVIOR CHANGE:
522272
    - It will now complain if the built-in defaults of certs/my-ca.pem or ca/
522272
      for CA and certs/{server,client}-{key,cert}.pem for cert and key are
522272
      used, i.e. no certificates are specified explicitly
522272
    - In the future these insecure (relative path!) defaults will be removed
522272
      and the CA replaced with the system defaults
522272
  (1.951)
522272
  - Use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's built-in
522272
    defaults for CA unless CA path/file was given (or IO::Socket::SSL built-ins
522272
    used)
522272
522272
* Sat Jun  1 2013 Paul Howarth <paul@city-fan.org> - 1.94-1
522272
- Update to 1.94
522272
  - Makefile.PL reported wrong version of openssl if Net::SSLeay was not
522272
    installed, instead of reporting a missing dependency of Net::SSLeay
522272
522272
* Fri May 31 2013 Paul Howarth <paul@city-fan.org> - 1.93-1
522272
- Update to 1.93
522272
  - Need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
522272
    years ago; remove code to work around older releases
522272
  - Changed AUTHOR in Makefile.PL from array back to string, because the array
522272
    feature is not available in MakeMaker shipped with 5.8.9 (CPAN RT#85739)
522272
- Set openssl version requirement to 0.9.8
522272
- Drop ExtUtils::MakeMaker version requirement back to 6.46
522272
522272
* Thu May 30 2013 Paul Howarth <paul@city-fan.org> - 1.92-1
522272
- Update to 1.92
522272
  - Intercept: use sha1-fingerprint of original cert for id into cache unless
522272
    otherwise given
522272
  - Fix pod error in IO::Socket::SSL::Utils (CPAN RT#85733)
522272
522272
* Thu May 30 2013 Paul Howarth <paul@city-fan.org> - 1.91-1
522272
- Update to 1.91
522272
  - Added IO::Socket::SSL::Utils for easier manipulation of certificates and
522272
    keys
522272
  - Moved SSL interception into IO::Socket::SSL::Intercept and simplified it
522272
    using IO::Socket::SSL::Utils
522272
  - Enhance meta information in Makefile.PL
522272
- Bump openssl version requirement to 0.9.8a
522272
- Need at least version 6.58 of ExtUtils::MakeMaker (CPAN RT#85739)
522272
522272
* Wed May 29 2013 Paul Howarth <paul@city-fan.org> - 1.90-1
522272
- Update to 1.90
522272
  - Support more digests, especially SHA-2 (CPAN RT#85290)
522272
  - Added support for easy SSL interception (man in the middle) based on ideas
522272
    found in mojo-mitm proxy
522272
  - Make 1.46 the minimal required version for Net::SSLeay, because it
522272
    introduced lots of useful functions
522272
- BR:/R: openssl ≥ 0.9.7e for P_ASN1_TIME_(get,set)_isotime in Net::SSLeay
522272
* Tue May 14 2013 Paul Howarth <paul@city-fan.org> - 1.89-1
- Update to 1.89
  - If IO::Socket::IP is used it should be at least version 0.20; otherwise we
    get problems with HTTP::Daemon::SSL and maybe others (CPAN RT#81932)
  - Spelling corrections

* Thu May  2 2013 Paul Howarth <paul@city-fan.org> - 1.88-1
- Update to 1.88
  - Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
    and SSL_cert* - some apps like Net::LDAP use it that way

* Wed Apr 24 2013 Paul Howarth <paul@city-fan.org> - 1.87-1
- Update to 1.87
  - Complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are
    not readable (CPAN RT#84829)
  - Fix use of SSL_key|SSL_file objects instead of files, broken with 1.83

* Wed Apr 17 2013 Paul Howarth <paul@city-fan.org> - 1.86-1
- Update to 1.86
  - Don't warn about SSL_verify_mode when re-using an existing SSL context
    (CPAN RT#84686)

* Mon Apr 15 2013 Paul Howarth <paul@city-fan.org> - 1.85-1
- Update to 1.85
  - Probe for available modules with local __DIE__ and __WARN__ handlers
    (CPAN RT#84574)
  - Fix warning, when IO::Socket::IP is installed and inet6 support gets
    explicitly requested (CPAN RT#84619)

* Sat Feb 16 2013 Paul Howarth <paul@city-fan.org> - 1.84-1
- Update to 1.84
  - Disabled client side SNI for openssl version < 1.0.0 because of
    CPAN RT#83289
  - Added functions can_client_sni, can_server_sni and can_npn to check
    availability of SNI and NPN features
  - Added more documentation for SNI and NPN

* Thu Feb 14 2013 Paul Howarth <paul@city-fan.org> - 1.83-2
- Update to 1.831
  - Separated documentation of non-blocking I/O from error handling
  - Changed and documented behavior of readline to return the read data on
    EAGAIN/EWOULDBLOCK in case of non-blocking socket
    (see https://github.com/noxxi/p5-io-socket-ssl/issues/1)
- Bumped release rather than version number to preserve likely upgrade path
  and avoid need for epoch or version number ugliness; may revisit this in
  light of upstream's future version numbering decisions

* Mon Feb  4 2013 Paul Howarth <paul@city-fan.org> - 1.83-1
- Update to 1.83
  - Server Name Indication (SNI) support on the server side (CPAN RT#82761)
  - Reworked part of the documentation, like providing better examples

* Mon Jan 28 2013 Paul Howarth <paul@city-fan.org> - 1.82-1
- Update to 1.82
  - sub error sets $SSL_ERROR etc. only if there really is an error; otherwise
    it will keep the latest error, which allows IO::Socket::SSL->new to report
    the correct problem, even if the problem is deeper in the code (like in
    connect)
  - Correct spelling (CPAN RT#82790)

* Thu Dec  6 2012 Paul Howarth <paul@city-fan.org> - 1.81-1
- Update to 1.81
  - Deprecated set_ctx_defaults; new name is set_defaults (the old name is
    still available)
  - Changed handling of default path for SSL_(ca|cert|key)* keys: if one of
    these keys is user defined, don't add defaults for the others, i.e.
    don't mix user settings and defaults
  - Cleaner handling of module defaults vs. global settings vs. socket
    specific settings; global and socket specific settings are both provided
    by the user, while module defaults are not
  - Make IO::Socket::INET6 and IO::Socket::IP specific tests both run, even
    if both modules are installed, by faking a failed load of the other module
- BR: perl(IO::Socket::INET6) and perl(Socket6) unconditionally

* Fri Nov 30 2012 Paul Howarth <paul@city-fan.org> - 1.80-1
- Update to 1.80
  - Removed some warnings in test (missing SSL_verify_mode => 0), which caused
    tests to hang on Windows (CPAN RT#81493)

* Sun Nov 25 2012 Paul Howarth <paul@city-fan.org> - 1.79-1
- Update to 1.79
  - Use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort
    from sockaddr in _update_peer, because this provides scope too
  - Work around systems that don't define AF_INET6 (CPAN RT#81216)
  - Prepare transition to a more secure default for SSL_verify_mode; the use of
    the current default SSL_VERIFY_NONE will cause a big warning for clients,
    unless SSL_verify_mode was explicitly set inside the application to this
    insecure value (in the near future the default will be SSL_VERIFY_PEER, and
    thus causing verification failures in unchanged applications)

* Thu Nov 15 2012 Petr Šabata <contyk@redhat.com> - 1.77-2
- Added some missing build dependencies

* Fri Oct  5 2012 Paul Howarth <paul@city-fan.org> - 1.77-1
- Update to 1.77
  - support _update_peer for IPv6 too (CPAN RT#79916)

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.76-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Jun 28 2012 Petr Pisar <ppisar@redhat.com> - 1.76-2
- Perl 5.16 rebuild

* Mon Jun 18 2012 Paul Howarth <paul@city-fan.org> - 1.76-1
- Update to 1.76
  - add support for IO::Socket::IP, which supports inet6 and inet4
    (CPAN RT#75218)
  - fix documentation errors (CPAN RT#77690)
  - made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
  - use inet_pton from either Socket.pm 1.95 or Socket6.pm
- Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
- Add runtime dependency for appropriate IPv6 support module so that we can
  ensure that we run at runtime what we tested with at build time

* Thu Jun 14 2012 Petr Pisar <ppisar@redhat.com> - 1.74-2
- Perl 5.16 rebuild

* Mon May 14 2012 Paul Howarth <paul@city-fan.org> - 1.74-1
- Update to 1.74
  - accept a version of SSLv2/3 as SSLv23, because older documentation could
    be interpreted like this

* Fri May 11 2012 Paul Howarth <paul@city-fan.org> - 1.73-1
- Update to 1.73
  - set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
  - make test t/dhe.t hopefully work with more versions of openssl

* Wed May  9 2012 Paul Howarth <paul@city-fan.org> - 1.71-1
- Update to 1.71
  - 1.70 done right: don't disable SSLv2 ciphers; SSLv2 support is better
    disabled by the default SSL_version of 'SSLv23:!SSLv2'

* Tue May  8 2012 Paul Howarth <paul@city-fan.org> - 1.70-1
- Update to 1.70
  - make it possible to disable protocols using SSL_version, and make
    SSL_version default to 'SSLv23:!SSLv2'

* Tue May  8 2012 Paul Howarth <paul@city-fan.org> - 1.69-1
- Update to 1.69 (changes for CPAN RT#76929)
  - if no explicit cipher list is given, default to ALL:!LOW instead of the
    openssl default, which usually includes weak ciphers like DES
  - new config key SSL_honor_cipher_order and document how to use it to fight
    BEAST attack
  - fix behavior for empty cipher list (use default)
  - re-added workaround in t/dhe.t

* Mon Apr 16 2012 Paul Howarth <paul@city-fan.org> - 1.66-1
- Update to 1.66
  - make it thread safer (CPAN RT#76538)

* Mon Apr 16 2012 Paul Howarth <paul@city-fan.org> - 1.65-1
- Update to 1.65
  - added NPN (Next Protocol Negotiation) support (CPAN RT#76223)

* Sat Apr  7 2012 Paul Howarth <paul@city-fan.org> - 1.64-1
- Update to 1.64
  - ignore die from within eval to make tests more stable on Win32
    (CPAN RT#76147)
  - clarify some behavior regarding hostname verification
- Drop patch for t/dhe.t, no longer needed

* Wed Mar 28 2012 Paul Howarth <paul@city-fan.org> - 1.62-1
- Update to 1.62
  - small fix to last version

* Tue Mar 27 2012 Paul Howarth <paul@city-fan.org> - 1.61-1
- Update to 1.61
  - call CTX_set_session_id_context so that server's session caching works with
    client certificates too (CPAN RT#76053)

* Tue Mar 20 2012 Paul Howarth <paul@city-fan.org> - 1.60-1
- Update to 1.60
  - don't make blocking readline if socket was set nonblocking, but return as
    soon as no more data are available (CPAN RT#75910)
  - fix BUG section about threading so that it shows package as thread safe
    as long as Net::SSLeay ≥ 1.43 is used (CPAN RT#75749)
- BR: perl(constant), perl(Exporter) and perl(IO::Socket)

* Thu Mar  8 2012 Paul Howarth <paul@city-fan.org> - 1.59-1
- Update to 1.59
  - if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message
    when attempting to use it
  - modify constant declarations so that 5.6.1 should work again
- Drop %%defattr, redundant since rpm 4.4

* Mon Feb 27 2012 Paul Howarth <paul@city-fan.org> - 1.58-1
- Update to 1.58
  - fix t/dhe.t for openssl 1.0.1 beta by forcing TLSv1, so that it does not
    complain about the too small RSA key, which it should not use anyway; this
    workaround is not applied for older openssl versions, where it would cause
    failures (CPAN RT#75165)
- Add patch to fiddle the openssl version number in the t/dhe.t workaround
  because the OPENSSL_VERSION_NUMBER cannot be trusted in Fedora
- One buildreq per line for readability
- Drop redundant buildreq perl(Test::Simple)
- Always run full test suite

* Wed Feb 22 2012 Paul Howarth <paul@city-fan.org> - 1.56-1
- Update to 1.56
  - add automatic or explicit (via SSL_hostname) SNI support, needed for
    multiple SSL hostnames with the same IP (currently only supported for the
    client)
- Use DESTDIR rather than PERL_INSTALL_ROOT
- No need to delete empty directories from buildroot

* Mon Feb 20 2012 Paul Howarth <paul@city-fan.org> - 1.55-1
- Update to 1.55
  - work around IO::Socket's work around for systems returning EISCONN etc. on
    connect retry for non-blocking sockets by clearing $! if SUPER::connect
    returned true (CPAN RT#75101)

* Wed Jan 11 2012 Paul Howarth <paul@city-fan.org> - 1.54-1
- Update to 1.54
  - return 0 instead of undef in SSL_verify_callback to fix uninitialized
    warnings (CPAN RT#73629)

* Mon Dec 12 2011 Paul Howarth <paul@city-fan.org> - 1.53-1
- Update to 1.53
  - kill child in t/memleak_bad_handshake.t if test fails (CPAN RT#73146)

* Wed Dec  7 2011 Paul Howarth <paul@city-fan.org> - 1.52-1
- Update to 1.52
  - fix for t/nonblock.t hangs on AIX (CPAN RT#72305)
  - disable t/memleak_bad_handshake.t on AIX, because it might hang
    (CPAN RT#72170)
  - fix syntax error in t/memleak_bad_handshake.t

* Fri Oct 28 2011 Paul Howarth <paul@city-fan.org> - 1.49-1
- Update to 1.49
  - another regression for readline fix: this time it failed to return lines
    at EOF that don't end with newline - extended t/readline.t to catch this
    case and the fix for 1.48

* Wed Oct 26 2011 Paul Howarth <paul@city-fan.org> - 1.48-1
- Update to 1.48
  - further fix for readline fix in 1.45: if the pending data were false (like
    '0'), it failed to read the rest of the line (CPAN RT#71953)

* Fri Oct 21 2011 Paul Howarth <paul@city-fan.org> - 1.47-1
- Update to 1.47
  - fix for 1.46 - check for mswin32 needs to be /i

* Tue Oct 18 2011 Paul Howarth <paul@city-fan.org> - 1.46-1
- Update to 1.46
  - skip signals test on Windows

* Thu Oct 13 2011 Paul Howarth <paul@city-fan.org> - 1.45-1
- Update to 1.45
  - fix readline to continue when getting interrupt waiting for more data
- BR: perl(Carp)

* Tue Jul 19 2011 Petr Sabata <contyk@redhat.com> - 1.44-2
- Perl mass rebuild

* Fri May 27 2011 Paul Howarth <paul@city-fan.org> - 1.44-1
- Update to 1.44
  - fix invalid call to inet_pton in verify_hostname_of_cert when identity
    should be verified as ipv6 address because it contains a colon

* Wed May 11 2011 Paul Howarth <paul@city-fan.org> - 1.43-1
- Update to 1.43
  - add SSL_create_ctx_callback to have a way to adjust context on creation
    (CPAN RT#67799)
  - describe problem of fake memory leak because of big session cache and how
    to fix it (CPAN RT#68073)
  - fix t/nonblock.t
  - stability improvements for t/inet6.t

* Tue May 10 2011 Paul Howarth <paul@city-fan.org> - 1.41-1
- Update to 1.41
  - fix issue in stop_SSL where it did not issue a shutdown of the SSL
    connection if it first received the shutdown from the other side
  - try to make t/nonblock.t more reliable, at least report the real cause of
    SSL connection errors
- No longer need to re-code docs to UTF-8

* Mon May  2 2011 Paul Howarth <paul@city-fan.org> - 1.40-1
- Update to 1.40
  - fix in example/async_https_server
  - get IDN support from URI (CPAN RT#67676)
- Nobody else likes macros for commands

* Thu Mar  3 2011 Paul Howarth <paul@city-fan.org> - 1.39-1
- Update to 1.39
  - fixed documentation of http verification: wildcards in cn are allowed

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.38-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Tue Jan 18 2011 Paul Howarth <paul@city-fan.org> - 1.38-1
- Update to 1.38
  - fixed wildcards_in_cn setting for http, wrongly set in 1.34 to 1 instead of
    anywhere (CPAN RT#64864)

* Fri Dec 10 2010 Paul Howarth <paul@city-fan.org> - 1.37-1
- Update to 1.37
  - don't complain about invalid certificate locations if user explicitly set
    SSL_ca_path and SSL_ca_file to undef: assume that user knows what they are
    doing and will work around the problems themselves (CPAN RT#63741)

* Thu Dec  9 2010 Paul Howarth <paul@city-fan.org> - 1.36-1
- Update to 1.36
  - update documentation for SSL_verify_callback based on CPAN RT#63743 and
    CPAN RT#63740

* Mon Dec  6 2010 Paul Howarth <paul@city-fan.org> - 1.35-1
- Update to 1.35 (addresses CVE-2010-4334)
  - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
    verified as valid, it will no longer fall back to VERIFY_NONE but throw an
    error (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058)

* Tue Nov  2 2010 Paul Howarth <paul@city-fan.org> - 1.34-1
- Update to 1.34
  - schema http for certificate verification changed to wildcards_in_cn=1
  - if upgrading socket from inet to ssl fails due to handshake problems, the
    socket gets downgraded back again but is still open (CPAN RT#61466)
  - deprecate kill_socket: just use close()

* Sun May 02 2010 Marcela Maslanova <mmaslano@redhat.com> - 1.33-2
- Mass rebuild with perl-5.12.0

* Wed Mar 17 2010 Paul Howarth <paul@city-fan.org> - 1.33-1
- Update to 1.33
  - attempt to make t/memleak_bad_handshake.t more stable
  - fix hostname checking: only check an IP against subjectAltName GEN_IPADD

* Tue Feb 23 2010 Paul Howarth <paul@city-fan.org> - 1.32-1
- Update to 1.32 (die in Makefile.PL if Scalar::Util has no dualvar support)
- Use %%{_fixperms} macro instead of our own %%{__chmod} incantation

* Mon Dec  7 2009 Stepan Kasal <skasal@redhat.com> - 1.31-2
- Rebuild against perl 5.10.1

* Sun Sep 27 2009 Paul Howarth <paul@city-fan.org> - 1.31-1
- Update to 1.31 (see Changes for details)

* Thu Aug 20 2009 Paul Howarth <paul@city-fan.org> - 1.30-1
- Update to 1.30 (fix memleak when SSL handshake failed)
- Add buildreq procps needed for memleak test

* Mon Jul 27 2009 Paul Howarth <paul@city-fan.org> - 1.27-1
- Update to 1.27
  - various regex fixes for i18n and service names
  - fix warnings from perl -w (CPAN RT#48131)
  - improve handling of errors from Net::ssl_write_all

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.26-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Sat Jul  4 2009 Paul Howarth <paul@city-fan.org> - 1.26-1
- Update to 1.26 (verify_hostname_of_cert matched only the prefix for the
  hostname when no wildcard was given, e.g. www.example.org matched against a
  certificate with name www.exam in it [#509819])

* Fri Jul  3 2009 Paul Howarth <paul@city-fan.org> - 1.25-1
- Update to 1.25 (fix t/nonblock.t for OS X 10.5 - CPAN RT#47240)

* Thu Apr  2 2009 Paul Howarth <paul@city-fan.org> - 1.24-1
- Update to 1.24 (add verify hostname scheme ftp, same as http)

* Wed Feb 25 2009 Paul Howarth <paul@city-fan.org> - 1.23-1
- Update to 1.23 (complain when no certificates are provided)

* Sat Jan 24 2009 Paul Howarth <paul@city-fan.org> - 1.22-1
- Update to latest upstream version: 1.22

* Thu Jan 22 2009 Paul Howarth <paul@city-fan.org> - 1.20-1
- Update to latest upstream version: 1.20

* Tue Nov 18 2008 Paul Howarth <paul@city-fan.org> - 1.18-1
- Update to latest upstream version: 1.18
- BR: perl(IO::Socket::INET6) for extra test coverage

* Mon Oct 13 2008 Paul Howarth <paul@city-fan.org> - 1.17-1
- Update to latest upstream version: 1.17

* Mon Sep 22 2008 Paul Howarth <paul@city-fan.org> - 1.16-1
- Update to latest upstream version: 1.16

* Sat Aug 30 2008 Paul Howarth <paul@city-fan.org> - 1.15-1
- Update to latest upstream version: 1.15
- Add buildreq and req for perl(Net::LibIDN) to avoid croaking when trying to
  verify an international name against a certificate

* Wed Jul 16 2008 Paul Howarth <paul@city-fan.org> - 1.14-1
- Update to latest upstream version: 1.14
- BuildRequire perl(Net::SSLeay) >= 1.21

* Wed Feb 27 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.12-4
- Rebuild for perl 5.10 (again)

* Thu Jan 31 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 1.12-3
- Rebuild for new perl

* Wed Nov 28 2007 Paul Howarth <paul@city-fan.org> - 1.12-2
- Cosmetic spec changes suiting new maintainer's preferences

* Fri Oct 26 2007 Robin Norwood <rnorwood@redhat.com> - 1.12-1
- Update to latest upstream version: 1.12
- Fix license tag
- Add BuildRequires for ExtUtils::MakeMaker and Test::Simple
- Fix package review issues:
- Source URL
- Resolves: bz#226264

* Tue Oct 16 2007 Tom "spot" Callaway <tcallawa@redhat.com> - 1.02-1.1
- Correct license tag
- Add BR: perl(ExtUtils::MakeMaker)

* Sat Dec 02 2006 Robin Norwood <rnorwood@redhat.com> - 1.02-1
- Upgrade to latest CPAN version: 1.02

* Mon Sep 18 2006 Warren Togami <wtogami@redhat.com> - 1.01-1
- 1.01 bug fixes (#206782)

* Sun Aug 13 2006 Warren Togami <wtogami@redhat.com> - 0.998-1
- 0.998 with more important fixes

* Tue Aug 01 2006 Warren Togami <wtogami@redhat.com> - 0.994-1
- 0.994 important bugfixes (#200860)

* Tue Jul 18 2006 Warren Togami <wtogami@redhat.com> - 0.991-1
- 0.991

* Wed Jul 12 2006 Warren Togami <wtogami@redhat.com> - 0.97-3
- Import into FC6

* Tue Feb 28 2006 Jose Pedro Oliveira <jpo at di.uminho.pt> - 0.97-2
- Rebuild for FC5 (perl 5.8.8).
- Rebuild switch: "--with sessiontests".

* Mon Jul 18 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.97-1
- 0.97.
- Convert docs to UTF-8, drop some unuseful ones.

* Wed Apr  6 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.96-4
- Rebuilt

* Tue Oct 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.96-3
- Disable session test suite even if Net::SSLeay >= 1.26 is available.

* Wed Jul  7 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.96-0.fdr.2
- Bring up to date with current fedora.us Perl spec template.
- Include examples in docs.

* Sat May  1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.96-0.fdr.1
- Update to 0.96.
- Reduce directory ownership bloat.
- Require perl(:MODULE_COMPAT_*).

* Fri Oct 17 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.95-0.fdr.1
- First build.