%if 0%{?rhel} >= 9

%bcond_with perl_IO_Socket_SSL_test_unused_idn

%else

%bcond_without perl_IO_Socket_SSL_test_unused_idn

%endif

%bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6

Name:		perl-IO-Socket-SSL

Version:	2.073

Release:	1%{?dist}

Summary:	Perl library for transparent SSL

License:	(GPL+ or Artistic) and MPLv2.0

URL:		https://metacpan.org/release/IO-Socket-SSL

Source0:	https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz

Patch0:		IO-Socket-SSL-2.068-use-system-default-cipher-list.patch

Patch1:		IO-Socket-SSL-2.068-use-system-default-SSL-version.patch

# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,

# bug #1632660, requires openssl tool

Patch2:		IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch

Patch3:		IO-Socket-SSL-2.068-openssl-1.1.1e.patch

BuildArch:	noarch

# Module Build

BuildRequires:	coreutils

BuildRequires:	make

BuildRequires:	perl-generators

BuildRequires:	perl-interpreter

BuildRequires:	perl(ExtUtils::MakeMaker) >= 6.76

# Module Runtime

BuildRequires:	openssl-libs >= 0.9.8

BuildRequires:	perl(Carp)

BuildRequires:	perl(Config)

BuildRequires:	perl(constant)

BuildRequires:	perl(Errno)

BuildRequires:	perl(Exporter)

BuildRequires:	perl(HTTP::Tiny)

BuildRequires:	perl(IO::Socket)

BuildRequires:	perl(IO::Socket::INET)

BuildRequires:	perl(IO::Socket::IP) >= 0.31

BuildRequires:	perl(Net::SSLeay) >= 1.46

BuildRequires:	perl(Scalar::Util)

BuildRequires:	perl(Socket) >= 1.95

BuildRequires:	perl(strict)

BuildRequires:	perl(URI::_idna)

BuildRequires:	perl(vars)

BuildRequires:	perl(warnings)

# Test Suite

# openssl tool required for Test-client-performs-Post-Handshake-Authentication.patch

BuildRequires:	openssl

BuildRequires:	perl(Data::Dumper)

BuildRequires:	perl(File::Temp)

BuildRequires:	perl(FindBin)

BuildRequires:	perl(IO::Select)

%if %{with perl_IO_Socket_SSL_test_IO_Socket_INET6}

BuildRequires:	perl(IO::Socket::INET6) >= 2.62

%endif

# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch

BuildRequires:	perl(IPC::Run)

%if %{with perl_IO_Socket_SSL_test_unused_idn}

BuildRequires:	perl(Net::IDN::Encode)

BuildRequires:	perl(Net::LibIDN)

%endif

BuildRequires:	perl(Test::More) >= 0.88

BuildRequires:	perl(utf8)

BuildRequires:	procps

# Runtime

Requires:	perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))

Requires:	openssl-libs >= 0.9.8

Requires:	perl(Config)

Requires:	perl(HTTP::Tiny)

Requires:	perl(IO::Socket::INET)

Requires:	perl(IO::Socket::IP) >= 0.31

Requires:	perl(Socket) >= 1.95

Requires:	perl(URI::_idna)

%description

This module is a true drop-in replacement for IO::Socket::INET that

uses SSL to encrypt data before it is transferred to a remote server

or client. IO::Socket::SSL supports all the extra features that one

needs to write a full-featured SSL client or server application:

multiple SSL contexts, cipher selection, certificate verification, and

SSL version selection. As an extra bonus, it works perfectly with

mod_perl.

%prep

%setup -q -n IO-Socket-SSL-%{version}

# Allow building with OpenSSL 1.1.1e as the Fedora package has the

# problematic EOF handling change reverted

%patch3

# Use system-wide default cipher list to support use of system-wide

# crypto policy (#1076390, #1127577, CPAN RT#97816)

# https://fedoraproject.org/wiki/Changes/CryptoPolicy

%patch0

# Use system-default SSL version too

%patch1

# Add a test for PHA

%patch2 -p1

%build

NO_NETWORK_TESTING=1 perl Makefile.PL \

	INSTALLDIRS=vendor \

	NO_PACKLIST=1 \

	NO_PERLLOCAL=1

%{make_build}

%install

%{make_install}

%{_fixperms} -c %{buildroot}

%check

make test

%files

# GPL+ or Artistic

%doc BUGS Changes README docs/ example/

%dir %{perl_vendorlib}/IO/

%dir %{perl_vendorlib}/IO/Socket/

%dir %{perl_vendorlib}/IO/Socket/SSL/

%doc %{perl_vendorlib}/IO/Socket/SSL.pod

%{perl_vendorlib}/IO/Socket/SSL.pm

%{perl_vendorlib}/IO/Socket/SSL/Intercept.pm

%{perl_vendorlib}/IO/Socket/SSL/Utils.pm

%{_mandir}/man3/IO::Socket::SSL.3*

%{_mandir}/man3/IO::Socket::SSL::Intercept.3*

%{_mandir}/man3/IO::Socket::SSL::Utils.3*

# MPLv2.0

%{perl_vendorlib}/IO/Socket/SSL/PublicSuffix.pm

%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*

%changelog

* Tue Jan 04 2022 Michal Josef Špaček <mspacek@redhat.com> - 2.073-1

- Update to 2.073, which has official support for OpenSSL 3.0.0

  Related: rhbz#1968046

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-6

- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags

  Related: rhbz#1991688

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-5

- Rebuilt for RHEL 9 BETA for openssl 3.0

  Related: rhbz#1971065

* Tue Jun 08 2021 Michal Josef Špaček <mspacek@redhat.com> - 2.070-4

- Remove failing tests in openssl 3.0.0-alpha16. Related: rhbz#1968046

  - Provisional for mass rebuild of openssl3.

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-3

- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Fri Mar 19 2021 Petr Pisar <ppisar@redhat.com> - 2.070-2

- Disable optional libidn tests on ELN

* Fri Feb 26 2021 Paul Howarth <paul@city-fan.org> - 2.070-1

- Update to 2.070

  - Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.069-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 23 2021 Paul Howarth <paul@city-fan.org> - 2.069-1

- Update to 2.069

  - IO::Socket::Utils CERT_asHash and CERT_create now support subject and

    issuer with multiple same parts (like multiple OU); in this case an array

    ref instead of a scalar is used as hash value (GH#95)

* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.068-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.068-2

- Perl 5.32 rebuild

* Tue Mar 31 2020 Paul Howarth <paul@city-fan.org> - 2.068-1

- Update to 2.068

  - Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to

    prevent follow-up problems in tests and user code

    https://github.com/noxxi/p5-io-socket-ssl/issues/93

    https://github.com/openssl/openssl/issues/11388

    https://github.com/openssl/openssl/issues/11378

  - Update PublicSuffix with latest data from publicsuffix.org

- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in

  Fedora has had the problematic EOF-handling change reverted

* Sat Mar 21 2020 Paul Howarth <paul@city-fan.org> - 2.067-2

- Fix FTBFS with OpenSSL 1.1.1e

  https://github.com/noxxi/p5-io-socket-ssl/issues/93

* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1

- Update to 2.067

  - Fix memory leak on incomplete handshake (GH#92)

  - Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this

    can decrease memory usage at the costs of more allocations (CPAN RT#129463)

  - More detailed error messages when loading of certificate file failed (GH#89)

  - Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)

  - Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1

  - Fix warning when no ecdh support is available

  - Documentation update regarding use of select and TLS 1.3

  - Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)

  - Stability fix for t/core.t

* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-7

- Default to PROFILE=SYSTEM cipher list (bug #1775167)

* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5

- Runtime openssl dependency should be on openssl-libs

- Always require preferred IPv6 back-end: IO::Socket::IP ≥ 0.31

- Always require preferred IDN back-end: URI::_idna

- Modernize spec using %%{make_build} and %%{make_install}

* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4

- PublicSuffix.pm is licensed MPLv2.0 (#1724169)

* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3

- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)

* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2

- Perl 5.30 rebuild

* Wed Mar  6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1

- Update to 2.066

  - Make sure that Net::SSLeay::CTX_get0_param is defined before using

    X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with

    LibreSSL 2.7.4 but not the first (CPAN RT#128716)

  - Prefer AES for server side cipher default since it is usually

    hardware-accelerated

  - Fix test t/verify_partial_chain.t by using the newly exposed function

    can_partial_chain instead of guessing (wrongly) if the functionality is

    available

* Mon Mar  4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1

- Update to 2.064

  - Make algorithm for fingerprint optional, i.e. detect based on length of

    fingerprint (CPAN RT#127773)

  - Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows

  - Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are

    set

  - Update fingerprints for live tests

* Sat Mar  2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1

- Update to 2.063

  - Support for both RSA and ECDSA certificate on same domain

  - Update PublicSuffix

  - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but

    then linked against another API-incompatible version (i.e. more than just

    the patchlevel differs)

* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1

- Update to 2.062

  - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and

    OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates

    in the trust store be usable as full trust anchors too

* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1

- Update to 2.061

  - Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that

    the previous (and undocumented) API for the session cache has been changed

  - Support for multiple curves, automatic setting of curves and setting of

    supported curves in client (needs Net::SSLeay ≥ 1.86)

  - Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when

    client certificates are provided (needs Net::SSLeay ≥ 1.86)

* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4

- Client sends a post-handshake-authentication extension if a client key and

  a certificate are available (bug #1632660)

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2

- Prevent tests from dying on SIGPIPE (CPAN RT#126899)

* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1

- Update to 2.060

  - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see

    also CPAN RT#126899

  - TLS 1.3 support is not complete yet for session reuse

* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2

- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)

* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1

- Update to 2.059

  - Fix memory leak when CRLs are used (CPAN RT#125867)

  - Fix memory leak when using stop_SSL and threads

    (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)

* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1

- Update to 2.058

  - Fix memory leak that occurred with explicit stop_SSL in connection with

    non-blocking sockets or timeout (CPAN RT#125867)

  - Fix redefine warnings in case Socket6 is installed but neither

    IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)

  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting

    number or callback to create serial number based on the original certificate

  - New function get_session_reused to check if a session got reused

  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct

    value

  - Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version

    expects the extKeyUsage of clientAuth in the client cert also to be allowed

    by the CA if CA uses extKeyUsage

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.056-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.056-2

- Perl 5.28 rebuild

* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 2.056-1

- Update to 2.056

  - Intercept: Fix creation of serial number (basing it on binary digest

    instead of treating hex fingerprint as binary), allow use of own serial

    numbers again

  - t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)

  - Update PublicSuffix

* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 2.055-1

- Update to 2.055

  - Use SNI also if hostname was given all-uppercase

  - Utils::CERT_create: Don't add authority key for issuer since Chrome does

    not like this

  - Intercept:

    - Change behavior of code-based cache to better support synchronizing

      within multiprocess/threaded set-ups

    - Don't use counter for serial number but somehow base it on original

      certificate in order to avoid conflicts with reuse of serial numbers

      after restart

  - Better support platforms without IPv6 (CPAN RT#124431)

  - Spelling fixes in documentation (CPAN RT#124306)

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.054-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Mon Jan 22 2018 Paul Howarth <paul@city-fan.org> - 2.054-1

- Update to 2.054

  - Small behavior fixes

    - If SSL_fingerprint is used and matches, don't check for OCSP

    - Utils::CERT_create: Small fixes to properly specific purpose, ability to

      use predefined complex purpose but disable some features

  - Update PublicSuffix

  - Updates for documentation, especially regarding pitfalls with forking or

    using non-blocking sockets, spelling fixes

  - Test fixes and improvements

    - Stability improvements for live tests

    - Regenerate certificates in certs/ and make sure they are limited to the

      correct purpose; check in program used to generate certificates

    - Adjust tests since certificates have changed and some tests used

      certificates intended for client authentication as server certificates,

      which now no longer works

* Mon Oct 23 2017 Paul Howarth <paul@city-fan.org> - 2.052-1

- Update to 2.052

  - Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced

    the functions with dummies instead of removing NPN completly or setting

    OPENSSL_NO_NEXTPROTONEG

  - t/01loadmodule.t shows more output helpful in debugging problems

  - Update fingerprints for external tests

  - Update documentation to make behavior of syswrite more clear

* Tue Sep  5 2017 Paul Howarth <paul@city-fan.org> - 2.051-1

- Update to 2.051

  - syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with

    OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up

    (GH#62)

* Fri Aug 18 2017 Paul Howarth <paul@city-fan.org> - 2.050-1

- Update to 2.050

  - Removed unnecessary settings of SSL_version and SSL_cipher_list from tests

  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not

    supported, as is the case with openssl versions in latest Debian (buster)

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.049-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Mon Jun 12 2017 Paul Howarth <paul@city-fan.org> - 2.049-1

- Update to 2.049

  - Fixed problem caused by typo in the context of session cache (GH#60)

  - Updated PublicSuffix information from publicsuffix.org

* Mon Jun 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.048-2

- Perl 5.26 rebuild

* Mon Apr 17 2017 Paul Howarth <paul@city-fan.org> - 2.048-1

- Update to 2.048

  - Fixed small memory leaks during destruction of socket and context

    (CPAN RT#120643)

- Drop support for EOL distributions prior to F-13

  - Drop BuildRoot: and Group: tags

  - Drop explicit buildroot cleaning in %%install section

  - Drop explicit %%clean section

* Fri Feb 17 2017 Paul Howarth <paul@city-fan.org> - 2.047-1

- Update to 2.047

  - Better fix for problem which 2.046 tried to fix but broke LWP that way

- Update patches as needed

* Thu Feb 16 2017 Paul Howarth <paul@city-fan.org> - 2.046-1

- Update to 2.046

  - Clean up everything in DESTROY and make sure to start with a fresh

    %%{*self} in configure_SSL because it can happen that a GLOB gets used

    again without calling DESTROY

    (https://github.com/noxxi/p5-io-socket-ssl/issues/56)

- Update patches as needed

* Tue Feb 14 2017 Paul Howarth <paul@city-fan.org> - 2.045-1

- Update to 2.045

  - Fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL

    objects (GH#55)

  - Optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if

    perl is compiled without thread support

  - Small fix in t/protocol_version.t to use older versions of Net::SSLeay with

    openssl build without SSLv3 support

  - When setting SSL_keepSocketOnError to true the socket will not be closed on

    fatal error (GH#53, modified)

- Update patches as needed

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.044-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Jan 26 2017 Paul Howarth <paul@city-fan.org> - 2.044-1

- Update to 2.044

  - Protect various 'eval'-based capability detections at startup with a

    localized __DIE__ handler; this way, dynamically requiring IO::Socket::SSL

    as done by various third party software should cause less problems even if

    there is a global __DIE__ handler that does not properly deal with 'eval'

- Update patches as needed

* Fri Jan  6 2017 Paul Howarth <paul@city-fan.org> - 2.043-1

- Update to 2.043

  - Enable session ticket callback with Net::SSLeay ≥ 1.80

  - Make t/session_ticket.t work with OpenSSL 1.1.0; with this version the

    session no longer gets reused if it was not properly closed, which is now

    done using an explicit close by the client

- Update patches as needed

* Wed Jan  4 2017 Paul Howarth <paul@city-fan.org> - 2.041-1

- Update to 2.041

  - Leave session ticket callback off for now until the needed patch is

    included in Net::SSLeay (see

    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146)

- Update patches as needed

* Sun Dec 18 2016 Paul Howarth <paul@city-fan.org> - 2.040-1

- Update to 2.040

  - Fix detection of default CA path for OpenSSL 1.1.x

  - Utils::CERT_asHash now includes the signature algorithm used

  - Utils::CERT_asHash can now deal with large serial numbers

- Update patches as needed

* Mon Nov 21 2016 Paul Howarth <paul@city-fan.org> - 2.039-1

- Update to 2.039

  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1

    on EOF without proper SSL shutdown; since it looks like that this behavior

    will be kept at least for 1.1.1+, adapt to the changed API by treating

    errno=NOERR on SSL_ERROR_SYSCALL as EOF

- Update patches as needed

* Mon Sep 19 2016 Paul Howarth <paul@city-fan.org> - 2.038-1

- Update to 2.038

  - Restrict session ticket callback to Net::SSLeay 1.79+ since version before

    contains bug; add test for session reuse

  - Extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'

  - Fix t/external/ocsp.t to use different server (under my control) to check

    OCSP stapling

- Update patches as needed

* Tue Aug 23 2016 Paul Howarth <paul@city-fan.org> - 2.037-1

- Update to 2.037

  - Disable OCSP support when Net::SSLeay 1.75..1.77 is used (CPAN RT#116795)

  - Fix session cache del_session: it freed the session but did not properly

    remove it from the cache; further reuse caused crash

- Update patches as needed

* Thu Aug 11 2016 Paul Howarth <paul@city-fan.org> - 2.035-1

- Update to 2.035

  - Fixes for issues introduced in 2.034

    - Return with error in configure_SSL if context creation failed; this

      might otherwise result in a segmentation fault later

    - Apply builtin defaults before any (user configurable) global settings

      (i.e. done with set_defaults, set_default_context...) so that builtins

      don't replace user settings

- Update patches as needed

* Mon Aug  8 2016 Paul Howarth <paul@city-fan.org> - 2.034-1

- Update to 2.034

  - Move handling of global SSL arguments into creation of context, so that

    these get also applied when creating a context only

- Update patches as needed

* Sat Jul 16 2016 Paul Howarth <paul@city-fan.org> - 2.033-1

- Update to 2.033

  - Support for session ticket reuse over multiple contexts and processes (if

    supported by Net::SSLeay)

  - Small optimizations, like saving various Net::SSLeay constants into

    variables and access variables instead of calling the constant sub all the

    time

  - Make t/dhe.t work with openssl 1.1.0

- Update patches as needed

* Tue Jul 12 2016 Paul Howarth <paul@city-fan.org> - 2.032-1

- Update to 2.032

  - Set session id context only on the server side; even if the documentation

    for SSL_CTX_set_session_id_context makes clear that this function is server

    side only, it actually affects handling of session reuse on the client side

    too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session

    in different context" at the client

* Fri Jul  8 2016 Paul Howarth <paul@city-fan.org> - 2.031-1

- Update to 2.031

  - Utils::CERT_create - don't add given extensions again if they were already

    added; Firefox croaks with sec_error_extension_value_invalid if (specific?)

    extensions are given twice

  - Assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates

    with the reverse order as in the PKCS12 file, because that's what it does

  - Support for creating ECC keys in Utils once supported by Net::SSLeay

  - Remove internal sub session_cache and access cache directly (faster)

- Update patches as needed

* Tue Jun 28 2016 Paul Howarth <paul@city-fan.org> - 2.029-1

- Update to 2.029

  - Add del_session method to session cache

  - Use SSL_session_key as the real key for the cache and not some derivate of

    it, so that it works to remove the entry using the same key

- BR: perl-generators

* Mon May 16 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.027-2

- Perl 5.24 rebuild

* Thu Apr 21 2016 Paul Howarth <paul@city-fan.org> - 2.027-1

- Update to 2.027

  - Updated Changes file for 2.026

* Wed Apr 20 2016 Paul Howarth <paul@city-fan.org> - 2.026-1

- Update to 2.026

  - Upstream's default cipher lists updated (we use system default though)

- Update patches as needed

* Mon Apr  4 2016 Paul Howarth <paul@city-fan.org> - 2.025-1

- Update to 2.025

  - Resolved memleak if SSL_crl_file was used (CPAN RT#113257, CPAN RT#113530)

- Simplify find command using -delete

* Sun Feb  7 2016 Paul Howarth <paul@city-fan.org> - 2.024-1

- Update to 2.024

  - Work around issue where the connect fails on systems having only a loopback

    interface and where IO::Socket::IP is used as super class (default when

    available)

- Update patches as needed

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.023-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Sat Jan 30 2016 Paul Howarth <paul@city-fan.org> - 2.023-1

- Update to 2.023

  - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS

    connection was not fully established, which somehow resulted in

    Net::SSLeay::shutdown returning 0 (i.e. keep trying) and hence an endless

    loop; it will now ignore this result in case the TLS connection was not

    yet established and consider the TLS connection closed instead

- Update patches as needed

* Thu Dec 10 2015 Paul Howarth <paul@city-fan.org> - 2.022-1

- Update to 2.022

  - Fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash

    (CPAN RT#110253)

* Thu Dec  3 2015 Paul Howarth <paul@city-fan.org> - 2.021-1

- Update to 2.021

  - Fixes for documentation and typos

  - Update PublicSuffix with latest version from publicsuffix.org

- Update patches as needed

* Mon Sep 21 2015 Paul Howarth <paul@city-fan.org> - 2.020-1

- Update to 2.020

  - Support multiple directories in SSL_ca_path (CPAN RT#106711); directories

    can be given as array or as string with a path separator

  - Typos fixed (https://github.com/noxxi/p5-io-socket-ssl/pull/34)

- Update patches as needed

* Tue Sep  1 2015 Paul Howarth <paul@city-fan.org> - 2.019-1

- Update to 2.019

  - Work around different behavior of getnameinfo from Socket and Socket6 by

    using a different wrapper depending on which module is used for IPv6

- Update patches as needed

* Mon Aug 31 2015 Paul Howarth <paul@city-fan.org> - 2.018-1

- Update to 2.018

  - Checks for readability of files/dirs for certificates and CA no longer use

    -r because this is not safe when ACLs are used (CPAN RT#106295)

  - New method sock_certificate similar to peer_certificate (CPAN RT#105733)

  - get_fingerprint can now take optional certificate as argument and compute

    the fingerprint of it; useful in connection with sock_certificate

  - Check for both EWOULDBLOCK and EAGAIN since these codes are different on

    some platforms (CPAN RT#106573)

  - Enforce default verification scheme if nothing was specified, i.e. no

    longer just warn but accept; if really no verification is wanted, a scheme

    of 'none' must be explicitly specified

  - Support different cipher suites per SNI hosts

  - startssl.t failed on darwin with old openssl since server requested client

    certificate but offered also anon ciphers (CPAN RT#106687)

- Update patches as needed

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.016-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue Jun 09 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.016-2

- Perl 5.22 rebuild

* Sun Jun  7 2015 Paul Howarth <paul@city-fan.org> - 2.016-1

- Update to 2.016

  - Add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL

    (since 1.02) and available with Net::SSLeay (CPAN RT#104759)

  - Work around hanging prompt() with older perl in Makefile.PL

    (CPAN RT#104731)

  - Make t/memleak_bad_handshake.t work on cygwin and other systems having

    /proc/pid/statm (CPAN RT#104659)

  - Add better debugging

* Sat Jun 06 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.015-2

- Perl 5.22 rebuild

* Thu May 14 2015 Paul Howarth <paul@city-fan.org> - 2.015-1

- Update to 2.015

  - Work around problem with IO::Socket::INET6 on Windows, by explicitly using

    Domain AF_INET in the tests (CPAN RT#104226)

* Tue May  5 2015 Paul Howarth <paul@city-fan.org> - 2.014-1

- Update to 2.014

  - Utils::CERT_create - work around problems with authorityInfoAccess, where

    OpenSSL i2v does not create the same string as v2i expects

  - Intercept - don't clone some specific extensions that only make sense with

    the original certificate

* Fri May  1 2015 Paul Howarth <paul@city-fan.org> - 2.013-1

- Update to 2.013

  - Assign severities to internal error handling and make sure that follow-up

    errors like "configuration failed" or "certificate verify error" don't

    replace more specific "hostname verification failed" when reporting in

    sub errstr/$SSL_ERROR (CPAN RT#103423)

  - Enhanced documentation (https://github.com/noxxi/p5-io-socket-ssl/pull/26)

* Mon Feb  2 2015 Paul Howarth <paul@city-fan.org> - 2.012-1

- Update to 2.012

  - Fix t/ocsp.t in case no HTTP::Tiny is installed

* Sun Feb  1 2015 Paul Howarth <paul@city-fan.org> - 2.011-1

- Update to 2.011

  - Fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling

    (CPAN RT#101855)

  - Added option 'purpose' to Utils::CERT_create to get better control of the

    certificate's purpose; default is 'server,client' for non-CA (contrary to

    only 'server' before)

  - Removed RC4 from default cipher suites on the server side

    (https://github.com/noxxi/p5-io-socket-ssl/issues/22)

  - Refactoring of some tests using Test::More

- Note that this package still uses system-default cipher and SSL versions,

  which may have RC4 enabled

- Update patches as needed

* Thu Jan 15 2015 Paul Howarth <paul@city-fan.org> - 2.010-1

- Update to 2.010

  - New options SSL_client_ca_file and SSL_client_ca to let the server send the

    list of acceptable CAs for the client certificate

  - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay

    (CPAN RT#101485)

* Mon Jan 12 2015 Paul Howarth <paul@city-fan.org> - 2.009-1

- Update to 2.009

  - Remove util/analyze.pl; this tool is now together with other SSL tools at

    https://github.com/noxxi/p5-ssl-tools

  - Added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) (CPAN RT#101452)

* Thu Dec 18 2014 Paul Howarth <paul@city-fan.org> - 2.008-1

- Update to 2.008

  - Work around recent OCSP verification errors for revoked.grc.com (badly

    signed OCSP response, Firefox also complains about it) in test

    t/external/ocsp.t

  - util/analyze.pl - report more details about preferred cipher for specific

    TLS versions

* Thu Nov 27 2014 Paul Howarth <paul@city-fan.org> - 2.007-1

- Update to 2.007

  - Make getline/readline fall back to super class if class is not sslified

    yet, i.e. behave the same as sysread, syswrite etc. (CPAN RT#100529)

* Sun Nov 23 2014 Paul Howarth <paul@city-fan.org> - 2.006-1

- Update to 2.006

  - Make SSLv3 available even if the SSL library disables it by default in

    SSL_CTX_new (like done in LibreSSL); default will stay to disable SSLv3

    so this will be only done when setting SSL_version explicitly

  - Fix possible segmentation fault when trying to use an invalid certificate

  - Use only the ICANN part of the default public suffix list and not the

    private domains; this makes existing exceptions for s3.amazonaws.com and

    googleapis.com obsolete

  - Fix t/protocol_version.t to deal with OpenSSL installations that are

    compiled without SSLv3 support

  - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead

    of EAGAIN; while this is the same on UNIX it is different on Windows and

    socket operations return there (WSA)EWOULDBLOCK and not EAGAIN

  - Enable non-blocking tests on Windows too

  - Make PublicSuffix::_default_data thread safe

  - Update PublicSuffix with latest list from publicsuffix.org

- Note that this package still uses system-default cipher and SSL versions,

  which may have SSL3.0 enabled

- Classify buildreqs by usage

* Wed Oct 22 2014 Paul Howarth <paul@city-fan.org> - 2.002-1

- Update to 2.002

  - Fix check for (invalid) IPv4 when validating hostname against certificate;

    do not use inet_aton any longer because it can cause DNS lookups for

    malformed IP (CPAN RT#99448)