From 1a2827380db5d714ccdd97a3da9dec8dcc402a7d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 05 2019 19:46:01 +0000 Subject: import perl-IO-Socket-SSL-2.066-3.el8 --- diff --git a/.gitignore b/.gitignore index 1d3934a..8a8da28 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/IO-Socket-SSL-2.060.tar.gz +SOURCES/IO-Socket-SSL-2.066.tar.gz diff --git a/.perl-IO-Socket-SSL.metadata b/.perl-IO-Socket-SSL.metadata index 9f96ae7..67b548c 100644 --- a/.perl-IO-Socket-SSL.metadata +++ b/.perl-IO-Socket-SSL.metadata @@ -1 +1 @@ -d00985ca87425ab5860bc38e59bcb9d39b372508 SOURCES/IO-Socket-SSL-2.060.tar.gz +4eacd69b81f7edae24135a53411cf87429584289 SOURCES/IO-Socket-SSL-2.066.tar.gz diff --git a/SOURCES/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch b/SOURCES/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch deleted file mode 100644 index e68acf6..0000000 --- a/SOURCES/IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch +++ /dev/null @@ -1,121 +0,0 @@ -From e96b1c9e394011de4ee181cfa42b8021796bf7d4 Mon Sep 17 00:00:00 2001 -From: Steffen Ullrich -Date: Mon, 17 Sep 2018 14:09:48 +0200 -Subject: [PATCH] make all tests which use fork also ignore signal PIPE -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Petr Písař ---- - t/nonblock.t | 4 +--- - t/protocol_version.t | 2 -- - t/session_ticket.t | 2 -- - t/signal-readline.t | 1 - - t/sni.t | 2 -- - t/sni_verify.t | 2 -- - t/testlib.pl | 2 ++ - 7 files changed, 3 insertions(+), 12 deletions(-) - -diff --git a/t/nonblock.t b/t/nonblock.t -index 6c1bc38..ad62799 100644 ---- a/t/nonblock.t -+++ b/t/nonblock.t -@@ -9,7 +9,7 @@ use Net::SSLeay; - use Socket; - use IO::Socket::SSL; - use IO::Select; --use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS EPIPE ECONNRESET ); -+use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS); - do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; - - if ( ! eval "use 5.006; use IO::Select; return 1" ) { -@@ -17,8 +17,6 @@ if ( ! eval "use 5.006; use IO::Select; return 1" ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; # use EPIPE not signal handler -- - $|=1; - print "1..27\n"; - -diff --git a/t/protocol_version.t b/t/protocol_version.t -index 2e5cc6f..3577720 100644 ---- a/t/protocol_version.t -+++ b/t/protocol_version.t -@@ -7,8 +7,6 @@ use Socket; - use IO::Socket::SSL; - do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; - --$SIG{PIPE} = 'IGNORE'; -- - plan skip_all => "Test::More has no done_testing" - if !defined &done_testing; - -diff --git a/t/session_ticket.t b/t/session_ticket.t -index ca70b80..4071b8a 100644 ---- a/t/session_ticket.t -+++ b/t/session_ticket.t -@@ -27,8 +27,6 @@ my ($server_cert,$server_key) = CERT_create( - purpose => { server => 1 } - ); - --$SIG{PIPE} = 'IGNORE'; -- - # create two servers with the same session ticket callback - my (@server,@saddr); - for (1,2) { -diff --git a/t/signal-readline.t b/t/signal-readline.t -index 6dcd4ae..3e226c0 100644 ---- a/t/signal-readline.t -+++ b/t/signal-readline.t -@@ -50,7 +50,6 @@ if ( $pid == 0 ) { - - my $csock = $server->accept; - ok("accept"); --$SIG{PIPE} = 'IGNORE'; - - syswrite($csock,"foo") or print "not "; - ok("wrote foo"); -diff --git a/t/sni.t b/t/sni.t -index c6e6510..de0f06e 100644 ---- a/t/sni.t -+++ b/t/sni.t -@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; -- - print "1..17\n"; - my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', -diff --git a/t/sni_verify.t b/t/sni_verify.t -index 86b5dca..b3b299b 100644 ---- a/t/sni_verify.t -+++ b/t/sni_verify.t -@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) { - exit; - } - --$SIG{PIPE} = 'IGNORE'; -- - print "1..17\n"; - my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', -diff --git a/t/testlib.pl b/t/testlib.pl -index 5a99e49..b3f342c 100644 ---- a/t/testlib.pl -+++ b/t/testlib.pl -@@ -19,6 +19,8 @@ unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} || - exit - } - -+# let IO errors result in EPIPE instead of crashing the test -+$SIG{PIPE} = 'IGNORE'; - - # small implementations if not used from Test::More (09_fdleak.t) - if ( ! defined &ok ) { --- -2.17.1 - diff --git a/SOURCES/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch b/SOURCES/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch deleted file mode 100644 index 15ad9a6..0000000 --- a/SOURCES/IO-Socket-SSL-2.060-use-system-default-SSL-version.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p - # global defaults - my %DEFAULT_SSL_ARGS = ( - SSL_check_crl => 0, -- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken -+ SSL_version => '', - SSL_verify_callback => undef, - SSL_verifycn_scheme => undef, # fallback cn verification - SSL_verifycn_publicsuffix => undef, # fallback default list verification -@@ -2295,7 +2295,7 @@ sub new { - - my $ssl_op = $DEFAULT_SSL_OP; - -- my $ver; -+ my $ver = ''; - for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { - m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i - or croak("invalid SSL_version specified"); ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -1010,11 +1010,12 @@ protocol to the specified version. - All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can - also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires - recent versions of Net::SSLeay and openssl. -+The default SSL_version is defined by the underlying cryptographic library. - - Independent from the handshake format you can limit to set of accepted SSL - versions by adding !version separated by ':'. - --The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the -+For example, 'SSLv23:!SSLv3:!SSLv2' means that the - handshake format is compatible to SSL2.0 and higher, but that the successful - handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because - both of these versions have serious security issues and should not be used diff --git a/SOURCES/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch b/SOURCES/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch deleted file mode 100644 index e1e6863..0000000 --- a/SOURCES/IO-Socket-SSL-2.060-use-system-default-cipher-list.patch +++ /dev/null @@ -1,98 +0,0 @@ ---- lib/IO/Socket/SSL.pm -+++ lib/IO/Socket/SSL.pm -@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = ( - SSL_npn_protocols => undef, # meaning depends whether on server or client side - SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] - -- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20 -- # "Old backward compatibility" for best compatibility -- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" -- SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', -+ # Use system-wide default cipher list to support use of system-wide -+ # crypto policy (#1076390, #1127577, CPAN RT#97816) -+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy -+ SSL_cipher_list => 'DEFAULT', - ); - - my %DEFAULT_SSL_CLIENT_ARGS = ( -@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( - SSL_ca_file => undef, - SSL_ca_path => undef, - -- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes -- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html -- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 -- # Ubuntu worked around this by disabling TLSv1_2 on the client side for -- # a while. Later a padding extension was added to OpenSSL to work around -- # broken F5 but then IronPort croaked because it did not understand this -- # extension so it was disabled again :( -- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so -- # that packet stays small enough. We try the same here. -- -- SSL_cipher_list => join(" ", -- -- # SSLabs report for Chrome 48/OSX. -- # This also includes the fewer ciphers Firefox uses. -- 'ECDHE-ECDSA-AES128-GCM-SHA256', -- 'ECDHE-RSA-AES128-GCM-SHA256', -- 'DHE-RSA-AES128-GCM-SHA256', -- 'ECDHE-ECDSA-CHACHA20-POLY1305', -- 'ECDHE-RSA-CHACHA20-POLY1305', -- 'ECDHE-ECDSA-AES256-SHA', -- 'ECDHE-RSA-AES256-SHA', -- 'DHE-RSA-AES256-SHA', -- 'ECDHE-ECDSA-AES128-SHA', -- 'ECDHE-RSA-AES128-SHA', -- 'DHE-RSA-AES128-SHA', -- 'AES128-GCM-SHA256', -- 'AES256-SHA', -- 'AES128-SHA', -- 'DES-CBC3-SHA', -- -- # IE11/Edge has some more ciphers, notably SHA384 and DSS -- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM -- # ciphers IE/Edge offers because they look like a large mismatch -- # between a very strong HMAC and a comparably weak (but sufficient) -- # encryption. Similar all browsers which do SHA384 can do ECDHE -- # so skip the DHE*SHA384 ciphers. -- 'ECDHE-RSA-AES256-GCM-SHA384', -- 'ECDHE-ECDSA-AES256-GCM-SHA384', -- # 'ECDHE-RSA-AES256-SHA384', -- # 'ECDHE-ECDSA-AES256-SHA384', -- # 'ECDHE-RSA-AES128-SHA256', -- # 'ECDHE-ECDSA-AES128-SHA256', -- # 'DHE-RSA-AES256-GCM-SHA384', -- # 'AES256-GCM-SHA384', -- 'AES256-SHA256', -- # 'AES128-SHA256', -- 'DHE-DSS-AES256-SHA256', -- # 'DHE-DSS-AES128-SHA256', -- 'DHE-DSS-AES256-SHA', -- 'DHE-DSS-AES128-SHA', -- 'EDH-DSS-DES-CBC3-SHA', -- -- # Just to make sure, that we don't accidentally add bad ciphers above. -- # This includes dropping RC4 which is no longer supported by modern -- # browsers and also excluded in the SSL libraries of Python and Ruby. -- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP" -- ) - ); - - # set values inside _init to work with perlcc, RT#95452 ---- lib/IO/Socket/SSL.pod -+++ lib/IO/Socket/SSL.pod -@@ -1036,12 +1036,8 @@ documentation (L +Date: Fri, 8 Feb 2019 14:50:32 +0100 +Subject: [PATCH] Test client performs Post-Handshake-Authentication +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This test uses openssl tool because PHA is not yet supported by +IO::Socket::SSL's server implementation. The openssl tool uses a fixed +port. So the test can fail. + +Signed-off-by: Petr Písař +--- + MANIFEST | 1 + + t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 91 insertions(+) + create mode 100755 t/pha_client.t + +diff --git a/MANIFEST b/MANIFEST +index 20cddb6..2b8328d 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -57,6 +57,7 @@ t/mitm.t + t/multiple-cert-rsa-ecc.t + t/nonblock.t + t/npn.t ++t/pha_client.t + t/plain_upgrade_downgrade.t + t/protocol_version.t + t/public_suffix_lib_encode_idn.t +diff --git a/t/pha_client.t b/t/pha_client.t +new file mode 100755 +index 0000000..2413588 +--- /dev/null ++++ b/t/pha_client.t +@@ -0,0 +1,90 @@ ++#!/usr/bin/perl ++use strict; ++use warnings; ++use Test::More; ++use IPC::Run (); ++use IO::Socket::SSL (); ++use Net::SSLeay (); ++use IO::Select (); ++ ++if (system('openssl', 'version')) { ++ plan skip_all => 'openssl tool is not available'; ++} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) { ++ plan skip_all => 'Net::SSLeay does not expose PHA'; ++} else { ++ plan tests => 5; ++} ++ ++my $port = 2000; ++my $ca_cert = 'certs/test-ca.pem'; ++ ++diag 'Starting a server'; ++my ($server, $input, $stdout, $stderr); ++eval { ++ $server = IPC::Run::start(['openssl', 's_server', '-port', $port, ++ '-Verify', '1', ++ '-cert', 'certs/server-wildcard.pem', ++ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert], ++ \$input, \$stdout, \$stderr); ++ # subsequent \undef does not work ++ # ++}; ++if (!$server or $@) { ++ BAIL_OUT("Could not start a server: $@"); ++} ++# openssl s_server does not return a non-zero exit code in case of bind(2) failure. ++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; } ++if ($stderr =~ /unable to bind socket/) { ++ $server->kill_kill; ++ BAIL_OUT("Could not start a server: $stderr"); ++} ++ok($server, 'Server started'); ++ ++my $client = IO::Socket::SSL->new( ++ PeerHost => 'localhost', ++ PeerPort => $port, ++ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER, ++ SSL_verifycn_scheme => 'www', ++ SSL_verifycn_name => 'www.server.local', ++ SSL_ca_file => $ca_cert, ++ SSL_key_file => 'certs/client-key.pem', ++ SSL_cert_file => 'certs/client-cert.pem' ++); ++ok($client, 'Client connected'); ++ ++SKIP: { ++ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2 ++ unless $client; ++ $client->blocking(0); ++ ++ SKIP: { ++ # Ask openssl s_server for PHA request and wait for the result. ++ $input .= "c\n"; ++ while ($server->pumpable && ++ $stderr !~ /SSL_verify_client_post_handshake/ && ++ $stdout !~ /SSL_do_handshake -> 1/ ++ ) { ++ # Push the PHA command to the server and read outputs. ++ $server->pump; ++ ++ # Client also must perform I/O to process the PHA request. ++ my $select = IO::Select->new($client); ++ while ($select->can_read(1)) { # 1 second time-out because of ++ # blocking IPC::Run ++ my $retval = $client->read(my $buf, 1); ++ if (defined $buf and $buf eq 'c') { ++ skip 'openssl tool does not support PHA command', 1; ++ } ++ } ++ } ++ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA'); ++ } ++ ++ ok($client->close, 'Client disconnected'); ++} ++ ++eval { ++ $server->kill_kill; ++}; ++ok(!$@, 'Server terminated'); ++ +-- +2.20.1 + diff --git a/SOURCES/IO-Socket-SSL-2.066-use-system-default-SSL-version.patch b/SOURCES/IO-Socket-SSL-2.066-use-system-default-SSL-version.patch new file mode 100644 index 0000000..a9a4331 --- /dev/null +++ b/SOURCES/IO-Socket-SSL-2.066-use-system-default-SSL-version.patch @@ -0,0 +1,36 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -164,7 +164,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p + # global defaults + my %DEFAULT_SSL_ARGS = ( + SSL_check_crl => 0, +- SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken ++ SSL_version => '', + SSL_verify_callback => undef, + SSL_verifycn_scheme => undef, # fallback cn verification + SSL_verifycn_publicsuffix => undef, # fallback default list verification +@@ -2335,7 +2335,7 @@ sub new { + + my $ssl_op = $DEFAULT_SSL_OP; + +- my $ver; ++ my $ver = ''; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { + m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i + or croak("invalid SSL_version specified"); +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -1028,11 +1028,12 @@ All values are case-insensitive. Instea + 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for + 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay + and openssl. ++The default SSL_version is defined by the underlying cryptographic library. + + Independent from the handshake format you can limit to set of accepted SSL + versions by adding !version separated by ':'. + +-The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the ++For example, 'SSLv23:!SSLv3:!SSLv2' means that the + handshake format is compatible to SSL2.0 and higher, but that the successful + handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because + both of these versions have serious security issues and should not be used diff --git a/SOURCES/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch b/SOURCES/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch new file mode 100644 index 0000000..4ae5f11 --- /dev/null +++ b/SOURCES/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch @@ -0,0 +1,99 @@ +--- lib/IO/Socket/SSL.pm ++++ lib/IO/Socket/SSL.pm +@@ -172,11 +172,10 @@ my %DEFAULT_SSL_ARGS = ( + SSL_npn_protocols => undef, # meaning depends whether on server or client side + SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] + +- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05 +- # "Old backward compatibility" for best compatibility +- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" +- # slightly reordered to prefer AES since it is cheaper when hardware accelerated +- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', ++ # Use system-wide default cipher list to support use of system-wide ++ # crypto policy (#1076390, #1127577, CPAN RT#97816) ++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy ++ SSL_cipher_list => 'DEFAULT', + ); + + my %DEFAULT_SSL_CLIENT_ARGS = ( +@@ -186,63 +185,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( + SSL_ca_file => undef, + SSL_ca_path => undef, + +- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes +- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html +- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 +- # Ubuntu worked around this by disabling TLSv1_2 on the client side for +- # a while. Later a padding extension was added to OpenSSL to work around +- # broken F5 but then IronPort croaked because it did not understand this +- # extension so it was disabled again :( +- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so +- # that packet stays small enough. We try the same here. +- +- SSL_cipher_list => join(" ", +- +- # SSLabs report for Chrome 48/OSX. +- # This also includes the fewer ciphers Firefox uses. +- 'ECDHE-ECDSA-AES128-GCM-SHA256', +- 'ECDHE-RSA-AES128-GCM-SHA256', +- 'DHE-RSA-AES128-GCM-SHA256', +- 'ECDHE-ECDSA-CHACHA20-POLY1305', +- 'ECDHE-RSA-CHACHA20-POLY1305', +- 'ECDHE-ECDSA-AES256-SHA', +- 'ECDHE-RSA-AES256-SHA', +- 'DHE-RSA-AES256-SHA', +- 'ECDHE-ECDSA-AES128-SHA', +- 'ECDHE-RSA-AES128-SHA', +- 'DHE-RSA-AES128-SHA', +- 'AES128-GCM-SHA256', +- 'AES256-SHA', +- 'AES128-SHA', +- 'DES-CBC3-SHA', +- +- # IE11/Edge has some more ciphers, notably SHA384 and DSS +- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM +- # ciphers IE/Edge offers because they look like a large mismatch +- # between a very strong HMAC and a comparably weak (but sufficient) +- # encryption. Similar all browsers which do SHA384 can do ECDHE +- # so skip the DHE*SHA384 ciphers. +- 'ECDHE-RSA-AES256-GCM-SHA384', +- 'ECDHE-ECDSA-AES256-GCM-SHA384', +- # 'ECDHE-RSA-AES256-SHA384', +- # 'ECDHE-ECDSA-AES256-SHA384', +- # 'ECDHE-RSA-AES128-SHA256', +- # 'ECDHE-ECDSA-AES128-SHA256', +- # 'DHE-RSA-AES256-GCM-SHA384', +- # 'AES256-GCM-SHA384', +- 'AES256-SHA256', +- # 'AES128-SHA256', +- 'DHE-DSS-AES256-SHA256', +- # 'DHE-DSS-AES128-SHA256', +- 'DHE-DSS-AES256-SHA', +- 'DHE-DSS-AES128-SHA', +- 'EDH-DSS-DES-CBC3-SHA', +- +- # Just to make sure, that we don't accidentally add bad ciphers above. +- # This includes dropping RC4 which is no longer supported by modern +- # browsers and also excluded in the SSL libraries of Python and Ruby. +- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP" +- ) + ); + + # set values inside _init to work with perlcc, RT#95452 +--- lib/IO/Socket/SSL.pod ++++ lib/IO/Socket/SSL.pod +@@ -1054,12 +1054,8 @@ documentation (L= 0.88 BuildRequires: perl(utf8) BuildRequires: procps @@ -89,7 +91,7 @@ mod_perl. # Use system-default SSL version too %patch1 -# Prevent tests from dying on SIGPIPE (CPAN RT#126899) +# Add a test for PHA %patch2 -p1 %build @@ -105,26 +107,44 @@ find %{buildroot} -type f -name .packlist -delete make test %files +# GPL+ or Artistic %doc BUGS Changes README docs/ certs/ example/ %dir %{perl_vendorlib}/IO/ %dir %{perl_vendorlib}/IO/Socket/ +%dir %{perl_vendorlib}/IO/Socket/SSL/ %doc %{perl_vendorlib}/IO/Socket/SSL.pod %{perl_vendorlib}/IO/Socket/SSL.pm -%{perl_vendorlib}/IO/Socket/SSL/ +%{perl_vendorlib}/IO/Socket/SSL/Intercept.pm +%{perl_vendorlib}/IO/Socket/SSL/Utils.pm %{_mandir}/man3/IO::Socket::SSL.3* %{_mandir}/man3/IO::Socket::SSL::Intercept.3* -%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3* %{_mandir}/man3/IO::Socket::SSL::Utils.3* +# MPLv2.0 +%{perl_vendorlib}/IO/Socket/SSL/PublicSuffix.pm +%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3* %changelog +* Wed Jun 26 2019 Paul Howarth - 2.066-3 +- PublicSuffix.pm is licensed MPLv2.0 (#1724434) + +* Mon Jun 17 2019 Petr Pisar - 2.066-2 +- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1633636) + +* Thu Jun 13 2019 Petr Pisar - 2.066-1 +- Update to 2.066 (bug #1632600) + +* Thu Feb 07 2019 Petr Pisar - 2.060-3 +- Client sends a post-handshake-authentication extension if a client key and + a certificate are available (bug #1633636) + * Mon Sep 24 2018 Petr Pisar - 2.060-2 - Prevent tests from dying on SIGPIPE (bug #1610017) * Mon Sep 17 2018 Paul Howarth - 2.060-1 - Update to 2.060 (bug #1610017) - - Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); - see also CPAN RT#126899 - - TLS 1.3 support is not complete yet for session resume + - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see + also CPAN RT#126899 + - TLS 1.3 support is not complete yet for session reuse * Tue Aug 21 2018 Petr Pisar - 2.059-2 - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1610017)