diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..962144c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/IO-Socket-SSL-1.94.tar.gz
diff --git a/.perl-IO-Socket-SSL.metadata b/.perl-IO-Socket-SSL.metadata
new file mode 100644
index 0000000..14eb3f9
--- /dev/null
+++ b/.perl-IO-Socket-SSL.metadata
@@ -0,0 +1 @@
+7d15be5e83eb5be3c837f95af3aedcf40736153c SOURCES/IO-Socket-SSL-1.94.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/IO-Socket-SSL-1.94-1.953-RT-87052-fix-in-Utils.pm.patch b/SOURCES/IO-Socket-SSL-1.94-1.953-RT-87052-fix-in-Utils.pm.patch
new file mode 100644
index 0000000..4881f51
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-1.953-RT-87052-fix-in-Utils.pm.patch
@@ -0,0 +1,39 @@
+Fix error reporting in Utils
+
+Back-ported from:
+
+From 6e46f6c5dbe1ca1145f68b9b77405590f71efcbc Mon Sep 17 00:00:00 2001
+From: Steffen Ullrich
+Date: Mon, 22 Jul 2013 08:33:35 +0200
+Subject: [PATCH] 1.953 - RT#87052 fix in Utils.pm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+
+diff --git a/lib/IO/Socket/SSL/Utils.pm b/lib/IO/Socket/SSL/Utils.pm
+index 6a71584..0542593 100644
+--- a/lib/IO/Socket/SSL/Utils.pm
++++ b/lib/IO/Socket/SSL/Utils.pm
+@@ -48,7 +48,7 @@ sub PEM_string2cert {
+ sub PEM_cert2string {
+ my $cert = shift;
+ return Net::SSLeay::PEM_get_string_X509($cert)
+- or croak("cannot get string from cert");
++ || croak("cannot get string from cert");
+ }
+ 
+ sub PEM_file2key {
+@@ -84,7 +84,7 @@ sub PEM_string2key {
+ sub PEM_key2string {
+ my $key = shift;
+ return Net::SSLeay::PEM_get_string_PrivateKey($key)
+- or croak("cannot get string from key");
++ || croak("cannot get string from key");
+ }
+ 
+ sub CERT_free {
+--
+1.8.1.4
+
diff --git a/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch b/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
new file mode 100644
index 0000000..43a3bc7
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
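Review bot: The `or` → `||` change in `PEM_cert2string` and `PEM_key2string` is the right fix, because `return EXPR or croak(...)` returns EXPR before `croak` is ever reached, but nothing in the code records that, and the usual "prefer `or` for flow control" advice invites someone to revert it. A comment at the first site such as `# || not or: with 'return EXPR or croak(...)' the return wins and croak is never called` would protect both hunks. The second hunk in the patch has the same shape and needs no separate comment beyond a short cross-reference.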
@@ -0,0 +1,174 @@ +From 24fa6df5e1910269d86cb97bb5cef464fc3111ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Wed, 19 Mar 2014 12:54:22 +0100 +Subject: [PATCH] Added support for ECDH key exchange with key SSL_ecdh_curve +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is port of following upstream commit to 1.94 version: + +commit e067e09bf0c6b5844693169af75ec93b22bfa660 +Author: Steffen Ullrich +Date: Fri Oct 11 18:50:01 2013 +0200 + + 1.955 - added support for ECDH key exchange with key SSL_ecdh_curve + +Signed-off-by: Petr Písař +--- + MANIFEST | 1 + + SSL.pm | 28 +++++++++++++++++++++++ + t/ecdhe.t | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 107 insertions(+) + create mode 100644 t/ecdhe.t + +diff --git a/MANIFEST b/MANIFEST +index afed6c6..3d97511 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -50,6 +50,7 @@ t/auto_verify_hostname.t + t/verify_hostname.t + t/sni.t + t/mitm.t ++t/ecdhe.t + util/export_certs.pl + META.yml Module YAML meta-data (added by MakeMaker) + META.json Module JSON meta-data (added by MakeMaker) +diff --git a/SSL.pm b/SSL.pm +index bcf098f..ad18f7a 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -1756,6 +1756,25 @@ sub new { + Net::SSLeay::DH_free( $dh ); + $rv || return IO::Socket::SSL->error( "Failed to set DH from $f" ); + } ++ ++ if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) { ++ return IO::Socket::SSL->error( ++ "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0") ++ if ! 
defined( &Net::SSLeay::CTX_set_tmp_ecdh ); ++ if ( $curve !~ /^\d+$/ ) { ++ # name of curve, find NID ++ $curve = Net::SSLeay::OBJ_txt2nid($curve) ++ || return IO::Socket::SSL->error( ++ "cannot find NID for curve name '$curve'"); ++ } ++ my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or ++ return IO::Socket::SSL->error( ++ "cannot create curve for NID $curve"); ++ Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh) or ++ return IO::Socket::SSL->error( ++ "failed to set ECDH curve context"); ++ Net::SSLeay::EC_KEY_free($ecdh); ++ } + } + + my $verify_cb = $arg_hash->{SSL_verify_callback}; +@@ -2158,11 +2177,20 @@ C option. + + If you want Diffie-Hellman key exchange you need to supply a suitable file here + or use the SSL_dh parameter. See dhparam command in openssl for more information. ++To create a server which provides perfect forward secrecy you need to either ++give the DH parameters or (better, because faster) the ECDH curve. + + =item SSL_dh + + Like SSL_dh_file, but instead of giving a file you use a preloaded or generated DH*. + ++=item SSL_ecdh_curve ++ ++If you want Elliptic Curve Diffie-Hellmann key exchange you need to supply the ++OID or NID of a suitable curve (like 'prime256v1') here. ++To create a server which provides perfect forward secrecy you need to either ++give the DH parameters or (better, because faster) the ECDH curve. ++ + =item SSL_passwd_cb + + If your private key is encrypted, you might not want the default password prompt from +diff --git a/t/ecdhe.t b/t/ecdhe.t +new file mode 100644 +index 0000000..40aed59 +--- /dev/null ++++ b/t/ecdhe.t +@@ -0,0 +1,78 @@ ++#!perl ++# Before `make install' is performed this script should be runnable with ++# `make test'. 
After `make install' it should work as `perl t/ecdhe.t' ++ ++use strict; ++use warnings; ++use Net::SSLeay; ++use Socket; ++use IO::Socket::SSL; ++ ++if ( grep { $^O =~m{$_} } qw( MacOS VOS vmesa riscos amigaos ) ) { ++ print "1..0 # Skipped: fork not implemented on this platform\n"; ++ exit ++} ++ ++if ( ! defined &Net::SSLeay::CTX_set_tmp_ecdh ) { ++ print "1..0 # Skipped: no support for ecdh with this openssl/Net::SSLeay\n"; ++ exit ++} ++ ++$|=1; ++print "1..4\n"; ++ ++# first create simple ssl-server ++my $ID = 'server'; ++my $addr = '127.0.0.1'; ++my $server = IO::Socket::SSL->new( ++ LocalAddr => $addr, ++ Listen => 2, ++ ReuseAddr => 1, ++ SSL_cert_file => "certs/server-cert.pem", ++ SSL_key_file => "certs/server-key.pem", ++ SSL_ecdh_curve => 'prime256v1', ++) || do { ++ notok($!); ++ exit ++}; ++ok("Server Initialization"); ++ ++# add server port to addr ++$addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; ++ ++my $pid = fork(); ++if ( !defined $pid ) { ++ die $!; # fork failed ++ ++} elsif ( !$pid ) { ###### Client ++ ++ $ID = 'client'; ++ close($server); ++ my $to_server = IO::Socket::SSL->new( ++ PeerAddr => $addr, ++ SSL_verify_mode => 0 ) || do { ++ notok( "connect failed: $SSL_ERROR" ); ++ exit ++ }; ++ ok( "client connected" ); ++ ++ my $cipher = $to_server->get_cipher(); ++ if ( $cipher !~m/^ECDHE-/ ) { ++ notok("bad key exchange: $cipher"); ++ exit; ++ } ++ ok("ecdh key exchange: $cipher"); ++ ++} else { ###### Server ++ ++ my $to_client = $server->accept || do { ++ notok( "accept failed: $SSL_ERROR" ); ++ kill(9,$pid); ++ exit; ++ }; ++ ok( "Server accepted" ); ++ wait; ++} ++ ++sub ok { print "ok # [$ID] @_\n"; } ++sub notok { print "not ok # [$ID] @_\n"; } +-- +1.8.5.3 + diff --git a/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch b/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch new file mode 100644 index 0000000..a7da922 --- /dev/null 
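Review bot: In the `SSL_ecdh_curve` block added to `sub new` in SSL.pm, the key created by `Net::SSLeay::EC_KEY_new_by_curve_name` is freed only on the success path; when `CTX_set_tmp_ecdh` fails, the `return IO::Socket::SSL->error("failed to set ECDH curve context")` leaves `$ecdh` unreleased. Capture the result first so the free runs on both paths: `my $ok = Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh);` / `Net::SSLeay::EC_KEY_free($ecdh);` / `$ok or return IO::Socket::SSL->error("failed to set ECDH curve context");`. That also matches the DH branch a few lines above, which calls `DH_free( $dh )` before testing `$rv`. The enclosing `sub new` starts and ends outside the hunk, and the new `t/ecdhe.t` only exercises the success path, so the leak is not covered by the test.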
+++ b/SOURCES/IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch 
@@ -0,0 +1,149 @@ +From acf455911cd0b97e247bcd06e365a3fea0ba208c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 8 Dec 2016 13:49:11 +0100 +Subject: [PATCH] Default SSL_ca_file to system-wide store +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch provides a default value for a file with CA certificates. +Similar idea was implemented in upstream version 1.968. + +This patch also decouples default values for CA and client +certificates. This allows to specify SSL_cert_file and SSL_key_file +while not specifying SSL_ca_path and SSL_ca_file to still use +default values for them. + +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 65 +++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 44 insertions(+), 21 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 4720606..2ea454b 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -326,7 +326,7 @@ sub configure_SSL { + "*******************************************************************\n". + " Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client\n". + " is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER\n". +- " together with SSL_ca_file|SSL_ca_path for verification.\n". ++ " possibly with SSL_ca_file|SSL_ca_path for verification.\n". + " If you really don't want to verify the certificate and keep the\n". + " connection open to Man-In-The-Middle attacks please set\n". + " SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.\n". 
+@@ -339,24 +339,54 @@ sub configure_SSL { + %$arg_hash = ( %default_args, %$arg_hash ); + + # use default path to certs and ca unless another one was given +- # don't mix default path with user specified path, either we use all +- # or no defaults ++ # don't mix default paths with user specified paths for CA or client ++ # certificates, either we use all from the grup or no defaults + { +- my $use_default = 1; +- for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file SSL_ca_file SSL_ca_path )) { ++ my $use_default_ca = 1; ++ my $dont_use_system_ca_file = (exists $arg_hash->{SSL_ca_file} and ++ not defined($arg_hash->{SSL_ca_file})); ++ for (qw( SSL_ca_file SSL_ca_path )) { + next if ! defined $arg_hash->{$_}; + # some apps set keys '' to signal that it is not set, replace with undef + if ( $arg_hash->{$_} eq '' ) { + $arg_hash->{$_} = undef; + next; + } +- $use_default = 0; ++ $use_default_ca = 0; + } +- if ( $use_default ) { ++ my $use_default_client = 1; ++ for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file )) { ++ next if ! defined $arg_hash->{$_}; ++ # some apps set keys '' to signal that it is not set, replace with undef ++ if ( $arg_hash->{$_} eq '' ) { ++ $arg_hash->{$_} = undef; ++ next; ++ } ++ $use_default_client = 0; ++ } ++ if ( $use_default_ca ) { + my %ca = + -f 'certs/my-ca.pem' ? ( SSL_ca_file => 'certs/my-ca.pem' ) : + -d 'ca/' ? ( SSL_ca_path => 'ca/' ) : + (); ++ if (! %ca and !$dont_use_system_ca_file) { ++ require Mozilla::CA; ++ %ca = ( SSL_ca_file => Mozilla::CA::SSL_ca_file() ); ++ } ++ %$arg_hash = ( %$arg_hash, %ca ); ++ } else { ++ if ( defined( my $f = $arg_hash->{SSL_ca_file} )) { ++ die "SSL_ca_file $f does not exist" if ! -f $f; ++ die "SSL_ca_file $f is not accessable" if ! -r _; ++ } ++ if ( defined( my $d = $arg_hash->{SSL_ca_path} )) { ++ die "only SSL_ca_path or SSL_ca_file should be given" ++ if defined $arg_hash->{SSL_ca_file}; ++ die "SSL_ca_path $d does not exist" if ! -d $d; ++ die "SSL_ca_path $d is not accessable" if ! 
-r _; ++ } ++ } ++ if ( $use_default_client ) { + my %certs = $is_server ? ( + SSL_key_file => 'certs/server-key.pem', + SSL_cert_file => 'certs/server-cert.pem', +@@ -364,7 +394,7 @@ sub configure_SSL { + SSL_key_file => 'certs/client-key.pem', + SSL_cert_file => 'certs/client-cert.pem', + ); +- %$arg_hash = ( %$arg_hash, %ca, %certs ); ++ %$arg_hash = ( %$arg_hash, %certs ); + } else { + for(qw(SSL_cert_file SSL_key_file)) { + defined( my $file = $arg_hash->{$_} ) or next; +@@ -373,16 +403,6 @@ sub configure_SSL { + die "$_ $f is not accessable" if ! -r _; + } + } +- if ( defined( my $f = $arg_hash->{SSL_ca_file} )) { +- die "SSL_ca_file $f does not exist" if ! -f $f; +- die "SSL_ca_file $f is not accessable" if ! -r _; +- } +- if ( defined( my $d = $arg_hash->{SSL_ca_path} )) { +- die "only SSL_ca_path or SSL_ca_file should be given" +- if defined $arg_hash->{SSL_ca_file}; +- die "SSL_ca_path $d does not exist" if ! -d $d; +- die "SSL_ca_path $d is not accessable" if ! -r _; +- } + } + } + +@@ -1937,8 +1957,11 @@ IO::Socket::SSL -- SSL sockets with IO::Socket interface + + # certificate verification + SSL_verify_mode => SSL_VERIFY_PEER, ++ ++ # location of CA store ++ # need only be given if default store should not be used + SSL_ca_path => '/etc/ssl/certs', # typical CA path on Linux +- # on OpenBSD instead: SSL_ca_file => '/etc/ssl/cert.pem' ++ SSL_ca_file => '/etc/ssl/cert.pem', # typical CA file on BSD + + # easy hostname verification + SSL_verifycn_name => 'foo.bar', # defaults to PeerHost +@@ -2210,9 +2233,9 @@ password required to decrypt your private key. + =item SSL_ca_file + + If you want to verify that the peer certificate has been signed by a reputable +-certificate authority, then you should use this option to locate the file ++certificate authority, then you can use this option to locate the file + containing the certificateZ<>(s) of the reputable certificate authorities if it is +-not already in the file F. 
++not already in the file F or in a system-wide certificate authority certificates store.
+ If you definitely want no SSL_ca_file used you should set it to undef.
+ 
+ =item SSL_ca_path
+--
+2.7.4
+
diff --git a/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch b/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch
new file mode 100644
index 0000000..f66c900
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch
@@ -0,0 +1,11 @@
+--- a/lib/IO/Socket/SSL/Utils.pm
++++ b/lib/IO/Socket/SSL/Utils.pm
+@@ -94,7 +94,7 @@ sub CERT_free {
+ 
+ sub KEY_free {
+ my $key = shift or return;
+- Net::SSLeay::EVP_KEY_free($key);
++ Net::SSLeay::EVP_PKEY_free($key);
+ }
+ 
+ sub KEY_create_rsa {
diff --git a/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch b/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch
new file mode 100644
index 0000000..6b95469
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch
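Review bot: The new fallback in `configure_SSL` does a bare `require Mozilla::CA;` inside the `if (! %ca and !$dont_use_system_ca_file)` branch, so on a host without that module every socket built with default arguments dies with a generic "Can't locate" error from deep inside SSL.pm; the spec's `Requires: perl(Mozilla::CA)` covers the package, but the module itself should fail intelligibly, e.g. `eval { require Mozilla::CA; 1 } or die "default CA store needs Mozilla::CA: $@";`. Note also that the cwd-relative `certs/my-ca.pem` and `ca/` checks still run before the system store, so a file of that name in the working directory silently replaces the system-wide trust anchors; that precedence predates this patch, but the POD sentence added for SSL_ca_file is the place to say so. `$dont_use_system_ca_file` is computed before the loop that turns `''` into undef, which makes `''` mean "use the system store" and an explicit undef mean "no CA file" — subtle enough to deserve a one-line comment next to its declaration. The comment typo "grup" should read "group".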
@@ -0,0 +1,88 @@ +From ffa8a34d793707a8a05652908b69fea7faeede7c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 7 Aug 2014 10:36:40 +0200 +Subject: [PATCH] Respect OpenSSL default ciphers and protocol versions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If application did not specified cipher or protocol version, +IO::Socket::SSL set them to 'ALL:!LOW' and 'SSLv23:!SSLv2'. This +undermined global cryptogphic setting. + +This patch disables these defaults hard-coded into IO::Socket::SSL and +leves the decision on OpenSSL. + +http://rt.cpan.org/Public/Bug/Display.html?id=97816 +https://bugzilla.redhat.com/show_bug.cgi?id=1127322 +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 13 +++++++------ + t/dhe.t | 1 + + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 3e02e8f..eb4bd05 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -34,13 +34,13 @@ use constant SSL_RECEIVED_SHUTDOWN => 2; + # global defaults + my %DEFAULT_SSL_ARGS = ( + SSL_check_crl => 0, +- SSL_version => 'SSLv23:!SSLv2', ++ SSL_version => '', + SSL_verify_callback => undef, + SSL_verifycn_scheme => undef, # don't verify cn + SSL_verifycn_name => undef, # use from PeerAddr/PeerHost + SSL_npn_protocols => undef, # meaning depends whether on server or client side + SSL_honor_cipher_order => 0, # client order gets preference +- SSL_cipher_list => 'ALL:!LOW', ++ SSL_cipher_list => undef, + + # default for SSL_verify_mode should be SSL_VERIFY_PEER for client + # for now we keep the default of SSL_VERIFY_NONE but complain, if +@@ -1579,7 +1579,7 @@ sub new { + return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'}); + } + +- my $ver; ++ my $ver=''; + my $disable_ver = 0; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { + m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i +@@ -2049,7 +2049,8 @@ to the specified version. 
All values are case-insensitive. + + You can limit to set of supported protocols by adding !version separated by ':'. + +-The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1 ++The default SSL_version is defined by underlying cryptographic library. ++E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1 + are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving + only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions + 1.1 and 1.2 while allowing TLS version 1.0. +@@ -2066,8 +2067,8 @@ given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look into the OpenSSL + documentation (L) + for more details. + +-If this option is not set 'ALL:!LOW' will be used. +-To use OpenSSL builtin default (whatever this is) set it to ''. ++If this option is not set or is set to '', OpenSSL builtin default (whatever ++this is) will be used. + + =item SSL_honor_cipher_order + +diff --git a/t/dhe.t b/t/dhe.t +index a2bf565..4010a26 100644 +--- a/t/dhe.t ++++ b/t/dhe.t +@@ -55,6 +55,7 @@ if ( !defined $pid ) { + close($server); + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, ++ SSL_cipher_list => 'ALL:RSA:!aRSA', + SSL_verify_mode => 0 ) || do { + notok( "connect failed: $SSL_ERROR" ); + exit +-- +1.9.3 + diff --git a/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch b/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch new file mode 100644 index 0000000..6e2643a --- /dev/null +++ b/SOURCES/IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch 
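Review bot: Changing the `SSL_version` default from `'SSLv23:!SSLv2'` to `''` drops the module's own SSLv2 exclusion: with `$ver=''` the code falls through to `CTX_new`, and whether SSLv2 or SSLv3 can then be negotiated depends entirely on how the linked OpenSSL was built and configured, which the POD rewrite in the same hunk only hints at. The new paragraph also reads oddly, because `'SSLv23:!SSLv2'` is now presented as an example right after saying the default is the library's; suggest replacing the first two new lines with `The default SSL_version is left to the underlying OpenSSL library, which may or may not exclude SSLv2/SSLv3 depending on how it was built. To enforce a floor regardless of the library, set it explicitly, e.g. 'SSLv23:!SSLv2:!SSLv3'.` The `SSL_cipher_list => undef` default deserves the same statement in its POD entry, that the resulting cipher set is the library's policy, not the module's. The `t/dhe.t` change pinning `SSL_cipher_list => 'ALL:RSA:!aRSA'` is fine for a test that must force a DHE suite.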
@@ -0,0 +1,148 @@ +From 70d5c2746afee9c2b6112246ab1640aa0ebb34c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 6 Oct 2016 14:51:26 +0200 +Subject: [PATCH 2/2] The new syntax for the protocols is TLSv1_1 instead of + TLSv11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is a part of these commits ported to 1.94: + +commit 5c2151176da6a37e7dd16fd2ffc39809f58f6035 +Author: Steffen Ullrich +Date: Wed Jan 15 12:33:49 2014 +0100 + + 1.964: get_sslversion* function, disabling TLS1_1 fixed + + - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets + the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc + - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches + the syntax from OpenSSL. The old syntax continues to work in SSL_version. + - New functions get_sslversion and get_sslversion_int which get the SSL version + of the establish session as string or int. 
+ - disable t/io-socket-inet6.t if Acme::Override::INET is installed + +commit bd49a91f755e5027ba5aa1656f32f86486f5c0fd +Author: Steffen Ullrich +Date: Tue Jan 21 17:53:15 2014 +0100 + + 1.966 + - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no + longer with + specifying !TLSv12, only !TLSv1_2 worked + - fixed leak of session objects in SessionCache, if another + session + replaced an existing session (introduced in 1.965) + +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 62 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 28 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index a30ffb1..4720606 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -61,6 +61,15 @@ BEGIN{ + if $@; + } + ++# get constants for SSL_OP_NO_* now, instead calling the releated functions ++# everytime we setup a connection ++my %SSL_OP_NO; ++for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) { ++ my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); ++ my $sub = "Net::SSLeay::OP_NO_$op"; ++ $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0; ++} ++ + our $DEBUG; + use vars qw(@ISA $SSL_ERROR @EXPORT ); + +@@ -1582,32 +1591,27 @@ sub new { + my $ver=''; + my $disable_ver = 0; + for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { +- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i ++ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i + or croak("invalid SSL_version specified"); + my $not = $1; + ( my $v = lc($2||$3) ) =~s{^(...)}{\U$1}; +- $v =~s{/}{}; # interpret SSLv2/3 as SSLv23 + if ( $not ) { +- $disable_ver |= +- $v eq 'SSLv2' ? 0x01000000 : # SSL_OP_NO_SSLv2 +- $v eq 'SSLv3' ? 0x02000000 : # SSL_OP_NO_SSLv3 +- $v eq 'TLSv1' ? 0x04000000 : # SSL_OP_NO_TLSv1 +- $v eq 'TLSv11' ? 0x00000400 : # SSL_OP_NO_TLSv1_1 +- $v eq 'TLSv12' ? 
0x08000000 : # SSL_OP_NO_TLSv1_2 +- croak("cannot disable version $_"); ++ $disable_ver |= $SSL_OP_NO{$v}; + } else { + croak("cannot set multiple SSL protocols in SSL_version") + if $ver && $v ne $ver; + $ver = $v; ++ $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23 ++ $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1 + } + } + + my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay', +- $ver eq 'SSLv2' ? 'CTX_v2_new' : +- $ver eq 'SSLv3' ? 'CTX_v3_new' : +- $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : +- $ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' : +- $ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' : ++ $ver eq 'SSLv2' ? 'CTX_v2_new' : ++ $ver eq 'SSLv3' ? 'CTX_v3_new' : ++ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : ++ $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' : ++ $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' : + 'CTX_new' + ) or return IO::Socket::SSL->error("SSL Version $ver not supported"); + my $ctx = $ctx_new_sub->() or return +@@ -2064,24 +2068,26 @@ See section "SNI Support" for details of SNI the support. + + =item SSL_version + +-Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates +-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12' +-restrict the protocol to the specified version. All values are case-insensitive. +-Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay +-and openssl. ++Sets the version of the SSL protocol used to transmit data. ++'SSLv23' auto-negotiates between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', ++'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict the protocol to the specified version. ++All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can ++also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires ++recent versions of Net::SSLeay and openssl. + + You can limit to set of supported protocols by adding !version separated by ':'. + + The default SSL_version is defined by underlying cryptographic library. +-E.g. 
'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1 +-are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving +-only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions +-1.1 and 1.2 while allowing TLS version 1.0. +- +-Setting the version instead to 'TLSv1' will probably break interaction with lots of +-clients which start with SSLv2 and then upgrade to TLSv1. On the other side some +-clients just close the connection when they receive a TLS version 1.1 request. In this +-case setting the version to 'SSLv23:!SSLv2:!TLSv11:!TLSv12' might help. ++E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and ++TLSv1 are supported for initial protocol handshakes, but SSLv2 will not be ++accepted, leaving only SSLv3 and TLSv1. You can also use !TLSv1_1 and !TLSv1_2 ++to disable TLS versions 1.1 and 1.2 while allowing TLS version 1.0. ++ ++Setting the version instead to 'TLSv1' will probably break interaction with ++lots of clients which start with SSLv2 and then upgrade to TLSv1. On the other ++side some clients just close the connection when they receive a TLS version 1.1 ++request. In this case setting the version to 'SSLv23:!SSLv2:!TLSv1_1:!TLSv1_2' ++might help. + + =item SSL_cipher_list + +-- +2.7.4 + diff --git a/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch b/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch new file mode 100644 index 0000000..36be05d --- /dev/null +++ b/SOURCES/IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch 
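Review bot: The rewritten disable branch `$disable_ver |= $SSL_OP_NO{$v};` silently turns `!TLSv1_1` / `!TLSv1_2` into a no-op when Net::SSLeay lacks the corresponding `OP_NO_*` function, because the module-load-time table stores `|| 0` for missing constants, whereas the code it replaces croaked with "cannot disable version". An application that asks to disable a protocol and gets no error will believe that version is off; keep the old failure mode with `$disable_ver |= $SSL_OP_NO{$v} || croak("cannot disable version $_");`. The `%SSL_OP_NO` loop calls `&$sub` under `no strict 'refs'` to reach a string-built function name; a one-line comment saying this is deliberate would stop the `&`-call from being flagged as the usual anti-pattern. The enclosing `sub new` starts and ends outside the hunk.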
@@ -0,0 +1,48 @@ +From f606a25a80a37d5565fed6fc1ce1d8d241dab6c7 Mon Sep 17 00:00:00 2001 +From: Steffen Ullrich +Date: Mon, 14 Oct 2013 14:13:39 +0200 +Subject: [PATCH 1/2] support for handshake protocol TLSv11, TLSv12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Petr Písař +--- + lib/IO/Socket/SSL.pm | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 3279391..a30ffb1 100644 +--- a/lib/IO/Socket/SSL.pm ++++ b/lib/IO/Socket/SSL.pm +@@ -1603,9 +1603,11 @@ sub new { + } + + my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay', +- $ver eq 'SSLv2' ? 'CTX_v2_new' : +- $ver eq 'SSLv3' ? 'CTX_v3_new' : +- $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : ++ $ver eq 'SSLv2' ? 'CTX_v2_new' : ++ $ver eq 'SSLv3' ? 'CTX_v3_new' : ++ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : ++ $ver eq 'TLSv11' ? 'CTX_tlsv1_1_new' : ++ $ver eq 'TLSv12' ? 'CTX_tlsv1_2_new' : + 'CTX_new' + ) or return IO::Socket::SSL->error("SSL Version $ver not supported"); + my $ctx = $ctx_new_sub->() or return +@@ -2063,8 +2065,10 @@ See section "SNI Support" for details of SNI the support. + =item SSL_version + + Sets the version of the SSL protocol used to transmit data. 'SSLv23' auto-negotiates +-between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3' or 'TLSv1' restrict the protocol +-to the specified version. All values are case-insensitive. ++between SSLv2 and SSLv3, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv11' or 'TLSv12' ++restrict the protocol to the specified version. All values are case-insensitive. ++Support for 'TLSv11' and 'TLSv12' requires recent versions of Net::SSLeay ++and openssl. + + You can limit to set of supported protocols by adding !version separated by ':'. + +-- +2.7.4 + diff --git a/SPECS/perl-IO-Socket-SSL.spec b/SPECS/perl-IO-Socket-SSL.spec new file mode 100644 index 0000000..b34edc0 --- /dev/null +++ b/SPECS/perl-IO-Socket-SSL.spec 
@@ -0,0 +1,609 @@ +Name: perl-IO-Socket-SSL +Version: 1.94 +Release: 7%{?dist} +Summary: Perl library for transparent SSL +Group: Development/Libraries +License: GPL+ or Artistic +URL: http://search.cpan.org/dist/IO-Socket-SSL/ +Source0: http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz +# Correct error reporting, fixed in 1.953, CPAN RT#87052 +Patch0: IO-Socket-SSL-1.94-1.953-RT-87052-fix-in-Utils.pm.patch +# Respect OpenSSL default ciphers and protocol versions BZ#1127322 +Patch1: IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch +# Fix typo in Utils.pm BZ#1097710 +Patch2: IO-Socket-SSL-1.94-Fix-typo-key-free.patch +# Add support for ECDH key exchange, in upstream 1.955, bug #1316377 +Patch3: IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch +# Add support for handshake protocol TLSv11, TLSv12, bug #1335035, +# in upstream 1.955 +Patch4: IO-Socket-SSL-1.94-support-for-handshake-protocol-TLSv11-TLSv12.patch +# The new syntax for the protocols is TLSv1_1 instead of TLSv11, bug #1335035, +# in upstream 1.966 +Patch5: IO-Socket-SSL-1.94-The-new-syntax-for-the-protocols-is-TLSv1_1-instead-.patch +# Default to system wide CA certificate store, bug #1402588, in upstream 1.968 +Patch6: IO-Socket-SSL-1.94-Default-SSL_ca_file-to-system-wide-store.patch +BuildArch: noarch +BuildRequires: openssl >= 0.9.8 +BuildRequires: perl +BuildRequires: perl(Carp) +BuildRequires: perl(constant) +BuildRequires: perl(Errno) +BuildRequires: perl(Exporter) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.46 +BuildRequires: perl(IO::Select) +BuildRequires: perl(IO::Socket) +BuildRequires: perl(IO::Socket::INET) +#BuildRequires: perl(IO::Socket::INET6) ???? 
+BuildRequires: perl(IO::Socket::IP) >= 0.20 +# Mozilla::CA not used at tests +BuildRequires: perl(Net::LibIDN) +BuildRequires: perl(Net::SSLeay) >= 1.46 +BuildRequires: perl(Scalar::Util) +BuildRequires: perl(Socket) >= 1.9 +BuildRequires: perl(Socket6) +BuildRequires: perl(strict) +BuildRequires: perl(Time::Local) +BuildRequires: perl(vars) +BuildRequires: perl(warnings) +BuildRequires: procps +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(IO::Socket::IP) >= 0.20 +Requires: perl(Socket) >= 1.95 +Requires: perl(Mozilla::CA) +Requires: perl(Net::LibIDN) +Requires: perl-Net-SSLeay >= 1.55-5 +Requires: openssl >= 0.9.8 + +%description +This module is a true drop-in replacement for IO::Socket::INET that +uses SSL to encrypt data before it is transferred to a remote server +or client. IO::Socket::SSL supports all the extra features that one +needs to write a full-featured SSL client or server application: +multiple SSL contexts, cipher selection, certificate verification, and +SSL version selection. As an extra bonus, it works perfectly with +mod_perl. 
+ +%prep +%setup -q -n IO-Socket-SSL-%{version} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + +%build +perl Makefile.PL INSTALLDIRS=vendor +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +find %{buildroot} -type f -name .packlist -exec rm -f {} + +%{_fixperms} %{buildroot} + +%check +make test + +%files +%doc BUGS Changes README docs/ certs/ example/ util/ +%{perl_vendorlib}/IO/ +%{_mandir}/man3/IO::Socket::SSL.3* +%{_mandir}/man3/IO::Socket::SSL::Intercept.3* +%{_mandir}/man3/IO::Socket::SSL::Utils.3* + +%changelog +* Wed Aug 30 2017 Petr Pisar - 1.94-7 +- Default to system wide CA certificate store (bug #1402588) + +* Thu Oct 06 2016 Petr Pisar - 1.94-6 +- Add support for TLSv1.1, TLSv1.2 (bug #1335035) + +* Thu Mar 10 2016 Jitka Plesnikova - 1.94-5 +- Add support for ECDH key exchange (bug #1316377) + +* Fri Mar 04 2016 Jitka Plesnikova - 1.94-4 +- Respect OpenSSL default ciphers and protocol versions (bug #1127322) +- Fix typo in Utils.pm (bug #1097710) + +* Fri Dec 27 2013 Daniel Mach - 1.94-3 +- Mass rebuild 2013-12-27 + +* Wed Aug 07 2013 Petr Šabata - 1.94-2.1 +- Extend the dependency list and remove not needed conditionals +- Modernize the spec + +* Mon Jul 22 2013 Petr Pisar - 1.94-2 +- Correct error reporting (CPAN RT#87052) + +* Sat Jun 1 2013 Paul Howarth - 1.94-1 +- Update to 1.94 + - Makefile.PL reported wrong version of openssl if Net::SSLeay was not + installed, instead of reporting a missing dependency of Net::SSLeay + +* Fri May 31 2013 Paul Howarth - 1.93-1 +- Update to 1.93 + - Need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6 + years ago; remove code to work around older releases + - Changed AUTHOR in Makefile.PL from array back to string, because the array + feature is not available in MakeMaker shipped with 5.8.9 (CPAN RT#85739) +- Set openssl version requirement to 0.9.8 +- Drop ExtUtils::MakeMaker version requirement back to 6.46 + +* Thu May 30 
2013 Paul Howarth - 1.92-1
+- Update to 1.92
+ - Intercept: use sha1-fingerprint of original cert for id into cache unless
+ otherwise given
+ - Fix pod error in IO::Socket::SSL::Utils (CPAN RT#85733)
+
+* Thu May 30 2013 Paul Howarth - 1.91-1
+- Update to 1.91
+ - Added IO::Socket::SSL::Utils for easier manipulation of certificates and
+ keys
+ - Moved SSL interception into IO::Socket::SSL::Intercept and simplified it
+ using IO::Socket::SSL::Utils
+ - Enhance meta information in Makefile.PL
+- Bump openssl version requirement to 0.9.8a
+- Need at least version 6.58 of ExtUtils::MakeMaker (CPAN RT#85739)
+
+* Wed May 29 2013 Paul Howarth - 1.90-1
+- Update to 1.90
+ - Support more digests, especially SHA-2 (CPAN RT#85290)
+ - Added support for easy SSL interception (man in the middle) based on ideas
+ found in mojo-mitm proxy
+ - Make 1.46 the minimal required version for Net::SSLeay, because it
+ introduced lots of useful functions
+- BR:/R: openssl ≥ 0.9.7e for P_ASN1_TIME_(get,set)_isotime in Net::SSLeay
+
+* Tue May 14 2013 Paul Howarth - 1.89-1
+- Update to 1.89
+ - If IO::Socket::IP is used it should be at least version 0.20; otherwise we
+ get problems with HTTP::Daemon::SSL and maybe others (CPAN RT#81932)
+ - Spelling corrections
+
+* Thu May 2 2013 Paul Howarth - 1.88-1
+- Update to 1.88
+ - Consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
+ and SSL_cert* - some apps like Net::LDAP use it that way
+
+* Wed Apr 24 2013 Paul Howarth - 1.87-1
+- Update to 1.87
+ - Complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are
+ not readable (CPAN RT#84829)
+ - Fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
+
+* Wed Apr 17 2013 Paul Howarth - 1.86-1
+- Update to 1.86
+ - Don't warn about SSL_verify_mode when re-using an existing SSL context
+ (CPAN RT#84686)
+
+* Mon Apr 15 2013 Paul Howarth - 1.85-1
+- Update to 1.85
+ - Probe for available modules with local __DIE__ and __WARN__handlers
+ (CPAN RT#84574)
+ - Fix warning, when IO::Socket::IP is installed and inet6 support gets
+ explicitly requested (CPAN RT#84619)
+
+* Sat Feb 16 2013 Paul Howarth - 1.84-1
+- Update to 1.84
+ - Disabled client side SNI for openssl version < 1.0.0 because of
+ CPAN RT#83289
+ - Added functions can_client_sni, can_server_sni and can_npn to check
+ availability of SNI and NPN features
+ - Added more documentation for SNI and NPN
+
+* Thu Feb 14 2013 Paul Howarth - 1.83-2
+- Update to 1.831
+ - Separated documentation of non-blocking I/O from error handling
+ - Changed and documented behavior of readline to return the read data on
+ EAGAIN/EWOULDBLOCK in case of non-blocking socket
+ (see https://github.com/noxxi/p5-io-socket-ssl/issues/1)
+- Bumped release rather than version number to preserve likely upgrade path
+ and avoid need for epoch or version number ugliness; may revisit this in
+ light of upstream's future version numbering decisions
+
+* Mon Feb 4 2013 Paul Howarth - 1.83-1
+- Update to 1.83
+ - Server Name Indication (SNI) support on the server side (CPAN RT#82761)
+ - Reworked part of the documentation, like providing better examples
+
+* Mon Jan 28 2013 Paul Howarth - 1.82-1
+- Update to 1.82
+ - sub error sets $SSL_ERROR etc. only if there really is an error; otherwise
+ it will keep the latest error, which allows IO::Socket::SSL->new to report
+ the correct problem, even if the problem is deeper in the code (like in
+ connect)
+ - Correct spelling (CPAN RT#82790)
+
+* Thu Dec 6 2012 Paul Howarth - 1.81-1
+- Update to 1.81
+ - Deprecated set_ctx_defaults; new name is set_defaults (the old name is
+ still available)
+ - Changed handling of default path for SSL_(ca|cert|key)* keys: if one of
+ these keys is user defined, don't add defaults for the others, i.e.
+ don't mix user settings and defaults
+ - Cleaner handling of module defaults vs. global settings vs. socket
+ specific settings; global and socket specific settings are both provided
+ by the user, while module defaults are not
+ - Make IO::Socket::INET6 and IO::Socket::IP specific tests both run, even
+ if both modules are installed, by faking a failed load of the other module
+- BR: perl(IO::Socket::INET6) and perl(Socket6) unconditionally
+
+* Fri Nov 30 2012 Paul Howarth - 1.80-1
+- Update to 1.80
+ - Removed some warnings in test (missing SSL_verify_mode => 0), which caused
+ tests to hang on Windows (CPAN RT#81493)
+
+* Sun Nov 25 2012 Paul Howarth - 1.79-1
+- Update to 1.79
+ - Use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort
+ from sockaddr in _update_peer, because this provides scope too
+ - Work around systems that don't define AF_INET6 (CPAN RT#81216)
+ - Prepare transition to a more secure default for SSL_verify_mode; the use of
+ the current default SSL_VERIFY_NONE will cause a big warning for clients,
+ unless SSL_verify_mode was explicitly set inside the application to this
+ insecure value (in the near future the default will be SSL_VERIFY_PEER, and
+ thus causing verification failures in unchanged applications)
+
+* Thu Nov 15 2012 Petr Šabata - 1.77-2
+- Added some missing build dependencies
+
+* Fri Oct 5 2012 Paul Howarth - 1.77-1
+- Update to 1.77
+ - support _update_peer for IPv6 too (CPAN RT#79916)
+
+* Fri Jul 20 2012 Fedora Release Engineering - 1.76-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 28 2012 Petr Pisar - 1.76-2
+- Perl 5.16 rebuild
+
+* Mon Jun 18 2012 Paul Howarth - 1.76-1
+- Update to 1.76
+ - add support for IO::Socket::IP, which supports inet6 and inet4
+ (CPAN RT#75218)
+ - fix documentation errors (CPAN RT#77690)
+ - made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
+ - use inet_pton from either Socket.pm 1.95 or Socket6.pm
+- Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6
+- Add runtime dependency for appropriate IPv6 support module so that we can
+ ensure that we run at runtime what we tested with at build time
+
+* Thu Jun 14 2012 Petr Pisar - 1.74-2
+- Perl 5.16 rebuild
+
+* Mon May 14 2012 Paul Howarth - 1.74-1
+- Update to 1.74
+ - accept a version of SSLv2/3 as SSLv23, because older documentation could
+ be interpreted like this
+
+* Fri May 11 2012 Paul Howarth - 1.73-1
+- Update to 1.73
+ - set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
+ - make test t/dhe.t hopefully work with more versions of openssl
+
+* Wed May 9 2012 Paul Howarth - 1.71-1
+- Update to 1.71
+ - 1.70 done right: don't disable SSLv2 ciphers; SSLv2 support is better
+ disabled by the default SSL_version of 'SSLv23:!SSLv2'
+
+* Tue May 8 2012 Paul Howarth - 1.70-1
+- Update to 1.70
+ - make it possible to disable protocols using SSL_version, and make
+ SSL_version default to 'SSLv23:!SSLv2'
+
+* Tue May 8 2012 Paul Howarth - 1.69-1
+- Update to 1.69 (changes for CPAN RT#76929)
+ - if no explicit cipher list is given, default to ALL:!LOW instead of the
+ openssl default, which usually includes weak ciphers like DES
+ - new config key SSL_honor_cipher_order and document how to use it to fight
+ BEAST attack
+ - fix behavior for empty cipher list (use default)
+ - re-added workaround in t/dhe.t
+
+* Mon Apr 16 2012 Paul Howarth - 1.66-1
+- Update to 1.66
+ - make it thread safer (CPAN RT#76538)
+
+* Mon Apr 16 2012 Paul Howarth - 1.65-1
+- Update to 1.65
+ - added NPN (Next Protocol Negotiation) support (CPAN RT#76223)
+
+* Sat Apr 7 2012 Paul Howarth - 1.64-1
+- Update to 1.64
+ - ignore die from within eval to make tests more stable on Win32
+ (CPAN RT#76147)
+ - clarify some behavior regarding hostname verification
+- Drop patch for t/dhe.t, no longer needed
+
+* Wed Mar 28 2012 Paul Howarth - 1.62-1
+- Update to 1.62
+ - small fix to last version
+
+* Tue Mar 27 2012 Paul Howarth - 1.61-1
+- Update to 1.61
+ - call CTX_set_session_id_context so that server's session caching works with
+ client certificates too (CPAN RT#76053)
+
+* Tue Mar 20 2012 Paul Howarth - 1.60-1
+- Update to 1.60
+ - don't make blocking readline if socket was set nonblocking, but return as
+ soon no more data are available (CPAN RT#75910)
+ - fix BUG section about threading so that it shows package as thread safe
+ as long as Net::SSLeay ≥ 1.43 is used (CPAN RT#75749)
+- BR: perl(constant), perl(Exporter) and perl(IO::Socket)
+
+* Thu Mar 8 2012 Paul Howarth - 1.59-1
+- Update to 1.59
+ - if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message
+ when attempting to use it
+ - modify constant declarations so that 5.6.1 should work again
+- Drop %%defattr, redundant since rpm 4.4
+
+* Mon Feb 27 2012 Paul Howarth - 1.58-1
+- Update to 1.58
+ - fix t/dhe.t for openssl 1.0.1 beta by forcing TLSv1, so that it does not
+ complain about the too small RSA key, which it should not use anyway; this
+ workaround is not applied for older openssl versions, where it would cause
+ failures (CPAN RT#75165)
+- Add patch to fiddle the openssl version number in the t/dhe.t workaround
+ because the OPENSSL_VERSION_NUMBER cannot be trusted in Fedora
+- One buildreq per line for readability
+- Drop redundant buildreq perl(Test::Simple)
+- Always run full test suite
+
+* Wed Feb 22 2012 Paul Howarth - 1.56-1
+- Update to 1.56
+ - add automatic or explicit (via SSL_hostname) SNI support, needed for
+ multiple SSL hostnames with the same IP (currently only supported for the
+ client)
+- Use DESTDIR rather than PERL_INSTALL_ROOT
+- No need to delete empty directories from buildroot
+
+* Mon Feb 20 2012 Paul Howarth - 1.55-1
+- Update to 1.55
+ - work around IO::Socket's work around for systems returning EISCONN etc. on
+ connect retry for non-blocking sockets by clearing $! if SUPER::connect
+ returned true (CPAN RT#75101)
+
+* Wed Jan 11 2012 Paul Howarth - 1.54-1
+- Update to 1.54
+ - return 0 instead of undef in SSL_verify_callback to fix uninitialized
+ warnings (CPAN RT#73629)
+
+* Mon Dec 12 2011 Paul Howarth - 1.53-1
+- Update to 1.53
+ - kill child in t/memleak_bad_handshake.t if test fails (CPAN RT#73146)
+
+* Wed Dec 7 2011 Paul Howarth - 1.52-1
+- Update to 1.52
+ - fix for t/nonblock.t hangs on AIX (CPAN RT#72305)
+ - disable t/memleak_bad_handshake.t on AIX, because it might hang
+ (CPAN RT#72170)
+ - fix syntax error in t/memleak_bad_handshake.t
+
+* Fri Oct 28 2011 Paul Howarth - 1.49-1
+- Update to 1.49
+ - another regression for readline fix: this time it failed to return lines
+ at EOF that don't end with newline - extended t/readline.t to catch this
+ case and the fix for 1.48
+
+* Wed Oct 26 2011 Paul Howarth - 1.48-1
+- Update to 1.48
+ - further fix for readline fix in 1.45: if the pending data were false (like
+ '0'), it failed to read the rest of the line (CPAN RT#71953)
+
+* Fri Oct 21 2011 Paul Howarth - 1.47-1
+- Update to 1.47
+ - fix for 1.46 - check for mswin32 needs to be /i
+
+* Tue Oct 18 2011 Paul Howarth - 1.46-1
+- Update to 1.46
+ - skip signals test on Windows
+
+* Thu Oct 13 2011 Paul Howarth - 1.45-1
+- Update to 1.45
+ - fix readline to continue when getting interrupt waiting for more data
+- BR: perl(Carp)
+
+* Tue Jul 19 2011 Petr Sabata - 1.44-2
+- Perl mass rebuild
+
+* Fri May 27 2011 Paul Howarth - 1.44-1
+- Update to 1.44
+ - fix invalid call to inet_pton in verify_hostname_of_cert when identity
+ should be verified as ipv6 address because it contains a colon
+
+* Wed May 11 2011 Paul Howarth - 1.43-1
+- Update to 1.43
+ - add SSL_create_ctx_callback to have a way to adjust context on creation
+ (CPAN RT#67799)
+ - describe problem of fake memory leak because of big session cache and how
+ to fix it (CPAN RT#68073)
+ - fix t/nonblock.t
+ - stability improvements for t/inet6.t
+
+* Tue May 10 2011 Paul Howarth - 1.41-1
+- Update to 1.41
+ - fix issue in stop_SSL where it did not issue a shutdown of the SSL
+ connection if it first received the shutdown from the other side
+ - try to make t/nonblock.t more reliable, at least report the real cause of
+ SSL connection errors
+- No longer need to re-code docs to UTF-8
+
+* Mon May 2 2011 Paul Howarth - 1.40-1
+- Update to 1.40
+ - fix in example/async_https_server
+ - get IDN support from URI (CPAN RT#67676)
+- Nobody else likes macros for commands
+
+* Thu Mar 3 2011 Paul Howarth - 1.39-1
+- Update to 1.39
+ - fixed documentation of http verification: wildcards in cn is allowed
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1.38-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 18 2011 Paul Howarth - 1.38-1
+- Update to 1.38
+ - fixed wildcards_in_cn setting for http, wrongly set in 1.34 to 1 instead of
+ anywhere (CPAN RT#64864)
+
+* Fri Dec 10 2010 Paul Howarth - 1.37-1
+- Update to 1.37
+ - don't complain about invalid certificate locations if user explicitly set
+ SSL_ca_path and SSL_ca_file to undef: assume that user knows what they are
+ doing and will work around the problems themselves (CPAN RT#63741)
+
+* Thu Dec 9 2010 Paul Howarth - 1.36-1
+- Update to 1.36
+ - update documentation for SSL_verify_callback based on CPAN RT#63743 and
+ CPAN RT#63740
+
+* Mon Dec 6 2010 Paul Howarth - 1.35-1
+- Update to 1.35 (addresses CVE-2010-4334)
+ - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
+ verified as valid, it will no longer fall back to VERIFY_NONE but throw an
+ error (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058)
+
+* Tue Nov 2 2010 Paul Howarth - 1.34-1
+- Update to 1.34
+ - schema http for certificate verification changed to wildcards_in_cn=1
+ - if upgrading socket from inet to ssl fails due to handshake problems, the
+ socket gets downgraded back again but is still open (CPAN RT#61466)
+ - deprecate kill_socket: just use close()
+
+* Sun May 02 2010 Marcela Maslanova - 1.33-2
+- Mass rebuild with perl-5.12.0
+
+* Wed Mar 17 2010 Paul Howarth - 1.33-1
+- Update to 1.33
+ - attempt to make t/memleak_bad_handshake.t more stable
+ - fix hostname checking: only check an IP against subjectAltName GEN_IPADD
+
+* Tue Feb 23 2010 Paul Howarth - 1.32-1
+- Update to 1.32 (die in Makefile.PL if Scalar::Util has no dualvar support)
+- Use %%{_fixperms} macro instead of our own %%{__chmod} incantation
+
+* Mon Dec 7 2009 Stepan Kasal - 1.31-2
+- Rebuild against perl 5.10.1
+
+* Sun Sep 27 2009 Paul Howarth - 1.31-1
+- Update to 1.31 (see Changes for details)
+
+* Thu Aug 20 2009 Paul Howarth - 1.30-1
+- Update to 1.30 (fix memleak when SSL handshake failed)
+- Add buildreq procps needed for memleak test
+
+* Mon Jul 27 2009 Paul Howarth - 1.27-1
+- Update to 1.27
+ - various regex fixes for i18n and service names
+ - fix warnings from perl -w (CPAN RT#48131)
+ - improve handling of errors from Net::ssl_write_all
+
+* Sat Jul 25 2009 Fedora Release Engineering - 1.26-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jul 4 2009 Paul Howarth - 1.26-1
+- Update to 1.26 (verify_hostname_of_cert matched only the prefix for the
+ hostname when no wildcard was given, e.g. www.example.org matched against a
+ certificate with name www.exam in it [#509819])
+
+* Fri Jul 3 2009 Paul Howarth - 1.25-1
+- Update to 1.25 (fix t/nonblock.t for OS X 10.5 - CPAN RT#47240)
+
+* Thu Apr 2 2009 Paul Howarth - 1.24-1
+- Update to 1.24 (add verify hostname scheme ftp, same as http)
+
+* Wed Feb 25 2009 Paul Howarth - 1.23-1
+- Update to 1.23 (complain when no certificates are provided)
+
+* Sat Jan 24 2009 Paul Howarth - 1.22-1
+- Update to latest upstream version: 1.22
+
+* Thu Jan 22 2009 Paul Howarth - 1.20-1
+- Update to latest upstream version: 1.20
+
+* Tue Nov 18 2008 Paul Howarth - 1.18-1
+- Update to latest upstream version: 1.18
+- BR: perl(IO::Socket::INET6) for extra test coverage
+
+* Mon Oct 13 2008 Paul Howarth - 1.17-1
+- Update to latest upstream version: 1.17
+
+* Mon Sep 22 2008 Paul Howarth - 1.16-1
+- Update to latest upstream version: 1.16
+
+* Sat Aug 30 2008 Paul Howarth - 1.15-1
+- Update to latest upstream version: 1.15
+- Add buildreq and req for perl(Net::LibIDN) to avoid croaking when trying to
+ verify an international name against a certificate
+
+* Wed Jul 16 2008 Paul Howarth - 1.14-1
+- Update to latest upstream version: 1.14
+- BuildRequire perl(Net::SSLeay) >= 1.21
+
+* Wed Feb 27 2008 Tom "spot" Callaway - 1.12-4
+- Rebuild for perl 5.10 (again)
+
+* Thu Jan 31 2008 Tom "spot" Callaway - 1.12-3
+- Rebuild for new perl
+
+* Wed Nov 28 2007 Paul Howarth - 1.12-2
+- Cosmetic spec changes suiting new maintainer's preferences
+
+* Fri Oct 26 2007 Robin Norwood - 1.12-1
+- Update to latest upstream version: 1.12
+- Fix license tag
+- Add BuildRequires for ExtUtils::MakeMaker and Test::Simple
+- Fix package review issues:
+- Source URL
+- Resolves: bz#226264
+
+* Tue Oct 16 2007 Tom "spot" Callaway - 1.02-1.1
+- Correct license tag
+- Add BR: perl(ExtUtils::MakeMaker)
+
+* Sat Dec 02 2006 Robin Norwood - 1.02-1
+- Upgrade to latest CPAN version: 1.02
+
+* Mon Sep 18 2006 Warren Togami - 1.01-1
+- 1.01 bug fixes (#206782)
+
+* Sun Aug 13 2006 Warren Togami - 0.998-1
+- 0.998 with more important fixes
+
+* Tue Aug 01 2006 Warren Togami - 0.994-1
+- 0.994 important bugfixes (#200860)
+
+* Tue Jul 18 2006 Warren Togami - 0.991-1
+- 0.991
+
+* Wed Jul 12 2006 Warren Togami - 0.97-3
+- Import into FC6
+
+* Tue Feb 28 2006 Jose Pedro Oliveira - 0.97-2
+- Rebuild for FC5 (perl 5.8.8).
+- Rebuild switch: "--with sessiontests".
+
+* Mon Jul 18 2005 Ville Skyttä - 0.97-1
+- 0.97.
+- Convert docs to UTF-8, drop some unuseful ones.
+
+* Wed Apr 6 2005 Michael Schwendt - 0.96-4
+- Rebuilt
+
+* Tue Oct 12 2004 Ville Skyttä - 0:0.96-3
+- Disable session test suite even if Net::SSLeay >= 1.26 is available.
+
+* Wed Jul 7 2004 Ville Skyttä - 0:0.96-0.fdr.2
+- Bring up to date with current fedora.us Perl spec template.
+- Include examples in docs.
+
+* Sat May 1 2004 Ville Skyttä - 0:0.96-0.fdr.1
+- Update to 0.96.
+- Reduce directory ownership bloat.
+- Require perl(:MODULE_COMPAT_*).
+
+* Fri Oct 17 2003 Ville Skyttä - 0:0.95-0.fdr.1
+- First build.