diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..52c4602
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/Net-SSLeay-1.85.tar.gz
diff --git a/.perl-Net-SSLeay.metadata b/.perl-Net-SSLeay.metadata
new file mode 100644
index 0000000..a393e8e
--- /dev/null
+++ b/.perl-Net-SSLeay.metadata
@@ -0,0 +1 @@
+5f1c7b6ccac81efd5b78b1e076c694f96ca5c439 SOURCES/Net-SSLeay-1.85.tar.gz
diff --git a/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch b/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch
new file mode 100644
index 0000000..0f26c6c
--- /dev/null
+++ b/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch
@@ -0,0 +1,63 @@ +From a00a70b7195438c543191b69382ff20e452548bf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 13 Aug 2018 12:33:58 +0200 +Subject: [PATCH] Adapt CTX_get_min_proto_version tests to system-wide policy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In our distribution, /etc/crypto-policies/back-ends/opensslcnf.config +can override default minimal SSL/TLS protocol version. If it does, +t/local/09_ctx_new.t test will fail because OpenSSL will return +different then 0 value. + +This patch parses the configuration file and adjusts expect values in +the test. + +Signed-off-by: Petr Písař +--- + t/local/09_ctx_new.t | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/t/local/09_ctx_new.t b/t/local/09_ctx_new.t +index 6d06f21..c584856 100644 +--- a/t/local/09_ctx_new.t ++++ b/t/local/09_ctx_new.t +@@ -109,14 +109,32 @@ else + # Having TLS_method() does not necessarily that proto getters are available + if ($ctx_tls && exists &Net::SSLeay::CTX_get_min_proto_version) + { ++ my $min_ver = 0; ++ # Adjust minimal version to system-wide crypto policy ++ if (open(my $f, '<', '/etc/crypto-policies/back-ends/opensslcnf.config')) { ++ while(<$f>) { ++ if (/^MinProtocol = ([\w.]+)\b/) { ++ if ($1 eq 'TLSv1') { ++ $min_ver = 0x0301; ++ } elsif ($1 eq 'TLSv1.1') { ++ $min_ver = 0x0302; ++ } elsif ($1 eq 'TLSv1.2') { ++ $min_ver = 0x0303; ++ } elsif ($1 eq 'TLSv1.3') { ++ $min_ver = 0x0304; ++ } ++ } ++ } ++ close($f); ++ } + my $ver; + $ver = Net::SSLeay::CTX_get_min_proto_version($ctx_tls); +- is($ver, 0, 'TLS_method CTX has automatic minimum version'); ++ is($ver, $min_ver, 'TLS_method CTX has automatic minimum version'); + $ver = Net::SSLeay::CTX_get_max_proto_version($ctx_tls); + is($ver, 0, 'TLS_method CTX has automatic maximum version'); + + $ver = Net::SSLeay::get_min_proto_version($ssl_tls); +- is($ver, 0, 'SSL from TLS_method CTX has 
automatic minimum version'); ++ is($ver, $min_ver, 'SSL from TLS_method CTX has automatic minimum version'); + $ver = Net::SSLeay::get_max_proto_version($ssl_tls); + is($ver, 0, 'SSL from TLS_method CTX has automatic maximum version'); + +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch b/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch new file mode 100644 index 0000000..b5b44e0 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch 
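Review bot: The `if`/`elsif` chain over `$1` in the MinProtocol parser added to t/local/09_ctx_new.t has no final `else`, so a policy value it does not list (for example `SSLv3` or `None`) silently leaves `$min_ver` at 0 and the two `is($ver, $min_ver, ...)` checks then fail with no hint about the cause. Adding `} else { diag("unrecognised MinProtocol '$1' in crypto policy"); }` would make that failure self-explanatory. The max-version expectations still hard-code 0; if the same policy file can also carry a `MaxProtocol` line they would need the same treatment, which I cannot confirm from this hunk. The enclosing `if ($ctx_tls && ...)` block closes outside the hunk.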
@@ -0,0 +1,237 @@ +From b01291bf88dd84529c93973da7c275e0ffe5cc1f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 3 Aug 2018 14:30:22 +0200 +Subject: [PATCH] Adapt to OpenSSL 1.1.1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and +session shutdowns differently. This leads to failing various Net-SSLeay +tests that exhibits use cases that are not possible with OpenSSL 1.1.1 +anymore or where the library behaves differently. + +Since Net-SSLeay is a low-level wrapper, Net-SSLeay will be corrected +in tests. Higher-level code as IO::Socket::SSL and other Net::SSLeay +applications need to be adjusted on case-to-case basis. + +This patche changes: + +- Retry SSL_read() and SSL_write() (by sebastian [...] breakpoint.cc) +- Disable session tickets in t/local/07_sslecho.t. +- Adaps t/local/36_verify.t to a session end when Net::SSLeay::read() + returns undef. 
+ +https://rt.cpan.org/Public/Bug/Display.html?id=125218 +https://github.com/openssl/openssl/issues/5637 +https://github.com/openssl/openssl/issues/6904 +Signed-off-by: Petr Písař +--- + SSLeay.xs | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---- + lib/Net/SSLeay.pod | 46 ++++++++++++++++++++++++++++++++++++++++++ + t/local/07_sslecho.t | 15 ++++++++++++-- + t/local/36_verify.t | 2 +- + 4 files changed, 112 insertions(+), 7 deletions(-) + +diff --git a/SSLeay.xs b/SSLeay.xs +index bf148c0..5aed4d7 100644 +--- a/SSLeay.xs ++++ b/SSLeay.xs +@@ -1999,7 +1999,17 @@ SSL_read(s,max=32768) + int got; + PPCODE: + New(0, buf, max, char); +- got = SSL_read(s, buf, max); ++ ++ do { ++ int err; ++ ++ got = SSL_read(s, buf, max); ++ if (got > 0) ++ break; ++ err = SSL_get_error(s, got); ++ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) ++ break; ++ } while (1); + + /* If in list context, return 2-item list: + * first return value: data gotten, or undef on error (got<0) +@@ -2051,10 +2061,20 @@ SSL_write(s,buf) + SSL * s + PREINIT: + STRLEN len; ++ int err; ++ int ret; + INPUT: + char * buf = SvPV( ST(1), len); + CODE: +- RETVAL = SSL_write (s, buf, (int)len); ++ do { ++ ret = SSL_write (s, buf, (int)len); ++ if (ret > 0) ++ break; ++ err = SSL_get_error(s, ret); ++ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) ++ break; ++ } while (1); ++ RETVAL = ret; + OUTPUT: + RETVAL + +@@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf) + if (len < 0) { + croak("from beyound end of buffer"); + RETVAL = -1; +- } else +- RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); ++ } else { ++ int ret; ++ int err; ++ ++ do { ++ ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); ++ if (ret > 0) ++ break; ++ err = SSL_get_error(s, ret); ++ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) ++ break; ++ } while (1); ++ RETVAL = ret; ++ } + OUTPUT: + RETVAL + +@@ -6957,4 +6989,20 @@ SSL_export_keying_material(ssl, outlen, 
label, p) + + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x1010100fL ++ ++int ++SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets) ++ ++size_t ++SSL_CTX_get_num_tickets(SSL_CTX *ctx) ++ ++int ++SSL_set_num_tickets(SSL *ssl,size_t num_tickets) ++ ++size_t ++SSL_get_num_tickets(SSL *ssl) ++ ++#endif ++ + #define REM_EOF "/* EOF - SSLeay.xs */" +diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod +index 2e1aae3..bca7be4 100644 +--- a/lib/Net/SSLeay.pod ++++ b/lib/Net/SSLeay.pod +@@ -4437,6 +4437,52 @@ getticket($ssl,$ticket,$data) -> $return_value + + This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. + ++=item * CTX_set_num_tickets ++ ++B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 ++ ++Set number of session tickets that will be sent to a client. ++ ++ my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets); ++ # $ctx - value corresponding to openssl's SSL_CTX structure ++ # $number_of_tickets - number of tickets to send ++ # returns: 1 on success, 0 on failure ++ ++Set to zero if you do not no want to support a session resumption. ++ ++=item * CTX_get_num_tickets ++ ++B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 ++ ++Get number of session tickets that will be sent to a client. ++ ++ my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx); ++ # $ctx - value corresponding to openssl's SSL_CTX structure ++ # returns: number of tickets to send ++ ++=item * set_num_tickets ++ ++B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 ++ ++Set number of session tickets that will be sent to a client. ++ ++ my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets); ++ # $ssl - value corresponding to openssl's SSL structure ++ # $number_of_tickets - number of tickets to send ++ # returns: 1 on success, 0 on failure ++ ++Set to zero if you do not no want to support a session resumption. 
++ ++=item * get_num_tickets ++ ++B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 ++ ++Get number of session tickets that will be sent to a client. ++ ++ my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx); ++ # $ctx - value corresponding to openssl's SSL structure ++ # returns: number of tickets to send ++ + =item * set_shutdown + + Sets the shutdown state of $ssl to $mode. +diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t +index 5e16b04..5dc946a 100644 +--- a/t/local/07_sslecho.t ++++ b/t/local/07_sslecho.t +@@ -13,7 +13,8 @@ BEGIN { + plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; + } + +-plan tests => 78; ++plan tests => 79; ++$SIG{'PIPE'} = 'IGNORE'; + + my $sock; + my $pid; +@@ -61,6 +62,16 @@ Net::SSLeay::library_init(); + ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list'); + my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + ok($errs eq '', "set_cert_and_key: $errs"); ++ SKIP: { ++ skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1 ++ unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f); ++ # TLS 1.3 server sends session tickets after a handhake as part of ++ # the SSL_accept(). If a client finishes all its job including closing ++ # TCP connectino before a server sends the tickets, SSL_accept() fails ++ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives ++ # SIGPIPE signal. ++ ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled'); ++ } + + $pid = fork(); + BAIL_OUT("failed to fork: $!") unless defined $pid; +@@ -351,7 +362,7 @@ waitpid $pid, 0; + push @results, [ $? 
== 0, 'server exited with 0' ]; + + END { +- Test::More->builder->current_test(51); ++ Test::More->builder->current_test(52); + for my $t (@results) { + ok( $t->[0], $t->[1] ); + } +diff --git a/t/local/36_verify.t b/t/local/36_verify.t +index 92afc52..e55b138 100644 +--- a/t/local/36_verify.t ++++ b/t/local/36_verify.t +@@ -282,7 +282,7 @@ sub run_server + + # Termination request or other message from client + my $msg = Net::SSLeay::read($ssl); +- if ($msg eq 'end') ++ if (defined $msg and $msg eq 'end') + { + Net::SSLeay::write($ssl, 'end'); + exit (0); +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch b/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch new file mode 100644 index 0000000..19e69e6 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch @@ -0,0 +1,30 @@ +From 8d83cf9cb0ff0fea802e522f4980124a8075a63f Mon Sep 17 00:00:00 2001 +From: Chris Novakovic +Date: Thu, 9 Aug 2018 17:56:26 +0100 +Subject: [PATCH] Add missing call to va_end() in TRACE() + +In SSLeay.xs, TRACE() makes a call to va_start() without a corresponding +call to va_end() before the function returns. Add the missing call to +va_end(). + +This closes RT#126028. Thanks to Jitka Plesnikova for the report and +patch. +--- + SSLeay.xs | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/SSLeay.xs b/SSLeay.xs +index 04070d3..630f09e 100644 +--- a/SSLeay.xs ++++ b/SSLeay.xs +@@ -222,6 +222,7 @@ static void TRACE(int level,char *msg,...) { + va_start(args,msg); + vsnprintf(buf,4095,msg,args); + warn("%s",buf); ++ va_end(args); + } + } + +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch b/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch new file mode 100644 index 0000000..953d39f --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch 
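Review bot: The retry loop added to `SSL_write_partial` in SSLeay.xs (`do { ... } while (1)`) calls `SSL_write` again immediately whenever `SSL_get_error` reports `SSL_ERROR_WANT_READ` or `SSL_ERROR_WANT_WRITE`, without waiting for the socket to become ready; on a non-blocking socket that is a busy loop which also hides the condition from callers that handle it themselves. The later "Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry" patch in this same change takes the loop back out of `SSL_read` and `SSL_write`, but its visible SSLeay.xs hunks touch only those two functions, so `SSL_write_partial` appears to keep it (that patch is cut off in this view, so this is inferred). I would restore the single call, `RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len);`, and leave retrying to the `ssl_*_all()` helpers. The same later patch also seems to leave the now-unused `int err; int ret;` declarations in the PREINIT section of `SSL_write`.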
@@ -0,0 +1,57 @@ +From 173cd9c1340f1f5231625a1dd4ecaea10c207622 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 14 Aug 2018 16:55:52 +0200 +Subject: [PATCH] Avoid SIGPIPE in t/local/36_verify.t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +t/local/36_verify.t fails randomly with OpenSSL 1.1.1: + + # Failed test 'Verify callback result and get_verify_result are equal' + # at t/local/36_verify.t line 111. + # got: '-1' + # expected: '0' + # Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY' + # at t/local/36_verify.t line 118. + # got: '-1' + # expected: '43' + Bailout called. Further testing stopped: failed to connect to server: Connection refused + FAILED--Further testing stopped: failed to connect to server: Connection refused + +I believe this because TLSv1.3 server can generate SIGPIPE if a client +disconnects too soon. + +Signed-off-by: Petr Písař +--- + t/local/36_verify.t | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/t/local/36_verify.t b/t/local/36_verify.t +index e55b138..2837288 100644 +--- a/t/local/36_verify.t ++++ b/t/local/36_verify.t +@@ -266,10 +266,20 @@ sub run_server + + return if $pid != 0; + ++ $SIG{'PIPE'} = 'IGNORE'; + my $ctx = Net::SSLeay::CTX_new(); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + my $ret = Net::SSLeay::CTX_check_private_key($ctx); + BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1; ++ if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f) { ++ # TLS 1.3 server sends session tickets after a handhake as part of ++ # the SSL_accept(). If a client finishes all its job including closing ++ # TCP connectino before a server sends the tickets, SSL_accept() fails ++ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives ++ # SIGPIPE signal. 
++ my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0); ++ BAIL_OUT("Session tickets disabled") unless $ret; ++ } + + while (1) + { +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch b/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch new file mode 100644 index 0000000..ce79109 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch 
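Review bot: In the block added to run_server, `BAIL_OUT("Session tickets disabled") unless $ret;` fires when `CTX_set_num_tickets` returned false, so the message states the opposite of what happened; something like `BAIL_OUT("Server: CTX_set_num_tickets failed") unless $ret;` would match the `CTX_check_private_key` message just above it. The inner `my $ret` also shadows the `$ret` declared a few lines earlier, and reusing that variable would avoid the masking. With `$SIG{'PIPE'} = 'IGNORE'` set in the child, a broken pipe now surfaces only as a failed write, so the return values of the read/write calls in the server loop are what must be checked; that loop continues outside the hunk.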
@@ -0,0 +1,624 @@ +From cb4a91f8619afbdcba40a513ce1d2e5bd652c511 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 13 Aug 2018 17:27:13 +0200 +Subject: [PATCH] Generate 2048-bit keys for tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Distributions are experimenting with OpenSSL configured with security +level 2. That requires at least 2048-bit RSA keys otherwise tests +fail. + +This patch regenerates testing keys, certificates and revocation lists +used in tests to meet the security level. The patch also updates +scripts used for generating them. + +Signed-off-by: Petr Písař +--- + MANIFEST | 4 ++++ + examples/makecert.pl | 13 +++++----- + examples/req.conf | 2 +- + t/data/cert.pem | 42 ++++++++++++++++---------------- + t/data/key.pem | 43 +++++++++++++++++++++------------ + t/data/key.pem.e | 47 +++++++++++++++++++++++------------- + t/data/test_CA1.conf | 37 +++++++++++++++++++++++++++++ + t/data/test_CA1.crl.der | Bin 389 -> 438 bytes + t/data/test_CA1.crlnumber | 1 + + t/data/test_CA1.crt.der | Bin 550 -> 831 bytes + t/data/test_CA1.crt.pem | 30 +++++++++++++---------- + t/data/test_CA1.key.der | Bin 610 -> 1190 bytes + t/data/test_CA1.key.pem | 38 +++++++++++++++++++---------- + t/data/test_CA1_index.txt | 2 ++ + t/data/test_CA1_index.txt.attr | 0 + t/data/testcert_wildcard.crt.pem | 50 +++++++++++++++++++++++---------------- + t/local/07_sslecho.t | 2 +- + t/local/50_digest.t | 22 ++++++++--------- + 18 files changed, 215 insertions(+), 118 deletions(-) + create mode 100644 t/data/test_CA1.conf + create mode 100644 t/data/test_CA1.crlnumber + create mode 100644 t/data/test_CA1_index.txt + create mode 100644 t/data/test_CA1_index.txt.attr + +diff --git a/MANIFEST b/MANIFEST +index 2f18a0a..cedca78 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -60,12 +60,16 @@ t/data/key.pem.e + t/data/pkcs12-full.p12 + t/data/pkcs12-no-chain.p12 + t/data/pkcs12-no-passwd.p12 
++t/data/test_CA1.conf + t/data/test_CA1.crl.der ++t/data/test_CA1.crlnumber + t/data/test_CA1.crt.der + t/data/test_CA1.crt.pem + t/data/test_CA1.encrypted_key.pem + t/data/test_CA1.key.der + t/data/test_CA1.key.pem ++t/data/test_CA1_index.txt ++t/data/test_CA1_index.txt.attr + t/data/testcert_extended.crt.pem + t/data/testcert_extended.crt.pem_dump + t/data/testcert_key_2048.pem +diff --git a/examples/makecert.pl b/examples/makecert.pl +index 221f720..3fc26ae 100644 +--- a/examples/makecert.pl ++++ b/examples/makecert.pl +@@ -25,18 +25,17 @@ open (REQ, "|$exe_path req -config $conf " + . "-x509 -days 3650 -new -keyout $key $egd >$cert") + or die "cant open req. check your path ($!)"; + print REQ <test_CA1.crlnumber ++# Then generate CRL in DER format: ++# openssl ca -config test_CA1.conf -gencrl -out test_CA1.crl.pem ++# Finally convert it to DER format into test_CA1.crl.der: ++# openssl crl -inform pem -outform der test_CA1.crl.der ++# ++[ req ] ++distinguished_name = req_distinguished_name ++prompt = no ++x509_extensions = req_ext ++ ++[ req_distinguished_name ] ++C = US ++O = Demo1 ++CN = CA1 ++ ++[ req_ext ] ++basicConstraints=critical,CA:TRUE ++keyUsage=keyCertSign,cRLSign ++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid,issuer ++ ++[ ca ] ++default_ca = test_CA1 ++ ++[ test_CA1 ] ++database = test_CA1_index.txt ++crlnumber = test_CA1.crlnumber ++certificate = test_CA1.crt.pem ++private_key = test_CA1.key.pem ++default_md = sha256 ++default_crl_days = 30 +diff --git a/t/data/test_CA1.crl.der b/t/data/test_CA1.crl.der +index 5f2cf7cda71eb473f8732060d87718b8be25bf1b..c3948335cddf709f0d88598194ea850b95b64e62 100644 +GIT binary patch +literal 438 +zcmXqLV%%iVIGc%)(SVnYQ>)FR?K>|cBR4C9fwm#H0Vf-CC<~h~Q)sXup8*eu!^Oku +zlA4=uXvky01>!UFFgrUMit`#;7+4sZ7#bNH7+OYwxt4~;P_BWFfd~_`kVzy^+{nP# +zz|z3bz{1!f3L*+p4G}dkwJ^1eS^%^OY__Zj3o{cV6Pml2n;01xvTf1={1^(`!uN&U +zy1D$z!d +zK(NAL+o-QKJDKL{$5%W%Qu_a~6<1Vi_y3ulM^4A+rC2{Xxz3Sk=7bfy^F)@hzK|@D 
+zIBXx|tdyzu%S1Me9gqjXu!+HsnzDu_MMlJk(HIfK--YpfRl|ml!Z;0DKyxS&wvNS;Sy$b +zNzKhSG~_Yh0`ZxJnVlUC#d!^l42%sd4Gaw|3=E>cToWJ@!ZoNduwh~rGKoZ1W^55< +zpawQWR+NRAi;>wt0%)GB1dE^qzmWloaS+`QQ$dy(m|B=xqUvVErW>dZ=$HjSmqY9k +zVPR%sWJ2>Nb7LdJ&gZOGTXHu?F8yjC8E|4>4tL(IwIUA6Q%e5DS9)(%=5@V%dy&E= +zSKXJ3wr|=fQak06ZIn{w&XC=a;nwl02@A_^UFh+h^6s&p_s$s0;$jc4!gm(uR;hk) +u(v$Eiu=u;vQ^{mgDnm=ScfrSX`&!d>w`Z+0OaHazVsy4$i0A>|I~f3)J7|*t + +diff --git a/t/data/test_CA1.crlnumber b/t/data/test_CA1.crlnumber +new file mode 100644 +index 0000000..9e22bcb +--- /dev/null ++++ b/t/data/test_CA1.crlnumber +@@ -0,0 +1 @@ ++02 +diff --git a/t/data/test_CA1.crt.der b/t/data/test_CA1.crt.der +index 8031955a343260c858d3ad207938f08543809bc4..01e7c745fd99c3233f5c8f0eb92484471f1e6a85 100644 +GIT binary patch +literal 831 +zcmXqLVzxGDVp3kf%*4pV#L4h!Rc|(n^zzjPylk9WZ60mkc^MhGSs4tp4Y>_C*_cCF +z*o2uvgAMr%ct9L39#)ss+ScLnI3E4S}tPIRejQk7+O^jSjO^l2TFU4Y)bsjn9&-i?Hs&q=A15=@= +z>!IHz*TPipFv*?#_mQLg?FFOSz&z8$bK7_>$0fIRaD}fpv*~_bxOZ0cy%0&egJN#} +zKNCM@Ox<%qIaoMK@qxr|xm7W5Y%lt)y1rb@J$vriJwGNiRH$tDSiYiu;hOK!PafU1 +zlq9kFVb+~F8uRvY&x*OmFzF`O(*s9plJf8Fz9y%jc=nWP#JjsJOs}NF)SK?z +zNUGiO(PP?rFZT)3+dC%tPFbMQ?N#0)%3;^m?lbM@orSCR9z4++IHj({jYGv~-icmc +zfpvf8KCW2g_>)&a=TTf~!bI1kP`MjlUw_`co?pCvPg?%ub5j;dJ8fiQW@KPooL~@V +zzz>WBSz$)T|17Kq%s|S38zjKb!UBw4HUn7@hmS>!MPzaDm*x*!=2i(vU5$O%@%4J~ +ziZFizd62X+i-dt#19kg$ts?a!4s2uWUb7RTOM13ub+P~&%i3Ge_C(*xwEf-i|w9$T} +zo?TQ_EX`T*;OXQ)mF+%LbM!lRzT`|ip?rv|%0uzc{hXLA`3a>v +l%Vo_{f4yg3QW-yG+pTNNPH}S6KC2$lyK_)5e5FtFCIFX)M(Y3o + +literal 550 +zcmXqLVp1|_V(ebP%*4pV#4KbIX28qFsnzDu_MMlJk(HIfK--YpfRl|ml!Z;0DKyxS +z&wvNS;Sy$bNzKhSG~_Yh0`ZxJnVlUC4HU$A4UG&8fe;L$B>0UCfxyTZh)gX_Eu%;? 
+zu5muHYZzG>m>YW;3>rI`8XFl-$1E`8ZhxQoW%}E^(-)5zuP)O~a+#rP@aTeGoWJ{( +zXgP+1ym_Q+4dv5G%?1N@UH{9~UgOTc3yPDo=c}pQWZ+{f_e+(4r{n*-`?}`mBQ3BKfT4BAKFhfzu$ALtxWyw`TX372cgWX +zDrFZW@R#+3|K8ETVa~P;(_UkRhzeJz%(CBZS4(PJ-c%Vr!4^hO`C;*BmAud+QxjSt;28TJ +zs$A?n(N3z@rxr(Roz1-Xkbrn3u<>`Of1#}RTjb*1IUaG@PsLLPp=#WmD4x9wnq1ZZ +zlGzI7z{GrFZ{54r9v~sj$|YFt-2?*a8&)TR-q>P&xbaAquS!Rd8@Gs(O_ZQ0i%NHd +z6$n0thfJ3F+@Y$y!N`SClzwzZ2qZF|$c;@9uKbr8o_`bK_}^-kRm%0)c@5_lO}qDXFA+69pqis@XK5Zt9P6>eWhsat4Mw +z>-Jh8^bgLA1c+!a4(9g96RrOhEyK@nA0jc$=LmS|_FvW_dn?7JcZ*ml8dXDWJK^47 +zF!D1T&av8Xuu)7_*zK~S!`*S}7=DN6gKQQ0<)rt2qobj~XlLA)Zw}ZZbfwB20)c@5 +z@ejL}jhdZAB~SViby=b*wtDO2`6nq>X9$yQ{J|wmjuegURG7J_r4d>PTh^I4)C?Q* +z9)Veux$pD=*W~t~fc3D2LC(V9)3%*NbWD_@PSuC5aq5mV{dADtK;!->+`VD6eMs3r +z>tv8Zly{`|`pbq6?6z3BPwceJbg!1B0)c>OnzB=!%DPz1Jd5Z;OPHXh>3ez8rdzt8 +z>ldlW>A6}3#u%Wp?p{Q7UnDu2v&i@eCRzc*#+vB$fG^eIKGEc~7vQ5jtv*+Z+=YL< +z?n-H)#v>Fj@46BN6Xjmym)&Au+JJalkJU>97e>dTnKzFRku +zs(->U-3ulc3C-6jZ +z@Xa5J4~-GMFDGKVjdT%l6+scKi(o>4^t-B*j_mPRlXLiWs^#?&{}6`gNSrD!Fs +z6Q1~>kmz>A=cmsy`o;aNZ|s@8XEs$`9qUEZ`V1-=dlq~O$gm&Y!T7wdiWgQ#JrxazG-J6cx0ZM|Fn$ONT|>~UES-}LGo_SzNV{ytC(g?*8)KR(8hC!krOVdrh*Ks +zd`0U%Xz1ZNDdpp(Q-ZHDAc~L2!3|vwNCvtUWL8u7>(Z4GjRs)xCH|#FF!a58{W&}{ +z0zm+n1A9Wx<*{9*1xyFCRMgl~1D9zM%W(zs!=IYCha^1D*1?1kQO&Oo%Q5-^0(KcMVE}bJ%YaHAjLWP*J)Z*iCOl +zI+!uWic4hG^Gw;tz5A6uxa7VAqrLZAb?m`@6A=PI0MW|-r=v@lMzw7_Wv4G)sakMm +w4XEt$gdSh2A*|=jsV7%bB;&F&mlQ=Y8`dPBSMURc#tTr?jsQ)2o|)_GXMYp + +diff --git a/t/data/test_CA1.key.pem b/t/data/test_CA1.key.pem +index 78f0c3b..f3bd4a0 100644 +--- a/t/data/test_CA1.key.pem ++++ b/t/data/test_CA1.key.pem +@@ -1,15 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICXgIBAAKBgQDLXKA2C4fvafSX7W7L0cQzq3YtYkSYLTDi0C5eT0fUWx5AxXbx +-4FBd3KDfAr7KWLqXpz2T0CMcBn/pNdNWY7G1OCRdu8eXBwTelOIclK9lYZAw5EI8 +-2SOOJUGIsF0ZDeoUrJX40DkrhedXLSOR5L8EfHso7ub4M4tWjDwU7UKy1QIDAQAB +-AoGAOryhJZsFAziWRf91HfeTdN0UQB1+9HkxAoHgsqqxc3tx7IFcTpZcgA/Gg0M2 +-uhkQo9bRKU1XprOV5FUAmpYm8E1YmlkdjbkT/JAA2/s4hJH3Z5Bp6rngQzqb1cqw 
+-6Wcfg7n5w6TVAX4Jk2Z1wYF2BMRQyolVKawSRa2B5YJ4hQ0CQQD5XLOpIcjZx8F6 +-1E5S0P6L4qb3xtuH3hLlGQmGJvh+vmlnIXhknpr/tIzWSKjQPV3d69ZB8m7Ovqar +-gKuYZkzXAkEA0MZziJETLqmmggyrfEXrPmjo4Tkp5eOlU4KvMiCKj8fBDV0OSAa6 +-FWRWU/jr0pURjQZg8SX+pUUw9L16/Tk8MwJBAJgDe0LP5bFdpQVMB7NU1NhSA5dp +-EstxBfPDn5q4hyQ8z+Se8tXkGnlnh7PZ94962Y5ABw2MzSAb+V7zwafWNWECQQDJ +-QQTOeUtMiC4C38PPoHcNSoRz2G8TNUeCIVBRuhzYTW9EOpgxxopLZNXzTNnHvfuV +-PrjkvgOjvfdbdezBfhMRAkEA0cr/p6NLmEa1bTtlpy9dqVpwZg2o7PKEHl+qIazn +-zKknV1Ik47IylxRFMRvWJJ9X8AOFxgtQ1I4ATXuemeoaYA== ++MIIEogIBAAKCAQEA6RZdponExk8B55tlG2RRQAJxSUXC+3TWViTcAh7J/vEId+3Q ++Mn1RbjVhzrYM015jhYgKV6jMst9uV0tqW95UGT7BFkZP+WHxaJW80CNTE1oh4Bj7 ++Hqpc7D3RTqrXpxZHa53NvPiQgHgksPF3qH+hrPdb5OLdOR5x2U/FUwahatycKJ69 ++C5pc1gCS2QrlwMR8Ym/du9YeICHNyiVY7t0EAuobVieC3thifbjxSJavSkeQG7eI ++kk2UoCiLSneEFQg+hodMlvncoaq9wciFUZR+dEYIJDKeyI1NEK78neN4okH5DRAs ++4l51YJFFYlUe2PXr87uvDxd/vGZvk86UoRtCsQIDAQABAoIBAG746Ql7GiZYQ03j ++nBWYg154SztZbWWO0OUek2inBADO/PssTC1doMFZxQFHh3+ytqtCg7oMcbjPy5bg ++HvkyNtP2HrPeMgFHckoa0FRAHTNffDVXb2fAMJGBNP/BMv8oCkTgUq2fohyoFr/v ++lsqwSWcyNZwZrr2dExMleYr34y4ehdNrnw06GZiI7WtJTgcunW20Xfe7tfBzl2Te ++QaYLgr4nS1zAYLskB5vajAxia19ksyy/Ox69/bw/qdq0w5EqYL0ZkyZpBjvWoE24 ++2/dBwD0g6FXGkv1tTgw3dW7MYyEe+SkaT52DaGr5bJ6ImzPZW5WK4/GlOA26c+Np ++jd6a5eECgYEA94ghPSmppHkTBSNGqtk0oW7qj3Lq1UqAcgaGO+v2WiD0D86MBIho ++Lw7m9scTrf8VLcPPcB8iMc3nCHjp9l/WInsrxaZ3i1gpGlVDbTvh3mAw8jMczrHa ++cLBRTFbY7bKiw91x6hh+h+eDbBX65aT3f6OjocBoZ9yXbw7YInSlyh0CgYEA8Q+7 ++lo2anUQlT/oSdVmiKbZ66+T5JylWZwiTbPzBJUyOFI3tVJi5qKURWghb1pk41Awb ++8x6BWZS57/QB1+T2oID1sIVBzsLg07adRHRMlKJO1YeuceqONP10kN5A4/4o3L1h ++tH1I2UDrZJBClHek9vrLhg7stli5T+y0zHSvlqUCgYBpmrJTncq6WM08i+hCS5ig ++pul7edOmW7qg6xepyOm5WgXGGKCz7l5EdV8kOZqzyPgIJloBw8aa6PWAL9XhPtHk ++tBfgozytPleK3IV/vOSIMxGuww+vP0Gqgg6tOwAhqOy4E2neLcUNxj/ThS0dfFv7 ++IJ1XDPd+GCajQvoC+TEiIQKBgDvhxJ+pnXbjrsEnRd6Q3Y+vHOnsf1gTFLuTjcvN ++Hc2+Lq08dHBHYBdcqerLmMS+WzeRqn/CXC98mpPY8XxIDFvirSWkdKyADImLG5Yd ++rcheaWbxxYvW0GypaYNzMntwb4YmJVdIqAgP8GmSzHdFIV2Y/2XV30eM0rvf+Smw 
++8s1hAoGABG5kHNz7vLUl0YhdX9uuC2eNAyfwRHHwzR+KD40RvS8nYruNdBFxFUER ++rItgQoD0u6qUjuzxWJNz+HWq5fURccov5xWdb0+laCWtE574oJDodsTnp88y+sX9 ++rW/smbxnNlVdHetF1PoMKhl7FnwKyLAf3sH4vK+KF1ZHPRalyTs= + -----END RSA PRIVATE KEY----- +diff --git a/t/data/test_CA1_index.txt b/t/data/test_CA1_index.txt +new file mode 100644 +index 0000000..2a43cd5 +--- /dev/null ++++ b/t/data/test_CA1_index.txt +@@ -0,0 +1,2 @@ ++R 120309010800Z 120309010838Z 123459 unknown /C=US/O=Demo1/CN=foo ++R 120309005800Z 120309005859Z 12345A unknown /C=US/O=Demo1/CN=bar +diff --git a/t/data/test_CA1_index.txt.attr b/t/data/test_CA1_index.txt.attr +new file mode 100644 +index 0000000..e69de29 +diff --git a/t/data/testcert_wildcard.crt.pem b/t/data/testcert_wildcard.crt.pem +index 7270c0c..4ca418d 100644 +--- a/t/data/testcert_wildcard.crt.pem ++++ b/t/data/testcert_wildcard.crt.pem +@@ -2,15 +2,15 @@ Certificate: + Data: + Version: 3 (0x2) + Serial Number: 137826015233 (0x2017121801) +- Signature Algorithm: sha256WithRSAEncryption ++ Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = Demo1, CN = CA1 + Validity +- Not Before: Dec 18 17:15:18 2017 GMT +- Not After : Dec 19 17:15:18 2032 GMT ++ Not Before: Aug 14 10:19:01 2018 GMT ++ Not After : Aug 15 10:19:01 2033 GMT + Subject: C = US, ST = State, L = City, O = Company, OU = Unit, CN = *.example.com, emailAddress = wildcard@example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption +- RSA Public-Key: (2048 bit) ++ Public-Key: (2048 bit) + Modulus: + 00:bd:5e:c6:d8:01:f5:cf:85:fe:eb:9b:60:dd:e8: + 8a:98:09:59:5a:71:fc:a2:ad:38:73:0a:cd:d9:5e: +@@ -45,21 +45,28 @@ Certificate: + X509v3 Subject Key Identifier: + 4B:42:86:BA:E2:BE:3D:40:0D:11:1D:66:E7:BE:94:39:B2:84:D3:06 + X509v3 Authority Key Identifier: +- keyid:C8:1C:DA:92:0A:A9:48:08:3A:76:76:15:38:04:F1:34:D9:15:D0:20 ++ keyid:A3:73:F4:83:F0:B4:9D:7A:10:1A:D5:5D:E1:88:F5:D7:73:A8:56:4F + + Signature Algorithm: sha256WithRSAEncryption +- 
20:cb:ec:9d:8b:e8:2d:61:74:5e:30:b0:95:88:4e:80:09:df: +- c9:7f:b0:c9:d2:19:4e:2c:5a:eb:02:0f:ce:e8:8a:52:fa:22: +- 59:b1:c3:7b:39:db:f0:7d:9a:91:19:ef:d5:f7:73:5b:6b:47: +- 3d:48:c3:c7:4a:2e:7b:7f:3d:ff:65:53:11:21:95:2c:00:fd: +- 39:76:25:8e:05:68:c4:b9:cc:bd:ca:28:60:bf:6d:4c:00:d0: +- 4e:b4:4c:62:6b:34:48:2c:60:b9:33:76:3f:3b:72:57:11:ec: +- f4:2d:5f:b3:f1:a1:c8:d4:5b:5f:23:6b:b0:ec:28:5a:0b:43: +- 7f:e3 ++ 07:43:9b:e0:21:e6:e1:40:35:09:f3:d6:62:0d:7c:d2:6d:78: ++ 75:6e:59:57:00:d9:4a:b2:cd:9f:9c:d2:38:85:bc:f4:d0:bd: ++ b5:20:06:af:ed:ae:0a:19:2a:01:af:25:4b:e3:3a:c7:58:a9: ++ 5f:bc:86:6a:24:30:2d:0d:bb:1d:3f:dd:98:75:9a:4c:1d:d0: ++ a1:8e:43:11:b9:3a:ba:c5:e4:ec:0c:6c:da:b5:34:2a:ab:3f: ++ fb:87:27:d2:32:ca:f9:65:1f:f2:ed:e7:7e:c0:11:30:5e:3a: ++ f7:97:58:52:ff:e1:be:93:cd:96:03:48:53:bf:58:65:a5:20: ++ 09:d9:9b:7c:03:f0:39:61:28:01:92:3e:27:ed:bd:0d:94:06: ++ cd:dc:d2:34:04:99:29:fa:5e:1b:bd:70:0f:86:5e:30:df:33: ++ fc:4c:89:b5:56:a1:f6:24:c9:1f:aa:86:ef:51:62:39:22:a9: ++ a1:ed:d2:42:f6:c0:c9:45:7f:d7:ce:3a:18:ec:5a:8e:57:2e: ++ 48:c7:d8:90:1b:a6:2d:30:4b:ad:3a:f4:a7:90:ed:da:37:2f: ++ b9:9c:ba:3c:08:b6:d7:53:d9:ae:34:5f:9a:02:8a:65:20:93: ++ 17:be:e5:7e:3a:11:10:8e:d2:0c:58:bf:20:32:02:f8:05:de: ++ cd:2e:82:f1 + -----BEGIN CERTIFICATE----- +-MIIDhjCCAu+gAwIBAgIFIBcSGAEwDQYJKoZIhvcNAQELBQAwKzELMAkGA1UEBhMC +-VVMxDjAMBgNVBAoTBURlbW8xMQwwCgYDVQQDEwNDQTEwHhcNMTcxMjE4MTcxNTE4 +-WhcNMzIxMjE5MTcxNTE4WjCBijELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRl ++MIIEBzCCAu+gAwIBAgIFIBcSGAEwDQYJKoZIhvcNAQELBQAwKzELMAkGA1UEBhMC ++VVMxDjAMBgNVBAoMBURlbW8xMQwwCgYDVQQDDANDQTEwHhcNMTgwODE0MTAxOTAx ++WhcNMzMwODE1MTAxOTAxWjCBijELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRl + MQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdDb21wYW55MQ0wCwYDVQQLDARVbml0 + MRYwFAYDVQQDDA0qLmV4YW1wbGUuY29tMSMwIQYJKoZIhvcNAQkBFhR3aWxkY2Fy + ZEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1e +@@ -72,8 +79,11 @@ LU5cgpUvoGJ4WWUGAbcCAwEAAaOB0TCBzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW + 
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAXBgNVHSAEEDAOMAUGAyoEBTAFBgMpAwQw + RgYDVR0RBD8wPYINKi5leGFtcGxlLmNvbYEUd2lsZGNhcmRAZXhhbXBsZS5jb22H + BAoUHiiHECABDbgBSAEAAAAAAAAAADEwHQYDVR0OBBYEFEtChrrivj1ADREdZue+ +-lDmyhNMGMB8GA1UdIwQYMBaAFMgc2pIKqUgIOnZ2FTgE8TTZFdAgMA0GCSqGSIb3 +-DQEBCwUAA4GBACDL7J2L6C1hdF4wsJWIToAJ38l/sMnSGU4sWusCD87oilL6Ilmx +-w3s52/B9mpEZ79X3c1trRz1Iw8dKLnt/Pf9lUxEhlSwA/Tl2JY4FaMS5zL3KKGC/ +-bUwA0E60TGJrNEgsYLkzdj87clcR7PQtX7PxocjUW18ja7DsKFoLQ3/j ++lDmyhNMGMB8GA1UdIwQYMBaAFKNz9IPwtJ16EBrVXeGI9ddzqFZPMA0GCSqGSIb3 ++DQEBCwUAA4IBAQAHQ5vgIebhQDUJ89ZiDXzSbXh1bllXANlKss2fnNI4hbz00L21 ++IAav7a4KGSoBryVL4zrHWKlfvIZqJDAtDbsdP92YdZpMHdChjkMRuTq6xeTsDGza ++tTQqqz/7hyfSMsr5ZR/y7ed+wBEwXjr3l1hS/+G+k82WA0hTv1hlpSAJ2Zt8A/A5 ++YSgBkj4n7b0NlAbN3NI0BJkp+l4bvXAPhl4w3zP8TIm1VqH2JMkfqobvUWI5Iqmh ++7dJC9sDJRX/XzjoY7FqOVy5Ix9iQG6YtMEutOvSnkO3aNy+5nLo8CLbXU9muNF+a ++AoplIJMXvuV+OhEQjtIMWL8gMgL4Bd7NLoLx + -----END CERTIFICATE----- +diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t +index 5dc946a..74e317a 100644 +--- a/t/local/07_sslecho.t ++++ b/t/local/07_sslecho.t +@@ -285,7 +285,7 @@ my @results; + push @results, [ $issuer eq $cert_name, 'cert issuer' ]; + push @results, [ $subject eq $cert_name, 'cert subject' ]; + push @results, [ substr($cn, length($cn) - 1, 1) ne "\0", 'tailing 0 character is not returned from get_text_by_NID' ]; +- push @results, [ $fingerprint eq '96:9F:25:FD:42:A7:FC:4D:8B:FF:14:76:7F:2E:07:AF:F6:A4:10:96', 'SHA-1 fingerprint' ]; ++ push @results, [ $fingerprint eq 'C7:BC:62:F8:50:40:4D:0B:1D:9A:A1:16:39:8D:91:67:91:A4:1D:9D', 'SHA-1 fingerprint' ]; + + return 1; + } +diff --git a/t/local/50_digest.t b/t/local/50_digest.t +index c181837..b2de4dc 100644 +--- a/t/local/50_digest.t ++++ b/t/local/50_digest.t +@@ -179,17 +179,17 @@ SKIP: { + + my $file1 = File::Spec->catfile('t', 'data', 'cert.pem'); + my $results1 = { +- md2 => '6d89cda9599a54d03652f9464e8b6e51', +- md4 => 'ada352f40f1ca64f4168a8aae7c1a281', +- md5 => 
'e060f11c6afa9e1f59a8e7c873aa3423', +- mdc2 => 'e9ca1fd1cfccfb450b402a0dd446db28', +- ripemd160 => 'cbd50056558b01b5e9ec67901b518462b5393e5b', +- sha => '79de0d0cc736d98b65f5d6b3ac89e65ca8d3b2a7', +- sha1 => '0267dd25bbd8930c537716d972dd9ba128846428', +- sha224 => '5b42d5a3b16a6cee821b03c41f0428b09b70695becb0aaafbc7d6419', +- sha256 => '764633a51af4ef374cabb1ea859cc324680cfeff694797e90562e19ffb71ab26', +- sha512 => '37e3a2e84aec822922c51d4d8d37bf003e1d85f55a4bf2fae2940a5aab5b32f7601c2a9cde5b9c6391aaa4ffef1e845f11d2f0b6a37a9b2f48fb7f6469f0a51c', +- whirlpool => 'b2dc90dbbc60e5e2dc28de3bdeab45fb2fa6d13d86ff14908130624a242e38ecc195b3b11a7ef137b77a24e9a0ba5be061ac1baa11892369286d613569199458', ++ md2 => '99c30267cbf14bc2841a5b7749ba1cc2', ++ md4 => 'd7dc371997d08d4da70501ecdfe6e09e', ++ md5 => 'e3fdc3024e8380af1d8dd3a2705ad5c9', ++ mdc2 => '44c546567b06aba23e6a808ad2210ad6', ++ ripemd160 => 'a8f3023b46590fff58733db0993fb0e66a7c2e33', ++ sha => '72bd01553288bc5e4ba558a85970d12a7c296e28', ++ sha1 => '9af9b8d6efc1efce1957944b6041fb3e299834b0', ++ sha224 => 'fc1ef172129181a1c104467a01300f6b12c472df93f65c545acd0b3b', ++ sha256 => 'c49f7c37cfb711b1e660da7567608f9433d1faf6cc903793aedbf61b6c66cfcd', ++ sha512 => 'de0fb6197c8e586bc16faf19eb53336ddc2971c2fb0c8ad24accf8bc1fd483357e98b6fc38efcd09c574ecb4ba82bf8f1451e29ba758dc8537a27f57bdc19d44', ++ whirlpool => 'f775be3610857166dd466ce9ae481c65d3938f6794b0b17294cb533b0a721b42de3726dbc15f22156778f333ddafb6db8997765a3e30ed436f6cab561ffab5de', + }; + + my $file2 = File::Spec->catfile('t', 'data', 'binary-test.file'); +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch new file mode 100644 index 0000000..aa4b338 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch 
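Review bot: The header comment of the new t/data/test_CA1.conf says "Then generate CRL in DER format" above an `openssl ca ... -gencrl -out test_CA1.crl.pem` command that writes PEM, with the DER conversion described as the following step; the first comment should read `# Then generate CRL in PEM format:`. The `[ test_CA1 ]` section sets `default_crl_days = 30`, so a CRL regenerated with this file presumably carries a nextUpdate about a month out; if any test verifies against t/data/test_CA1.crl.der with time checks enabled it would start failing after that, which I cannot confirm from this hunk. Since the patch also checks in an unencrypted RSA private key in t/data/test_CA1.key.pem, a one-line comment in the conf such as `# Keys and certificates generated here are public test fixtures only.` would make their status explicit.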
@@ -0,0 +1,225 @@ +From e0b42b0120b941b5675e4071445424dc8a1230e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Wed, 15 Aug 2018 14:46:52 +0200 +Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from + read()/write() up +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test +because it tests non-blocking socket operations and expects to see +SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them +byt itself. + +This patch purifies Net::SSLeay::{read,write}() to behave exactly as +underlying OpenSSL functions. The retry is moved to +Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in +tests are changed into Net::SSLea::ssl_{read,write}_all(). + +All applications should implement the retry themsleves or use +ssl_*_all() instead. + +Signed-off-by: Petr Písař +--- + SSLeay.xs | 28 +++++++--------------------- + lib/Net/SSLeay.pm | 22 +++++++++++++++------- + t/local/07_sslecho.t | 12 ++++++------ + t/local/36_verify.t | 9 +++++---- + 4 files changed, 33 insertions(+), 38 deletions(-) + +diff --git a/SSLeay.xs b/SSLeay.xs +index 5aed4d7..7cb6eab 100644 +--- a/SSLeay.xs ++++ b/SSLeay.xs +@@ -1997,19 +1997,13 @@ SSL_read(s,max=32768) + PREINIT: + char *buf; + int got; ++ int succeeded = 1; + PPCODE: + New(0, buf, max, char); + +- do { +- int err; +- +- got = SSL_read(s, buf, max); +- if (got > 0) +- break; +- err = SSL_get_error(s, got); +- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) +- break; +- } while (1); ++ got = SSL_read(s, buf, max); ++ if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) ++ succeeded = 0; + + /* If in list context, return 2-item list: + * first return value: data gotten, or undef on error (got<0) +@@ -2017,13 +2011,13 @@ SSL_read(s,max=32768) + */ + if (GIMME_V==G_ARRAY) { + EXTEND(SP, 2); +- PUSHs(sv_2mortal(got>=0 ? 
newSVpvn(buf, got) : newSV(0))); ++ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(newSViv(got))); + + /* If in scalar or void context, return data gotten, or undef on error. */ + } else { + EXTEND(SP, 1); +- PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); ++ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + } + + Safefree(buf); +@@ -2066,15 +2060,7 @@ SSL_write(s,buf) + INPUT: + char * buf = SvPV( ST(1), len); + CODE: +- do { +- ret = SSL_write (s, buf, (int)len); +- if (ret > 0) +- break; +- err = SSL_get_error(s, ret); +- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) +- break; +- } while (1); +- RETVAL = ret; ++ RETVAL = SSL_write (s, buf, (int)len); + OUTPUT: + RETVAL + +diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm +index 3adf12c..afc6c8f 100644 +--- a/lib/Net/SSLeay.pm ++++ b/lib/Net/SSLeay.pm +@@ -579,14 +579,22 @@ sub debug_read { + sub ssl_read_all { + my ($ssl,$how_much) = @_; + $how_much = 2000000000 unless $how_much; +- my ($got, $errs); ++ my ($got, $rv, $errs); + my $reply = ''; + + while ($how_much > 0) { +- $got = Net::SSLeay::read($ssl, ++ ($got, $rv) = Net::SSLeay::read($ssl, + ($how_much > 32768) ? 32768 : $how_much + ); +- last if $errs = print_errs('SSL_read'); ++ if (! 
defined $got) { ++ my $err = Net::SSLeay::get_error($ssl, $rv); ++ if ($err != Net::SSLeay::ERROR_WANT_READ() and ++ $err != Net::SSLeay::ERROR_WANT_WRITE()) { ++ $errs = print_errs('SSL_read'); ++ last; ++ } ++ next; ++ } + $how_much -= blength($got); + debug_read(\$reply, \$got) if $trace>1; + last if $got eq ''; # EOF +@@ -839,14 +847,14 @@ sub ssl_read_until ($;$$) { + $found = index($match, $delim); + + if ($found > -1) { +- #$got = Net::SSLeay::read($ssl, $found+$len_delim); ++ #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); + #read up to the end of the delimiter +- $got = Net::SSLeay::read($ssl, ++ $got = Net::SSLeay::ssl_read_all($ssl, + $found + $len_delim + - ((blength($match)) - (blength($got)))); + $done = 1; + } else { +- $got = Net::SSLeay::read($ssl, $peek_length); ++ $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); + $done = 1 if ($peek_length == $max_length - blength($reply)); + } + +@@ -857,7 +865,7 @@ sub ssl_read_until ($;$$) { + } + } else { + while (!defined $max_length || length $reply < $max_length) { +- $got = Net::SSLeay::read($ssl,1); # one by one ++ $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one + last if print_errs('SSL_read'); + debug_read(\$reply, \$got) if $trace>1; + last if $got eq ''; +diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t +index 74e317a..7f19027 100644 +--- a/t/local/07_sslecho.t ++++ b/t/local/07_sslecho.t +@@ -134,10 +134,10 @@ my @results; + + push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; + +- push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ]; ++ push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; + shutdown($s, 1); + +- my ($got) = Net::SSLeay::read($ssl); ++ my $got = Net::SSLeay::ssl_read_all($ssl); + push @results, [ $got eq uc($msg), 'read' ]; + + Net::SSLeay::free($ssl); +@@ -177,7 +177,7 @@ my @results; + Net::SSLeay::set_fd($ssl, fileno($s)); + Net::SSLeay::connect($ssl); + +- Net::SSLeay::write($ssl, $msg); ++ 
Net::SSLeay::ssl_write_all($ssl, $msg); + + shutdown $s, 2; + close $s; +@@ -231,15 +231,15 @@ my @results; + Net::SSLeay::set_fd($ssl3, $s3); + + Net::SSLeay::connect($ssl1); +- Net::SSLeay::write($ssl1, $msg); ++ Net::SSLeay::ssl_write_all($ssl1, $msg); + shutdown $s1, 2; + + Net::SSLeay::connect($ssl2); +- Net::SSLeay::write($ssl2, $msg); ++ Net::SSLeay::ssl_write_all($ssl2, $msg); + shutdown $s2, 2; + + Net::SSLeay::connect($ssl3); +- Net::SSLeay::write($ssl3, $msg); ++ Net::SSLeay::ssl_write_all($ssl3, $msg); + shutdown $s3, 2; + + close $s1; +diff --git a/t/local/36_verify.t b/t/local/36_verify.t +index 2837288..b04be13 100644 +--- a/t/local/36_verify.t ++++ b/t/local/36_verify.t +@@ -252,8 +252,9 @@ sub client { + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::connect($ssl); + my $end = "end"; +- Net::SSLeay::write($ssl, $end); +- ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); ++ Net::SSLeay::ssl_write_all($ssl, $end); ++ Net::SSLeay::shutdown($ssl); ++ ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); + return; + } + +@@ -291,10 +292,10 @@ sub run_server + next unless $ret == 1; + + # Termination request or other message from client +- my $msg = Net::SSLeay::read($ssl); ++ my $msg = Net::SSLeay::ssl_read_all($ssl); + if (defined $msg and $msg eq 'end') + { +- Net::SSLeay::write($ssl, 'end'); ++ Net::SSLeay::ssl_write_all($ssl, 'end'); + exit (0); + } + } +-- +2.14.4 + diff --git a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch new file mode 100644 index 0000000..2f8a1d2 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch 
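Review bot: In the SSL_read change to SSLeay.xs, `succeeded` stays 1 whenever SSL_get_error() reports SSL_ERROR_ZERO_RETURN, so `newSVpvn(buf, got)` is reached with whatever non-positive `got` SSL_read() returned. That is harmless for `got == 0`, but a negative `got` would be converted to a very large length and copy far past `buf`; rather than rely on the library always pairing ZERO_RETURN with a return of 0, I would clamp it in both the list and scalar branches: `PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got > 0 ? got : 0) : newSV(0)));`. The comment above the list branch still says undef is returned for `got<0`, while the new code also returns undef for `got == 0` with any error other than ZERO_RETURN; it could read `first return value: data gotten, or undef on error (got<=0 and not a clean shutdown)`. The XS definition of SSL_read begins above the quoted lines, so the declaration of `max` and the allocation size are only partly visible here.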
@@ -0,0 +1,70 @@ +From 122c80853a9bd66f21699fc79a689b3028d00d3b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 17 Aug 2018 13:08:44 +0200 +Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from + write_partial() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test +because it tests non-blocking socket operations and expects to see +SSL_ERROR_WANT_WRITE errors and to handle them byt itself. + +This patch purifies Net::SSLeay::write_partial() to behave exactly as +underlying OpenSSL SSL_write() function. The retry is already +presented in Net::SSLeay::ssl_write_all(). + +All applications should implement the retry themsleves or use +ssl_*_all() instead. + +Signed-off-by: Petr Písař +--- + SSLeay.xs | 16 ++-------------- + lib/Net/SSLeay.pod | 3 ++- + 2 files changed, 4 insertions(+), 15 deletions(-) + +diff --git a/SSLeay.xs b/SSLeay.xs +index 7cb6eab..fc7677f 100644 +--- a/SSLeay.xs ++++ b/SSLeay.xs +@@ -2089,20 +2089,8 @@ SSL_write_partial(s,from,count,buf) + if (len < 0) { + croak("from beyound end of buffer"); + RETVAL = -1; +- } else { +- int ret; +- int err; +- +- do { +- ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); +- if (ret > 0) +- break; +- err = SSL_get_error(s, ret); +- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) +- break; +- } while (1); +- RETVAL = ret; +- } ++ } else ++ RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); + OUTPUT: + RETVAL + +diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod +index bca7be4..8b5f738 100644 +--- a/lib/Net/SSLeay.pod ++++ b/lib/Net/SSLeay.pod +@@ -4819,7 +4819,8 @@ Check openssl doc L Does not exactly correspond to any low level API function + +-Writes a fragment of data in $data from the buffer $data into the specified $ssl connection. 
++Writes a fragment of data in $data from the buffer $data into the specified ++$ssl connection. This is a non-blocking function like L. + + my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data); + # $ssl - value corresponding to openssl's SSL structure +-- +2.14.4 + diff --git a/SPECS/perl-Net-SSLeay.spec b/SPECS/perl-Net-SSLeay.spec new file mode 100644 index 0000000..3b7ca50 --- /dev/null +++ b/SPECS/perl-Net-SSLeay.spec 
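Review bot: In SSL_write_partial the new `else` branch hands `(count<=len)?count:len` straight to SSL_write(), and only `len < 0` is rejected, so `from` at the very end of the buffer (`len == 0`) or a zero or negative `count` reaches OpenSSL as a non-positive length. OpenSSL documents SSL_write() with a length of 0 as undefined behaviour, and with the retry loop removed whatever it returns now goes directly to the Perl caller as if it were an I/O result. I would guard the call, for example `} else if (count <= 0 || len == 0) { RETVAL = 0; } else {` followed by the existing `RETVAL = SSL_write (...)` line and a closing brace (or croak as the `len < 0` case does), which also removes the brace-less `else` after a braced `if`. The hunk does not show how `len` is derived or whether `from` is checked for negative values, because the function starts above it; that is worth confirming in the same pass.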
@@ -0,0 +1,903 @@ +%if ! (0%{?rhel}) +%{bcond_without perl_Net_SSLeay_enables_optional_test} +%else +%{bcond_with perl_Net_SSLeay_enables_optional_test} +%endif + +# Provides/Requires filtering is different from rpm 4.9 onwards +%global rpm49 %(rpm --version | perl -p -e 's/^.* (\\d+)\\.(\\d+).*/sprintf("%d.%03d",$1,$2) ge 4.009 ? 1 : 0/e' 2>/dev/null || echo 0) + +Name: perl-Net-SSLeay +Version: 1.85 +Release: 5%{?dist} +Summary: Perl extension for using OpenSSL +License: Artistic 2.0 +URL: http://search.cpan.org/dist/Net-SSLeay/ +Source0: http://search.cpan.org/CPAN/authors/id/M/MI/MIKEM/Net-SSLeay-%{version}.tar.gz +# Add missing call to va_end() in TRACE() (CPAN RT# 126028) +Patch0: Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch +# Adapt to OpenSSL 1.1.1, bug #1610376, CPAN RT#125218 +Patch1: Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch +# Adapt tests to system-wide crypto policy, bug #1610376 +Patch2: Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch +# Adapt tests to security level 2 system-wide crypt policy, bug #1610376, +# CPAN RT#126270 +Patch3: Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch +# Avoid SIGPIPE in t/local/36_verify.t, bug #1610376, CPAN RT#125218 +Patch4: Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch +# Revert retry in Net::SSLeay::{read,write}(), bug #1610376, CPAN RT#125218 +Patch5: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch +# Revert retry in Net::SSLeay::write_partial(), bug #1610376, CPAN RT#125218 +Patch6: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch +# =========== Module Build =========================== +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: gcc +# git-core for Generate-2048-bit-keys-for-tests.patch binary patch +BuildRequires: git-core +BuildRequires: make +BuildRequires: openssl +BuildRequires: openssl-devel +BuildRequires: perl-devel +BuildRequires: perl-generators 
+BuildRequires: perl-interpreter +BuildRequires: perl(Cwd) +BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(File::Path) +BuildRequires: perl(lib) +# =========== Module Runtime ========================= +BuildRequires: perl(AutoLoader) +BuildRequires: perl(Carp) +BuildRequires: perl(Exporter) +BuildRequires: perl(MIME::Base64) +BuildRequires: perl(Socket) +BuildRequires: perl(XSLoader) +# =========== Test Suite ============================= +BuildRequires: perl(Config) +BuildRequires: perl(File::Spec) +BuildRequires: perl(HTTP::Tiny) +BuildRequires: perl(IO::Handle) +BuildRequires: perl(IO::Socket::INET) +BuildRequires: perl(strict) +BuildRequires: perl(Test::More) >= 0.61 +BuildRequires: perl(threads) +BuildRequires: perl(warnings) +# =========== Optional Test Suite ==================== +%if %{with perl_Net_SSLeay_enables_optional_test} +BuildRequires: perl(Test::Exception) +BuildRequires: perl(Test::NoWarnings) +BuildRequires: perl(Test::Pod) >= 1.0 +BuildRequires: perl(Test::Warn) +%endif +# =========== Module Runtime ========================= +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(MIME::Base64) +Requires: perl(XSLoader) + +# Don't "provide" private Perl libs or the redundant unversioned perl(Net::SSLeay) provide +%global __provides_exclude ^(perl\\(Net::SSLeay\\)$|SSLeay\\.so) + +%description +This module offers some high level convenience functions for accessing +web pages on SSL servers (for symmetry, same API is offered for +accessing http servers, too), a sslcat() function for writing your own +clients, and finally access to the SSL API of SSLeay/OpenSSL package +so you can write servers or clients for more complicated applications. + +%prep +%autosetup -S git -n Net-SSLeay-%{version} + +# Fix permissions in examples to avoid bogus doc-file dependencies +chmod -c 644 examples/* + +# Remove redundant unversioned provide if we don't have rpm 4.9 or later +%if ! 
%{rpm49} +%global provfilt /bin/sh -c "%{__perl_provides} | grep -Fvx 'perl(Net::SSLeay)'" +%global __perl_provides %{provfilt} +%endif + +%build +PERL_MM_USE_DEFAULT=1 perl Makefile.PL \ + INSTALLDIRS=vendor \ + OPTIMIZE="%{optflags}" +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +find %{buildroot} -type f -name .packlist -delete +find %{buildroot} -type f -name '*.bs' -empty -delete +%{_fixperms} -c %{buildroot} + +# Remove script we don't want packaged +rm -f %{buildroot}%{perl_vendorarch}/Net/ptrtstrun.pl + +%check +make test + +# Check for https://bugzilla.redhat.com/show_bug.cgi?id=1222521 +perl -Iblib/{arch,lib} -MNet::SSLeay -e 'Net::SSLeay::CTX_v3_new()' + +%files +%if 0%{?_licensedir:1} +%license LICENSE +%else +%doc LICENSE +%endif +%doc Changes Credits QuickRef README examples/ +%{perl_vendorarch}/auto/Net/ +%dir %{perl_vendorarch}/Net/ +%{perl_vendorarch}/Net/SSLeay/ +%{perl_vendorarch}/Net/SSLeay.pm +%doc %{perl_vendorarch}/Net/SSLeay.pod +%{_mandir}/man3/Net::SSLeay.3* +%{_mandir}/man3/Net::SSLeay::Handle.3* + +%changelog +* Wed Aug 15 2018 Petr Pisar - 1.85-5 +- Revert retry in Net::SSLeay::{read,write}() (bug #1610376) +- Revert retry in Net::SSLeay::write_partial() (bug #1610376) + +* Tue Aug 14 2018 Petr Pisar - 1.85-4 +- Avoid SIGPIPE in t/local/36_verify.t (bug #1610376) + +* Mon Aug 13 2018 Petr Pisar - 1.85-3 +- Adapt to OpenSSL 1.1.1 (bug #1610376) +- Adapt tests to system-wide crypto policy (bug #1610376) +- Adapt tests to security level 2 system-wide crypt policy (bug #1610376) + +* Mon Aug 13 2018 Jitka Plesnikova - 1.85-2 +- Add missing call to va_end() in TRACE() (bug #1607018) + +* Wed Mar 14 2018 Paul Howarth - 1.85-1 +- Update to 1.85 + - Preparations for transferring maintenace to a new maintainer + - Fixed test failure in t/local/33_x509_create_cert.t for some versions of + OpenSSL + - Fixed free() error that causes "Free to wrong pool ..." 
message on Windows + +* Thu Feb 08 2018 Fedora Release Engineering - 1.84-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 17 2018 Paul Howarth - 1.84-1 +- Update to 1.84 + - Fixed an error in t/local/04_basic.t causing a test failure if + Test::Exception not installed + +* Tue Jan 16 2018 Paul Howarth - 1.83-1 +- Update to 1.83 + - Fixed a problem with exporting OPENSSL_NO_NEXTPROTONEG even though they + are not available on LibreSSL + - Add support for SSL_set_default_passwd_cb* for OpenSSL 1.1.0f and later; + LibreSSL does not support these functions, at least yet + - Add new functions related to SSL_CTX_new + - Add two new functions introduced in OpenSSL 1.1.0, a number of constants + and a couple of const qualifiers to SSLeay.xs; tests and documentation .pod + were also updated + - Added support for SSL_use_certificate_chain_file function introduced in + OpenSSL 1.1.0 + - Fixed LibreSSL version detection to correctly parse LibreSSL minor version + - Fix memory leaks in OCSP handling + - Add new functions for certificate verification introduced in OpenSSL 1.02, + a number of constants, new test data files, new tests and updates to .pod + documentation; the new functions provide access to the built-in wildcard + check functionality available in OpenSSL 1.0.2 and later + - Added X509_STORE_CTX_new and X509_verify_cert + - SSL_OCSP_response_verify now clears the error queue if OCSP_basic_verify + fails but the intermediate certificate succeeds + +* Tue Oct 31 2017 Paul Howarth - 1.82-1 +- Update to 1.82 + - Added support for building under Linuxbrew (a linuxbrew version of MacOS + Homebrew) + - Implement SSL_CTX_set_psk_client_callback() and + SSL_set_psk_client_callback() + - Skip the NPN test if the SSL library is LibreSSL + - Fixed a problem with a variable declaration in + ssleay_session_secret_cb_invoke + - Bugfix: tlsext_status_cb_invoke(...): free ocsp_response only when + allocated; the same callback is used on a server 
side for OCSP stapling + and in that case ocsp_response is NULL and not used + - New feature: Added a binding + SSL_set_session_ticket_ext_cb(ssl, callback, data); a callback used by + EAP-FAST/EAP-TEAT to parse and process TLS session ticket + - New feature: Added a binding SSL_set_session_ticket_ext(ssl, ticket); used + by EAP-FAST/EAP-TEAP to define TLS session ticket value + - Bugfix: tlsext_ticket_key_cb_invoke(...): allow SHA256 HMAC key to be 32 + bytes instead of 16 bytes (which OpenSSL will pad with zeros up to 32 + bytes) + - New feature: Added following bindings: + - X509_get_ex_data(cert, idx) + - X509_get_ex_new_index(argl, argp, new_func, dup_func, free_func) + - X509_get_app_data(cert) + - X509_set_ex_data(cert, idx, data) + - X509_set_app_data(cert, arg) + - X509_STORE_CTX_get_ex_new_index(argl, argp, new_func, dup_func, free_func) + - X509_STORE_CTX_get_app_data(x509_store_ctx) + - X509_STORE_CTX_set_app_data(x509_store_ctx, arg) + - New feature: Added an implementation for + SSL_get_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE) + - New feature: Added an implementation for + SSL_get_peer_finished(ssl, buf, count=2*EVP_MAX_MD_SIZE) + - Bugfix: SSL_get_keyblock_size(s): Calculate key block size correctly also + with AEAD ciphers, which don’t use digest functions + - New feature: Added a binding SSL_set_tlsext_status_ocsp_resp(ssl, staple); + used by a server side to include OCSP staple in ServerHello + - Bugfix: SSL_OCSP_response_verify(ssl, rsp, svreq, flags): check that chain + and last are not NULL before trying to use them + - Bugfix: inc/Module/Install/PRIVATE/Net/SSLeay.pm: Don’t quote include and + lib paths +- Drop EL-5 support + - Drop BuildRoot: and Group: tags + - Drop explicit buildroot cleaning in %%install section + - Drop explicit %%clean section + +* Thu Aug 03 2017 Fedora Release Engineering - 1.81-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.81-3 +- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 1.81-2 +- Perl 5.26 rebuild + +* Tue Mar 28 2017 Paul Howarth - 1.81-1 +- Update to 1.81 + - Enable RSA_get_key_parameters with LibreSSL - again + - Fixed memory leak in X509_get_subjectAltNames + - Added . to lib path in Makefile.PL to accommodate people who are using a + perl with -Ddefault_inc_excludes_dot + - Fixed build failure if engine support not present + - Improvements to get_my_thread_id to work around possibility of ERRSV not + being defined, e.g. on OpenWRT + +* Sat Feb 11 2017 Fedora Release Engineering - 1.80-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 5 2017 Paul Howarth - 1.80-1 +- Update to 1.80 + - Fix unexpected changes in the control flow of the Perl program that seemed + to be triggered by the ticket key callback + +* Tue Jan 3 2017 Paul Howarth - 1.79-1 +- Update to 1.79 + - Patch to fix a few inline variable declarations that cause errors for older + compilers + - Patch: Generated C code is not compatible with MSVC, AIX cc, probably + others; added some PREINIT blocks and replaced 2 cases of INIT with PREINIT + - Fix compile failure if the OpenSSL library it's built against has + compression support compiled out + - Added RSA_get_key_parameters() to return a list of pointers to RSA key + internals (only available prior to OpenSSL 1.1) + - Fix some documentation typos + - Testing with openssl-1.1.0b + +* Wed Oct 12 2016 Paul Howarth - 1.78-2 +- Rebuild for OpenSSL 1.1.0 in Fedora 26 + +* Sun Aug 14 2016 Paul Howarth - 1.78-1 +- Update to 1.78 + - Fixed broken (since 1.75) OCSP code and tests + +* Thu Aug 11 2016 Paul Howarth - 1.77-2 +- Fix OCSP (CPAN RT#116795) + +* Mon Aug 1 2016 Paul Howarth - 1.77-1 +- Update to 1.77 + - Fixed incorrect size to memset in tlsext_ticket_key_cb_invoke + +* Sun Jul 31 2016 Paul Howarth - 1.76-1 +- Update to 1.76 + - Compatibility with OpenSSL 1.1, tested with 
openssl-1.1.0-pre5: + - Conditionally remove threading locking code, not needed in 1.1 + - Rewrite code that accesses inside X509_ATTRIBUTE struct + - SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa, SSL_CTX_set_tmp_rsa_callback, + SSL_set_tmp_rsa_callback support not available in 1.1 + - SSL_session_reused is now native + - SSL_get_keyblock_size modifed to use new API + - OCSP functions modified to use new API under 1.1 + - SSL_set_state removed with 1.1 + - SSL_get_state and SSL_state are now equivalent and available in all + versions + - SSL_CTX_v2_new removed + - SESSION_set_master_key removed with 1.1; code that previously used + SESSION_set_master_key must now set $secret in the session_secret + callback set with SSL_set_session_secret_cb + - With 1.1, $secret in the session_secret callback set with + SSL_set_session_secret_cb can be changed to alter the master key + (required by EAP-FAST) + - Added a function EC_KEY_generate_key similar to RSA_generate_key and a + function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA; using + these functions it is easy to create and use EC keys in the same way as RSA + keys + - Testing with LibreSSL 2.4.1 + - Provide support for cross context (and cross process) session sharing using + the stateless TLS session tickets + - Added documentation about downloading latest version from SVN + - Added missing Module/install files to SVN + +* Thu Jul 21 2016 Paul Howarth - 1.74-3 +- Fix FTBFS when perl isn't in the SRPM build root + +* Sun May 15 2016 Jitka Plesnikova - 1.74-2 +- Perl 5.24 rebuild + +* Tue Apr 12 2016 Paul Howarth - 1.74-1 +- Update to 1.74 + - README.OSX was missing from the distribution + +* Mon Apr 11 2016 Paul Howarth - 1.73-1 +- Update to 1.73 + - Added X509_get_X509_PUBKEY + - Added README.OSX with instructions on how to build for recent OS X + - Added info about using OPENSSL_PREFIX to README.Win32 + - Added comments in POD about installation documentation + - Added '/usr/local/opt/openssl/bin/openssl' to 
Openssl search path for + latest version of OSX homebrew openssl +- Simplify find commands using -delete + +* Thu Feb 04 2016 Fedora Release Engineering - 1.72-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 15 2016 Paul Howarth - 1.72-2 +- Prefer %%global over %%define + +* Tue Sep 22 2015 Paul Howarth - 1.72-1 +- Update to 1.72 + - Fixed a problem where SvPVx_nolen was undefined in some versions of perl; + replaced with SvPV_nolen + - Fixed a cast warning on Darwin + +* Fri Sep 18 2015 Paul Howarth - 1.71-1 +- Update to 1.71 + - Conditionalize support for MD4, MD5 + - Added support for linking libraries in /usr/local/lib64 for some flavours + of Linux like RH Tikanga + - Fixes to X509_check_host, X509_check_ip, SSL_CTX_set_alpn_protos, and + SSL_set_alpn_protos so they will compile on MSVC and AIX cc + - Fixed typos in documentation for X509_NAME_new and X509_NAME_hash + - Version number in META.yml is now quoted +- Explicitly BR: perl-devel, needed for EXTERN.h + +* Fri Jun 26 2015 Paul Howarth - 1.70-1 +- Update to 1.70 + - The new OpenSSL 1.0.2 X509_check_* functions are not available in current + LibreSSL, so disable them in SSLeay.xs + - Fixed a problem with building against OSX homebrew's openssl + - Removed a test in t/local/33_x509_create_cert.t that fails due to changes + in 1.0.1n and later + +* Thu Jun 18 2015 Fedora Release Engineering - 1.69-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Jun 09 2015 Jitka Plesnikova - 1.69-2 +- Perl 5.22 rebuild + +* Sun Jun 7 2015 Paul Howarth - 1.69-1 +- Update to 1.69 + - Testing with OpenSSL 1.0.2, 1.0.2a OK + - Completed LibreSSL compatibility + - Improved compatibility with OpenSSL 1.0.2a + - Added the X509_check_* functions introduced in OpenSSL 1.0.2 + - Added support for X509_V_FLAG_TRUSTED_FIRST constant + - Allow get_keyblock_size to work correctly with OpenSSL 1.0.1 onwards + +* Fri Jun 05 2015 Jitka Plesnikova - 1.68-3 +- Perl 5.22 
rebuild + +* Mon May 18 2015 Paul Howarth - 1.68-2 +- SSLv3_method not dropped in OpenSSL 1.0.2, so revert that change (#1222521) + +* Fri Jan 30 2015 Paul Howarth - 1.68-1 +- Update to 1.68 + - Improvements to inc/Module/Install/PRIVATE/Net/SSLeay.pm to handle the case + where there are muliple OPENSSLs installed + - Fixed a documentation error in get_peer_cert_chain + - Fixed a problem with building on Windows that prevented correct OpenSSL + directory detection with version 1.0.1j as delivered with Shining Light + OpenSSL + - Fixed a problem with building on Windows that prevented finding MT or MD + versions of SSL libraries + - Updated doc in README.Win32 to build with Microsoft Visual Studio 2010 + Express + - Added Windows crypt32 library to Windows linking as some + compilers/platforms seem to require it and it is innocuous otherwise + - Fixed a failure in t/external/20_cert_chain.t where some platforms do not + have HTTPS in /etc/services + - Recent 1.0.2 betas have dropped the SSLv3_method function; we leave out + the function on newer versions, much the same as the SSLv2 deprecation is + handled + - Fix the ALPN test, which was incorrectly failing on OpenSSL due to the + LibreSSL check (earlier versions bailed out before that line) + - Fixed a problem on OSX when macports openssl 1.x is installed: headers from + macport were found but older OSX openssl libraries were linked, resulting + in "Symbol not found: _EVP_MD_do_all_sorted" + - Added notes about runtime error "no OPENSSL_Applink", when calling + Net::SSLeay::P_PKCS12_load_file +- Don't change %%{__perl_provides} unless we need to + +* Tue Sep 09 2014 Jitka Plesnikova - 1.66-2 +- Perl 5.20 mass + +* Mon Sep 8 2014 Paul Howarth - 1.66-1 +- Update to 1.66 + - Fixed compile problem with perl prior to 5.8.8, similar to CPAN RT#76267 + - Fixed a problem with Socket::IPPROTO_TCP on early perls + - After discussions with the community and the original author Sampo + Kellomaki, the license conditions have 
been changed to "Perl Artistic + License 2.0" +- License changed to Artistic 2.0 +- Use %%license where possible + +* Thu Aug 28 2014 Jitka Plesnikova - 1.65-3 +- Perl 5.20 rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 1.65-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jul 15 2014 Paul Howarth - 1.65-1 +- Update to 1.65 + - Added note to docs to make it clear that X509_get_subjectAltNames returns a + packed binary IP address for type 7 - GEN_IPADD + - Improvements to SSL_OCSP_response_verify to compile under non-c99 compilers + - Port to Android, includes Android-specific version of RSA_generate_key + - Added LibreSSL support + - Patch that fixes the support for SSL_set_info_callback and adds + SSL_CTX_set_info_callback and SSL_set_state; support for these functions is + necessary to either detect renegotiation or to enforce renegotiation + - Fixed a problem with SSL_set_state not available on some early OpenSSLs + - Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and + http_cat() + - Removed unnecessary Debian_CPANTS.txt from MANIFEST - again + +* Wed Jun 11 2014 Paul Howarth - 1.64-1 +- Update to 1.64 + - Test ocsp.t now does not fail if HTTP::Tiny is not installed + - Fixed repository in META.yml + - Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake results + in an anonymous authentication, like ADH-DES-CBC3-SHA, get_peer_cert_chain + will not return an empty list, but instead return the SSL object + - Fixed a problem where patch + https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244d + caused a failed test in t/local/33_x509_create_cert.t + +* Sun Jun 8 2014 Paul Howarth - 1.63-3 +- Fix failing test with openssl-1.0.1h (upstream commit 414, CPAN RT#96256) + +* Sat Jun 7 2014 Fedora Release Engineering - 1.63-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon May 19 2014 Paul Howarth - 1.63-1 +- Update to 1.63 + - Improvements to OCSP 
support: it turns out that some CAs (like Verisign)
+ sign the OCSP response with the CA we have in the trust store and don't
+ attach this certifcate in the response, but OpenSSL by itself only
+ considers the certificates included in the response and
+ SSL_OCSP_response_verify added the certificates in the chain too, so now
+ we also add the trusted CA from the store which signed the lowest chain
+ certificate, at least if we could not verify the OCSP response without
+ doing it
+ - Fixed some compiler warnings
+- BR: perl(HTTP::Tiny) for test suite
+
+* Mon May 12 2014 Paul Howarth - 1.61-1
+- Update to 1.61
+ - Fixed a typo in an error message
+ - Fixed a problem with building with openssl that does not support OCSP
+ - Fixed some newly introduced warnings if compiled with -Wall
+ - Fixed format string issue causing build failures
+ - Changed calloc to Newx and free to Safefree, otherwise there might be
+ problems because calloc is done from a different memory pool than free
+ (depends on the build options for perl, but seen on Windows)
+
+* Sat May 10 2014 Paul Howarth - 1.59-1
+- Update to 1.59
+ - Fixed local/30_error.t so that tests do not fail if diagnostics are enabled
+ - Fixed error messages about undefined strings used with length or split
+ - Improvements to configuration of OPTIMIZE flags, to prevent overriding of
+ perl's expected optimization flags
+ - SSL_peek() now returns openssl error code as second item when called in
+ array context, same as SSL_read
+ - Fixed some warnings
+ - Added support for tlsv1.1 tlsv1.2 via $Net::SSLeay::ssl_version
+ - Improve examples in 'Using other perl modules based on Net::SSLeay'
+ - Added support for OCSP
+ - Added missing t/external/ocsp.t
+- Add patch to stop gcc complaining about format string usage
+
+* Wed Jan 15 2014 Paul Howarth - 1.58-1
+- Update to 1.58
+ - Always use size_t for strlen() return value
+ - t/external/20_cert_chain.t was missing from dist
+ - Version number in META.yml was incorrect
+ - Improvements to test t/external/20_cert_chain.t to provoke following bug:
+ fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain
+ after use
+ - Fixed a problem when compiling against openssl where OPENSSL_NO_EC is set
+- Drop Fedora/EL ECC support patch, no longer needed
+
+* Sun Jan 12 2014 Paul Howarth - 1.57-1
+- Update to 1.57
+ - Fixed remaining problems with test suite: pod coverage and kwalitee tests
+ are only enabled with RELEASE_TESTING=1
+
+* Wed Jan 8 2014 Paul Howarth - 1.56-1
+- Update to 1.56
+ - Fixed a typo in documentation of BEAST Attack
+ - Added LICENSE file copied from OpenSSL distribution to prevent complaints
+ from various versions of kwalitee
+ - Adjusted license: in META.yml to be 'openssl'
+ - Adds support for the basic operations necessary to support ECDH for PFS,
+ e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh
+ - Improvements to t/handle/external/50_external.t to handle the case when a
+ test connection was not possible
+ - Added support for ALPN TLS extension
+ - Fixed a use-after-free error
+ - Fixed a problem with invalid comparison on OBJ_cmp result in
+ t/local/36_verify.t
+ - Added support for get_peer_cert_chain()
+ - Fixed a bug that could cause stack faults: mixed up PUTBACK with SPAGAIN in
+ ssleay_RSA_generate_key_cb_invoke(); a final PUTBACK is needed here
+ - Fixed cb->data checks and wrong refcounts on &PL_sv_undef
+ - Deleted support for SSL_get_tlsa_record_byname: it is not included in
+ OpenSSL git master
+- Drop upstreamed patch for CPAN RT#91215
+- Skip the Pod Coverage test, as there are naked subroutines in this release
+- ECC support not available in Fedora/EL until OpenSSL 1.0.1e, so patch the
+ source accordingly to fix builds for F-12 .. F-17
+
+* Fri Dec 6 2013 Paul Howarth - 1.55-6
+- Fix usage of OBJ_cmp in the test suite (CPAN RT#91215)
+
+* Sun Dec 1 2013 Paul Howarth - 1.55-5
+- Drop the kwalitee test for now as it's too fussy for the current code
+
+* Wed Aug 14 2013 Jitka Plesnikova - 1.55-4
+- Perl 5.18 re-rebuild of bootstrapped packages
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1.55-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 22 2013 Petr Pisar - 1.55-2
+- Perl 5.18 rebuild
+
+* Sat Jun 8 2013 Paul Howarth - 1.55-1
+- update to 1.55
+ - added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(),
+ SSL_CTX_tlsv1_2_new(), TLSv1_1_method() and TLSv1_2_method(), where
+ available in the underlying openssl
+ - added CRL support functions X509_CRL_get_ext(), X509_CRL_get_ext_by_NID(),
+ X509_CRL_get_ext_count()
+ - fixed a problem that could cause content with a value of '0' to be
+ incorrectly encoded by do_httpx3 and friends (CPAN RT#85417)
+ - added support for SSL_get_tlsa_record_byname() required for DANE support in
+ openssl-1.0.2 and later
+ - testing with openssl-1.0.2-stable-SNAP-20130521
+ - added X509_NAME_new and X509_NAME_hash
+
+* Sat Mar 23 2013 Paul Howarth - 1.54-1
+- update to 1.54
+ - added support for SSL_export_keying_material where present (i.e. in OpenSSL
+ 1.0.1 and later)
+ - changed t/handle/external/50_external.t to use www.airspayce.com instead of
+ perldition.org, who no longer have an https server
+ - patch to fix a crash: P_X509_get_crl_distribution_points on an X509
+ certificate with values in the CDP extension that do not have an ia5 string
+ would cause a segmentation fault when accessed
+ - change in t/local/32_x509_get_cert_info.t to not use
+ Net::SSLeay::ASN1_INTEGER_get, since it works differently on 32 and 64 bit
+ platforms
+ - updated author and distribution location details to airspayce.com
+ - improvement to test 07_sslecho.t so that if set_cert_and_key fails we can
+ tell why
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1.52-2
+- rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 9 2013 Paul Howarth - 1.52-1
+- update to 1.52
+ - rebuild package with gnu format tar, to prevent problems with unpacking on
+ other systems such as old Solaris
+
+* Fri Dec 14 2012 Paul Howarth - 1.51-1
+- update to 1.51
+ - fixed a problem where SSL_set_SSL_CTX is not available with
+ OpenSSL < 0.9.8f (CPAN RT#81940)
+- fix bogus date in spec changelog
+
+* Thu Dec 13 2012 Paul Howarth - 1.50-1
+- update to 1.50
+ - fixed a problem where t/handle/external/50_external.t would crash if any of
+ the test sites were not contactable
+ - now builds on VMS, added README.VMS
+ - fixed a few compiler warnings in SSLeay.xs; most of them are just
+ signed/unsigned pointer mismatches but there is one that actually fixes
+ returning what would be an arbitrary value off the stack from
+ get_my_thread_id if it happened to be called in a non-threaded build
+ - added SSL_set_tlsext_host_name, SSL_get_servername, SSL_get_servername_type,
+ SSL_CTX_set_tlsext_servername_callback for server side Server Name
+ Indication (SNI) support
+ - fixed a problem with C++ comments preventing builds on AIX and HPUX
+ - perdition.org not available for tests, changed to www.open.com.au
+ - added SSL_FIPS_mode_set
+ - improvements to test suite so it succeeds with and without FIPS mode
+ enabled
+ - added documentation, warning not to pass UTF-8 data in the content
+ argument to post_https
+
+* Tue Sep 25 2012 Paul Howarth - 1.49-1
+- update to 1.49
+ - fixed problem where on some platforms test t/local/07_tcpecho.t would bail
+ out if it could not bind port 1212; it now tries a number of ports to bind
+ to until successful
+ - improvements to unsigned casting
+ - improvements to Net::SSLeay::read to make it easier to use with
+ non-blocking IO: it modifies Net::SSLeay::read() to return the result from
+ SSL_read() as the second return value, if Net::SSLeay::read() is called in
+ list context (its behavior should be unchanged if called in scalar or void
+ context)
+ - fixed a problem where t/local/kwalitee.t fails with
+ Module::CPANTS::Analyse 0.86
+ - fixed a number of typos
+ - fixed a compiler warning from Compiling with gcc-4.4 and -Wall
+ - Fixed problems with get_https4: documentation was wrong, $header_ref was
+ not correctly set and $server_cert was not returned
+ - fixed a problem that could cause a Perl exception about no blength method
+ on undef (CPAN RT#79309)
+ - added documentation about how to mitigate various SSL/TLS vulnerabilities
+ - SSL_MODE_* are now available as constants
+- drop upstreamed pod encoding patch
+
+* Mon Aug 20 2012 Paul Howarth - 1.48-6
+- fix POD encoding (CPAN RT#78281)
+- classify buildreqs by usage
+- BR:/R: perl(XSLoader)
+
+* Mon Aug 13 2012 Petr Pisar - 1.48-5
+- specify all dependencies
+
+* Fri Jul 20 2012 Fedora Release Engineering - 1.48-4
+- rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 10 2012 Petr Pisar - 1.48-3
+- perl 5.16 re-rebuild of bootstrapped packages
+
+* Wed Jun 13 2012 Petr Pisar - 1.48-2
+- perl 5.16 rebuild
+
+* Wed Apr 25 2012 Paul Howarth - 1.48-1
+- update to 1.48
+ - removed unneeded Debian_CPANTS.txt from MANIFEST
+ - fixed incorrect documentation about the best way to call CTX_set_options
+ - fixed problem that caused "Undefined subroutine utf8::encode" in
+ t/local/33_x509_create_cert.t (on perl 5.6.2)
+ - in examples and pod documentation, changed #!/usr/local/bin/perl
+ to #!/usr/bin/perl
+ - t/local/06_tcpecho.t now tries a number of ports to bind to until
+ successful
+- no longer need to fix shellbangs in examples
+
+* Thu Apr 19 2012 Paul Howarth - 1.47-3
+- simplify Test::Kwalitee conditional
+
+* Thu Apr 19 2012 Marcela Mašláňová - 1.47-2
+- make module Kwalitee conditional
+
+* Wed Apr 4 2012 Paul Howarth - 1.47-1
+- update to 1.47
+ - fixed overlong lines and spelling errors in pod
+ - fixed extra "garbage" files in 1.46 tarball
+ - fixed incorrect fail reports on some 64 bit platforms
+ - fix to avoid FAIL reports from cpantesters with missing openssl
+ - use my_snprintf from ppport.h to prevent link failures with perl 5.8 and
+ earlier when compiled with MSVC
+
+* Tue Apr 3 2012 Paul Howarth - 1.46-1
+- update to 1.46 (see Changes file for details)
+- BR: openssl as well as openssl-devel, needed for building
+- no longer need help to find openssl
+- upstream no longer shipping TODO
+- drop %%defattr, redundant since rpm 4.4
+
+* Sat Feb 25 2012 Paul Howarth - 1.45-1
+- update to 1.45 (see Changes file for full details)
+ - added thread safety and dynamic locking, which should complete thread
+ safety work, making Net::SSLeay completely thread-safe
+ - lots of improved documentation
+- BR: perl(Test::Pod::Coverage)
+- install Net/SSLeay.pod as %%doc
+
+* Thu Jan 12 2012 Paul Howarth - 1.42-2
+- use DESTDIR rather than PERL_INSTALL_ROOT
+- use %%{_fixperms} macro rather than our own chmod incantation
+- BR: perl(AutoLoader), perl(Exporter), perl(Socket)
+
+* Mon Oct 3 2011 Paul Howarth - 1.42-1
+- update to 1.42
+ - fixed incorrect documentation of how to enable CRL checking
+ - fixed incorrect letter in Sebastien in Credits
+ - changed order of the Changes file to be reverse chronological
+ - fixed a compile error when building on Windows with MSVC6
+- drop UTF8 patch, no longer needed
+
+* Sun Sep 25 2011 Paul Howarth - 1.41-1
+- update to 1.41
+ - fixed incorrect const signatures for 1.0 that were causing warnings; now
+ have clean compile with 0.9.8a through 1.0.0
+- BR: perl(Carp)
+
+* Fri Sep 23 2011 Paul Howarth - 1.40-1
+- update to 1.40
+ - fixed incorrect argument type in call to SSL_set1_param
+ - fixed a number of issues with pointer sizes; removed redundant pointer cast
+ tests from t/
+ - added Perl version requirements to SSLeay.pm
+
+* Wed Sep 21 2011 Paul Howarth - 1.39-1
+- update to 1.39
+ - downgraded Module::Install to 0.93 since 1.01 was causing problems in the
+ Makefile
+
+* Fri Sep 16 2011 Paul Howarth - 1.38-1
+- update to 1.38
+ - fixed a problem with various symbols that only became available in OpenSSL
+ 0.9.8 such as X509_VERIFY_PARAM and X509_POLICY_NODE, causing build
+ failures with older versions of OpenSSL (CPAN RT#71013)
+
+* Fri Sep 16 2011 Paul Howarth - 1.37-1
+- update to 1.37
+ - added X509_get_fingerprint
+ - added support for SSL_CTX_set1_param, SSL_set1_param and selected
+ X509_VERIFY_PARAM_* OBJ_* functions
+ - fixed the prototype for randomize()
+ - fixed an uninitialized value warning in $Net::SSLeay::proxyauth
+ - allow net-ssleay to compile if SSLV2 is not present
+ - fixed a problem where sslcat (and possibly other functions) expect RSA
+ keys and will not load DSA keys for client certificates
+ - removed SSL_CTX_v2_new and SSLv2_method() for OpenSSL 1.0 and later
+ - added CTX_use_PKCS12_file
+- this release by MIKEM => update source URL
+
+* Tue Jul 19 2011 Petr Sabata - 1.36-7
+- Perl mass rebuild
+
+* Thu Jul 14 2011 Paul Howarth - 1.36-6
+- BR: perl(Test::Kwalitee) if we're not bootstrapping
+- explicitly BR: pkgconfig
+- use a patch rather than a scripted iconv to fix the character encoding
+- modernize provides filter
+- stop running the tests in verbose mode
+- nobody else likes macros for commands
+
+* Wed Jul 13 2011 Iain Arnell - 1.36-5
+- drop obsolete BRs Array::Compare, Sub::Uplevel, Tree::DAG_Node
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1.36-4
+- rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Dec 21 2010 Marcela Maslanova - 1.36-3
+- rebuild to fix problems with vendorarch/lib (#661697)
+
+* Tue May 04 2010 Marcela Maslanova - 1.36-2
+- mass rebuild with perl-5.12.0
+
+* Sun Jan 31 2010 Paul Howarth - 1.36-1
+- update to 1.36 (see Changes for details)
+- drop svn patches
+
+* Mon Dec 7 2009 Stepan Kasal - 1.35-8
+- rebuild against perl 5.10.1
+
+* Sat Aug 22 2009 Paul Howarth - 1.35-7
+- update to svn trunk (rev 252), needed due to omission of MD2 functionality
+ from OpenSSL 1.0.0 (CPAN RT#48916)
+
+* Fri Aug 21 2009 Tomas Mraz - 1.35-6
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering - 1.35-5
+- rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sun Mar 8 2009 Paul Howarth - 1.35-4
+- filter out unwanted provides for perl shared objects
+- run tests in verbose mode
+
+* Thu Feb 26 2009 Fedora Release Engineering - 1.35-3
+- rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Jan 17 2009 Tomas Mraz - 1.35-2
+- rebuild with new openssl
+
+* Mon Jul 28 2008 Paul Howarth - 1.35-1
+- update to 1.35
+- drop flag and patch for enabling/disabling external tests - patch now upstream
+- external hosts patch no longer needed as we don't do external tests
+- filter out unversioned provide for perl(Net::SSLeay)
+- use the distro openssl flags rather than guessing them
+
+* Wed Feb 27 2008 Tom "spot" Callaway - 1.32-5
+- rebuild for perl 5.10 (again)
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.32-4
+- autorebuild for GCC 4.3
+
+* Thu Jan 31 2008 Tom "spot" Callaway - 1.32-3
+- rebuild for new perl
+
+* Wed Dec 5 2007 Paul Howarth - 1.32-2
+- rebuild with new openssl
+
+* Wed Nov 28 2007 Paul Howarth - 1.32-1
+- update to 1.32, incorporate new upstream URLs
+- cosmetic spec changes suiting new maintainer's preferences
+- fix argument order for find with -depth
+- remove patch for CVE-2005-0106, fixed upstream in 1.30 (#191351)
+ (http://rt.cpan.org/Public/Bug/Display.html?id=19218)
+- remove test patch, no longer needed
+- re-encode Credits as UTF-8
+- include TODO as %%doc
+- add buildreqs perl(Array::Compare), perl(MIME::Base64), perl(Sub::Uplevel),
+ perl(Test::Exception), perl(Test::NoWarnings), perl(Test::Pod),
+ perl(Test::Warn), perl(Tree::DAG_Node)
+- add patch needed to disable testsuite non-interactively
+- run test suite but disable external tests by default; external tests can be
+ enabled by using rpmbuild --with externaltests
+- add patch to change hosts connected to in external tests
+
+* Fri Nov 16 2007 Parag Nemade - 1.30-7
+- Merge Review (#226272) Spec cleanup
+
+* Tue Nov 6 2007 Stepan Kasal - 1.30-6
+- fix a typo in description (#231756, #231757)
+
+* Tue Oct 16 2007 Tom "spot" Callaway - 1.30-5.1
+- correct license tag
+- add BR: perl(ExtUtils::MakeMaker)
+
+* Tue Aug 21 2007 Warren Togami - 1.30-5
+- rebuild
+
+* Fri Jul 14 2006 Warren Togami - 1.30-4
+- import into FC6
+
+* Tue Feb 28 2006 Jose Pedro Oliveira - 1.30-3
+- Rebuild for FC5 (perl 5.8.8).
+
+* Fri Jan 27 2006 Jose Pedro Oliveira - 1.30-2
+- CVE-2005-0106: patch from Mandriva
+ http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:023
+
+* Sun Jan 15 2006 Ville Skyttä - 1.30-1
+- 1.30.
+- Optionally run the test suite during build with "--with tests".
+
+* Wed Nov 9 2005 Ville Skyttä - 1.26-3
+- Rebuild for new OpenSSL.
+- Cosmetic cleanups.
+
+* Wed Apr 6 2005 Michael Schwendt - 1.26-2
+- rebuilt
+
+* Mon Dec 20 2004 Ville Skyttä - 0:1.26-1
+- Drop fedora.us release prefix and suffix.
+
+* Mon Oct 25 2004 Ville Skyttä - 0:1.26-0.fdr.2
+- Convert manual page to UTF-8.
+
+* Tue Oct 12 2004 Ville Skyttä - 0:1.26-0.fdr.1
+- Update to unofficial 1.26 from Peter Behroozi, adds get1_session(),
+ enables session caching with IO::Socket::SSL (bug 1859, bug 1860).
+- Bring outdated test14 up to date (bug 1859, test suite still not enabled).
+
+* Sun Jul 11 2004 Ville Skyttä - 0:1.25-0.fdr.4
+- Rename to perl-Net-SSLeay, provide perl-Net_SSLeay for compatibility
+ with the rest of the world.
+
+* Wed Jul 7 2004 Ville Skyttä - 0:1.25-0.fdr.3
+- Bring up to date with current fedora.us Perl spec template.
+- Include examples in docs.
+
+* Sun Feb 8 2004 Ville Skyttä - 0:1.25-0.fdr.2
+- Reduce directory ownership bloat.
+
+* Fri Oct 17 2003 Ville Skyttä - 0:1.25-0.fdr.1
+- First build.