Changelog for perl-IO-Socket-SSL-1.962-8.1.noarch.rpm:
Fri Apr 17 14:00:00 2015 vcizek@suse.com
- add DHE-RSA to the default client cipher list to support PFS with
older machines (bnc#924976)
* added perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
Fri Nov 29 13:00:00 2013 coolo@suse.com
- updated to 1.962
- work around problems with older F5 BIG-IP by offering fewer ciphers on the
client side by default, so that the client hello stays below 255 byte
- IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
are not self-signed (by giving issuer_*)
Tue Nov 26 13:00:00 2013 coolo@suse.com
- updated to 1.960
only documentation enhancements:
- clarify with text and example code, that within event loops not only
select/poll should be used, but also pending has to be called.
- better introduction into SSL, at least mention anonymous authentication as
something you don't want and should take care with the right cipher
- make it more clear, that user better does not change the cipher list, unless
he really knows what he is doing
1.959 2013/11/12
- bugfix test core.t windows only
1.958 2013/11/11
- cleanup: remove workaround for old IO::Socket::INET6 but instead require at
least version 2.55 which is now 5 years old
- fix t/session.t #RT90240, thanks to paul[AT]city-fan[DOT]org
1.957 2013/11/11
- fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
authorization. With the DH param given by default since 1.956 old versions of
openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
authorization) instead of AES256-SHA and thus the check for the peer
certificate failed (because ADH does not exchange certificates).
Fixed by explicitly specifying HIGH:!aNULL as cipher
RT#90221, thanks to paul[AT]city-fan[DOT]org
- cleaned up tests:
- remove ssl_settings.req and 02settings.t, because all tests now create a
simple socket at 127.0.0.1 and thus global settings are no longer needed.
- some tests did not have use strict(!), fixed it.
- removed special handling for older Net::SSLeay versions, which are less than
our minimum requirement
- some syntax enhancements, removed some SSL_version and SSL_cipher_list
options where they were not really needed
Fri Oct 4 14:00:00 2013 coolo@suse.com
- updated to 1.954
- accept older versions of ExtUtils::MakeMaker and add meta information
like link to repository only for newer versions.
Sat Jul 27 14:00:00 2013 coolo@suse.com
- updated to 1.953
- fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at,
RT#87052
- fix t/acceptSSL-timeout.t on Win32, RT#86862
Wed Jul 3 14:00:00 2013 lnussel@suse.de
- new version 0.951
* better document builtin defaults for key,cert,CA and how they are deprecated
* use Net::SSLeay::SSL_CTX_set_default_verify_paths to use
openssl's builtin defaults for CA unless CA path/file was given
* MAJOR BEHAVIOR CHANGE:
ssl_verify_mode now defaults to verify_peer for client. Until
now it used verify_none, but loudly complained since 1.79 about
it. It will not complain any longer, but the connection might
probably fail. Please don't simply disable ssl verification, but
instead set SSL_ca_file etc so that verification succeeds!
* MAJOR BEHAVIOR CHANGE:
it will now complain if the builtin defaults of certs/my-ca.pem
or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert
and key are used, e.g. no certificates are specified explicitly.
In the future these insecure (relative path!) defaults will be
removed and the CA replaced with the system defaults.
* Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
installed instead of reporting missing dependency to Net::SSLeay.
* need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
years ago. Remove code to work around older releases.
* changed AUTHOR in Makefile.PL from array back to string, because the
array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
* Intercept: use sha1-fingerprint of original cert for id into cache unless
otherwise given
* Fix pod error in IO::Socket::SSL::Utils RT#85733
* added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
* moved SSL interception into IO::Socket::SSL::Intercept and simplified it
using IO::Socket::SSL::Utils
* enhance meta information in Makefile.PL
* RT#85290, support more digest, especially SHA-2.
Thanks to ujvari[AT]microsec[DOT]hu
* added support for easy SSL interception (man in the middle) based
on ideas found in mojo*mitm proxy (which was written by Karel Miko)
* make 1.46 the minimal required version for Net::SSLeay, because it
introduced lots of useful functions.
* if IO::Socket::IP is used it should be at least version 0.20, o
* Spelling corrections, thanks to dsteinbrunner
- remove the dependency on IO::Socket::INET6 as it breaks the test suite
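The two behaviour changes above (verification on by default, relative-path certificate defaults going away) and the 1.957 note about anonymous ADH suites slipping in through a cipher list of HIGH both come down to how a client is configured. The following is an added example, not code from the IO::Socket::SSL distribution or from this package: a client that keeps verification enabled, points at a real CA bundle, and rules out anonymous cipher suites. The host name and CA bundle path are placeholders.

```perl
#!/usr/bin/perl
# Added example (not part of IO::Socket::SSL or this package): a client
# written for the post-1.951 defaults, so that verification stays on and
# the deprecated relative-path defaults (certs/my-ca.pem, ca/) are not used.
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Assumed values for this example only.
my $host    = 'www.example.org';
my $ca_file = '/etc/ssl/ca-bundle.pem';

# The tempting "fix" for the new default is SSL_verify_mode => SSL_VERIFY_NONE;
# that silences the failure by accepting any certificate, which is exactly
# what the 1.951 entry asks you not to do. Instead, make the store explicit.
my $client = IO::Socket::SSL->new(
    PeerHost => $host,
    PeerPort => 'https',
    # State the intent instead of relying on whichever default is current.
    SSL_verify_mode => SSL_VERIFY_PEER,
    # A real CA store instead of the insecure relative-path defaults.
    SSL_ca_file => $ca_file,
    # Check the certificate name against the host we asked for
    # (scheme 'http' allows wildcards in CN/SAN as RFC 2818 permits).
    SSL_verifycn_scheme => 'http',
    SSL_verifycn_name   => $host,
    # Strong suites only, and never anonymous (aNULL) key exchange: with
    # plain HIGH and DH parameters present, old OpenSSL may pick ADH-* and
    # then no peer certificate exists to verify (the 1.957 test failure).
    SSL_cipher_list => 'HIGH:!aNULL',
) or die "TLS connection to $host failed: $SSL_ERROR\n";

# Belt and braces: refuse to talk over an anonymous suite even if the
# cipher list were later loosened by a global setting.
my $cipher = $client->get_cipher;
die "anonymous cipher suite negotiated: $cipher\n" if $cipher =~ /^AECDH|^ADH/;

print "connected with $cipher, peer certificate:\n",
      $client->dump_peer_certificate;

# A minimal request to show the verified channel is usable as a socket.
print $client "GET / HTTP/1.0\r\nHost: $host\r\n\r\n";
my $status = <$client>;
print "server answered: $status" if defined $status;
close $client;
```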
Sat May 11 14:00:00 2013 lars@linux-schulserver.de
- update to 1.88
+ consider a value of '' the same as undef for SSL_ca_(path|file)
+ complain if given SSL_(key|cert|ca)_(file|path) do not exist or
if they are not readable
+ disabled client side SNI for openssl version < 1.0.0
+ added functions can_client_sni, can_server_sni, can_npn to check
availability of SNI and NPN features. Added more documentation for
SNI and NPN
+ Server Name Indication (SNI) support on the server side
+ sub error sets $SSL_ERROR etc only if there really is an error,
otherwise it will keep the latest error. This causes
IO::Socket::SSL->new.. to report the correct problem, even if
the problem is deeper in the code (like in connect)
+ deprecated set_ctx_defaults, new name is set_defaults
+ changed handling of default path for SSL_(ca|cert|key)* keys: either
if one of these keys is user defined don't add defaults for the
others, e.g. don't mix user settings and defaults
+ cleaner handling of module defaults vs. global settings vs. socket
specific settings
+ prepare transition to a more secure default for SSL_verify_mode.
The use of the current default SSL_VERIFY_NONE will cause a big warning
for clients, unless SSL_verify_mode was explicitly set inside the
application to this insecure value.
In the near future the default will be SSL_VERIFY_PEER, and thus
causing verification failures in unchanged applications.
+ use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and
PeerPort from sockaddr in _update_peer, because this provides scope
+ work around systems which don't define AF_INET6
+ update_peer for IPv6 also
+ no longer depend on Socket.pm 1.95 for inet_pton, but use
Socket6.pm if no current Socket.pm is available
+ made it possible to explicitly disable TLSv11 and TLSv12 in
SSL_version
+ fixed documentation errors
+ add support to IO::Socket::IP which support inet6 and inet4
+ make it possible to disable protocols using SSL_version, make
SSL_version default to 'SSLv23:!SSLv2'
+ remove SSLv2 from default cipher list
+ if no explicit cipher list is given it will now default to ALL:!LOW
instead of the openssl default, which usually includes weak ciphers
+ new config key SSL_honor_cipher_order and documented how to use it
+ make it thread safer
+ added NPN (Next Protocol Negotiation) support
+ call CTX_set_session_id_context so that servers session caching
works with client certificates too
+ don't make blocking readline if socket was set nonblocking, but
return as soon no more data are available
+ if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
message when attempting to use it
+ add automatic or explicit (via SSL_hostname) SNI support, needed
for multiple SSL hostnames with same IP. Currently only supported
for the client
- enable tests
Wed Feb 22 13:00:00 2012 vcizek@suse.com
- update to 1.55
- work around IO::Sockets work around for systems returning EISCONN etc
on connect retry for non-blocking sockets by clearing $! if SUPER::connect
returned true.
https://rt.cpan.org/Ticket/Display.html?id=75101
Thanks for Manoj Kumar for reporting.
Fri Jan 13 13:00:00 2012 vcizek@suse.com
- update to 1.54
- return 0 instead of undef in SSL_verify_callback to fix uninitialized
warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for
reporting the bug and MIKEM for the fix.
https://rt.cpan.org/Ticket/Display.html?id=73629
Sun Dec 11 13:00:00 2011 pascal.bleser@opensuse.org
- update to 1.53:
* kill child in t/memleak_bad_handshake.t if test fails RT#73146
Thu Dec 8 13:00:00 2011 vcizek@suse.com
- update to 1.52
- fix syntax error in t/memleak_bad_handshake.t
- disable t/memleak_bad_handshake.t on AIX, because it might hang
https://rt.cpan.org/Ticket/Display.html?id=72170
Mon Oct 31 13:00:00 2011 vcizek@suse.com
- update to 1.49
- another regression for readline fix, this time it failed to return lines
at eof which don't end with newline. Extended t/readline.t to catch this
Thu Oct 27 14:00:00 2011 vcizek@suse.com
- update to 1.48
- bugfix for readline fix in 1.45. If the pending data were false
(like '0') it failed to read rest of line.
Thanks to Victor Popov for reporting
https://rt.cpan.org/Ticket/Display.html?id=71953
Mon Oct 24 14:00:00 2011 vcizek@suse.com
- update to 1.47
fix for 1.46 - check for mswin32 needs to be /i. Thanks to
Alexandr Ciornii for reporting
Wed Oct 19 14:00:00 2011 vcizek@suse.com
- update to 1.46
- added test for signals
Mon Oct 17 14:00:00 2011 vcizek@suse.com
- update to 1.45
- fix readline to continue when getting interrupt waiting for more
data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem
Fri May 27 14:00:00 2011 pascal.bleser@opensuse.org
- update to 1.44:
* fix invalid call to inet_pton in verify_hostname_of_cert when identity
should be verified as ipv6 address, because it contains colon
Wed May 11 14:00:00 2011 pascal.bleser@opensuse.org
- update to 1.43: no user-visible changes: fixes in testsuite
Tue May 10 14:00:00 2011 pascal.bleser@opensuse.org
- update to 1.42:
* add SSL_create_ctx_callback to have a way to adjust context on creation
RT#67799
* describe problem of fake memory leak because of big session cache and how
to fix it, see RT#68073
- changes from 1.41:
* fix issue in stop_SSL where it did not issue a shutdown of the SSL
connection if it first received the shutdown from the other side
Wed May 4 14:00:00 2011 coolo@opensuse.org
- updated to 1.40
- integrated patch from GAAS to get IDN support from URI.
https://rt.cpan.org/Ticket/Display.html?id=67676
- fix in example/async_https_server.
Thanks to DetlefPilzecker[AT]web[DOT]de for reporting
Fri Mar 4 13:00:00 2011 vcizek@novell.com
- update to 1.39
- fixed documentation of http verification: wildcards in cn is allowed
- close should undef _SSL_fileno, because the fileno is no longer
valid (SSL connection and socket are closed)
Wed Jan 19 13:00:00 2011 vcizek@novell.com
- update to 1.38
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1
instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for
reporting
https://rt.cpan.org/Ticket/Display.html?id=64864
Thu Dec 16 13:00:00 2010 anicka@suse.cz
- update to 1.37
* don't complain about invalid certificate locations if user
explicitly set SSL_ca_path and SSL_ca_file to undef. Assume that
user knows what he is doing and will work around the problems
by itself.
* update documentation for SSL_verify_callback based on
Tue Dec 7 13:00:00 2010 anicka@suse.cz
- update to 1.35 (fixes bnc#657907)
* if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot
be verified as valid it will no longer fall back to VERIFY_NONE
but throw an error.
Wed Dec 1 13:00:00 2010 coolo@novell.com
- switch to perl_requires macro
Wed Nov 24 13:00:00 2010 chris@computersalat.de
- recreated by cpanspec 1.78
o fix deps
- noarch pkg
- removed Obsoletes/Provides p_iossl
Mon Nov 1 13:00:00 2010 anicka@suse.cz
- update to 1.34
* schema http for certificate verification changed to
wildcards_in_cn=1, because according to rfc2818 this is valid
and also seen in the wild
* if upgrading socket from inet to ssl fails due to handshake
problems the socket gets downgraded, but is still open.
* deprecate kill_socket, just use close()
Thu Mar 25 13:00:00 2010 anicka@suse.cz
- update to 1.33
* attempt to make t/memleak_bad_handshake.t more stable, it fails
for unknown reason on various systems
* fix hostname checking: an IP should only be checked against
subjectAltName GEN_IPADD, never against GEN_DNS or CN.
Tue Feb 23 13:00:00 2010 anicka@suse.cz
- update to 1.32
* Makefile.PL: die if Scalar::Util has no dualvar support instead of
only complaining.
Wed Jan 13 13:00:00 2010 anicka@suse.cz
- update to 1.31
* add and export constants for SSL_VERIFY_*
* set SSL_use_cert if cert is given and not SSL_server
* support alternative CRL file with SSL_crl_file thanks to patch of
w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
* make t/memleak_bad_handshake.t more stable (increase listen queue,
ignore errors on connect, don't run on windows..)
* t/memleak_bad_handshake.t don't write errors with ps to stderr,
-o vsize argument is not supported on all platforms, just skip
test then
* make sure that idn_to_ascii gets no \0 bytes from identity, because
it simply cuts the string there (using C semantics). Not really a
security problem because IDN like identity is provided by user in
hostname, not by certificate.
* fix test t/memleak_bad_handshake.t
* fixed thanks for version 1.28
* fix memleak when SSL handshake failed.
Sun Jan 10 13:00:00 2010 jengelh@medozas.de
- enable parallel build
Mon Aug 3 14:00:00 2009 anicka@suse.cz
- update to 1.27
* changed possible locale/utf-8 dependent \w in some regex against more
explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service
names can't have '-' inside
* fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
While there made it more aware of errors in Net::ssl_write_all (return
undef not 0 in generic_write)
* SECURITY BUGFIX!
fix Bug in verify_hostname_of_cert where it matched only the prefix for
the hostname when no wildcard was given, e.g. www.example.org matched
against a certificate with name www.exam in it
Thanks to MLEHMANN for reporting
* t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5
https://rt.cpan.org/Ticket/Display.html?id=47240
Mon Apr 6 14:00:00 2009 anicka@suse.cz
- update to 1.24
* add verify hostname scheme ftp, same as http
* renew test certificates again (root CA expired, now valid for
10 years)