All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
Upstream changes:
2.072
- add PEM_certs2file and PEM_file2certs in IO::Socket::SSL::Utils based
on idea by rovo89 in #101
- certs/*.p12 used for testing should now work with OpenSSL 3.0 too #108
- update public suffix database
2.070 2021/02/26
- changed bugtracker in Makefile.PL to github, away from obsolete rt.cpan.org
2.069 2021/01/22
- IO::Socket::Utils CERT_asHash and CERT_create now support subject and issuer
with multiple same parts (like multiple OU). In this case an array ref instead
of a scalar is used as hash value.
https://github.com/noxxi/p5-io-socket-ssl/issues/95
2.067 2020/02/14
- fix memory leak on incomplete handshake
https://github.com/noxxi/p5-io-socket-ssl/issues/92
Thanks to olegwtf
- add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers
This can decrease memory usage at the costs of more allocations
https://rt.cpan.org/Ticket/Display.html?id=129463
- more detailed error messages when loading of certificate file failed
https://github.com/noxxi/p5-io-socket-ssl/issues/89
- fix for ip_in_cn == 6 in verify_hostname scheme
https://rt.cpan.org/Ticket/Display.html?id=131384
- deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- fix warning when no ecdh support is available
- documentation update regarding use of select and TLS 1.3
- various fixes in documentation
https://github.com/noxxi/p5-io-socket-ssl/issues/91https://github.com/noxxi/p5-io-socket-ssl/issues/90https://github.com/noxxi/p5-io-socket-ssl/issues/87https://github.com/noxxi/p5-io-socket-ssl/issues/81
- stability fix t/core.t
2.066 2019/03/06
- fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
2.065 2019/03/05
- make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN. Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first
https://rt.cpan.org/Ticket/Display.html?id=128716
- prefer AES for server side cipher default since it is usually
hardware-accelerated
2.064 2019/03/04
- make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint - https://rt.cpan.org/Ticket/Display.html?id=127773
- fix t/sessions.t and improve stability of t/verify_hostname.t on windows
- use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are set
- update fingerprints for live tests
2.063 2019/03/01
- support for both RSA and ECDSA certificate on same domain
- update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (ie. more than just the
patchlevel differs).
2.062 2019/02/24
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in
the trust store be usable as full trust anchors too.
2.061 2019/02/23
- Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+.
Note that the previous (and undocumented) API for the session cache has been
changed.
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client. Needs Net::SSLeay 1.86+.
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided. Thanks to jorton[AT]redhat[DOT]com.
Needs Net::SSLeay 1.86+.
Upstream changes:
2.060 2018/09/16
- support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too)
Thanks to ppisar[AT]redhat.com for major help
see also https://rt.cpan.org/Ticket/Display.html?id=126899
TLS 1.3 support is not complete yet for session resume
2.059 2018/08/15
- fix memleak when CRL are used.
Thanks to Franz Skale for report and patch
https://rt.cpan.org/Ticket/Display.html?id=125867
- fix memleak when using stop_SSL and threads, reported by Paul Evans
https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132
2.058 2018/07/19
- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
2.057 2018/07/18
- fix memory leak which occured with explicit stop_SSL in connection with
non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867
Thanks to Paul Evans for reporting
- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting number
or callback to create serial number based on the original certificate
- new function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct value
2.056 2018/02/19
- Intercept - fix creation of serial number: base it on binary digest instead of
treating hex fingerprint as binary. Allow use of own serial numbers again.
- t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
- update PublicSuffix
2.055 2018/02/15
- use SNI also if hostname was given all-uppercase
- Utils::CERT_create - don't add authority key for issuer since Chrome does
not like this
- Intercept:
- change behavior of code based cache to better support synchronizing
within multiprocess/threaded setups
- don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- RT#124431 - better support platforms w/o IPv6
- RT#124306 - spelling fixes in documentation
2.054 2018/01/22
- added missing test certificates to MANIFEST
2.053 2018/01/21
- small behavior fixes
- if SSL_fingerprint is used and matches don't check for OCSP
- Utils::CERT_create - small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- update PublicSuffix
- updates for documentation, especially regarding pitfalls with forking or using
non-blocking sockets. Spelling fixes.
- test fixes and improvements
- stability improvements for live tests
- regenerate certificate in certs/ and make sure they are limited to the
correct purpose. Checkin program used to generate certificates.
- adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
2.052 2017/10/22
- disable NPN support if LibreSSL>=2.6.1 is detected since they've replaced the
functions with dummies instead of removing NPN completly or setting
OPENSSL_NO_NEXTPROTONEG
- t/01loadmodule.t shows more output helpful in debugging problems
- update fingerprints for extenal tests
- update documentation to make behavior of syswrite more clear
2.051 2017/09/05
- syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
https://github.com/noxxi/p5-io-socket-ssl/issues/62
2.050 2017/08/18
- removed unecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported
as is the case with openssl versions in latest Debian (buster)
2.047 2017/02/16
- better fix for problem which 2.046 tried to fix but broke LWP this way
2.046 2017/02/15
- cleanup everything in DESTROY and make sure to start with a fresh %{*self}
in configure_SSL because it can happen that a GLOB gets used again without
calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
2.045 2017/02/13
- fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects -> github pull#55
- optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
if perl is compiled w/o thread support
- small fix in t/protocol_version.t to use older versions of Net::SSLeay
with openssl build w/o SSLv3 support
- when setting SSL_keepSocketOnError to true the socket will not be closed
on fatal error. This is a modified version of
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
2.044 2017/01/26
- protect various 'eval'-based capability detections at startup with a localized
__DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
various third party software should cause less problems even if there is a
global __DIE__ handler which does not properly deal with 'eval'.
2.043 2017/01/06
- make t/session_ticket.t work with OpenSSL 1.1.0. With this version the
session does not get reused any longer if it was not properly closed which
is now done using an explicit close by the client which causes a
proper SSL_shutdown
2.042 2017/01/05
- enable session ticket callback with Net::SSLeay>=1.80
2.040 2016/12/17
- fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
2.039 2016/11/20
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
EOF without proper SSL shutdown. Since it looks like that this behavior will
be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
on SSL_ERROR_SYSCALL as EOF.
2.038 2016/09/17
- restrict session ticket callback to Net::SSLeay 1.79+ since version before
contains bug. Add test for session reuse
- extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
- fix t/external/ocsp.t to use different server (under my control) to check
OCSP stapling
Changes for 2.036 not documented.
2.035 2016/08/11
- fixes for issues introduced in 2.034
- return with error in configure_SSL if context creation failed. This
might otherwise result in an segmentation fault later.
- apply builtin defaults before any (user configurable) global settings
(i.e. done with set_defaults, set_default_context...) so that builtins
don't replace user settings
Thanks to joel[DOT]a[DOT]berger[AT]gmail[DOT]com for reporting
------------------------------------------
2.034 2016/08/08
- move handling of global SSL arguments into creation of context, so that these
get also applied when creating a context only.
2.033 2016/07/15
- support for session ticket reuse over multiple contexts and processes
(if supported by Net::SSLeay)
- small optimizations, like saving various Net::SSLeay constants into variables
and access variables instead of calling the constant sub all the time
- make t/dhe.t work with openssl 1.1.0
2.032 2016/07/12
- Set session id context only on the server side. Even if the documentation for
SSL_CTX_set_session_id_context makes clear that this function is server side
only it actually affects hndling of session reuse on the client side too and
can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
different context" at the client.
2.031 2016/07/08
- fix for bug in session handling introduced in 2.031, RT#115975
Thanks to paul[AT]city-fan[DOT]org for reporting
2.030 2016/07/08
- Utils::CERT_create - don't add given extensions again if they were already
added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice.
- assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does.
- support for creating ECC keys in Utils once supported by Net::SSLeay
- remove internal sub session_cache and access cache directly (faster)
2.029 2016/07/26
- fix del_session method in case a single item was in the cache
- use SSL_session_key as the real key for the cache and not some derivate of it,
so that it works to remove the entry using the same key
2.028 2016/07/26
- add del_session method to session cache
2.027 2016/04/20
- only added Changes for 2.026
2.026 2016/04/20
- update default server and client ciphers based on recommendation of
Mozilla and what the current browsers use. Notably this finally disables
RC4 for the client (was disabled for server long ago) and adds CHACHA20.
2.025 2016/04/04
- Resolved memleak if SSL_crl_file was used: RT#113257, RT#113530
Thanks to avi[DOT]maslati[AT]forescout[DOT]com and
mark[DOT]kurman[AT]gmail[DOT]com for reporting the problem
2.024 2016/02/06
- Work around issue where the connect fails on systems having only a loopback
interface and where IO::Socket::IP is used as super class (default when
available). Since IO::Socket::IP sets AI_ADDRCONFIG by default connect to
localhost would fail on this systems. This happened at least for the tests,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
Workaround is to explicitely set GetAddrInfoFlags to 0 if no GetAddrInfoFlags
is set but the Family/Domain is given. In this case AI_ADDRCONFIG would not
be useful anyway but would cause at most harm.
---------------
2.023 2016/01/30
- OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection
was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9).
This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying)
which caused an endless loop. It will now ignore this result in case the TLS
connection was not yet established and consider the TLS connection closed
instead.
2.022 2015/12/10
- fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash.
Thanks to Mark.Martinec[AT]ijs[DOT]si for reporting in #110253
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
2.020 2015/09/20
- support multiple directories in SSL_ca_path as proposed in RT#106711
by dr1027[AT]evocat[DOT]ne. Directories can be given as array or as string
with a path separator, see documentation.
- typos fixed thanks to jwilk https://github.com/noxxi/p5-io-socket-ssl/pull/34
---------------
2.019 2015/09/01
- work around different behavior of getnameinfo from Socket and Socket6 by
using a different wrapper depending on which module I use for IPv6.
Thanks to bluhm for reporting.
2.017 2015/08/24
- checks for readability of files/dirs for certificates and CA no longer use
-r because this is not safe when ACLs are used. Thanks to BBYRD, RT#106295
- new method sock_certificate similar to peer_certificate based on idea of
Paul Evans, RT#105733
- get_fingerprint can now take optional certificate as argument and compute
the fingerprint of it. Useful in connection with sock_certificate.
- check for both EWOULDBLOCK and EAGAIN since these codes are different on
some platforms. Thanks to Andy Grundman, RT#106573
- enforce default verification scheme if none was specified, i.e. no longer
just warn but accept. If really no verification is wanted a scheme of
'none' must be explicitely specified.
- support different cipher suites per SNI hosts
2.016 2015/06/02
- add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
(since 1.02) and available with Net::SSLeay. RT#104759 (thanks GAAS)
- work around hanging prompt() with older perl in Makefile.PL RT#104731
- make t/memleak_bad_handshake.t work on cygwin and other systems having
/proc/pid/statm, see RT#104659
- add better debugging based on patch from H.Merijn Brand
2.014 2015/05/13
- work around problem with IO::Socket::INET6 on windows, by explicitly using
Domain AF_INET in the tests.
Fixes RT#104226 reported by CHORNY
