Commit graph

109 commits

Author SHA1 Message Date
wiz
8292204475 *: recursive bump for perl 5.36 2022-06-28 11:30:51 +00:00
hubertf
208a5a20ac Fix building on Mac OS X
For details, see http://mail-index.netbsd.org/tech-pkg/2021/11/20/msg025792.html
2021-11-21 20:51:36 +00:00
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
schmonz
96ec4403de Fix build on OpenBSD with native LibreSSL with patches taken from
OpenBSD ports. NFCI on other platforms.
2021-10-16 14:02:56 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
wiz
6eae1297d5 *: recursive bump for perl 5.34 2021-05-24 19:49:01 +00:00
wiz
b3744d4be4 p5-Net-SSLeay: update to 1.90.
1.90 2021-01-21
	- New stable release incorporating all changes from developer releases
	  1.89_01 to 1.89_05.
	- Summary of major changes since version 1.88:
	  - Formalised libssl version support policy: all stable versions of OpenSSL
	    in the 0.9.8 - 1.1.1 branches (with the exception of 0.9.8 - 0.9.8b) and
	    all stable releases of LibreSSL in the 2.0 - 3.1 series are supported.
	    The LibreSSL 3.2 series is not yet fully supported because its TLSv1.3
	    implementation is not currently libssl-compatible.
	  - Added support for LibreSSL on Windows when built with Visual C++.
	  - Exposed P_X509_CRL_add_extensions, several SSL_CIPHER functions, and
	    several stack functions.
	  - Fixed crashes in the callback functions CTX_set_next_proto_select_cb and
	    CTX_set_alpn_select_cb.
	  - The test suite is now compatible with OpenSSL 1.1.1e onwards, as well as
	    OpenSSL security level 2 (the default on many Linux distributions).

1.89_05 2021-01-21
	- Expose SSL_get_ciphers. Thanks to github user dylc5190.
	- Expose SSL_CIPHER_get_version and fix SSL_CIPHER_description
	  and SSL_CIPHER_get_bits. Also fixed and enhanced
	  documentation for these and related SSL_CIPHER functions.
	- Clarify libssl version support policy: all stable versions of OpenSSL in
	  the 0.9.8 - 1.1.1 branches (with the exception of 0.9.8 - 0.9.8b) and all
	  stable releases of LibreSSL in the 2.0 - 3.1 series are supported.
	- Direct bug reports to the GitHub repository, since rt.cpan.org will shut
	  down on 2021-03-01.

1.89_04 2021-01-13
	- Fix crashes in the callback functions CTX_set_next_proto_select_cb() and
	  CTX_set_alpn_select_cb() caused by the use of a pointer returned by
	  SSL_select_next_proto() which may already have been freed under certain
	  circumstances. Fixes GH-222. Thanks to dylc5190 for the report.
	- Remove the dependency on the AES128-SHA cipher suite in the test script
	  64_ticket_sharing.t. Fixes GH-231.
	- Remove checks and warnings in Makefile.PL relating to the use of RSAref,
	  which was removed from OpenSSL in version 0.9.7.

1.89_03 2020-12-12
	- Expose the following functions:
	  - X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain
	  - sk_X509_pop, sk_X509_shift, sk_X509_unshift,
	  - sk_X509_insert, sk_X509_delete, sk_x509_value, sk_X509_num
	  Thanks to Dan Freed.
	- Correct the minimum OpenSSL version required for the following functions
	  to be made available (previously they were all declared to be present in
	  1.1.0-pre1, which caused Net::SSLeay to crash at run-time when built
	  against OpenSSL versions between 1.1.0-pre1 and 1.1.0-pre3):
	  - CTX_set_max_proto_version (added in 1.1.0-pre2)
	  - CTX_set_min_proto_version (added in 1.1.0-pre2)
	  - SESSION_up_ref (added in 1.1.0-pre4)
	  - set_max_proto_version (added in 1.1.0-pre2)
	  - set_min_proto_version (added in 1.1.0-pre2)
	- Correct the minimum OpenSSL version required for get_SSL_CTX and SSL_ctrl
	  to be made available (previously they were declared to be present from
	  0.9.8f onwards, when in reality they are available in all 0.9.8 versions).
	- Replace the PKI used by the test suite with one generated by the
	  generate-test-pki helper script. All entities in the new PKI have 2048-bit
	  RSA private keys and CSRs, certificates and CRLs with SHA-256 digests,
	  allowing the test suite to execute under OpenSSL security level 2 (now the
	  default security level for OpenSSL in many Linux distributions).
	- Initialise libssl consistently in the test suite.
	- Don't rely on the availability of specific SSL/TLS protocol versions or
	  cipher suites in the test suite; instead, dynamically select from any of
	  the available protocol versions and cipher suites permitted by libssl.
	  Fixes RT#132425. Thanks to Graham Ollis for the initial report of the test
	  suite failing on Ubuntu 20.04 with the Ubuntu-packaged OpenSSL, whose
	  configuration forbids the use of TLSv1.1 and below at run-time by default.

1.89_02 2020-08-07
	- Add support for the P_X509_CRL_add_extensions function. Thanks to
	  Manuel Mausz for the patch.
	- X509_get_subjectAltNames now knows how to return
	  GEN_RID. The returned value is an ASN OID in text format
	  with current maximum length of 2500 characters. Updated
	  t/local/33_x509_create_cert.t to use GEN_RID and all other
	  supported types with certificate request and signed
	  certificate. These relate to GitHub issue GH-149 opened by
	  s482dcaw.
	- Support for 64-bit Windows versions of OpenSSL from 1.0.0-beta1
	  through to 1.0.0b has been withdrawn due to malfunctions occurring in
	  Perl programs that use fork(). This mainly affects users of Strawberry
	  Perl x64 5.12.3.20180709, which ships with OpenSSL 1.0.0-beta4.
	  Affected users should build Net-SSLeay against OpenSSL 1.0.0c or
	  above; users of Strawberry Perl x64 5.12.3.20180709 may instead find
	  it easier to upgrade to Strawberry Perl x64 5.14.4.1 or above. See
	  https://github.com/radiator-software/p5-net-ssleay/issues/189 for more
	  information.

1.89_01 2020-03-22
	- Fix the repository URL in Makefile.PL (git:// rather than git@),
	  which was preventing it from being added to META.json. Thanks to
	  Dan Book.
	- When building Net-SSLeay, exit if an OpenSSL executable cannot be
	  found in PATH. Fixes RT#131060. Thanks to Nigel Horne for the report.
	- Remove non-OCSP external tests, many of which unnecessarily duplicate
	  local tests or fail for reasons outside of our control. Fixes
	  RT#129542. Thanks to Andreas Vögele for the bug report that
	  ultimately led to this change.
	- Add support for LibreSSL on Windows when built with Visual C++.
	  Thanks to Graham Ollis for the patch.
	- In SSL_CTX_free() and SSL_free(), clean callback-related data from
	  the global hash after freeing ctx, not before. This allows callbacks
	  to be executed during freeing. Thanks to Steffen Ullrich for the
	  patch.
	- t/local/07_sslecho.t started failing with OpenSSL 1.1.1e. Updated
	  the test file with missing calls to Net::SSLeay::shutdown(). Also
	  added one call in SSLeay.pm sslcat() function. Enabling SSLeay trace
	  level 3 showed 'unexpected eof while reading' errors which were added
	  to OpenSSL with commit db943f43. This fixes GitHub issue GH-160
	  reported by Brett T. Warden.
	- t/local/01_pod.t now requires Test::Pod 1.41 to work with Pod syntax
	  used with Net::SSLeay 1.88 and later. This fixes GitHub issue GH-147
	  reported by Ulrik Haugen.
2021-04-27 12:17:13 +00:00
wiz
00da7815c0 *: bump PKGREVISION for perl-5.32. 2020-08-31 18:06:29 +00:00
nia
35b5c220e3 p5-Net-SSLeay: Update to 1.88
1.88 2019-05-10
	- New stable release incorporating all changes from developer
	  releases 1.86_01 to 1.86_11.
	- From this release, Net-SSLeay is switching to an "odd/even"
	  developer/stable release version numbering system, like that of
	  many core modules (e.g. ExtUtils::MakeMaker): developer releases
	  will have an odd minor version number (and the usual "_xx" suffix),
	  and stable releases will have an even minor version number. This
	  means there is no Net-SSLeay 1.87.
	- Summary of major changes since version 1.85:
	  - Mike McCauley has stepped down as maintainer. The new maintainers
	    are Chris Novakovic, Heikki Vatiainen and Tuure Vartiainen.
	  - The source code has moved from the now-defunct Debian Subversion
	    server (alioth.debian.org) to GitHub
	    (https://github.com/radiator-software/p5-net-ssleay).
	  - Net-SSLeay is provided under the terms of the Artistic License
	    2.0 - this has been the case since version 1.66, but references
	    to other licenses remained in the source code, causing ambiguity.
	  - Perl 5.8.1 or newer is now required to use Net-SSLeay. This has
	    already been the case for some time in practice, as the test
	    suite hasn't fully passed on Perl 5.6 for several years.
	  - Much-improved compatibility with OpenSSL 1.1.1, and improved
	    support for TLS 1.3.
	  - Fixed a long-standing bug in cb_data_advanced_put() that caused
	    memory leaks when callbacks were frequently added and removed.
	  - Support in the test suite for "hardened" OpenSSL configurations
	    that set a default security level of 2 or higher (e.g., in the
	    OpenSSL packages that ship with recent versions of Debian, Fedora
	    and Ubuntu).
2020-03-22 21:15:30 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
szptvlfn
f235633419 BUILD_DEPENDS -> TEST_DEPENDS 2019-10-14 12:54:23 +00:00
wiz
84e123ddd2 Bump PKGREVISIONs for perl 5.30.0 2019-08-11 13:17:48 +00:00
nia
d5c846b3af Update packages using a search.cpan.org HOMEPAGE to metacpan.org.
The former now redirects to the latter.

This covers the most simple cases where http://search.cpan.org/dist/name
can be changed to https://metacpan.org/release/name.

Reviewed by hand to hopefully make sure no unwanted changes sneak in.
2019-06-30 20:14:13 +00:00
wiz
93b46879c7 Recursive bump for perl5-5.28.0 2018-08-22 09:43:40 +00:00
wiz
d16a80e1ea p5-Net-SSLeay: update to 1.85.
1.85 2018-03-14
	Preparations for transferring maintenance to a new maintainer
	Fixed test failure in t/local/33_x509_create_cert.t for some version of OpenSSL.
	Fixed free() error that causes "Free to wrong pool ..." message on Windows.
	Reported and patched by Steffen Ullrich.
2018-03-14 07:56:50 +00:00
wiz
8408a2413f p5-Net-SSLeay: switch TEST_DEPENDS back to BUILD_DEPENDS
In pbulk with PKGSRC_RUN_TESTS, test dependencies are not installed
but expected.
2018-01-19 09:44:36 +00:00
wiz
48f3fc592b p5-Net-SSLeay: update to 1.84.
Use TEST_DEPENDS.

1.84 2018-01-17
	Fixed an error in t/local/04_basic.t causing a test failure if
	Test::Exception not installed. Reported by Joel Berger.

1.83 2018-01-16
	Fixed a problem with exporting OPENSSL_NO_NEXTPROTONEG even though they are not available on LibreSSL.
	Patch patch-SSLeay_xs-NO_NPN from Alexander Bluhm.
	Patch from Heikki Vatiainen adds support for SSL_set_default_passwd_cb* for
	OpenSSL 1.1.0f and later. LibreSSL does not support these functions, at
	least yet.
	Patch from Heikki Vatiainen adds new functions related to SSL_CTX_new.
	Patch from Heikki Vatiainen adds two new functions introduced in OpenSSL 1.1.0, a number
	of constants and a couple of const qualifiers to SSLeay.xs. Tests and
	documentation .pod were also updated.
	Patch from Heikki Vatiainen adds one new OpenSSL 1.1.0 function and has a minor fix for
	LibreSSL version detection:
	*   Added support for SSL_use_certificate_chain_file
     	function introduced in OpenSSL 1.1.0.
	*   Fixed LibreSSL version detection to correctly parse
     	LibreSSL minor version.
	Patch from Steffen Ulrich to fix memory leaks in OCSP handling. Thanks.
	Patch from Heikki Vatiainen adds new functions for certificate verification introduced in
	OpenSSL 1.02, a number of constants, new test data files, new tests and
	updates to .pod documentation.
	The new functions provide access to the built-in wildcard check
	functionality available in OpenSSL 1.0.2 and later.
	The patch also adds new tests for the new functions and updates some of
	the current tests for CTX_set_default_passwd_cb* functions.
	Added X509_STORE_CTX_new and X509_verify_cert.
	SSL_OCSP_response_verify now clears the error queue if OCSP_basic_verify fails but the
	intermediate certificate succeeds. Patch from Stefan Ullrich.
2018-01-17 08:52:51 +00:00
wiz
ceb650d278 p5-Net-SSLeay: update to 1.82.
1.82 2017-10-31
	Added support for building under Linuxbrew (a linuxbrew version of MacOS Homebrew)
	Patch from Matthew Altus, that implements SSL_CTX_set_psk_client_callback() and SSL_set_psk_client_callback().
	Patch to build with LibreSSL has no support for NPN
	Also skip the NPN test if the SSL library is LibreSSL.
	Fixed a problem with a variable declaration in ssleay_session_secret_cb_invoke reported by Graham Ollis.
	Significant patch set from Open System Consultants:
	- Bugfix: tlsext_status_cb_invoke(...): free ocsp_response only when allocated.
 	- The same callback is used on a server side for OCSP stapling and in that
  	 case ocsp_response is NULL and not used.
	 - New feature: Added a binding SSL_set_session_ticket_ext_cb(ssl,callback,data)
	 - A callback used by EAP-FAST/EAP-TEAP to parse and process TLS session ticket.
	 - Tests are in t/local/65_ticket_sharing_2.t
	 - New feature: Added a binding SSL_set_session_ticket_ext(ssl,ticket)
	 - Used by EAP-FAST/EAP-TEAP to define TLS session ticket value.
	 - Tests are in t/local/65_ticket_sharing_2.t
	 - Bugfix: tlsext_ticket_key_cb_invoke(...): allow SHA256 HMAC key to be 32 bytes
	 instead of 16 bytes (which OpenSSL will pad with zeros up to 32 bytes).
	 - New feature: Added following bindings:
	 - X509_get_ex_data(cert,idx)
	 - X509_get_ex_new_index(argl,argp,new_func,dup_funL,free_func)
	 - X509_get_app_data(cert)
	 - X509_set_ex_data(cert,idx,data)
	 - X509_set_app_data(cert,arg)
	 - X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
	 - X509_STORE_CTX_get_app_data(x509_store_ctx)
	 - X509_STORE_CTX_set_app_data(x509_store_ctx,arg)
	 - New feature: Added an implementation for SSL_get_finished(ssl,buf,count=2*EVP_MAX_MD_SIZE)
	 - Tests are in t/local/43_misc_functions.t
	 - New feature: Added an implementation for SSL_get_peer_finished(ssl,buf,count=2*EVP_MAX_MD_SIZE)
	 - Tests are in t/local/43_misc_functions.t
	 - Bugfix: SSL_get_keyblock_size(s): Calculate key block size correctly also with AEAD ciphers
	 which don’t use digest functions.
	 - New feature: Added a binding SSL_set_tlsext_status_ocsp_resp(ssl,staple)
	 - Used by a server side to include OCSP staple in ServerHello.
	 - Bugfix: SSL_OCSP_response_verify(ssl,rsp,svreq,flags): check that chain and last are not NULL
	 before trying to use them.
	 - Bugfix: inc/Module/Install/PRIVATE/Net/SSLeay.pm: Don’t quote include and lib paths.
2017-11-08 21:08:48 +00:00
ryoon
543e538acd Recursive revbump from lang/perl5 5.26.0 2017-06-05 14:24:20 +00:00
wiz
f91f06ee66 Updated p5-Net-SSLeay to 1.81.
1.81
	Patch from Alexander Bluhm to enable RSA_get_key_parameters with
	LibreSSL. Again.
	Fixed memory leak in X509_get_subjectAltNames. Reported and patched by Jim Westfall.
	Added . to lib path in Makefile.PL to accommodate people who are using a perl with -Ddefault_inc_excludes_dot.
	Fixed build failure if engine support not present. Patch from Paul Green.
	Improvements to  get_my_thread_id to work around possibility of ERRSV not being defined eg on OpenWRT.
2017-04-05 15:31:16 +00:00
wiz
a46552dcac Updated p5-Net-SSLeay to 1.80.
1.80	 2017-01-05
	 Patch from Steffen Ulrich that fixed unexpected changes in the
	 control flow of the Perl program which seemed to be triggered by the
	 ticket key callback. Thanks Steffen.
2017-01-16 09:38:45 +00:00
wiz
a7c115d37d Updated p5-Net-SSLeay to 1.79.
1.79	 2017-01-03
	Patch to fix a few inline variable declarations that cause errors for
	older compilers. From Andy Grundman. Thanks.
	Patch: Generated C code is not compatible with MSVC, AIX cc,
	probably others. Added some PREINIT blocks and replaced 2 cases of INIT with
	PREINIT. From Andy Grundman. Thanks.
	Patch to fix: Fails to compile if the OpenSSL library it's built
	against has compression support compiled out. From Stephan
	Wall. Thanks.
	Added RSA_get_key_parameters() to return a list of pointers to RSA key
	internals.
	Patch to fix some documentation typos courtesy gregor herrmann.
	RSA_get_key_parameters() is now only available prior to OpenSSL 1.1.
	Testing with openssl-1.1.0b.
2017-01-04 14:49:07 +00:00
wiz
70311913e9 Updated p5-Net-SSLeay to 1.78.
1.78	 2016-08-13
	 Fixed broken OCSP code and tests. Broken since 1.75. Patched by
	 Steffen Ullrich. Thanks.
2016-08-19 15:29:45 +00:00
wiz
c5f0209ec1 Updated p5-Net-SSLeay to 1.77.
1.77	 2016-08-01
	 Fixed incorrect size to memset in tlsext_ticket_key_cb_invoke.

1.76	 2016-07-31
	 Replaced bzero with memset. Bzero not present on windows.
2016-08-03 09:05:48 +00:00
wiz
933068cb09 Updated p5-Net-SSLeay to 1.75.
1.75  2016-07-31
     Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5:
     - Conditionally remove threading locking code, not needed in 1.1
     - Rewrite code that accesses inside X509_ATTRIBUTE struct.
     - SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa,
       SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support
       not available in 1.1.
     - SSL_session_reused is now native
     - SSL_get_keyblock_size modified to use new API
     - OCSP functions modified to use new API under 1.1
     - SSL_set_state removed with 1.1
     - SSL_get_state and SSL_state are now equivalent and available in all
       versions
     - SSL_CTX_v2_new removed
     - SESSION_set_master_key removed with 1.1. Code that previously used
       SESSION_set_master_key must now set $secret in the session_secret
       callback set with SSL_set_session_secret_cb
     - With 1.1, $secret in the session_secret
       callback set with SSL_set_session_secret_cb can be changed to alter
       the master key (required by EAP-FAST).
     Added a function EC_KEY_generate_key similar to RSA_generate_key and a
     function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using
     these functions it is easy to create and use EC keys in the same way as
     RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen.
     Testing with LibreSSL 2.4.1, with compatibility patch from Steffen
     Ullrich. Thanks Steffen.
     Patch from Steffen Ulrich provides  support for cross context (and cross process)
     session sharing using the stateless TLS session tickets. It uses the
     SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and
     decryption of the tickets but provides a more simplified
     interface. Includes new function CTX_set_tlsext_ticket_getkey_cb.
     To not conflict with the OpenSSL name in case the more complex interface
     will be implemented ever the current simplified interface is called
     slightly different: CTX_set_tlsext_ticket_*get*key_cb.
     Added documentation about downloading latest version from SVN.
     Added missing Module/install files to SVN.
2016-08-01 10:28:19 +00:00
wiz
86a78fce2e Bump PKGREVISION for perl-5.24. 2016-06-08 19:22:13 +00:00
wiz
1d93b50272 Update p5-Net-SSLeay to 1.74.
1.74 2016-04-12
     README.OSX was missing from the distribution

1.73 2016-04-11
     Added X509_get_X509_PUBKEY. Patch supplied by GUILHEM. Thanks.
     Added README.OSX with instructions on how to build for recent OS X.
     Added info about using OPENSSL_PREFIX to README.Win32.
     Added comments in POD about installation documentation.
     Added '/usr/local/opt/openssl/bin/openssl' to Openssl search path for
     latest version of  OSX homebrew openssl. Patch from Shoichi Kaji.
2016-04-13 18:30:41 +00:00
jperkin
17661ff9a5 Bump PKGREVISION for security/openssl ABI bump. 2016-03-05 11:27:40 +00:00
agc
5293710fb4 Add SHA512 digests for distfiles for security category
Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:17:40 +00:00
wiz
08c8114f3f Update to 1.72:
1.72 2015-09-22
     Fixed a problem where SvPVx_nolen was undefined in some versions of
     perl. Reported by Karen Etheridge. Replaced with SvPV_nolen.
     Fixed a cast warning on Darwin reported by Karen Etheridge.

1.71 2015-09-18
     Patch from Ben Kaduk: Conditionalise support for MD4, MD5.
     Added support for linking libraries in /usr/local/lib64 for some flavours
     of Linux like RH Tikanga.
     Fixes to X509_check_host, X509_check_ip, SSL_CTX_set_alpn_protos, and
     SSL_set_alpn_protos so they will compile on MSVC and AIX cc. Thanks to
     AGRUNDMA.
     Fixed typos in documentation for X509_NAME_new and X509_NAME_hash
     incorrect version 1.45 instead of 1.55 given.
     Version number in META.yml is now quoted per request from Satoshi Yagi.
2015-09-30 20:19:19 +00:00
wiz
804d6aba36 Remove
PERL5_MODULE_TYPE=     Module::Install::Bundled
in the hope it fixes PR 50254.

While here, remove API depends line that's lower than what's in
openssl/bl3.mk.
2015-09-18 09:37:07 +00:00
wiz
40bbad7ac6 Comment out dependencies of the style
{perl>=5.16.6,p5-ExtUtils-ParseXS>=3.15}:../../devel/p5-ExtUtils-ParseXS
since pkgsrc enforces the newest perl version anyway, so they
should always pick perl, but sometimes (pkg_add) don't due to the
design of the {,} syntax.

No effective change for the above reason.

Ok joerg
2015-07-12 18:56:06 +00:00
wiz
370d4f4784 Update to 1.70:
1.70 2015-06-26
     Patch from Alexander Bluhm: The new OpenSSL 1.0.2 X509_check_* functions are not available in
     current LibreSSL.  So disable them in SSLeay.xs.
     Fixed a problem with building against OSX homebrew's openssl. Patch from
     Shoichi Kaji.
     Removed a test in t/local/33_x509_create_cert.t which fails due to
     changes in 1.0.1n and later
2015-06-30 11:02:27 +00:00
wiz
2e65d464e8 Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending on such a package,
for perl-5.22.0.
2015-06-12 10:50:58 +00:00
wiz
23b77f124e Update to 1.69:
1.69 2015-06-04
     Testing with OpenSSL 1.0.2, 1.0.2a. OK.
     Completed LibreSSL compatibility with the kind assistance of Alexander
     Bluhm.
     Improved compatibility with OpenSSL 1.0.2a as suggested by Petr Pisar.
     Added the X509_check_* functions introduced in OpenSSL 1.0.2, contributed
     by Carsten Gaebler.
     Added support for X509_V_FLAG_TRUSTED_FIRST constant, patch from Gisle Aas.
     Patch allows get_keyblock_size to work correctly with
     OpenSSL 1.0.1 and later versions. Contributed by Heikki Vatiainen.
2015-06-07 08:13:50 +00:00
wiz
f14da50ce3 Update to 1.68:
1.68 2015-01-24
     Fixed a problem on OSX when macports openssl 1.x is installed: headers from
     macport were found but older OSX openssl libraries were linked, resulting
     in "Symbol not found: _EVP_MD_do_all_sorted".
     Added notes about runtime error "no OPENSSL_Applink", when calling
     Net::SSLeay::P_PKCS12_load_file.
2015-01-25 11:58:41 +00:00
wiz
906c52359f Update to 1.67:
1.67 2015-01-17
     Improvements to inc/Module/Install/PRIVATE/Net/SSLeay.pm to handle the
     case when there are multiple OPENSSLs installed. Patch from HBRAND
     Fixed a documentation error in get_peer_cert_chain, reported by tejas.
     Fixed a problem with building on Windows that prevented correct OpenSSL
     directory detection with version 1.0.1j as delivered with Shining Light OpenSSL.
     Fixed a problem with building on Windows that prevented finding MT or MD
     versions of SSL libraries.
     Updated doc in README.Win32 to build with Microsoft Visual Studio 2010 Express.
     Added Windows crypt32 library to Windows linking as some compilers/platforms seem to
     require it and it is innocuous otherwise. For Steve Hay.
     Fixed a failure in t/external/20_cert_chain.t where some platforms do not
     have HTTPS in /etc/services. Reported and patched by Gisle Aas.
     Recent 1.0.2 betas have dropped the SSLv3_method function.
     This patch leaves out the function on newer versions, much the same as
     the SSLv2 deprecation is handled. Patch from Tom Molesworth.
     Fix the ALPN test, which was incorrectly failing on OpenSSL due to the
     LibreSSL check (earlier versions bailed out before that line). Patch from
     Tom Molesworth.
2015-01-18 18:56:43 +00:00
wiz
cda18437be Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles. 2014-10-09 14:05:50 +00:00
wiz
e8647fedbb Remove SVR4_PKGNAME, per discussion on tech-pkg. 2014-10-09 13:44:32 +00:00
wiz
e84ca8712b Update to 1.66:
1.66 2014-08-21
     Fixed compile problem with perl prior to 5.8.8, similar to
     RT#76267. Reported by Graham Knop.
     Fixed a problem with Socket::IPPROTO_TCP on early perls.
     After discussions with the community and the original author Sampo
     Kellomaki, the license conditions have been changed to "Perl Artistic
     License 2.0".


1.65  2014-07-14
     Added note to doc to make it clear that X509_get_subjectAltNames returns a
     packed binary IP address for type 7 - GEN_IPADD.
     Improvements to SSL_OCSP_response_verify to compile under non c99
     compilers. Requested by MERIJNB.
     Port to Android, contributed by Brian Fraser. Includes Android specific
     version of RSA_generate_key.
     Added LibreSSL support, patch provided by Alexander Bluhm. Thanks!
     Patch that fixes the support for SSL_set_info_callback and adds
     SSL_CTX_set_info_callback and SSL_set_state. Support for these functions is
     necessary to either detect renegotiation or to enforce
     renegotiation. Contributed by Steffen Ullrich. Thanks!
     Fixed a problem with SSL_set_state not available on some early OpenSSLs,
     patched by Steffen Ullrich. Thanks!
     Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and
     http_cat().
     Removed unnecessary Debian_SPANTS.txt from MANIFEST. Again.

1.64 2014-06-11
     Fixes for test ocsp.t. Test now does not fail if HTTP::Tiny is not
     installed.
     Fixed repository in META.yml.
     Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake
     results in an anonymous authentication, like ADH-DES-CBC3-SHA,
     get_peer_cert_chain will not return an empty list, but instead return the
     SSL object. Reported and fixed by Steffen
     Ullrich. Thanks.
     Fixed a problem where patch
     https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431
     caused a failed test in t/local/33_x509_create_cert.t.
2014-09-06 12:07:20 +00:00
schmonz
76b7311d83 Update to 1.63. From the changelog:
* Fixed error in version number in META.yml
* Improvements to OCSP support: It turns out that some CA (like
  Verisign) sign the OCSP response with the CA we have in the trust
  store and don't attach this certificate in the response. But OpenSSL
  by itself only considers the certificates included in the response
  and SSL_OCSP_response_verify added the certificates in the chain
  too. Now, we also add the trusted CA from the store which signed
  the lowest chain certificate, at least if we could not verify the
  OCSP response without doing it. Patch from Steffen Ullrich. Thanks.
* Fixed some compiler warnings.
2014-06-09 19:49:45 +00:00
wiz
7eeb51b534 Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
2014-05-29 23:35:13 +00:00
wiz
c9f1929379 Update to 1.61 and set LICENSE.
1.61 2014-05-12
     Changes calloc to Newx and free to Safefree, otherwise there might be
     problems because calloc is done from a different memory pool than free (depends
     on the build options for perl, but seen on Windows). Patch from Steffen
     Ullrich. Thanks.

1.60 2014-05-10
     Fixed a typo in an error message. Patch from gregor herrmann. Thanks.
     Fixed a problem with building with openssl that does not support
     OCSP. Also fixed some newly introduced warnings
     if compiled with -Wall. Patch from Steffen Ullrich. Thanks.
     fix build-failure on most Debian architectures:
     SSLeay.xs: In function 'XS_Net__SSLeay_OCSP_response_results':
     SSLeay.xs:5602:3: error: format not a string literal and no format
     arguments. Patch from  gregor herrmann.

1.59 2014-05-10
     Fixed local/30_error.t, so that tests do not fail if diagnostics are
     enabled.
     Fixed error messages about undefined strings used with length or
     split. Reported and patched by Peter Heuchert.
     Improvements to configuration of OPTIMIZE flags, to prevent overriding
     of perl's expected optimization flags. Caution: HPUX aCC optimize options are special.
     SSL_peek() now returns openssl error code as second item when called in
     array context, same as SSL_read. Patch from Andreas Mohr.
     Fixed some warnings.
     Added support for tlsv1.1 tlsv1.2 via $Net::SSLeay::ssl_version. Patch
     from Andreas Mohr.
     Improve examples in 'Using other perl modules based on
     Net::SSLeay'. Patched by Andreas Mohr.
     Added support for OCSP. Patched by Steffen Ullrich. Thanks!
     Added missing t/external/ocsp.t
2014-05-15 10:00:17 +00:00
sno
a0dc0cd148 Updating package for Perl5 module Net::SSLeay in CPAN in
security/p5-Net-SSLeay from 1.55nb1 to 1.58.

Upstream changes:
1.58 2014-01-15
     Always use size_t for strlen() return value, requested by Alexander Bluhm.
     t/external/20_cert_chain.t was missing from dist.
     Version number in META.yml was incorrect
     Improvements to test t/external/20_cert_chain.t to provoke following bug:
     Fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain
     after use.
     Fixed a problem when compiling against openssl where OPENSSL_NO_EC is set.

1.57 2014-01-09
     Fixed remaining problems with test suite: pod coverage and kwalitee tests
     are only enabled with RELEASE_TESTING=1

1.56 2014-01-08
     Fixed a typo in documentation of BEAST Attack, patched by gregor
     herrmann.
     Added LICENSE file copied from OpenSSL distribution to prevent complaints
     from various versions of kwalitee.
     Adjusted license: in META.yml to be 'openssl'
     Adds support for the basic operations necessary to support ECDH for PFS,
     e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh.
     Improvements to t/handle/external/50_external.t to handle the case when a
     test connection was not possible. Patched by Alexandr Ciornii.
     Added support for ALPN TLS extension. Patch from Lubomir Rintel. Tested
     with openssl-1.0.2-stable-SNAP-20131205.
     Fix a use-after-free error. Patch from Lubomir Rintel.
     Fixed a problem with  Invalid comparison on OBJ_cmp result in
     t/local/36_verify.t. Contributed by paul.
     Added support for get_peer_cert_chain(). Patch by Markus Benning.
     Fixed a bug that could cause stack faults: mixed up PUTBACK with SPAGAIN
     in ssleay_RSA_generate_key_cb_invoke()
     a final PUTBACK is needed here. A second issue is also fixed:
     cb->data defaults to &PL_sv_undef but throughout the code you do not check
     against &PL_sv_undef, just NULL.
     To avoid passing the 3rd optional arg at all, do not create it. This fixes all the
     cb->data checks and wrong refcounts on &PL_sv_undef. Patched by Reini Urban.
     Deleted support for SSL_get_tlsa_record_byname: it is not included in
     OpenSSL git master.
2014-02-16 12:07:30 +00:00
tron
c64e9eb269 Recursive PKGREVISION bump for OpenSSL API version bump. 2014-02-12 23:18:26 +00:00
wiz
2162d4d676 Update to 1.55:
1.55 2013-06-08
     Added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(),
     SSL_CTX_tlsv1_2_new(), TLSv1_1_method() and TLSv1_2_method(), where
     available in the underlying openssl.
     Added CRL support functions X509_CRL_get_ext(), X509_CRL_get_ext_by_NID(),
     X509_CRL_get_ext_count(). Patch from Franck Youssef.
     Fixed a problem which could cause content with a value of '0' to not be
     correctly encoded by do_httpx3 and friends. Reported by Victor Efimov via
     RT.
     Added support for SSL_get_tlsa_record_byname() required for DANE support in
     openssl-1.0.2 and later. SSL_get_tlsa_record_byname() was added to
     OpenSSL with the financial assistance of .SE.
     Testing with openssl-1.0.2-stable-SNAP-20130521.
     Added X509_NAME_new and X509_NAME_hash, patched by Franck Youssef.
2013-09-05 19:36:39 +00:00
wiz
d2ca14a3f1 Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.
2013-05-31 12:39:57 +00:00
hiramatsu
fc3e5a07b9 Update Net-SSLeay to 1.54.
Changes from previous:
----------------------
1.54 2013-03-23
     t/data/testcert_cdp.crt.pem_dump and t/data/testcert_cdp.crt.pem were
     missing from MANIFEST.
     Added MANIFEST to svn
     Improvement to test 07_sslecho.t so that if set_cert_and_key fails we
     can tell why.

1.53 2013-03-22
     Added support for SSL_export_keying_material where present (ie in OpenSSL
     1.0.1 and later).
     Changed t/handle/external/50_external.t to use www.airspayce.com instead of
     perldition.org, who no longer have an https server.
     Patch to fix a crash: P_X509_get_crl_distribution_points on an
     X509 certificate with values in the CDP extension which do not have an
     ia5 string will cause a segmentation fault when accessed. Patch from
     Robert Duncan.
     Change in t/local/32_x509_get_cert_info.t to not use
     Net::SSLeay::ASN1_INTEGER_get, since it works differently on 32 and 64 bit platforms.
     Updated author and distribution location details to airspayce.com

1.52 2013-01-09
     Rebuild package with gnu format tar, to prevent problems with unpacking
     on other systems such as old Solaris.

1.51 2012-12-14
     Fixed a problem where SSL_set_SSL_CTX is not available with
     OpenSSL < 0.9.8f. Reported by Paul.

1.50 2012-12-13
     Fixed a problem where t/handle/external/50_external.t would crash if any
     of the test sites were not contactable.
     Now builds on VMS. Patch kindly supplied by Craig A. Berry.
     Fixed a few compiler warnings in SSLeay.xs.  Most of them
     are just signed/unsigned pointer mismatches but there is one that actually
     fixes returning what would be an arbitrary value off the stack from
     get_my_thread_id if it happened to be called in a non-threaded build.
     Patch kindly supplied by Craig A. Berry.
     Added README.VMS, contributed by Craig A. Berry.
     Added SSL_set_tlsext_host_name, SSL_get_servername,
     SSL_get_servername_type, SSL_CTX_set_tlsext_servername_callback for
     server side Server Name Indication (SNI) support. Patched by kmx.
     Further mods for VMS building supplied by Craig A. Berry.
     Fixed a problem with C++ comments preventing builds on AIX and
     HPUX. Patched by Gisle Aas.
     perdition.org not available for tests, changed to www.airspayce.com
     Added SSL_FIPS_mode_set
     Improvements to test suite so it succeeds with and without FIPS mode
     enabled. Patch supplied by Petr Pisar.
     Added documentation, warning not to pass UTF-8 data in the content
     argument to post_https. Reported by Jason Terry.
2013-04-19 07:21:48 +00:00
jperkin
becd113253 PKGREVISION bumps for the security/openssl 1.0.1d update. 2013-02-06 23:20:50 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00