to match those of ucspi-tcp6 1.11.6, so:
- Fixed problem for sslserver binding to local IPv4 addresses. Improved
selection of IP addresses given the user flags -4/-6 and none.
- Improved sslclient's binding given several hostnames available in DNS.
Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.
- Fixed iopause return value evaluation in remoteinfo.c.
- Removed return call evaluation of iopause in ssl_io.c and ssl_timeout.c.
Not clear whether this is a result of the polling.
- Adopted some fixes contributed by Alan S. (mtx):
DNS IP Name qualification; X.509 DNS name matching; certs are only
read on demand.
- Support of STARTTLS in sslclient is postponed to next minor version.
- Straightened error codes and exiting for sslserver/sslhandle instead of
dropping the session in case of errors.
- Added compatibility with fehQlibs-13.
- Fixed wrong behavior of sslserver/sslclient given a local or remote
IPv4 address. sslhandle is now its own program (man sslhandle.3).
- Code streamlined with ucspi-tcp6-1.11.0.
- Removed parenthesis from host in https@: [$host]:$port -> $host:port.
Tx, A.E.
- Fixed TLSv1* macro names in ucspissl.h to match ssl_context.c.
- Clarified usage of 'SSL_CTX_set_ciphersuites()' in ssl_ciphers.c.
- Fixed potential stack corruption in sslclient/sslhandle/sslserver
while assigning hostname => 0.
- Improved OpenSSL + LibreSSL compatibility:
- LibreSSL 2.5 to 2.9 is working
- OpenSSL 1.0.2 to 1.1.1 is working
- Added SNI for sslclient.
- Fixes for sslhandle.
- Included new CIPHERLIST API for ssl_ciphers.
- Removed dependency on conf-tcpbin; modules are expected to be
in the path.
- Modules rts.base and rts.sslperl are working now.
- Fixed broken evaluation of CIDR and IPv6 addresses;
adjusted with ucspi-tcp6-1.10.5.
- Improved compatibility with LibreSSL and included description.
- Added dualstack handling for servers applying the
pseudo IP address ':0' on call (common now for all servers).
- Tailored TLS error handling for EAGAIN and error codes.
- Rewrote IPv4 CIDR address evaluation for rules.
- Complete refurbish based on fehQlibs.
- Native handling of IPv4/IPv6 address for sslclient.
- Added experimental 'ecdhparam' file.
- Removed experimental 'ecdhparam' handling -- OpenSSL does not support it.
- Finished TLS 1.3 integration (based on OpenSSL 1.1.1).
- Removed compiler flags for ECDH -- now required.
- fehQlibs-09 based.
- Added `correct` pid display in error log.
- Fixed cosmetic bug in sslserver displaying parent and not child pid in log.
Tx Bruce Guenter.
pkgsrc changes:
- Adjust path to OpenSSL certs
- Install the provided example DH params
- Look for /etc/dnsrewrite under PKG_SYSCONFBASE
- Create a user and group for privilege separation
- Install manpages and more documentation
- Included PID in sslserver + sslhandle abend logs in case of SSL failure.
- Removed references to 'gcc' and used 'cc' instead.
- New build with better error log for ssl abends.
Included ucspi-ssl-0.70_ucspitls-0.6.patch (STARTTLS support)
originally designed and provided by Scott Gifford (FEH).
Added Certchain support for sslserver and sslclient (FEH).
Integration and added man-pages (FEH).
Synced with ucspi-tcp6-0.95.
Fixed integration bug in ssl_very.c.
Included patches from Peter Conrad.
Bug fix in sslserver. Several small
corrections.
Fix for large X509 serial numbers on x86 (tx. Peter Conrad).
SAN DNSname has precedence over CN in subject.
Re-edited man pages and rts tests.
Added IPv6 support (tx. to Felix von Leitner and Brandon Turner).
UI: Changed sslserver client cert call from '-i/-I' to '-z/-Z'
for compatibility reasons.
Added '-4/-6' support for client scripts.
Added output environment variables TCP6* for sslserver.
sslperl, sslhandle, and sslprint are not IPv6 ready yet.
Added IPv6 capabilities to sslhandle, sslprint, sslperl.
Changed verification of X.509 certs.
Removed obsolete socket_4 calls in sslserver.
Streamlined code with ucspi-tcp6-1.00.
Supplied new certs with customized SAN.
Make rts working (at least somehow).
Added support for personalized client certs.
New option '-m' in sslserver, complementing '-z'.
CCAFILE='-' disables client cert request.
Added verbose log output for SSL connection information.
Fixed wrongly nested CONNECT error code for sslclient.c
producing wrong warning messages while connecting to
an IPv4 address.
Added call of '-ldl' in ssl.lib.
Mitigation of SSL connection hanging during
coincident change of daylight-saving settings.
Fixed bug in sslserver's dnsip lookup in case of paranoid settings
and additional existence of IPv6 AAAA records for incoming IPv4 connection.
Several fixes from 'troy@' included to cope with compiler errors and
to solve a bug in function getbitasaddress in ip4_bit.c (= ucspi-tcp6-1.02).
Reordered conf-* variables in main dir to allow easier generation of
packages (i.e. RPM). Fixed script to identify different HW architecture
and OS. This version works in 32 bit mode on Raspbian Linux / RasPi 7.
Added ECDH capabilities (tx to Frank Bergmann for the patches).
Added compatibility with LibreSSL.
Fixed missing negative return call treatment from 'poll' (tx Frank Bergmann).
Tentative 'emake' fix for Gentoo build.
Added OpenSSL 1.1 tweaks -- works under Debian (9) 'Stretch'.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.