Hello community,
here is the log from the commit of package perl-IO-Socket-SSL for
openSUSE:Factory checked in at 2013-07-25 14:46:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes
2012-03-01 17:24:27.000000000 +0100
+++
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes
2013-07-25 14:46:31.000000000 +0200
@@ -1,0 +2,101 @@
+Wed Jul 3 08:20:14 UTC 2013 - [email protected]
+
+- new version 0.951
+ * better document builtin defaults for key,cert,CA and how they are
depreceated
+ * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use
+ openssl's builtin defaults for CA unless CA path/file was given
+ * MAJOR BEHAVIOR CHANGE:
+ ssl_verify_mode now defaults to verify_peer for client. Until
+ now it used verify_none, but loudly complained since 1.79 about
+ it. It will not complain any longer, but the connection might
+ probably fail. Please don't simply disable ssl verification, but
+ instead set SSL_ca_file etc so that verification succeeds!
+ * MAJOR BEHAVIOR CHANGE:
+ it will now complain if the builtin defaults of certs/my-ca.pem
+ or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert
+ and key are used, e.g. no certificates are specified explicitly.
+ In the future these insecure (relative path!) defaults will be
+ removed and the CA replaced with the system defaults.
+ * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
+ installed instead of reporting missing dependency to Net::SSLeay.
+ * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
+ years ago. Remove code to work around older releases.
+ * changed AUTHOR in Makefile.PL from array back to string, because the
+ array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
+ * Intercept: use sha1-fingerprint of original cert for id into cache unless
+ otherwise given
+ * Fix pod error in IO::Socket::SSL::Utils RT#85733
+ * added IO::Socket::SSL::Utils for easier manipulation of certificates and
keys
+ * moved SSL interception into IO::Socket::SSL::Intercept and simplified it
+ using IO::Socket::SSL::Utils
+ * enhance meta information in Makefile.PL
+ * RT#85290, support more digest, especially SHA-2.
+ Thanks to ujvari[AT]microsec[DOT]hu
+ * added support for easy SSL interception (man in the middle) based
+ on ideas found in mojo*mitm proxy (which was written by Karel Miko)
+ * make 1.46 the minimal required version for Net::SSLeay, because it
+ introduced lots of useful functions.
+ * if IO::Socket::IP is used it should be at least version 0.20, o
+ * Spelling corrections, thanks to dsteinbrunner
+- remove the dependency on IO::Socket::INET6 as it breaks the test suite
+
+-------------------------------------------------------------------
+Sat May 11 22:51:07 UTC 2013 - [email protected]
+
+- update to 1.88
+ + consider a value of '' the same as undef for SSL_ca_(path|file)
+ + complain if given SSL_(key|cert|ca)_(file|path) do not exist or
+ if they are not readable
+ + disabled client side SNI for openssl version < 1.0.0
+ + added functions can_client_sni, can_server_sni, can_npn to check
+ avaibility of SNI and NPN features. Added more documentation for
+ SNI and NPN
+ + Server Name Indication (SNI) support on the server side
+ + sub error sets $SSL_ERROR etc only if there really is an error,
+ otherwise it will keep the latest error. This causes
+ IO::Socket::SSL->new.. to report the correct problem, even if
+ the problem is deeper in the code (like in connect)
+ + deprecated set_ctx_defaults, new name ist set_defaults
+ + changed handling of default path for SSL_(ca|cert|key)* keys: either
+ if one of these keys is user defined don't add defaults for the
+ others, e.g. don't mix user settings and defaults
+ + cleaner handling of module defaults vs. global settings vs. socket
+ specific settings
+
+ + prepare transition to a more secure default for SSL_verify_mode.
+ The use of the current default SSL_VERIFY_NONE will cause a big warning
+ for clients, unless SSL_verify_mode was explicitly set inside the
+ application to this insecure value.
+ In the near future the default will be SSL_VERIFY_PEER, and thus
+ causing verification failures in unchanged applications.
+
+ + use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and
+ PeerPort from sockaddr in _update_peer, because this provides scope
+ + work around systems which don't defined AF_INET6
+ + update_peer for IPv6 also
+ + no longer depend on Socket.pm 1.95 for inet_pton, but use
+ Socket6.pm if no current Socket.pm is available
+ + made it possible to explicitly disable TLSv11 and TLSv12 in
+ SSL_version
+ + fixed documentation errors
+ + add support to IO::Socket::IP which support inet6 and inet4
+ + make it possible to disable protols using SSL_version, make
+ SSL_version default to 'SSLv23:!SSLv2'
+ + remove SSLv2 from default cipher list
+ + if no explicit cipher list is given it will now default to ALL:!LOW
+ instead of the openssl default, which usually includes weak ciphers
+ + new config key SSL_honor_cipher_order and documented how to use it
+ + make it thread safer
+ + added NPN (Next Protocol Negotiation) support
+ + call CTX_set_session_id_context so that servers session caching
+ works with client certificates too
+ + don't make blocking readline if socket was set nonblocking, but
+ return as soon no more data are available
+ + if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
+ message when attempting to use it
+ + add automatic or explicit (via SSL_hostname) SNI support, needed
+ for multiple SSL hostnames with same IP. Currently only supported
+ for the client
+- enable tests
+
+-------------------------------------------------------------------
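Review bot: The top entry's "+- new version 0.951" does not match what is being checked in: the spec hunk sets "Version: 1.951" and the new tarball is IO-Socket-SSL-1.951.tar.gz, so this line should read 1.951. In the same entry, the IO::Socket::IP bullet stops mid-sentence ("at least version 0.20, o") and should be completed or trimmed. The update jumps from 1.55 to 1.951 and includes two items marked MAJOR BEHAVIOR CHANGE (client ssl_verify_mode now defaulting to verify_peer, and warnings when the relative-path cert/CA defaults are used). Calling these out at the top of the entry would help maintainers of dependent packages see that unchanged clients may now fail verification and need SSL_ca_file or similar set.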
Old:
----
IO-Socket-SSL-1.55.tar.gz
New:
----
IO-Socket-SSL-1.951.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.MxF05d/_old 2013-07-25 14:46:32.000000000 +0200
+++ /var/tmp/diff_new_pack.MxF05d/_new 2013-07-25 14:46:32.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package perl-IO-Socket-SSL
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,24 +16,25 @@
#
-
Name: perl-IO-Socket-SSL
-Version: 1.55
+Version: 1.951
Release: 0
-License: Artistic-1.0 or GPL-1.0+
%define cpan_name IO-Socket-SSL
Summary: Nearly transparent SSL encapsulation for IO::Socket::INET
-Url: http://search.cpan.org/dist/IO-Socket-SSL/
+License: Artistic-1.0 or GPL-1.0+
Group: Development/Libraries/Perl
-Source:
http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
+Url: http://search.cpan.org/dist/IO-Socket-SSL/
+Source:
http://www.cpan.org/modules/by-module/IO/%{cpan_name}-%{version}.tar.gz
BuildRequires: perl
# MANUAL BEGIN
-BuildRequires: perl(IO::Socket::INET6)
-BuildRequires: perl(Net::LibIDN)
-BuildRequires: perl(Net::SSLeay) >= 1.21
BuildRequires: perl-macros
-Requires: perl(Net::SSLeay) >= 1.21
-Recommends: perl(IO::Socket::INET6)
+# the testsuite does not work with INET6 yet. If INET6 is enabled,
+# at least netcfg has to be installed as well.
+#BuildRequires: perl(IO::Socket::INET6)
+BuildRequires: perl(Net::LibIDN)
+BuildRequires: perl(Net::SSLeay) >= 1.46
+Requires: perl(Net::SSLeay) >= 1.46
+#Recommends: perl(IO::Socket::INET6)
Recommends: perl(Net::LibIDN)
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
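Review bot: The commented-out "#Recommends: perl(IO::Socket::INET6)" drops a runtime hint for a build-time reason. The added comment only says the testsuite does not work with INET6, which explains disabling the BuildRequires but not the Recommends. Either keep the Recommends, or, since the changelog lists IO::Socket::IP support (at least version 0.20), recommend that module instead so IPv6 remains available to users. Separately, the new Source URL is still plain http:// and nothing in this hunk verifies the downloaded tarball. Shipping a checksum or signature file alongside the source would make the 1.55 to 1.951 jump auditable.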
@@ -72,6 +73,9 @@
%perl_process_packlist
%perl_gen_filelist
+%check
+make test
+
%clean
rm -rf %{buildroot}
++++++ IO-Socket-SSL-1.55.tar.gz -> IO-Socket-SSL-1.951.tar.gz ++++++
++++ 7739 lines of diff (skipped)