Hello community,
here is the log from the commit of package perl-LWP-Protocol-https for
openSUSE:Factory checked in at 2015-04-25 16:46:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https (Old)
and /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-LWP-Protocol-https"
Changes:
--------
---
/work/SRC/openSUSE:Factory/perl-LWP-Protocol-https/perl-LWP-Protocol-https.changes
2014-05-17 06:43:04.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new/perl-LWP-Protocol-https.changes
2015-04-25 16:46:53.000000000 +0200
@@ -1,0 +2,36 @@
+Thu Apr 23 06:00:03 UTC 2015 - [email protected]
+
+- updated to 6.06
+ see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes
+
+ 2014-04-18 LWP-Protocol-https 6.06
+
+ Mike Schilli (3):
+ Merge pull request #12 from drieux/subjectAltName
+ Merge pull request #9 from chorny/master
+ Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases.
+
+ Gisle Aas (2):
+ Getopt::Long isn't actually used
+ Merge pull request #7 from noxxi/master
+
+ Alexandr Ciornii (1):
+ better diagnostics in case of failures in apache.t
+
+ Karen Etheridge (1):
+ Merge pull request #8 from cpansprout/patch-1
+
+ Steffen Ullrich (1):
+ correct behavior for https_proxy, this goes together with change to
+ libwww-perl cb80c2ddb7, new method _upgrade_sock in
LWP::Protocol::https
+
+ cpansprout (1):
+ Typo fix: envirionment =~ s/io/o/
+
+ drieux (1):
+ support for subjectAltName
+
+
+
_______________________________________________________________________________
+
+-------------------------------------------------------------------
Old:
----
LWP-Protocol-https-6.04.tar.gz
New:
----
LWP-Protocol-https-6.06.tar.gz
cpanspec.yml
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-LWP-Protocol-https.spec ++++++
--- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200
+++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package perl-LWP-Protocol-https
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,15 @@
Name: perl-LWP-Protocol-https
-Version: 6.04
+Version: 6.06
Release: 0
%define cpan_name LWP-Protocol-https
Summary: Provide https support for LWP::UserAgent
License: Artistic-1.0 or GPL-1.0+
Group: Development/Libraries/Perl
Url: http://search.cpan.org/dist/LWP-Protocol-https/
-Source:
http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz
-# patch for using system certificates
+Source0:
http://www.cpan.org/authors/id/M/MS/MSCHILLI/%{cpan_name}-%{version}.tar.gz
+Source1: cpanspec.yml
Patch0: %{cpan_name}-6.04-systemca.diff
Patch1: CVE-2014-3230.patch
BuildArch: noarch
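Review bot: `Patch0: %{cpan_name}-6.04-systemca.diff` keeps the 6.04 name while `Version` moves to 6.06 and the patch body itself has been rebased onto `LWP-Protocol-https-6.06/` paths, so the file name now says the wrong thing about what it applies to. A version-neutral name (dropping the `-6.04` part) would avoid another rename on the next update; the matching key under `patches:` in cpanspec.yml would need to follow. Source0 also switches the CPAN author directory from GAAS to MSCHILLI, presumably because the 6.06 release was cut by Mike Schilli; a one-line remark in the .changes entry would save the next reviewer the lookup.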
@@ -33,14 +33,14 @@
BuildRequires: perl
BuildRequires: perl-macros
BuildRequires: perl(IO::Socket::SSL) >= 1.54
-BuildRequires: perl(LWP::UserAgent) >= 6.04
+BuildRequires: perl(LWP::UserAgent) >= 6.06
#BuildRequires: perl(Mozilla::CA) >= 20110101
BuildRequires: perl(Net::HTTPS) >= 6
-#BuildRequires: perl(LWP::Protocol::http)
Requires: perl(IO::Socket::SSL) >= 1.54
-Requires: perl(LWP::UserAgent) >= 6.04
+Requires: perl(LWP::UserAgent) >= 6.06
#Requires: perl(Mozilla::CA) >= 20110101
Requires: perl(Net::HTTPS) >= 6
+BuildRequires: ca-certificates
%{perl_requires}
%description
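Review bot: `BuildRequires: ca-certificates` is added without a matching `Requires:`. With the systemca patch gating off the Mozilla::CA fallback, a verifying client (SSL_verify_mode set, no SSL_ca_file/SSL_ca_path) can only succeed if IO::Socket::SSL finds the system CA store at runtime, so the installed package presumably needs `Requires: ca-certificates` (or whichever package provides the bundle) as much as the build does; on a minimal system the verification would otherwise fail with a bare IO::Socket::SSL error. If the spec is regenerated from Source1 (cpanspec.yml), a hand-edited BuildRequires line is also likely to be lost on the next regeneration; putting it into cpanspec.yml's `preamble:` would keep it.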
++++++ CVE-2014-3230.patch ++++++
--- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200
+++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200
@@ -8,11 +8,11 @@
lib/LWP/Protocol/https.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
+Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
===================================================================
---- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm 2014-05-15
11:46:54.319643759 +0200
-+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2014-05-15
11:46:55.856660773 +0200
-@@ -20,7 +20,11 @@ sub _extra_sock_opts
+--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm
++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
+@@ -21,7 +21,11 @@ sub _extra_sock_opts
$ssl_opts{SSL_verifycn_scheme} = 'www';
}
else {
@@ -23,5 +23,18 @@
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
}
- $self->{ssl_opts} = \%ssl_opts;
- return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+ my $suse_allows_mozilla_ca = 0;
+ if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) {
+Index: LWP-Protocol-https-6.06/t/https_proxy.t
+===================================================================
+--- LWP-Protocol-https-6.06.orig/t/https_proxy.t
++++ LWP-Protocol-https-6.06/t/https_proxy.t
+@@ -66,7 +66,7 @@ my %ua;
+ $ua{noproxy} = LWP::UserAgent->new(
+ keep_alive => 10, # size of connection cache
+ # server does not know the expected name and returns generic certificate
+- ssl_opts => { verify_hostname => 0 }
++ ssl_opts => { verify_hostname => 0, SSL_ca_file => $cafile, }
+ );
+
+ $ua{proxy} = LWP::UserAgent->new(
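Review bot: Nothing on the page records why the `noproxy` agent in t/https_proxy.t, which keeps `verify_hostname => 0`, now also needs `SSL_ca_file => $cafile`, and the change travels inside a patch named after CVE-2014-3230 whose only description is a PR link in cpanspec.yml. If the fix makes the certificate chain be verified whenever a CA file is supplied even with hostname verification off (the `$ssl_opts{SSL_verifycn_scheme} = 'none';` line earlier in this hunk suggests that), then the noproxy https cases become chain-verified requests, which is worth one sentence in a patch header above the first `Index:` line together with the upstream reference. Note also that the patch's new trailing context (`my $suse_allows_mozilla_ca = 0;`) only exists once the systemca patch has been applied, so the two patches are now order-dependent.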
++++++ LWP-Protocol-https-6.04-systemca.diff ++++++
--- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200
+++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200
@@ -11,37 +11,37 @@
lib/LWP/Protocol/https.pm | 23 -----------------------
3 files changed, 1 insertion(+), 32 deletions(-)
-diff --git a/Makefile.PL b/Makefile.PL
-index 805eac8..3c66fb7 100644
---- a/Makefile.PL
-+++ b/Makefile.PL
+Index: LWP-Protocol-https-6.06/Makefile.PL
+===================================================================
+--- LWP-Protocol-https-6.06.orig/Makefile.PL
++++ LWP-Protocol-https-6.06/Makefile.PL
@@ -15,7 +15,6 @@ WriteMakefile(
- 'LWP::UserAgent' => '6.04',
+ 'LWP::UserAgent' => '6.06',
'Net::HTTPS' => 6,
'IO::Socket::SSL' => "1.54",
- 'Mozilla::CA' => "20110101",
},
META_MERGE => {
resources => {
-diff --git a/README b/README
-index 8e67078..7c4b5e2 100644
---- a/README
-+++ b/README
-@@ -13,13 +13,6 @@ DESCRIPTION
+Index: LWP-Protocol-https-6.06/README
+===================================================================
+--- LWP-Protocol-https-6.06.orig/README
++++ LWP-Protocol-https-6.06/README
+@@ -17,13 +17,6 @@ DESCRIPTION
you don't use it directly. Once the module is installed LWP is able to
access sites using HTTP over SSL/TLS.
-- If hostname verification is requested by LWP::UserAgent's `ssl_opts',
-- and neither `SSL_ca_file' nor `SSL_ca_path' is set, then `SSL_ca_file'
+- If hostname verification is requested by LWP::UserAgent's "ssl_opts",
+- and neither "SSL_ca_file" nor "SSL_ca_path" is set, then "SSL_ca_file"
- is implied to be the one provided by Mozilla::CA. If the Mozilla::CA
- module isn't available SSL requests will fail. Either install this
-- module, set up an alternative `SSL_ca_file' or disable hostname
+- module, set up an alternative "SSL_ca_file" or disable hostname
- verification.
-
This module used to be bundled with the libwww-perl, but it was
unbundled in v6.02 in order to be able to declare its dependencies
properly for the CPAN tool-chain. Applications that need https support
-@@ -27,7 +20,7 @@ DESCRIPTION
+@@ -31,7 +24,7 @@ DESCRIPTION
longer need to know what underlying modules to install.
SEE ALSO
@@ -50,40 +50,17 @@
COPYRIGHT
Copyright 1997-2011 Gisle Aas.
-diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
-index f7230e2..e210049 100644
---- a/lib/LWP/Protocol/https.pm
-+++ b/lib/LWP/Protocol/https.pm
-@@ -22,29 +22,6 @@ sub _extra_sock_opts
+Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
+===================================================================
+--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm
++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
+@@ -23,7 +23,8 @@ sub _extra_sock_opts
else {
$ssl_opts{SSL_verify_mode} = 0;
}
- if ($ssl_opts{SSL_verify_mode}) {
-- unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path})
{
-- eval {
-- require Mozilla::CA;
-- };
-- if ($@) {
-- if ($@ =! /^Can't locate Mozilla\/CA\.pm/) {
-- $@ = <<'EOT';
--Can't verify SSL peers without knowing which Certificate Authorities to trust
--
--This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
--envirionment variable or by installing the Mozilla::CA module.
--
--To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
--envirionment variable to 0. If you do this you can't be sure that you
--communicate with the expected peer.
--EOT
-- }
-- die $@;
-- }
-- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
-- }
-- }
- $self->{ssl_opts} = \%ssl_opts;
- return (%ssl_opts, $self->SUPER::_extra_sock_opts);
- }
---
-1.8.1.4
-
++ my $suse_allows_mozilla_ca = 0;
++ if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) {
+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path})
{
+ eval {
+ require Mozilla::CA;
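Review bot: The Mozilla::CA fallback is no longer deleted but gated behind `my $suse_allows_mozilla_ca = 0;`, a literal that makes the whole `if` block unreachable; in the module source this reads like a forgotten debugging switch, and the only statement of intent (`# patch for using system certificates`) lives in cpanspec.yml. A comment directly above the guard, e.g. `# SUSE: never consult Mozilla::CA; peer verification relies on IO::Socket::SSL's default (system) CA store`, would tell the next maintainer that this is deliberate, presumably chosen over deletion to keep the patch small across rebases. Keeping the block also keeps the die() text that advises installing Mozilla::CA compiled in, although it cannot be reached while the guard is false. The inner hunk ends here; the rest of _extra_sock_opts lies outside the patch context.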
++++++ LWP-Protocol-https-6.04.tar.gz -> LWP-Protocol-https-6.06.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/Changes
new/LWP-Protocol-https-6.06/Changes
--- old/LWP-Protocol-https-6.04/Changes 2013-04-29 23:19:02.000000000 +0200
+++ new/LWP-Protocol-https-6.06/Changes 2014-04-18 18:38:48.000000000 +0200
@@ -1,4 +1,33 @@
_______________________________________________________________________________
+2014-04-18 LWP-Protocol-https 6.06
+
+Mike Schilli (3):
+ Merge pull request #12 from drieux/subjectAltName
+ Merge pull request #9 from chorny/master
+ Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases.
+
+Gisle Aas (2):
+ Getopt::Long isn't actually used
+ Merge pull request #7 from noxxi/master
+
+Alexandr Ciornii (1):
+ better diagnostics in case of failures in apache.t
+
+Karen Etheridge (1):
+ Merge pull request #8 from cpansprout/patch-1
+
+Steffen Ullrich (1):
+ correct behavior for https_proxy, this goes together with change to
+ libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https
+
+cpansprout (1):
+ Typo fix: envirionment =~ s/io/o/
+
+drieux (1):
+ support for subjectAltName
+
+
+_______________________________________________________________________________
2013-04-29 LWP-Protocol-https 6.04
Fix IO::Socket::SSL warnings when not verifying hostname.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/MANIFEST
new/LWP-Protocol-https-6.06/MANIFEST
--- old/LWP-Protocol-https-6.04/MANIFEST 2013-04-29 23:23:13.000000000
+0200
+++ new/LWP-Protocol-https-6.06/MANIFEST 2014-04-18 19:00:39.000000000
+0200
@@ -4,5 +4,5 @@
README
lib/LWP/Protocol/https.pm Access with HTTP/1.1 protocol over SSL
t/apache.t
-META.yml Module YAML meta-data (added by
MakeMaker)
-META.json Module JSON meta-data (added by
MakeMaker)
+t/https_proxy.t
+META.yml Module meta-data (added by MakeMaker)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/META.json
new/LWP-Protocol-https-6.06/META.json
--- old/LWP-Protocol-https-6.04/META.json 2013-04-29 23:23:13.000000000
+0200
+++ new/LWP-Protocol-https-6.06/META.json 1970-01-01 01:00:00.000000000
+0100
@@ -1,51 +0,0 @@
-{
- "abstract" : "Provide https support for LWP::UserAgent",
- "author" : [
- "Gisle Aas <[email protected]>"
- ],
- "dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 6.6501, CPAN::Meta::Converter
version 2.120921",
- "license" : [
- "perl_5"
- ],
- "meta-spec" : {
- "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
- "version" : "2"
- },
- "name" : "LWP-Protocol-https",
- "no_index" : {
- "directory" : [
- "t",
- "inc"
- ]
- },
- "prereqs" : {
- "build" : {
- "requires" : {
- "ExtUtils::MakeMaker" : "0"
- }
- },
- "configure" : {
- "requires" : {
- "ExtUtils::MakeMaker" : "0"
- }
- },
- "runtime" : {
- "requires" : {
- "IO::Socket::SSL" : "1.54",
- "LWP::UserAgent" : "6.04",
- "Mozilla::CA" : "20110101",
- "Net::HTTPS" : "6",
- "perl" : "5.008001"
- }
- }
- },
- "release_status" : "stable",
- "resources" : {
- "repository" : {
- "url" : "http://github.com/libwww-perl/lwp-protocol-https"
- },
- "x_MailingList" : "mailto:[email protected]"
- },
- "version" : "6.04"
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/META.yml
new/LWP-Protocol-https-6.06/META.yml
--- old/LWP-Protocol-https-6.04/META.yml 2013-04-29 23:23:13.000000000
+0200
+++ new/LWP-Protocol-https-6.06/META.yml 2014-04-18 19:00:39.000000000
+0200
@@ -1,29 +1,29 @@
----
-abstract: 'Provide https support for LWP::UserAgent'
+--- #YAML:1.0
+name: LWP-Protocol-https
+version: 6.06
+abstract: Provide https support for LWP::UserAgent
author:
- - 'Gisle Aas <[email protected]>'
-build_requires:
- ExtUtils::MakeMaker: 0
+ - Gisle Aas <[email protected]>
+license: perl
+distribution_type: module
configure_requires:
- ExtUtils::MakeMaker: 0
-dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 6.6501, CPAN::Meta::Converter
version 2.120921'
-license: perl
-meta-spec:
- url: http://module-build.sourceforge.net/META-spec-v1.4.html
- version: 1.4
-name: LWP-Protocol-https
-no_index:
- directory:
- - t
- - inc
+ ExtUtils::MakeMaker: 0
+build_requires:
+ ExtUtils::MakeMaker: 0
requires:
- IO::Socket::SSL: 1.54
- LWP::UserAgent: 6.04
- Mozilla::CA: 20110101
- Net::HTTPS: 6
- perl: 5.008001
+ IO::Socket::SSL: 1.54
+ LWP::UserAgent: 6.06
+ Mozilla::CA: 20110101
+ Net::HTTPS: 6
+ perl: 5.008001
resources:
- repository: http://github.com/libwww-perl/lwp-protocol-https
- x_MailingList: mailto:[email protected]
-version: 6.04
+ MailingList: mailto:[email protected]
+ repository: http://github.com/libwww-perl/lwp-protocol-https
+no_index:
+ directory:
+ - t
+ - inc
+generated_by: ExtUtils::MakeMaker version 6.56
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.4.html
+ version: 1.4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/Makefile.PL
new/LWP-Protocol-https-6.06/Makefile.PL
--- old/LWP-Protocol-https-6.04/Makefile.PL 2013-03-19 22:06:50.000000000
+0100
+++ new/LWP-Protocol-https-6.06/Makefile.PL 2014-04-18 18:27:06.000000000
+0200
@@ -3,7 +3,6 @@
require 5.008001;
use strict;
use ExtUtils::MakeMaker;
-use Getopt::Long qw(GetOptions);
WriteMakefile(
NAME => 'LWP::Protocol::https',
@@ -13,7 +12,7 @@
LICENSE => "perl",
MIN_PERL_VERSION => 5.008001,
PREREQ_PM => {
- 'LWP::UserAgent' => '6.04',
+ 'LWP::UserAgent' => '6.06',
'Net::HTTPS' => 6,
'IO::Socket::SSL' => "1.54",
'Mozilla::CA' => "20110101",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/README
new/LWP-Protocol-https-6.06/README
--- old/LWP-Protocol-https-6.04/README 2013-03-19 22:06:50.000000000 +0100
+++ new/LWP-Protocol-https-6.06/README 2014-04-18 18:33:44.000000000 +0200
@@ -1,3 +1,7 @@
+######################################################################
+ LWP::Protocol::https 6.06
+######################################################################
+
NAME
LWP::Protocol::https - Provide https support for LWP::UserAgent
@@ -8,16 +12,16 @@
$res = $ua->get("https://www.example.com");
DESCRIPTION
- The LWP::Protocol::https module provide support for using https schemed
+ The LWP::Protocol::https module provides support for using https schemed
URLs with LWP. This module is a plug-in to the LWP protocol handling, so
you don't use it directly. Once the module is installed LWP is able to
access sites using HTTP over SSL/TLS.
- If hostname verification is requested by LWP::UserAgent's `ssl_opts',
- and neither `SSL_ca_file' nor `SSL_ca_path' is set, then `SSL_ca_file'
+ If hostname verification is requested by LWP::UserAgent's "ssl_opts",
+ and neither "SSL_ca_file" nor "SSL_ca_path" is set, then "SSL_ca_file"
is implied to be the one provided by Mozilla::CA. If the Mozilla::CA
module isn't available SSL requests will fail. Either install this
- module, set up an alternative `SSL_ca_file' or disable hostname
+ module, set up an alternative "SSL_ca_file" or disable hostname
verification.
This module used to be bundled with the libwww-perl, but it was
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
new/LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm
--- old/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2013-04-29
23:16:18.000000000 +0200
+++ new/LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm 2014-04-18
18:33:26.000000000 +0200
@@ -1,10 +1,11 @@
package LWP::Protocol::https;
use strict;
-our $VERSION = "6.04";
+our $VERSION = "6.06";
require LWP::Protocol::http;
our @ISA = qw(LWP::Protocol::http);
+require Net::HTTPS;
sub socket_type
{
@@ -33,10 +34,10 @@
Can't verify SSL peers without knowing which Certificate Authorities to trust
This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
-envirionment variable or by installing the Mozilla::CA module.
+environment variable or by installing the Mozilla::CA module.
To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
-envirionment variable to 0. If you do this you can't be sure that you
+environment variable to 0. If you do this you can't be sure that you
communicate with the expected peer.
EOT
}
@@ -49,17 +50,78 @@
return (%ssl_opts, $self->SUPER::_extra_sock_opts);
}
+#------------------------------------------------------------
+# _cn_match($common_name, $san_name)
+# common_name: an IA5String
+# san_name: subjectAltName
+# initially we were only concerned with the dNSName
+# and the 'left-most' only wildcard as noted in
+# https://tools.ietf.org/html/rfc6125#section-6.4.3
+# this method does not match any wildcarding in the
+# domain name as listed in section-6.4.3.3
+#
+sub _cn_match {
+ my( $me, $common_name, $san_name ) = @_;
+
+ # /CN has a '*.' prefix
+ # MUST be an FQDN -- fishing?
+ return 0 if( $common_name =~ /^\*\./ );
+
+ my $re = q{}; # empty string
+
+ # turn a leading "*." into a regex
+ if( $san_name =~ /^\*\./ ) {
+ $san_name =~ s/\*//;
+ $re = "[^.]+";
+ }
+
+ # quotemeta the rest and match anchored
+ if( $common_name =~ /^$re\Q$san_name\E$/ ) {
+ return 1;
+ }
+ return 0;
+}
+
+#-------------------------------------------------------
+# _in_san( cn, cert )
+# 'cn' of the form /CN=host_to_check ( "Common Name" form )
+# 'cert' any object that implements a peer_certificate('subjectAltNames')
method
+# which will return an array of ( type-id, value ) pairings per
+# http://tools.ietf.org/html/rfc5280#section-4.2.1.6
+# if there is no subjectAltNames there is nothing more to do.
+# currently we have a _cn_match() that will allow for simple compare.
+sub _in_san
+{
+ my($me, $cn, $cert) = @_;
+
+ # we can return early if there are no SAN options.
+ my @sans = $cert->peer_certificate('subjectAltNames');
+ return unless scalar @sans;
+
+ (my $common_name = $cn) =~ s/.*=//; # strip off the prefix.
+
+ # get the ( type-id, value ) pairwise
+ # currently only the basic CN to san_name check
+ while( my ( $type_id, $value ) = splice( @sans, 0, 2 ) ) {
+ return 'ok' if $me->_cn_match($common_name,$value);
+ }
+ return;
+}
+
sub _check_sock
{
my($self, $req, $sock) = @_;
my $check = $req->header("If-SSL-Cert-Subject");
if (defined $check) {
- my $cert = $sock->get_peer_certificate ||
- die "Missing SSL certificate";
- my $subject = $cert->subject_name;
- die "Bad SSL certificate subject: '$subject' !~ /$check/"
- unless $subject =~ /$check/;
- $req->remove_header("If-SSL-Cert-Subject"); # don't pass it on
+ my $cert = $sock->get_peer_certificate ||
+ die "Missing SSL certificate";
+ my $subject = $cert->subject_name;
+ unless ( $subject =~ /$check/ ) {
+ my $ok = $self->_in_san( $check, $cert);
+ die "Bad SSL certificate subject: '$subject' !~ /$check/"
+ unless $ok;
+ }
+ $req->remove_header("If-SSL-Cert-Subject"); # don't pass it on
}
}
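Review bot: `_in_san` discards `$type_id` and hands every subjectAltName value to `_cn_match`, so an rfc822Name, URI or IP entry is compared as if it were a host name; the loop should skip entries whose type is not dNSName, e.g. `next unless $type_id == <dNSName type id>;` (IO::Socket::SSL reports the numeric OpenSSL GEN_* type here, worth confirming against the backend actually in use). `_cn_match` also compares case-sensitively and anchors with `$`, which admits a trailing newline; DNS names compare case-insensitively, so `if( $common_name =~ /\A$re\Q$san_name\E\z/i )` is the safer form. Finally, `$check` is used as a regex against the subject (`$subject =~ /$check/`) but its tail is passed to `_in_san` as a literal name, so a header written as a pattern (escaped dots, anchors) will never match a SAN; either document that the SAN fallback expects a plain host name in `If-SSL-Cert-Subject` or derive the literal from the pattern. `_check_sock`, `_cn_match` and `_in_san` are all complete within the hunk.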
@@ -83,10 +145,24 @@
$res->header("Client-SSL-Socket-Class" => $Net::HTTPS::SSL_SOCKET_CLASS);
}
+# upgrade plain socket to SSL, used for CONNECT tunnel when proxying https
+# will only work if the underlying socket class of Net::HTTPS is
+# IO::Socket::SSL, but code will only be called in this case
+if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
+ *_upgrade_sock = sub {
+ my ($self,$sock,$url) = @_;
+ $sock = LWP::Protocol::https::Socket->start_SSL( $sock,
+ SSL_verifycn_name => $url->host,
+ $self->_extra_sock_opts,
+ );
+ $@ = LWP::Protocol::https::Socket->errstr if ! $sock;
+ return $sock;
+ }
+}
+
#-----------------------------------------------------------
package LWP::Protocol::https::Socket;
-require Net::HTTPS;
our @ISA = qw(Net::HTTPS LWP::Protocol::http::SocketMethods);
1;
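Review bot: `_upgrade_sock` reports failure through `$@ = LWP::Protocol::https::Socket->errstr if ! $sock;`, an out-of-band channel that any intervening eval clobbers, and the caller that reads it is in libwww-perl rather than on this page; a comment such as `# returns undef on failure and leaves the reason in $@ for the CONNECT tunnel path in libwww-perl` would make that contract visible. `SSL_verifycn_name => $url->host` is listed before `$self->_extra_sock_opts`; if start_SSL builds its options from the flat list, later keys win, so a caller-supplied SSL_verifycn_name in ssl_opts silently replaces the tunnel target — decide which should win and say so in a comment. The sub is installed only when the socket class `can('start_SSL')`, which presumably mirrors a `can('_upgrade_sock')` check on the caller's side; the glob assignment and the sub are complete within the hunk.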
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/t/apache.t
new/LWP-Protocol-https-6.06/t/apache.t
--- old/LWP-Protocol-https-6.04/t/apache.t 2013-04-29 23:15:29.000000000
+0200
+++ new/LWP-Protocol-https-6.06/t/apache.t 2014-04-18 18:21:26.000000000
+0200
@@ -8,11 +8,13 @@
my $ua = LWP::UserAgent->new();
plan skip_all => "Not online" unless $ua->is_online;
-plan tests => 4;
+plan tests => 5;
my $res = $ua->simple_request(HTTP::Request->new(GET =>
"https://www.apache.org"));
ok($res->is_success);
+my $h = $res->header( 'X-Died' );
+is($h, undef, "no X-Died header");
like($res->content, qr/Apache Software Foundation/);
# test for RT #81948
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/LWP-Protocol-https-6.04/t/https_proxy.t
new/LWP-Protocol-https-6.06/t/https_proxy.t
--- old/LWP-Protocol-https-6.04/t/https_proxy.t 1970-01-01 01:00:00.000000000
+0100
+++ new/LWP-Protocol-https-6.06/t/https_proxy.t 2014-04-18 18:21:26.000000000
+0200
@@ -0,0 +1,308 @@
+#!/usr/bin/perl
+
+# to run test with Net::SSL as backend set environment
+# PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
+
+use strict;
+use warnings;
+use Test::More;
+use File::Temp 'tempfile';
+use IO::Socket::INET;
+use IO::Select;
+use Socket 'MSG_PEEK';
+use LWP::UserAgent;
+use LWP::Protocol::https;
+
+plan skip_all => "fork not implemented on this platform" if
+ grep { $^O =~m{$_} } qw( MacOS VOS vmesa riscos amigaos );
+
+eval { require IO::Socket::SSL }
+ and $IO::Socket::SSL::VERSION >= 1.953
+ and eval { require IO::Socket::SSL::Utils }
+ or plan skip_all => "no recent version of IO::Socket::SSL::Utils";
+IO::Socket::SSL::Utils->import;
+
+# create CA -------------------------------------------------------------
+my ($cacert,$cakey) = CERT_create( CA => 1 );
+my $cafile = do {
+ my ($fh,$fname) = tempfile( CLEANUP => 1 );
+ print $fh PEM_cert2string($cacert);
+ $fname
+};
+
+# create two web servers ------------------------------------------------
+my (@server,@saddr);
+for my $i (0,1) {
+ my $server = IO::Socket::INET->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0, # let system pick port
+ Listen => 10
+ ) or die "failed to create INET listener";
+ my $saddr = $server->sockhost.':'.$server->sockport;
+ $server[$i] = $server;
+ $saddr[$i] = $saddr;
+}
+
+my @childs;
+END { kill 9,@childs if @childs };
+defined( my $pid = fork()) or die "fork failed: $!";
+
+# child process runs _server and exits
+if ( ! $pid ) {
+ @childs = ();
+ exit( _server());
+}
+
+# parent continues with closed server sockets
+push @childs,$pid;
+@server = ();
+
+# check which SSL implementation Net::HTTPS uses
+# Net::SSL behaves different than the default IO::Socket::SSL
+my $netssl = $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL';
+
+# do some tests ----------------------------------------------------------
+my %ua;
+$ua{noproxy} = LWP::UserAgent->new(
+ keep_alive => 10, # size of connection cache
+ # server does not know the expected name and returns generic certificate
+ ssl_opts => { verify_hostname => 0 }
+);
+
+$ua{proxy} = LWP::UserAgent->new(
+ keep_alive => 10, # size of connection cache
+ ssl_opts => {
+ # Net::SSL cannot verify hostnames :(
+ verify_hostname => $netssl ? 0: 1,
+ SSL_ca_file => $cafile
+ }
+);
+$ua{proxy_nokeepalive} = LWP::UserAgent->new(
+ keep_alive => 0,
+ ssl_opts => {
+ # Net::SSL cannot verify hostnames :(
+ verify_hostname => $netssl ? 0: 1,
+ SSL_ca_file => $cafile
+ }
+);
+$ENV{http_proxy} = $ENV{https_proxy} = "http://foo:bar\@$saddr[0]";
+$ua{proxy}->env_proxy;
+$ua{proxy_nokeepalive}->env_proxy;
+if ($netssl) {
+ # Net::SSL cannot get user/pass from proxy url
+ $ENV{HTTPS_PROXY_USERNAME} = 'foo';
+ $ENV{HTTPS_PROXY_PASSWORD} = 'bar';
+}
+
+my @tests = (
+ # the expected ids are connid.reqid[tunnel_auth][req_auth]@sslhost
+ # because we run different sets of test depending on the SSL class
+ # used by Net::HTTPS we replace connid with a letter and later
+ # match it to a number
+
+ # keep-alive for non-proxy http
+ # requests to same target use same connection, even if intermixed
+ [ 'noproxy', "http://$saddr[0]/foo",'A.1@nossl' ],
+ [ 'noproxy', "http://$saddr[0]/bar",'A.2@nossl' ], # reuse conn#1
+ [ 'noproxy', "http://$saddr[1]/foo",'B.1@nossl' ],
+ [ 'noproxy', "http://$saddr[1]/bar",'B.2@nossl' ], # reuse conn#2
+ [ 'noproxy', "http://$saddr[0]/tor",'A.3@nossl' ], # reuse conn#1 again
+ [ 'noproxy', "http://$saddr[1]/tor",'B.3@nossl' ], # reuse conn#2 again
+ # keep-alive for proxy http
+ # use the same proxy connection for all even if the target host differs
+ [ 'proxy', "http://foo/foo",'C.1.auth@nossl' ],
+ [ 'proxy', "http://foo/bar",'C.2.auth@nossl' ],
+ [ 'proxy', "http://bar/foo",'C.3.auth@nossl' ],
+ [ 'proxy', "http://bar/bar",'C.4.auth@nossl' ],
+ [ 'proxy', "http://foo/tor",'C.5.auth@nossl' ],
+ [ 'proxy', "http://bar/tor",'C.6.auth@nossl' ],
+ # keep-alive for non-proxy https
+ # requests to same target use same connection, even if intermixed
+ [ 'noproxy', "https://$saddr[0]/foo",'[email protected]' ],
+ [ 'noproxy', "https://$saddr[0]/bar",'[email protected]' ],
+ [ 'noproxy', "https://$saddr[1]/foo",'[email protected]' ],
+ [ 'noproxy', "https://$saddr[1]/bar",'[email protected]' ],
+ [ 'noproxy', "https://$saddr[0]/tor",'[email protected]' ],
+ [ 'noproxy', "https://$saddr[1]/tor",'[email protected]' ],
+ # keep-alive for proxy https
+ ! $netssl ? (
+ # note that we reuse proxy conn#C in first request. Although the last id
+ # from this conn was C.6 the new one is C.8, because request C.7 was the
+ # socket upgrade via CONNECT request
+ [ 'proxy', "https://foo/foo",'C.8.Tauth@foo' ],
+ [ 'proxy', "https://foo/bar",'C.9.Tauth@foo' ],
+ # if the target of the tunnel is different we need another connection
+ # note that it starts with F.2, because F.1 is the CONNECT request which
+ # established the tunnel
+ [ 'proxy', "https://bar/foo",'F.2.Tauth@bar' ],
+ [ 'proxy', "https://bar/bar",'F.3.Tauth@bar' ],
+ [ 'proxy', "https://foo/tor",'C.10.Tauth@foo' ],
+ [ 'proxy', "https://bar/tor",'F.4.Tauth@bar' ],
+ ):(
+ # Net::SSL will cannot reuse socket for CONNECT, but once inside tunnel
+ # keep-alive is possible
+ [ 'proxy', "https://foo/foo",'G.2.Tauth@foo' ],
+ [ 'proxy', "https://foo/bar",'G.3.Tauth@foo' ],
+ [ 'proxy', "https://bar/foo",'F.2.Tauth@bar' ],
+ [ 'proxy', "https://bar/bar",'F.3.Tauth@bar' ],
+ [ 'proxy', "https://foo/tor",'G.4.Tauth@foo' ],
+ [ 'proxy', "https://bar/tor",'F.4.Tauth@bar' ],
+ ),
+ # non-keep alive for proxy https
+ [ 'proxy_nokeepalive', "https://foo/foo",'H.2.Tauth@foo' ],
+ [ 'proxy_nokeepalive', "https://foo/bar",'I.2.Tauth@foo' ],
+ [ 'proxy_nokeepalive', "https://bar/foo",'J.2.Tauth@bar' ],
+ [ 'proxy_nokeepalive', "https://bar/bar",'K.2.Tauth@bar' ],
+);
+plan tests => 2*@tests;
+
+my (%conn2id,%id2conn);
+for my $test (@tests) {
+ my ($uatype,$url,$expect_id) = @$test;
+ my $ua = $ua{$uatype} or die "no such ua: $uatype";
+
+ # Net::SSL uses only the environment to decide about proxy, so we need the
+ # proxy/non-proxy environment for each request
+ if ( $netssl && $url =~m{^https://} ) {
+ $ENV{https_proxy} = $uatype =~m{^proxy} ? "http://$saddr[0]":""
+ }
+
+ my $response = $ua->get($url) or die "no response";
+ if ( $response->is_success
+ and ( my $body = $response->content()) =~m{^ID: *(\d+)\.(\S+)}m ) {
+ my $id = [ $1,$2 ];
+ my $xid = [ $expect_id =~m{(\w+)\.(\S+)} ];
+ if ( my $x = $id2conn{$id->[0]} ) {
+ $id->[0] = $x;
+ } elsif ( ! $conn2id{$xid->[0]} ) {
+ $conn2id{ $xid->[0] } = $id->[0];
+ $id2conn{ $id->[0] } = $xid->[0];
+ $id->[0] = $xid->[0];
+ }
+ is("$id->[0].$id->[1]",$expect_id,"$uatype $url -> $expect_id")
+ or diag($response->as_string);
+ # inside proxy tunnel and for non-proxy there should be only absolute
+ # URI in request w/o scheme
+ my $expect_rqurl = $url;
+ $expect_rqurl =~s{^\w+://[^/]+}{}
+ if $uatype eq 'noproxy' or $url =~m{^https://};
+ my ($rqurl) = $body =~m{^GET (\S+) HTTP/}m;
+ is($rqurl,$expect_rqurl,"URL in request -> $expect_rqurl");
+ } else {
+ die "unexpected response: ".$response->as_string
+ }
+}
+
+# ------------------------------------------------------------------------
+# simple web server with keep alive and SSL, which can also simulate proxy
+# ------------------------------------------------------------------------
+sub _server {
+ my $connid = 0;
+ my %certs; # generated certificates
+
+ ACCEPT:
+ my ($server) = IO::Select->new(@server)->can_read();
+ my $cl = $server->accept or goto ACCEPT;
+
+ # peek into socket to determine if this is direct SSL or not
+ # minimal request is "GET / HTTP/1.1\n\n"
+ my $buf = '';
+ while (length($buf)<15) {
+ my $lbuf;
+ if ( ! IO::Select->new($cl)->can_read(30)
+ or ! defined recv($cl,$lbuf,20,MSG_PEEK)) {
+ warn "not enough data for request ($buf): $!";
+ goto ACCEPT;
+ }
+ $buf .= $lbuf;
+ }
+ my $ssl_host = '';
+ if ( $buf !~m{\A[A-Z]{3,} } ) {
+ # does not look like HTTP, assume direct SSL
+ $ssl_host = "direct.ssl.access";
+ }
+
+ $connid++;
+
+ defined( my $pid = fork()) or die "failed to fork: $!";
+ if ( $pid ) {
+ push @childs,$pid;
+ goto ACCEPT; # wait for next connection
+ }
+
+ # child handles requests
+ @server = ();
+ my $reqid = 0;
+ my $tunnel_auth = '';
+
+ SSL_UPGRADE:
+ if ( $ssl_host ) {
+ my ($cert,$key) = @{
+ $certs{$ssl_host} ||= do {
+ diag("creating cert for $ssl_host");
+ my ($c,$k) = CERT_create(
+ subject => { commonName => $ssl_host },
+ issuer_cert => $cacert,
+ issuer_key => $cakey,
+ # just reuse cakey as key for certificate
+ key => $cakey,
+ );
+ [ $c,$k ];
+ };
+ };
+
+ IO::Socket::SSL->start_SSL( $cl,
+ SSL_server => 1,
+ SSL_cert => $cert,
+ SSL_key => $key,
+ ) or do {
+ diag("SSL handshake failed: ".IO::Socket::SSL->errstr);
+ exit(1);
+ };
+ }
+
+ REQUEST:
+ # read header
+ my $req = '';
+ while (<$cl>) {
+ $_ eq "\r\n" and last;
+ $req .= $_;
+ }
+ $reqid++;
+ my $req_auth = $req =~m{^Proxy-Authorization:}mi ? '.auth':'';
+
+ if ( $req =~m{\ACONNECT ([^\s:]+)} ) {
+ if ( $ssl_host ) {
+ diag("CONNECT inside SSL tunnel");
+ exit(1);
+ }
+ $ssl_host = $1;
+ $tunnel_auth = $req_auth ? '.Tauth':'';
+ #diag($req);
+
+ # simulate proxy and establish SSL tunnel
+ print $cl "HTTP/1.0 200 ok\r\n\r\n";
+ goto SSL_UPGRADE;
+ }
+
+ if ( $req =~m{^Content-length: *(\d+)}mi ) {
+ read($cl,my $buf,$1) or die "eof while reading request body";
+ }
+ my $keep_alive =
+ $req =~m{^(?:Proxy-)?Connection: *(?:(keep-alive)|close)}mi ? $1 :
+ $req =~m{\A.*HTTP/1\.1} ? 1 :
+ 0;
+
+ # just echo request back, including connid and reqid
+ my $body = "ID: $connid.$reqid$tunnel_auth$req_auth\@"
+ . ( $ssl_host || 'nossl' )."\n"
+ . "---------\n$req";
+ print $cl "HTTP/1.1 200 ok\r\nContent-type: text/plain\r\n"
+ . "Connection: ".( $keep_alive ? 'keep-alive':'close' )."\r\n"
+ . "Content-length: ".length($body)."\r\n"
+ . "\r\n"
+ . $body;
+
+ goto REQUEST if $keep_alive;
+ exit(0); # done handling requests
+}
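Review bot: `tempfile( CLEANUP => 1 )` near the top of the file does not remove the CA file: `tempfile` takes `UNLINK => 1`, while `CLEANUP` is the `tempdir` option and is ignored here, so every run leaves a PEM file in the temp directory; `my ($fh,$fname) = tempfile( UNLINK => 1 );` fixes it. In `_server`, `read($cl,my $buf,$1) or die "eof while reading request body"` treats a `Content-length: 0` request as EOF because read returns 0 for a zero-length read; harmless for the GET-only requests in this test, but a `if $1` guard on that statement would make the helper reusable. The whole file is new, so everything referenced is inside the hunk.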
++++++ cpanspec.yml ++++++
---
#description_paragraphs: 3
#no_testing: broken upstream
#sources:
# - source1
# - source2
# Patches are presumably applied in the order listed (TODO confirm with
# cpanspec): the CVE patch's context lines contain the
# $suse_allows_mozilla_ca guard that only exists after the systemca
# patch has been applied, so systemca must stay first.
patches:
  # patch for using system certificates
  "%{cpan_name}-6.04-systemca.diff": -p1
  # see https://github.com/libwww-perl/lwp-protocol-https/pull/14
  CVE-2014-3230.patch: -p1
#preamble: |-
# BuildRequires: gcc-c++
#post_prep: |-
# hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'`
# sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL
#post_install: |-
# sed on %{name}.files
#license: SUSE-NonFree
#skip_noarch: 1
#custom_build: -
#./Build build flags=%{?_smp_mflags} --myflag
# The systemca patch removes Mozilla::CA from Makefile.PL's PREREQ_PM and
# the spec keeps its Requires commented out; this presumably stops the
# generator from re-adding an automatic perl(Mozilla::CA) dependency.
ignore_requires: Mozilla::CA