Hello community,

here is the log from the commit of package perl-IO-Socket-SSL.3712 for 
openSUSE:13.2:Update checked in at 2015-04-27 09:44:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/perl-IO-Socket-SSL.3712 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.perl-IO-Socket-SSL.3712.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-IO-Socket-SSL.3712"

Changes:
--------
New Changes file:

--- /dev/null   2015-03-12 01:14:30.992027505 +0100
+++ 
/work/SRC/openSUSE:13.2:Update/.perl-IO-Socket-SSL.3712.new/perl-IO-Socket-SSL.changes
      2015-04-27 09:44:33.000000000 +0200
@@ -0,0 +1,769 @@
+-------------------------------------------------------------------
+Fri Apr 17 12:32:39 UTC 2015 - [email protected]
+
+- add DHE-RSA to the default client cipher list to support PFS with
+  older machines (bnc#924976)
+  * added perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
+
+-------------------------------------------------------------------
+Fri Jul 25 09:32:05 UTC 2014 - [email protected]
+
+- updated to 1.997, huge Changes 
+
+-------------------------------------------------------------------
+Sat Mar 22 19:05:20 UTC 2014 - [email protected]
+
+- updated to 1.970
+ - fix rt#93987 by making sure sub default_ca does use a local $_ and not a
+   version of an outer scope which might be read-only.  Thanks to gshank
+ 1.969 2014/03/13
+ - fix set_defaults to match documentation regarding short names
+ - new function set_args_filter_hack to make it possible to override bad SSL
+   settings from other code at the last moment.
+ - determine default_ca on module load (and not on first use in each thread)
+ - don't try default hostname verification if verify_mode 0
+ - fix hostname verification when reusing context
+ 1.968 2014/03/13
+ - BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
+   for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file.
+   These defaults were depreceated since 1.951 (2013/7/3).
+ - Usable CA verification path on Windows etc:
+   Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
+   system/build dependended default verification path, because there was no
+   way to retrieve these default values and check if they contained usable
+   CA. Instead re-implement the same algorithm and export the results with
+   public function default_ca() and make it possible to overwrite it.
+   Also check for usable verification path during build.
+   If no usable path are detected require Mozilla::CA at build and try to
+   use it at runtime.
+
+-------------------------------------------------------------------
+Sun Feb  9 13:30:59 UTC 2014 - [email protected]
+
+- updated to 1.967
+ - verify the hostname inside a certificate by default with a superset of
+   common verification schemes instead of not verifying identity at all.
+   For now it will only complain if name verification failed, in the future
+   it will fail certificate verification, forcing you to set the expected
+   SSL_verifycn_name if you want to accept the certificate.
+ - new option SSL_fingerprint and new methods get_fingerprint and
+   get_fingerprint_bin. Together they can be used to selectively accept
+   specific certificates which would otherwise fail verification, like
+   self-signed, outdated or from unknown CAs.
+   This makes another reason to disable verification obsolete.
+ - Utils:
+   - default RSA key length 2048
+   - digest algorithm to sign certificate in CERT_create can be given,
+     defaults to SHA-256
+   - CERT_create can now issue non-CA selfsigned certificate
+   - CERT_create add some more useful constraints to certificate
+ - spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi
+ 1.966 2014/01/21
+ - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with
+   specifying !TLSv12, only !TLSv1_2 worked
+ - fixed leak of session objects in SessionCache, if another session 
+   replaced an existing session (introduced in 1.965)
+ 1.965 2014/01/16
+ - new key SSL_session_key to influence how sessions are inserted and looked
+   up in the clients session cache. This makes it possible to share sessions
+   over different ip:host (like required with some FTPS servers)
+ - t/core.t - handle case, were default loopback source is not 127.0.0.1, like
+   in FreeBSD jails
+ 1.964 2014/01/15
+ - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
+   the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
+ - The new syntax for the protocols is TLSv1_1 instead of TLSv11.
+
+-------------------------------------------------------------------
+Fri Nov 29 11:05:49 UTC 2013 - [email protected]
+
+- updated to 1.962
+ - work around problems with older F5 BIG-IP by offering fewer ciphers on the
+   client side by default, so that the client hello stays below 255 byte
+ - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
+   are not self-signed (by giving issuer_*)
+
+-------------------------------------------------------------------
+Tue Nov 26 07:34:03 UTC 2013 - [email protected]
+
+- updated to 1.960
+ only documentation enhancements:
+ - clarify with text and example code, that within event loops not only
+   select/poll should be used, but also pending has to be called.
+ - better introduction into SSL, at least mention anonymous authentication as
+   something you don't want and should take care with the right cipher
+ - make it more clear, that user better does not change the cipher list, unless
+   he really know what he is doing
+ 1.959 2013/11/12
+ - bugfix test core.t windows only
+ 1.958 2013/11/11
+ - cleanup: remove workaround for old IO::Socket::INET6 but instead require at
+   least version 2.55 which is now 5 years old
+ - fix t/session.t #RT90240, thanks to  paul[AT]city-fan[DOT]org
+ 1.957 2013/11/11
+ - fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
+   authorization. With the DH param given by default since 1.956 old versions 
of
+   openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
+   authorization) instead of AES256-SHA and thus the check for the peer
+   certificate failed (because ADH does not exchanges certificates).
+   Fixed by explicitly specifying HIGH:!aNULL as cipher
+   RT#90221, thanks to  paul[AT]city-fan[DOT]org
+ - cleaned up tests: 
+   - remove ssl_settings.req and 02settings.t, because all tests now create a
+     simple socket at 127.0.0.1 and thus global settings are no longer needed.
+   - some tests did not have use strict(!), fixed it.
+   - removed special handling for older Net::SSLeay versions, which are less 
than
+     our minimum requirement
+   - some syntax enhancements, removed some SSL_version and SSL_cipher_list
+     options where they were not really needed
+
+-------------------------------------------------------------------
+Fri Oct  4 09:11:21 UTC 2013 - [email protected]
+
+- updated to 1.954
+ - accept older versions of ExtUtils::MakeMaker and add meta information
+   like link to repository only for newer versions.
+
+-------------------------------------------------------------------
+Sat Jul 27 11:58:48 UTC 2013 - [email protected]
+
+- updated to 1.953
+ - fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at,
+   RT#87052
+ - fix t/acceptSSL-timeout.t on Win32, RT#86862
+
+-------------------------------------------------------------------
+Wed Jul  3 08:20:14 UTC 2013 - [email protected]
+
+- new version 0.951
+  * better document builtin defaults for key,cert,CA and how they are 
depreceated
+  * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use
+    openssl's builtin defaults for CA unless CA path/file was given
+  * MAJOR BEHAVIOR CHANGE:
+    ssl_verify_mode now defaults to verify_peer for client. Until
+    now it used verify_none, but loudly complained since 1.79 about
+    it. It will not complain any longer, but the connection might
+    probably fail. Please don't simply disable ssl verification, but
+    instead set SSL_ca_file etc so that verification succeeds!
+  * MAJOR BEHAVIOR CHANGE:
+    it will now complain if the builtin defaults of certs/my-ca.pem
+    or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert
+    and key are used, e.g. no certificates are specified explicitly.
+    In the future these insecure (relative path!) defaults will be
+    removed and the CA replaced with the system defaults.
+  * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
+    installed instead of reporting missing dependency to Net::SSLeay.
+  * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
+    years ago. Remove code to work around older releases.
+  * changed AUTHOR in Makefile.PL from array back to string, because the
+    array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
+  * Intercept: use sha1-fingerprint of original cert for id into cache unless 
+    otherwise given
+  * Fix pod error in IO::Socket::SSL::Utils RT#85733
+  * added IO::Socket::SSL::Utils for easier manipulation of certificates and 
keys
+  * moved SSL interception into IO::Socket::SSL::Intercept and simplified it 
+    using IO::Socket::SSL::Utils
+  * enhance meta information in Makefile.PL
+  * RT#85290, support more digest, especially SHA-2.
+    Thanks to ujvari[AT]microsec[DOT]hu
+  * added support for easy SSL interception (man in the middle) based
+    on ideas found in mojo*mitm proxy (which was written by Karel Miko)
+  * make 1.46 the minimal required version for Net::SSLeay, because it 
+    introduced lots of useful functions.
+  * if IO::Socket::IP is used it should be at least version 0.20, o
+  * Spelling corrections, thanks to dsteinbrunner
+- remove the dependency on IO::Socket::INET6 as it breaks the test suite
+
+-------------------------------------------------------------------
+Sat May 11 22:51:07 UTC 2013 - [email protected]
+
+- update to 1.88
+  + consider a value of '' the same as undef for SSL_ca_(path|file)
+  + complain if given SSL_(key|cert|ca)_(file|path) do not exist or
+    if they are not readable
+  + disabled client side SNI for openssl version < 1.0.0 
+  + added functions can_client_sni, can_server_sni, can_npn to check 
+    avaibility of SNI and NPN features. Added more documentation for 
+    SNI and NPN
+  + Server Name Indication (SNI) support on the server side 
+  + sub error sets $SSL_ERROR etc only if there really is an error,
+    otherwise it will keep the latest error. This causes
+    IO::Socket::SSL->new.. to report the correct problem, even if
+    the problem is deeper in the code (like in connect)
+  + deprecated set_ctx_defaults, new name ist set_defaults
+  + changed handling of default path for SSL_(ca|cert|key)* keys: either
+    if one of these keys is user defined don't add defaults for the
+    others, e.g.  don't mix user settings and defaults
+  + cleaner handling of module defaults vs. global settings vs. socket
++++ 572 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:13.2:Update/.perl-IO-Socket-SSL.3712.new/perl-IO-Socket-SSL.changes
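Review bot: The 25 Jul 2014 entry says only "updated to 1.997, huge Changes", which leaves the jump from 1.970 to 1.997 as the one version update in the visible part of this file with no upstream change summary. The other update entries list behaviour changes such as verification defaults. Suggest summarizing at least the behaviour-changing items from the upstream Changes file for that range. Separately, the 3 Jul 2013 entry reads "new version 0.951", while the 1.968 notes refer to 1.951 (2013/7/3), so this looks like a typo for 1.951.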

New:
----
  IO-Socket-SSL-1.997.tar.gz
  perl-IO-Socket-SSL.changes
  perl-IO-Socket-SSL.spec
  perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
#
# spec file for package perl-IO-Socket-SSL
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           perl-IO-Socket-SSL
Version:        1.997
Release:        0
%define cpan_name IO-Socket-SSL
Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET.
License:        Artistic-1.0 or GPL-1.0+
Group:          Development/Libraries/Perl
Url:            http://search.cpan.org/dist/IO-Socket-SSL/
Source:         http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
Patch:          perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  perl
BuildRequires:  perl-macros
BuildRequires:  perl(Net::SSLeay) >= 1.46
Requires:       perl(Net::SSLeay) >= 1.46
%{perl_requires}

%description
IO::Socket::SSL makes using SSL/TLS much easier by wrapping the necessary
functionality into the familiar IO::Socket interface and
providing secure defaults whenever possible. This way existing applications
can be made SSL-aware without much effort, at least if you do blocking I/O
and don't use select or poll.

But under the hood, SSL is a complex beast. So there are lots of methods to
make it do what you need if the default behavior is not adequate. Because
it is easy to inadvertently introduce critical security bugs or just
run into hard-to-debug problems, I would recommend studying the following
documentation carefully.

The documentation consists of the following parts:

* "Essential Information About SSL/TLS"
* "Basic SSL Client"
* "Basic SSL Server"
* "Common Usage Errors"
* "Common Problems with SSL"
* "Using Non-Blocking Sockets"
* "Advanced Usage"
* "Integration Into Own Modules"
* "Description Of Methods"

Additional documentation can be found in

* IO::Socket::SSL::Intercept - Doing Man-In-The-Middle with SSL
* IO::Socket::SSL::Utils - Useful functions for certificates etc

%prep
%setup -q -n %{cpan_name}-%{version}
%patch -p1

%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
%{__make} %{?_smp_mflags}

%check
%{__make} test

%install
%perl_make_install
%perl_process_packlist
%perl_gen_filelist

%files -f %{name}.files
%defattr(-,root,root,755)
%doc BUGS Changes example README README.Win32 util

%changelog
++++++ perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch ++++++
Index: IO-Socket-SSL-1.997/lib/IO/Socket/SSL.pm
===================================================================
--- IO-Socket-SSL-1.997.orig/lib/IO/Socket/SSL.pm       2014-07-12 
19:12:40.000000000 +0200
+++ IO-Socket-SSL-1.997/lib/IO/Socket/SSL.pm    2015-04-18 11:42:43.479132579 
+0200
@@ -126,6 +126,9 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
            DHE-DSS-AES128-SHA
            DHE-DSS-AES256-SHA256
            DHE-DSS-AES256-SHA
+            DHE-RSA-AES128-SHA
+            DHE-RSA-AES256-SHA256
+            DHE-RSA-AES256-SHA
            AES128-SHA256
            AES128-SHA
            AES256-SHA256
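Review bot: The three DHE-RSA suites added to %DEFAULT_SSL_CLIENT_ARGS lengthen the default client cipher list, and the 1.962 entry in the .changes file says that list was deliberately shortened so the client hello stays below 255 bytes for older F5 BIG-IP. Each suite adds two bytes to the ClientHello, so please confirm the hello built from these defaults still fits under that limit, or record in the changelog that the workaround was rechecked. The patch file also carries no description header; a short line referencing bnc#924976 and the upstream status would help whoever rebases it.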
