Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-IO-Socket-SSL for openSUSE:Factory checked in at 2022-08-07 18:33:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old) and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.1521 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL" Sun Aug 7 18:33:48 2022 rev:92 rq:993431 version:2.074 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes 2022-01-14 23:12:59.994622479 +0100 +++ /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.1521/perl-IO-Socket-SSL.changes 2022-08-07 18:33:53.569146404 +0200 @@ -1,0 +2,6 @@ +Thu Jun 9 16:41:18 UTC 2022 - David Anes <[email protected]> + +- (bsc#1200295) follow system "PROFILE=SYSTEM" openSSL ciphers + * Add perl-IO-Socket-SSL-use-system-default-cipher-list.patch + +------------------------------------------------------------------- New: ---- perl-IO-Socket-SSL-use-system-default-cipher-list.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-IO-Socket-SSL.spec ++++++ --- /var/tmp/diff_new_pack.RWvRzo/_old 2022-08-07 18:33:54.077147881 +0200 +++ /var/tmp/diff_new_pack.RWvRzo/_new 2022-08-07 18:33:54.085147904 +0200 @@ -25,6 +25,9 @@ URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml +# (bsc#1200295) perl-IO-Socket-SSL doesn't follow system "PROFILE=SYSTEM" openSSL ciphers +# UPSTREAM PATCH: https://git.centos.org/rpms/perl-IO-Socket-SSL/blob/e0b0ae04f5cdb41b1f29cb7d76c23abba7ac35e9/f/SOURCES/IO-Socket-SSL-2.066-use-system-default-cipher-list.patch +Patch0: perl-IO-Socket-SSL-use-system-default-cipher-list.patch BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros @@ -74,7 +77,7 @@ * * IO::Socket::SSL::Utils - Useful functions for certificates etc %prep -%autosetup -n %{cpan_name}-%{version} +%autosetup -n %{cpan_name}-%{version} -p1 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build ++++++ cpanspec.yml ++++++ --- /var/tmp/diff_new_pack.RWvRzo/_old 2022-08-07 18:33:54.137148055 +0200 +++ /var/tmp/diff_new_pack.RWvRzo/_new 2022-08-07 18:33:54.141148066 +0200 @@ -1,4 +1,5 @@ patches: + perl-IO-Socket-SSL-use-system-default-cipher-list.patch: -p1 ignore_requires: Mozilla::CA prep: |- rm README.Win32 ++++++ perl-IO-Socket-SSL-use-system-default-cipher-list.patch ++++++ Index: IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm =================================================================== --- IO-Socket-SSL-2.074.orig/lib/IO/Socket/SSL.pm +++ IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm @@ -205,8 +205,10 @@ my %DEFAULT_SSL_ARGS = ( SSL_npn_protocols => undef, # meaning depends whether on server or client side SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] - # rely on system default but be sure to disable some definitely bad ones - SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP', + # Use system-wide default cipher list to support use of system-wide + # crypto policy (#1076390, #1127577, CPAN RT#97816) + # https://fedoraproject.org/wiki/Changes/CryptoPolicy + SSL_cipher_list => 'PROFILE=SYSTEM', ); my %DEFAULT_SSL_CLIENT_ARGS = ( Index: IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod =================================================================== --- IO-Socket-SSL-2.074.orig/lib/IO/Socket/SSL.pod +++ IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod @@ -1070,9 +1070,8 @@ ciphers for TLS 1.2 and lower. See the O for more details. Unless you fail to contact your peer because of no shared ciphers it is -recommended to leave this option at the default setting, which uses the system -default but disables some insecure ciphers which might still be enabled on older -systems. +recommended to leave this option at the default setting, which honors the +system-wide PROFILE=SYSTEM cipher list. In case different cipher lists are needed for different SNI hosts a hash can be given with the host as key and the cipher suite as value, similar to
