Hello community,

here is the log from the commit of package perl-IO-Socket-SSL for 
openSUSE:Factory checked in at 2017-10-26 18:39:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
 and      /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-IO-Socket-SSL"

Thu Oct 26 18:39:45 2017 rev:75 rq:535945 version:2.052

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes    
2017-09-25 13:49:09.165478348 +0200
+++ 
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes   
    2017-10-26 18:39:46.316864228 +0200
@@ -1,0 +2,14 @@
+Mon Oct 23 05:26:14 UTC 2017 - [email protected]
+
+- updated to 2.052
+   see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+  2.052 2017/10/22
+  - disable NPN support if LibreSSL>=2.6.1 is detected since they've replaced 
the
+    functions with dummies instead of removing NPN completly or setting
+    OPENSSL_NO_NEXTPROTONEG
+  - t/01loadmodule.t shows more output helpful in debugging problems
+  - update fingerprints for extenal tests
+  - update documentation to make behavior of syswrite more clear
+
+-------------------------------------------------------------------

Old:
----
  IO-Socket-SSL-2.051.tar.gz

New:
----
  IO-Socket-SSL-2.052.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.J0sTE9/_old  2017-10-26 18:39:46.988832876 +0200
+++ /var/tmp/diff_new_pack.J0sTE9/_new  2017-10-26 18:39:46.992832690 +0200
@@ -17,14 +17,14 @@
 
 
 Name:           perl-IO-Socket-SSL
-Version:        2.051
+Version:        2.052
 Release:        0
 %define cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET
 License:        Artistic-1.0 or GPL-1.0+
 Group:          Development/Libraries/Perl
 Url:            http://search.cpan.org/dist/IO-Socket-SSL/
-Source0:        
http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
+Source0:        
https://cpan.metacpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
 Source1:        cpanspec.yml
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ IO-Socket-SSL-2.051.tar.gz -> IO-Socket-SSL-2.052.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/Changes 
new/IO-Socket-SSL-2.052/Changes
--- old/IO-Socket-SSL-2.051/Changes     2017-09-05 11:26:19.000000000 +0200
+++ new/IO-Socket-SSL-2.052/Changes     2017-10-22 10:42:18.000000000 +0200
@@ -1,3 +1,10 @@
+2.052 2017/10/22
+- disable NPN support if LibreSSL>=2.6.1 is detected since they've replaced the
+  functions with dummies instead of removing NPN completly or setting
+  OPENSSL_NO_NEXTPROTONEG
+- t/01loadmodule.t shows more output helpful in debugging problems
+- update fingerprints for extenal tests
+- update documentation to make behavior of syswrite more clear
 2.051 2017/09/05
 - syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
   OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/META.json 
new/IO-Socket-SSL-2.052/META.json
--- old/IO-Socket-SSL-2.051/META.json   2017-09-05 11:27:36.000000000 +0200
+++ new/IO-Socket-SSL-2.052/META.json   2017-10-22 10:44:13.000000000 +0200
@@ -50,5 +50,5 @@
          "url" : "https://github.com/noxxi/p5-io-socket-ssl";
       }
    },
-   "version" : "2.051"
+   "version" : "2.052"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/META.yml 
new/IO-Socket-SSL-2.052/META.yml
--- old/IO-Socket-SSL-2.051/META.yml    2017-09-05 11:27:36.000000000 +0200
+++ new/IO-Socket-SSL-2.052/META.yml    2017-10-22 10:44:13.000000000 +0200
@@ -25,4 +25,4 @@
   homepage: https://github.com/noxxi/p5-io-socket-ssl
   license: http://dev.perl.org/licenses/
   repository: https://github.com/noxxi/p5-io-socket-ssl
-version: '2.051'
+version: '2.052'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/lib/IO/Socket/SSL.pm 
new/IO-Socket-SSL-2.052/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-2.051/lib/IO/Socket/SSL.pm        2017-09-05 
11:22:49.000000000 +0200
+++ new/IO-Socket-SSL-2.052/lib/IO/Socket/SSL.pm        2017-10-22 
10:38:52.000000000 +0200
@@ -13,7 +13,7 @@
 
 package IO::Socket::SSL;
 
-our $VERSION = '2.051';
+our $VERSION = '2.052';
 
 use IO::Socket;
 use Net::SSLeay 1.46;
@@ -70,7 +70,21 @@
 BEGIN {
     $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
     $can_server_sni = defined &Net::SSLeay::get_servername;
-    $can_npn        = defined &Net::SSLeay::P_next_proto_negotiated;
+    if ($can_npn = defined &Net::SSLeay::P_next_proto_negotiated and
+       Net::SSLeay::SSLeay_version(0) =~m{^LibreSSL\s+(\d+)\.(\d+)\.(\d+)}) {
+       # LibreSSL 2.6.1 disabled NPN by keeping the relevant functions
+       # available but remove the actual functionality from these functions. It
+       # does not set OPENSSL_NO_NEXTPROTONEG as OpenSSL does in case NPN is
+       # not supported, which means one need to rely on checking the LibreSSL
+       # version instead.
+       $can_npn =
+           $1 < 2 ? $can_npn :       # version 1.x.y
+           $1 > 2 ? 0 :              # version 3.x.y
+           $2 < 6 ? $can_npn :       # version 2.5.y and lower
+           $2 > 6 ? 0 :              # version 2.7.y and higher
+           $3 == 0 ? $can_npn :      # version 2.6.0
+           0;                        # version 2.6.1 and higher
+    }
     $can_alpn       = defined &Net::SSLeay::CTX_set_alpn_protos;
     $can_ecdh       = defined &Net::SSLeay::CTX_set_tmp_ecdh &&
        # There is a regression with elliptic curves on 1.0.1d with 64bit
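Review bot: The six-way chained ternary that decides `$can_npn` for LibreSSL is hard to check by eye, and its comments understate the branches (`$1 > 2` is labelled "version 3.x.y" but covers every later major version too). The same decision reads more directly as one guarded assignment, `$can_npn = 0 if $1 > 2 || ($1 == 2 && ($2 > 6 || ($2 == 6 && $3 >= 1)));`, which leaves the value from `defined &Net::SSLeay::P_next_proto_negotiated` untouched for anything older than 2.6.1. A comment should also say that a LibreSSL version string not matching `^LibreSSL\s+(\d+)\.(\d+)\.(\d+)` leaves NPN enabled, so the stubbed functions would then be used silently. The BEGIN block continues past the end of this hunk.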
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/lib/IO/Socket/SSL.pod 
new/IO-Socket-SSL-2.052/lib/IO/Socket/SSL.pod
--- old/IO-Socket-SSL-2.051/lib/IO/Socket/SSL.pod       2017-04-27 
20:43:14.000000000 +0200
+++ new/IO-Socket-SSL-2.052/lib/IO/Socket/SSL.pod       2017-09-05 
11:35:57.000000000 +0200
@@ -1490,9 +1490,9 @@
 L<IO::Socket> objects, e.g. it will write at most LEN bytes to the socket, but
 there is no guarantee, that all LEN bytes are written. It will return the 
number
 of bytes written.
-syswrite will write all the data within a single SSL frame, which means, that
-no more than 16.384 bytes, which is the maximum size of an SSL frame, can be
-written at once.
+Because it basically just calls SSL_write from OpenSSL syswrite will write at
+most a single SSL frame. This means, that no more than 16.384 bytes, which is
+the maximum size of an SSL frame, will be written at once.
 
 For non-blocking sockets SSL specific behavior applies.
 Pease read the specific section in this documentation.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/t/01loadmodule.t 
new/IO-Socket-SSL-2.052/t/01loadmodule.t
--- old/IO-Socket-SSL-2.051/t/01loadmodule.t    2017-04-27 20:43:14.000000000 
+0200
+++ new/IO-Socket-SSL-2.052/t/01loadmodule.t    2017-10-22 10:38:29.000000000 
+0200
@@ -7,7 +7,11 @@
 
 ok( eval { require IO::Socket::SSL },"loaded");
 
-diag( sprintf( "openssl version=0x%0x", 
Net::SSLeay::OPENSSL_VERSION_NUMBER()));
+diag( sprintf( "openssl version compiled=0x%0x linked=0x%0x -- %s", 
+    Net::SSLeay::OPENSSL_VERSION_NUMBER(),
+    Net::SSLeay::SSLeay(),
+    Net::SSLeay::SSLeay_version(0)));
+
 diag( sprintf( "Net::SSLeay version=%s", $Net::SSLeay::VERSION));
 diag( sprintf( "parent %s version=%s", $_, $_->VERSION))
     for (@IO::Socket::SSL::ISA);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/t/external/fingerprint.pl 
new/IO-Socket-SSL-2.052/t/external/fingerprint.pl
--- old/IO-Socket-SSL-2.051/t/external/fingerprint.pl   2017-04-27 
20:43:14.000000000 +0200
+++ new/IO-Socket-SSL-2.052/t/external/fingerprint.pl   2017-09-23 
12:40:04.000000000 +0200
@@ -1,61 +1,134 @@
-[
-    {
-        # this should give us OCSP stapling
-        host => 'www.chksum.de',
-        port => 443,
-       fingerprint => 'sha1$pub$1047d24a7e2da2e369b4748d2309bc10c4ee2af0',
-       ocsp => { staple => 1 },
-    },
-    {
-        # no OCSP stapling 
-        host => 'www.spiegel.de',
-        port => 443,
-        fingerprint => 'sha1$ad737048455485d8c817b7d0f7403553a7b9f65b',
-       ocsp => { staple => 0 },
-       subject_hash_ca => '578d5c04',
-    },
-    {
-        # this is revoked
-        host => 'revoked.grc.com',
-        port => 443,
-        fingerprint => 'sha1$310665f4c8e78db761c764e798dca66047341264',
-       ocsp => { revoked => 1 },
-    },
-    {
-        host => 'www.yahoo.com',
-        port => 443,
-        fingerprint => 'sha1$413072f803ce961210e9a45d10da14b0d2d48532',
-       subject_hash_ca => '415660c1',
-    },
-    {
-        host => 'www.comdirect.de',
-        port => 443,
-        fingerprint => 'sha1$98e2aceff740fb0557ab221d464237b141fdb5aa',
-       subject_hash_ca => '415660c1',
-    },
-    {
-        host => 'meine.deutsche-bank.de',
-        port => 443,
-        fingerprint => 'sha1$5df0a055a5db14830285f356c60fa262c0e04778',
-       subject_hash_ca => '415660c1',
-    },
-    {
-        host => 'www.twitter.com',
-        port => 443,
-        fingerprint => 'sha1$14a16b4213412064debbe08adcf36f417e5077d5',
-       subject_hash_ca => '244b5494',
-    },
-    {
-        host => 'www.facebook.com',
-        port => 443,
-        fingerprint => 'sha1$a04eafb348c26b15a8c1aa87a333caa3cdeec9c9',
-       subject_hash_ca => '244b5494',
-    },
-    {
-        host => 'www.live.com',
-        port => 443,
-        fingerprint => 'sha1$0e37dc9b320d2526e93e360a26c824b202d1f3af',
-       subject_hash_ca => 'b204d74a',
-    },
+# to update fingerprints in this file:
+# perl -e 'do q[t/external/fingerprint.pl]; update_fingerprints()'
 
-];
+use strict;
+use warnings;
+use IO::Socket::SSL;
+
+# --- BEGIN-FINGERPRINTS ----
+my $fingerprints= [
+  {
+    _ => 'this should give us OCSP stapling',
+    fingerprint => 'sha1$cc7084a0fb728b432fd78ae52da4a1980c81a6cf',
+    host => 'www.chksum.de',
+    ocsp => {
+             staple => 1
+           },
+    port => 443
+  },
+  {
+    _ => 'no OCSP stapling',
+    fingerprint => 'sha1$ad737048455485d8c817b7d0f7403553a7b9f65b',
+    host => 'www.spiegel.de',
+    ocsp => {
+             staple => 0
+           },
+    port => 443,
+    subject_hash_ca => '2c543cd1'
+  },
+  {
+    _ => 'this is revoked',
+    fingerprint => 'sha1$f9e8b1854e627c2f261b92b6de4a9bb0b139dcc3',
+    host => 'revoked.grc.com',
+    ocsp => {
+             revoked => 1
+           },
+    port => 443
+  },
+  {
+    fingerprint => 'sha1$dc0866cdf51594fd85ccf249d507164552828ad2',
+    host => 'www.yahoo.com',
+    port => 443,
+    subject_hash_ca => '244b5494'
+  },
+  {
+    fingerprint => 'sha1$cda53778d01ff728fe90fe0399b17586f1aef0bf',
+    host => 'www.comdirect.de',
+    port => 443,
+    subject_hash_ca => '02265526'
+  },
+  {
+    fingerprint => 'sha1$27d647fd859bf824d9f537a09aa98e4923fb6942',
+    host => 'meine.deutsche-bank.de',
+    port => 443,
+    subject_hash_ca => 'c01cdfa2'
+  },
+  {
+    fingerprint => 'sha1$682d7ff1b13e095bf5daaa632ece51f4df5bb155',
+    host => 'www.twitter.com',
+    port => 443,
+    subject_hash_ca => '244b5494'
+  },
+  {
+    fingerprint => 'sha1$936f912bafad216fa515256e572cdc35a1451aa5',
+    host => 'www.facebook.com',
+    port => 443,
+    subject_hash_ca => '244b5494'
+  },
+  {
+    fingerprint => 'sha1$3b9e5cc01313b6f86709646f1be4a057ed75bcc9',
+    host => 'www.live.com',
+    port => 443,
+    subject_hash_ca => '653b494a'
+  }
+]
+;
+# --- END-FINGERPRINTS ----
+
+
+sub update_fingerprints {
+    my $changed;
+    for my $fp (@$fingerprints) {
+       my $cl = IO::Socket::INET->new(
+           PeerHost => $fp->{host},
+           PeerPort => $fp->{port} || 443,
+           Timeout => 10,
+       );
+       my $root;
+       if (!$cl) {
+           warn "E $fp->{host}:$fp->{port} - TCP connect failed: $!\n";
+       } elsif (!IO::Socket::SSL->start_SSL($cl,
+           Timeout => 10,
+           SSL_ocsp_mode => 0,
+           SSL_verify_callback => sub {
+               my ($cert,$depth) = @_[4,5];
+               $root ||= $cert;
+               return 1;
+           }
+       )) {
+           warn "E $fp->{host}:$fp->{port} - SSL handshake failed: 
$SSL_ERROR\n";
+       } else {
+           my $sha1 = $cl->get_fingerprint('sha1');
+           if ($sha1 eq $fp->{fingerprint}) {
+               warn "N $fp->{host}:$fp->{port} - fingerprint as expected\n";
+           } else {
+               warn "W $fp->{host}:$fp->{port} - fingerprint changed from 
$fp->{fingerprint} to $sha1\n";
+               $fp->{fingerprint} = $sha1;
+               $changed++;
+           }
+           if ($root and $fp->{subject_hash_ca}) {
+               my $hash = 
sprintf("%08x",Net::SSLeay::X509_subject_name_hash($root));
+               if ($fp->{subject_hash_ca} eq $hash) {
+                   warn "N $fp->{host}:$fp->{port} - subject_hash_ca as 
expected\n";
+               } else {
+                   warn "N $fp->{host}:$fp->{port} - subject_hash_ca changed 
from $fp->{subject_hash_ca} to $hash\n";
+                   $fp->{subject_hash_ca} = $hash;
+                   $changed++;
+               }
+           }
+       }
+    }
+    if ($changed) {
+       require Data::Dumper;
+       open(my $fh,'<',__FILE__) or die $!;
+       my $pl = do { local $/; <$fh> };
+       my $new = 'my $fingerprints= 
'.Data::Dumper->new([$fingerprints])->Terse(1)->Quotekeys(0)->Sortkeys(1)->Dump().";\n";
+       $pl =~ s{^(# --- BEGIN-FINGERPRINTS ----\s*\n)(.*)^(# --- 
END-FINGERPRINTS ----\s*\n)}{$1$new$3}ms
+           or die "did not find BEGIN and END markers in ".__FILE__;
+       open($fh,'>',__FILE__) or die $!;
+       print $fh $pl;
+       warn __FILE__." updated\n";
+    }
+}
+
+$fingerprints;
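Review bot: In `update_fingerprints` the `SSL_verify_callback` ends with `return 1;` and `SSL_ocsp_mode => 0` is set, so every certificate is accepted and whatever the peer presents during the update run is written back as the new pinned `fingerprint` and `subject_hash_ca`. If the update is run on a network where the connection is intercepted, the interceptor's certificate becomes the expected value for the external tests. Returning the pre-verification result instead, `return $_[0];`, would still let the callback record `$root` while keeping chain validation, assuming the listed hosts validate against the default CA store. At minimum the sub deserves a comment saying the rewritten values must be reviewed before they are committed. Separately, the comparison always uses `get_fingerprint('sha1')`, so an entry pinned as `sha1$pub$…` (as the removed www.chksum.de entry was) is reported as changed and replaced by a certificate fingerprint.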
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.051/t/external/usable_ca.t 
new/IO-Socket-SSL-2.052/t/external/usable_ca.t
--- old/IO-Socket-SSL-2.051/t/external/usable_ca.t      2017-04-27 
20:43:14.000000000 +0200
+++ new/IO-Socket-SSL-2.052/t/external/usable_ca.t      2017-09-23 
14:41:00.000000000 +0200
@@ -135,7 +135,7 @@
            } elsif ( $SSL_ERROR =~m{verify failed} ) {
                fail("SSL upgrade $host with default CA and $cap: $SSL_ERROR");
            } else {
-               pass("SSL upgrade $host with no CA failed but not because of 
verify problem: $SSL_ERROR");
+               pass("SSL upgrade $host with default CA and $cap failed but not 
because of verify problem: $SSL_ERROR");
            }
        }
 

