Hello community,

here is the log from the commit of package perl-IO-Socket-SSL for 
openSUSE:Factory checked in at 2018-02-21 14:06:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
 and      /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-IO-Socket-SSL"

Wed Feb 21 14:06:56 2018 rev:77 rq:578432 version:2.056

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes    
2018-02-15 13:19:29.409080158 +0100
+++ 
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes   
    2018-02-21 14:06:59.583865175 +0100
@@ -1,0 +2,31 @@
+Tue Feb 20 06:26:27 UTC 2018 - [email protected]
+
+- updated to 2.056
+   see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+  2.056 2018/02/19
+  - Intercept - fix creation of serial number: base it on binary digest 
instead of
+    treating hex fingerprint as binary. Allow use of own serial numbers again.
+  - t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
+  - update PublicSuffix
+
+-------------------------------------------------------------------
+Fri Feb 16 06:32:08 UTC 2018 - [email protected]
+
+- updated to 2.055
+   see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+  2.055 2018/02/15
+  - use SNI also if hostname was given all-uppercase
+  - Utils::CERT_create - don't add authority key for issuer since Chrome does
+    not like this
+  - Intercept: 
+    - change behavior of code based cache to better support synchronizing
+      within multiprocess/threaded setups
+    - don't use counter for serial number but somehow base it on original
+      certificate in order to avoid conflicts with reuse of serial numbers
+      after restart
+  - RT#124431 - better support platforms w/o IPv6
+  - RT#124306 - spelling fixes in documentation
+
+-------------------------------------------------------------------

Old:
----
  IO-Socket-SSL-2.054.tar.gz

New:
----
  IO-Socket-SSL-2.056.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.pAHbWI/_old  2018-02-21 14:07:00.547830488 +0100
+++ /var/tmp/diff_new_pack.pAHbWI/_new  2018-02-21 14:07:00.547830488 +0100
@@ -17,11 +17,11 @@
 
 
 Name:           perl-IO-Socket-SSL
-Version:        2.054
+Version:        2.056
 Release:        0
 %define cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET
-License:        Artistic-1.0 or GPL-1.0+
+License:        Artistic-1.0 OR GPL-1.0-or-later
 Group:          Development/Libraries/Perl
 Url:            http://search.cpan.org/dist/IO-Socket-SSL/
 Source0:        
https://cpan.metacpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz

++++++ IO-Socket-SSL-2.054.tar.gz -> IO-Socket-SSL-2.056.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/Changes 
new/IO-Socket-SSL-2.056/Changes
--- old/IO-Socket-SSL-2.054/Changes     2018-01-22 06:09:45.000000000 +0100
+++ new/IO-Socket-SSL-2.056/Changes     2018-02-19 07:31:57.000000000 +0100
@@ -1,3 +1,20 @@
+2.056 2018/02/19
+- Intercept - fix creation of serial number: base it on binary digest instead 
of
+  treating hex fingerprint as binary. Allow use of own serial numbers again.
+- t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
+- update PublicSuffix
+2.055 2018/02/15
+- use SNI also if hostname was given all-uppercase
+- Utils::CERT_create - don't add authority key for issuer since Chrome does
+  not like this
+- Intercept: 
+  - change behavior of code based cache to better support synchronizing
+    within multiprocess/threaded setups
+  - don't use counter for serial number but somehow base it on original
+    certificate in order to avoid conflicts with reuse of serial numbers
+    after restart
+- RT#124431 - better support platforms w/o IPv6
+- RT#124306 - spelling fixes in documentation
 2.054 2018/01/22
 - added missing test certificates to MANIFEST
 2.053 2018/01/21
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/MANIFEST 
new/IO-Socket-SSL-2.056/MANIFEST
--- old/IO-Socket-SSL-2.054/MANIFEST    2018-01-22 06:10:56.000000000 +0100
+++ new/IO-Socket-SSL-2.056/MANIFEST    2018-02-19 07:34:36.000000000 +0100
@@ -3,14 +3,12 @@
 certs/client-key.enc
 certs/client-key.pem
 certs/create-certs.pl
-certs/my-ca.pem
 certs/proxyca.pem
 certs/server-cert.der
 certs/server-cert.pem
 certs/server-key.der
 certs/server-key.enc
 certs/server-key.pem
-certs/server-rsa384-dh.pem
 certs/server-wildcard.pem
 certs/server.p12
 certs/server2-cert.pem
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/META.json 
new/IO-Socket-SSL-2.056/META.json
--- old/IO-Socket-SSL-2.054/META.json   2018-01-22 06:10:56.000000000 +0100
+++ new/IO-Socket-SSL-2.056/META.json   2018-02-19 07:34:36.000000000 +0100
@@ -50,5 +50,5 @@
          "url" : "https://github.com/noxxi/p5-io-socket-ssl";
       }
    },
-   "version" : "2.054"
+   "version" : "2.056"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/META.yml 
new/IO-Socket-SSL-2.056/META.yml
--- old/IO-Socket-SSL-2.054/META.yml    2018-01-22 06:10:56.000000000 +0100
+++ new/IO-Socket-SSL-2.056/META.yml    2018-02-19 07:34:36.000000000 +0100
@@ -25,4 +25,4 @@
   homepage: https://github.com/noxxi/p5-io-socket-ssl
   license: http://dev.perl.org/licenses/
   repository: https://github.com/noxxi/p5-io-socket-ssl
-version: '2.054'
+version: '2.056'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/Intercept.pm 
new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Intercept.pm
--- old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/Intercept.pm      2017-04-27 
20:43:14.000000000 +0200
+++ new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Intercept.pm      2018-02-19 
07:27:32.000000000 +0100
@@ -6,7 +6,8 @@
 use IO::Socket::SSL::Utils;
 use Net::SSLeay;
 
-our $VERSION = '2.014';
+our $VERSION = '2.056';
+
 
 sub new {
     my ($class,%args) = @_;
@@ -37,13 +38,34 @@
     }
 
     my $cache = delete $args{cache} || {};
+    if (ref($cache) eq 'CODE') {
+       # check cache type
+       my $type = $cache->('type');
+       if (!$type) {
+           # old cache interface - change into new interface
+           # get: $cache->(fp)
+           # set: $cache->(fp,cert,key)
+           my $oc = $cache;
+           $cache = sub {
+               my ($fp,$create_cb) = @_;
+               my @ck = $oc->($fp);
+               $oc->($fp, @ck = &$create_cb) if !@ck;
+               return @ck;
+           };
+       } elsif ($type == 1) {
+           # current interface:
+           # get/set: $cache->(fp,cb_create)
+       } else {
+           die "invalid type of cache: $type";
+       }
+    }
 
     my $self = bless {
        cacert => $cacert,
        cakey => $cakey,
        certkey => $certkey,
-       serial => delete $args{serial} || 1,
        cache => $cache,
+       serial => delete $args{serial},
     };
     return $self;
 }
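Review bot: the type probe `my $type = $cache->('type');` in the new `ref($cache) eq 'CODE'` branch is also sent to callbacks written for the old interface, which will treat `'type'` as an ordinary ident lookup. Any such callback that returns a true value other than 1 for an unknown ident now makes `new` die with "invalid type of cache", and a non-numeric return value triggers a numeric-comparison warning at `$type == 1`. Consider a string comparison for the check, and add a comment that old callbacks must return nothing for the `'type'` ident.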
@@ -67,57 +89,42 @@
 sub clone_cert {
     my ($self,$old_cert,$clone_key) = @_;
 
-    $clone_key ||= 
substr(unpack("H*",Net::SSLeay::X509_get_fingerprint($old_cert,'sha1')),0,16);
-    if ( my ($clone,$key) = _get_cached($self,$clone_key)) {
-       return ($clone,$key);
-    }
-
-    # create new certificate based on original
-    # copy most but not all extensions
     my $hash = CERT_asHash($old_cert);
-    if (my $ext = $hash->{ext}) {
-       @$ext = grep {
-           defined($_->{sn}) && $_->{sn} !~m{^(?:
-               authorityInfoAccess    |
-               subjectKeyIdentifier   |
-               authorityKeyIdentifier |
-               certificatePolicies    |
-               crlDistributionPoints
-           )$}x
-       } @$ext;
-    }
-    my ($clone,$key) = CERT_create(
-       %$hash,
-       serial => $self->{serial}++,
-       issuer_cert => $self->{cacert},
-       issuer_key => $self->{cakey},
-       key => $self->{certkey},
-    );
-
-    # put into cache
-    _set_cached($self,$clone_key,$clone,$key);
-
-    return ($clone,$key);
-}
+    my $create_cb = sub {
+       # if not in cache create new certificate based on original
+       # copy most but not all extensions
+       if (my $ext = $hash->{ext}) {
+           @$ext = grep {
+               defined($_->{sn}) && $_->{sn} !~m{^(?:
+                   authorityInfoAccess    |
+                   subjectKeyIdentifier   |
+                   authorityKeyIdentifier |
+                   certificatePolicies    |
+                   crlDistributionPoints
+               )$}x
+           } @$ext;
+       }
+       my ($clone,$key) = CERT_create(
+           %$hash,
+           issuer_cert => $self->{cacert},
+           issuer_key => $self->{cakey},
+           key => $self->{certkey},
+           serial => defined($self->{serial}) ? ++$self->{serial} : 
+               (unpack('L',$hash->{x509_digest_sha256}))[0],
+       );
+       return ($clone,$key);
+    };
 
-sub _get_cached {
-    my ($self,$clone_key) = @_;
+    $clone_key ||= substr(unpack("H*", $hash->{x509_digest_sha256}),0,32);
     my $c = $self->{cache};
-    return $c->($clone_key) if ref($c) eq 'CODE';
-    my $e = $c->{$clone_key} or return;
-    $e->{atime} = time();
-    return ($e->{cert},$e->{key} || $self->{certkey});
-}
+    return $c->($clone_key,$create_cb) if ref($c) eq 'CODE';
 
-sub _set_cached {
-    my ($self,$clone_key,$cert,$key) = @_;
-    my $c = $self->{cache};
-    return $c->($clone_key,$cert,$key) if ref($c) eq 'CODE';
-    $c->{$clone_key} = { 
-       cert => $cert, 
-       $self->{certkey} && $self->{certkey} == $key ? () : ( key => $key ),
-       atime => time() 
+    my $e = $c->{$clone_key} ||= do {
+       my ($cert,$key) = &$create_cb;
+       { cert => $cert, key => $key };
     };
+    $e->{atime} = time();
+    return ($e->{cert},$e->{key});
 }
 
 
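Review bot: the fallback serial `(unpack('L',$hash->{x509_digest_sha256}))[0]` keeps only the first 32 bits of the SHA-256 digest, read in native byte order. Two different original certificates can therefore map to the same serial under the same proxy CA, and the same certificate yields different serials on hosts with different endianness. Consider a fixed-endian template and, if `CERT_create` accepts a wider value, more of the digest. Separately, `++$self->{serial}` pre-increments where the removed code used `$self->{serial}++`, so a caller-supplied `serial` is no longer the first value issued, although the POD still describes it as the starting point.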
@@ -312,7 +319,8 @@
 =item serial INTEGER
 
 This optional argument gives the starting point for the serial numbers of the
-newly created certificates. Default to 1.
+newly created certificates. If not set the serial number will be created based
+on the digest of the original certificate.
 
 =item cache HASH | SUBROUTINE
 
@@ -328,9 +336,13 @@
 The key for the hash is an C<ident> either given to C<clone_cert> or generated
 from the original certificate.
 
-If the argument is a subroutine it will be called as C<< $cache->(ident) >>
-to get an existing (cert,key) and with C<< $cache->(ident,cert,key) >> to cache
-the newly created certificate.
+If the argument is a subroutine it will be called as C<< $cache->(ident,sub) 
>>.
+This call should return either an existing (cached) C<< (cert,key) >> or
+call C<sub> without arguments to create a new C<< (cert,key) >>, store it
+and return it.
+If called with C<< $cache->('type') >> the function should just return 1 to
+signal that it supports the current type of cache. If it reutrns nothing
+instead the older cache interface is assumed for compatibility reasons.
 
 =back
 
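Review bot: typo in the added POD line "If it reutrns nothing", which should read "returns". The paragraph should also state that old-interface callbacks are called once with the ident `'type'` when the object is constructed, since that is how the interface is detected and callers with their own ident scheme need to know the value is reserved.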
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/PublicSuffix.pm 
new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/PublicSuffix.pm
--- old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/PublicSuffix.pm   2018-01-21 
11:20:50.000000000 +0100
+++ new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/PublicSuffix.pm   2018-02-19 
07:28:05.000000000 +0100
@@ -3885,8 +3885,17 @@
 yamanakako.yamanashi.jp
 yamanashi.yamanashi.jp
 
-// ke : 
http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145
-*.ke
+// ke : http://www.kenic.or.ke/index.php/en/ke-domains/ke-domains
+ke
+ac.ke
+co.ke
+go.ke
+info.ke
+me.ke
+mobi.ke
+ne.ke
+or.ke
+sc.ke
 
 // kg : http://www.domain.kg/dmn_n.html
 kg
@@ -11230,6 +11239,7 @@
 // Cloud66 : https://www.cloud66.com/
 // Submitted by Khash Sajadi <[email protected]>
 c66.me
+cloud66.ws
 
 // CloudAccess.net : https://www.cloudaccess.net/
 // Submitted by Pawel Panek <[email protected]>
@@ -11905,10 +11915,6 @@
 freebox-os.fr
 freeboxos.fr
 
-// Fusion Intranet : https://www.fusion-intranet.com
-// Submitted by Matthias Burtscher <[email protected]>
-myfusion.cloud
-
 // Futureweb OG : http://www.futureweb.at
 // Submitted by Andreas Schnederle-Wagner <[email protected]>
 *.futurecms.at
@@ -12129,6 +12135,11 @@
 lcube-server.de
 svn-repos.de
 
+// linkyard ldt: https://www.linkyard.ch/
+// Submitted by Mario Siegenthaler <[email protected]>
+linkyard.cloud
+linkyard-cloud.ch
+
 // LiquidNet Ltd : http://www.liquidnetlimited.com/
 // Submitted by Victor Velchev <[email protected]>
 we.bs
@@ -12479,6 +12490,10 @@
 logoip.de
 logoip.com
 
+// schokokeks.org GbR : https://schokokeks.org/
+// Submitted by Hanno Böck <[email protected]>
+schokokeks.net
+
 // Scry Security : http://www.scrysec.com
 // Submitted by Shante Adam <[email protected]>
 scrysec.com
@@ -12659,6 +12674,10 @@
 // Submitted by Ed Moore <[email protected]>
 lib.de.us
 
+// VeryPositive SIA : http://very.lv
+// Submitted by Danko Aleksejevs <[email protected]>
+2038.io
+
 // Viprinet Europe GmbH : http://www.viprinet.com
 // Submitted by Simon Kissel <[email protected]>
 router.management
@@ -12687,6 +12706,10 @@
 demon.nl
 xs4all.space
 
+// YesCourse Pty Ltd : https://yescourse.com
+// Submitted by Atul Bhouraskar <[email protected]>
+official.academy
+
 // Yola : https://www.yola.com/
 // Submitted by Stefano Rivera <[email protected]>
 yolasite.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/Utils.pm 
new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Utils.pm
--- old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL/Utils.pm  2018-01-14 
21:01:09.000000000 +0100
+++ new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Utils.pm  2018-02-19 
07:26:39.000000000 +0100
@@ -284,7 +284,6 @@
     my @ext = (
        &Net::SSLeay::NID_subject_key_identifier => 'hash',
        &Net::SSLeay::NID_authority_key_identifier => 'keyid',
-       &Net::SSLeay::NID_authority_key_identifier => 'issuer',
     );
     if ( my $altsubj = delete $args{subjectAltNames} ) {
        push @ext,
@@ -379,7 +378,7 @@
        push @ext,&Net::SSLeay::NID_basic_constraints,
            => join(",",'critical', sort keys %basic_constraints);
     } else {
-       push @ext, &Net::SSLeay::NID_basic_constraints => 'CA:FALSE';
+       push @ext, &Net::SSLeay::NID_basic_constraints => 'critical,CA:FALSE';
     }
     push @ext,&Net::SSLeay::NID_key_usage
        => join(",",'critical', sort keys %key_usage) if %key_usage;
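Review bot: the switch from `'CA:FALSE'` to `'critical,CA:FALSE'` for non-CA certificates is not mentioned in the 2.055 or 2.056 Changes entries shown above. It changes the encoding of every leaf certificate produced by `CERT_create`, so it deserves its own changelog line and a short comment here giving the reason.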
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pm 
new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pm        2018-01-22 
06:09:09.000000000 +0100
+++ new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pm        2018-02-19 
07:27:24.000000000 +0100
@@ -13,7 +13,7 @@
 
 package IO::Socket::SSL;
 
-our $VERSION = '2.054';
+our $VERSION = '2.056';
 
 use IO::Socket;
 use Net::SSLeay 1.46;
@@ -327,22 +327,22 @@
     my $ip6 = eval {
        require Socket;
        Socket->VERSION(1.95);
-       my $ok = Socket::inet_pton( AF_INET6(),'::1') && AF_INET6();
-       $ok && Socket->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ );
+       Socket::inet_pton( AF_INET6(),'::1') && AF_INET6() or die;
+       Socket->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ );
        # behavior different to Socket6::getnameinfo - wrap
        *_getnameinfo = sub { 
            my ($err,$host,$port) = Socket::getnameinfo(@_) or return; 
            return if $err;
            return ($host,$port);
        };
-       $ok;
+       1;
     } || eval {
        require Socket6;
-       my $ok = Socket6::inet_pton( AF_INET6(),'::1') && AF_INET6();
-       $ok && Socket6->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ );
+       Socket6::inet_pton( AF_INET6(),'::1') && AF_INET6() or die;
+       Socket6->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ );
        # behavior different to Socket::getnameinfo - wrap
        *_getnameinfo = sub { return Socket6::getnameinfo(@_); };
-       $ok;
+       1;
     };
 
     # try IO::Socket::IP or IO::Socket::INET6 for IPv6 support
@@ -375,7 +375,9 @@
     if ( ! $ip6 ) {
        @ISA = qw(IO::Socket::INET);
        $IOCLASS = "IO::Socket::INET";
-       constant->import( CAN_IPV6 => '' );
+       constant->import(CAN_IPV6 => '');
+       constant->import(NI_NUMERICHOST => 1);
+       constant->import(NI_NUMERICSERV => 2);
     }
 
     #Make $DEBUG another name for $Net::SSLeay::trace
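Review bot: the literals in `constant->import(NI_NUMERICHOST => 1)` and `constant->import(NI_NUMERICSERV => 2)` are hard-coded rather than taken from `Socket`, and getnameinfo flag values are platform-defined. If they exist only so that references to these names compile when no IPv6 support was found, add a comment saying so, so nobody later passes them to a real `getnameinfo` call.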
@@ -723,7 +725,7 @@
                # implicitly given
                $host =~s{:[a-zA-Z0-9_\-]+$}{};
                # should be hostname, not IPv4/6
-               $host = undef if $host !~m{[a-z_]} or $host =~m{:};
+               $host = undef if $host !~m{[a-z_]}i or $host =~m{:};
            }
            # define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
            # define TLSEXT_NAMETYPE_host_name 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod 
new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pod
--- old/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod       2018-01-20 
11:56:29.000000000 +0100
+++ new/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pod       2018-02-14 
21:12:03.000000000 +0100
@@ -681,7 +681,7 @@
 kqueue or similar technologies to get notified if data are available.
 Relying only on these calls is not sufficient in all cases since unread data
 might be internally buffered in the SSL stack. To detect such buffering
-B<pending()> need to be used. Alternativly the buffering can be avoided by 
using
+B<pending()> need to be used. Alternatively the buffering can be avoided by 
using
 B<sysread> with the maximum size of an SSL frame. See L</"Common Usage Errors">
 for details.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.054/t/io-socket-ip.t 
new/IO-Socket-SSL-2.056/t/io-socket-ip.t
--- old/IO-Socket-SSL-2.054/t/io-socket-ip.t    2017-04-27 20:43:14.000000000 
+0200
+++ new/IO-Socket-SSL-2.056/t/io-socket-ip.t    2018-02-19 07:24:38.000000000 
+0100
@@ -21,6 +21,8 @@
        IO::Socket::IP->VERSION(0.31)
     }) {
        print "1..0 # Skipped: usable IO::Socket::IP is not available\n";
+    } elsif (! defined &IO::Socket::SSL::_getnameinfo) {
+       print "1..0 # Skipped: no IPv6 support despite IO::Socket::IP\n";
     } else {
        print "1..1\nnot ok # automatic use of IO::Socket::IP\n";
     }

