Hello community,

here is the log from the commit of package perl-IO-Socket-SSL for 
openSUSE:Factory checked in at 2018-07-23 17:58:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
 and      /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-IO-Socket-SSL"

Mon Jul 23 17:58:12 2018 rev:78 rq:624414 version:2.058

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes    
2018-02-21 14:06:59.583865175 +0100
+++ 
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes   
    2018-07-23 17:58:15.629135678 +0200
@@ -1,0 +2,28 @@
+Fri Jul 20 05:30:14 UTC 2018 - [email protected]
+
+- updated to 2.058
+   see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+  2.058 2018/07/19
+  - fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
+    expects the extKeyUsage of clientAuth in the client cert also to be allowed
+    by the CA if CA uses extKeyUsage
+
+-------------------------------------------------------------------
+Thu Jul 19 05:31:02 UTC 2018 - [email protected]
+
+- updated to 2.057
+   see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+  2.057 2018/07/18
+  - fix memory leak which occured with explicit stop_SSL in connection with
+    non-blocking sockets or timeout - 
https://rt.cpan.org/Ticket/Display.html?id=125867
+    Thanks to Paul Evans for reporting
+  - fix redefine warnings in case Socket6 is installed but neither 
IO::Socket::IP
+    nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
+  - IO::Socket::SSL::Intercept - optional 'serial' argument can be starting 
number
+    or callback to create serial number based on the original certificate
+  - new function get_session_reused to check if a session got reused
+  - IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the 
correct value
+
+-------------------------------------------------------------------

Old:
----
  IO-Socket-SSL-2.056.tar.gz

New:
----
  IO-Socket-SSL-2.058.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.YCAvpF/_old  2018-07-23 17:58:16.173134999 +0200
+++ /var/tmp/diff_new_pack.YCAvpF/_new  2018-07-23 17:58:16.173134999 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           perl-IO-Socket-SSL
-Version:        2.056
+Version:        2.058
 Release:        0
 %define cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET

++++++ IO-Socket-SSL-2.056.tar.gz -> IO-Socket-SSL-2.058.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/Changes 
new/IO-Socket-SSL-2.058/Changes
--- old/IO-Socket-SSL-2.056/Changes     2018-02-19 07:31:57.000000000 +0100
+++ new/IO-Socket-SSL-2.058/Changes     2018-07-19 09:47:34.000000000 +0200
@@ -1,3 +1,17 @@
+2.058 2018/07/19
+- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
+  expects the extKeyUsage of clientAuth in the client cert also to be allowed
+  by the CA if CA uses extKeyUsage
+2.057 2018/07/18
+- fix memory leak which occured with explicit stop_SSL in connection with
+  non-blocking sockets or timeout - 
https://rt.cpan.org/Ticket/Display.html?id=125867
+  Thanks to Paul Evans for reporting
+- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
+  nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
+- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting 
number
+  or callback to create serial number based on the original certificate
+- new function get_session_reused to check if a session got reused
+- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct 
value
 2.056 2018/02/19
 - Intercept - fix creation of serial number: base it on binary digest instead 
of
   treating hex fingerprint as binary. Allow use of own serial numbers again.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/META.json 
new/IO-Socket-SSL-2.058/META.json
--- old/IO-Socket-SSL-2.056/META.json   2018-02-19 07:34:36.000000000 +0100
+++ new/IO-Socket-SSL-2.058/META.json   2018-07-19 09:54:01.000000000 +0200
@@ -4,7 +4,7 @@
       "Steffen Ullrich <[email protected]>, Peter Behroozi, Marko Asplund"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "ExtUtils::MakeMaker version 7.0401, CPAN::Meta::Converter 
version 2.150001",
+   "generated_by" : "ExtUtils::MakeMaker version 7.1001, CPAN::Meta::Converter 
version 2.150005",
    "license" : [
       "perl_5"
    ],
@@ -50,5 +50,6 @@
          "url" : "https://github.com/noxxi/p5-io-socket-ssl";
       }
    },
-   "version" : "2.056"
+   "version" : "2.058",
+   "x_serialization_backend" : "JSON::PP version 2.27300"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/META.yml 
new/IO-Socket-SSL-2.058/META.yml
--- old/IO-Socket-SSL-2.056/META.yml    2018-02-19 07:34:36.000000000 +0100
+++ new/IO-Socket-SSL-2.058/META.yml    2018-07-19 09:54:01.000000000 +0200
@@ -7,7 +7,7 @@
 configure_requires:
   ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.0401, CPAN::Meta::Converter 
version 2.150001'
+generated_by: 'ExtUtils::MakeMaker version 7.1001, CPAN::Meta::Converter 
version 2.150005'
 license: perl
 meta-spec:
   url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -25,4 +25,5 @@
   homepage: https://github.com/noxxi/p5-io-socket-ssl
   license: http://dev.perl.org/licenses/
   repository: https://github.com/noxxi/p5-io-socket-ssl
-version: '2.056'
+version: '2.058'
+x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Intercept.pm 
new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL/Intercept.pm
--- old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Intercept.pm      2018-02-19 
07:27:32.000000000 +0100
+++ new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL/Intercept.pm      2018-03-19 
17:30:23.000000000 +0100
@@ -109,8 +109,10 @@
            issuer_cert => $self->{cacert},
            issuer_key => $self->{cakey},
            key => $self->{certkey},
-           serial => defined($self->{serial}) ? ++$self->{serial} : 
-               (unpack('L',$hash->{x509_digest_sha256}))[0],
+           serial =>
+               ! defined($self->{serial}) ? 
(unpack('L',$hash->{x509_digest_sha256}))[0] :
+               ref($self->{serial}) eq 'CODE' ? 
$self->{serial}($old_cert,$hash) :
+               ++$self->{serial},
        );
        return ($clone,$key);
     };
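Review bot: The value returned by a `serial` callback is passed straight to `CERT_create` in the new ternary chain, with no check that it is defined or usable as a serial number. I would take it into a variable first and fail loudly, e.g. `my $s = $self->{serial}($old_cert,$hash); defined $s or die "serial callback returned no value";`. The test `ref($self->{serial}) eq 'CODE'` also misses blessed code refs, which `Scalar::Util::reftype` would accept. The default branch still keeps only 32 bits of the SHA-256 digest through `unpack('L',...)`, so a comment there pointing users to the callback when they need collision-free serials under one interception CA would help. The enclosing closure starts outside the hunk.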
@@ -316,11 +318,13 @@
 representation, or using a file in PEM format.
 If not given it will create a new public key on each call of C<new>.
 
-=item serial INTEGER
+=item serial INTEGER|CODE
 
 This optional argument gives the starting point for the serial numbers of the
 newly created certificates. If not set the serial number will be created based
-on the digest of the original certificate.
+on the digest of the original certificate. If the value is code it will be
+called with C<< serial(original_cert,CERT_asHash(original_cert)) >> and should
+return the new serial number.
 
 =item cache HASH | SUBROUTINE
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Utils.pm 
new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL/Utils.pm
--- old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL/Utils.pm  2018-02-19 
07:26:39.000000000 +0100
+++ new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL/Utils.pm  2018-02-28 
17:13:01.000000000 +0100
@@ -146,7 +146,7 @@
        "x509_digest_$digest_name" => Net::SSLeay::X509_digest(
            $cert,_digest($digest_name)),
        "fingerprint_$digest_name" => Net::SSLeay::X509_get_fingerprint(
-           $cert,_digest($digest_name)),
+           $cert,$digest_name),
     );
 
     my $subj = Net::SSLeay::X509_get_subject_name($cert);
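Review bot: The two adjacent calls now take different second arguments and nothing in the code says why: `X509_digest` gets the handle from `_digest($digest_name)` while `X509_get_fingerprint` gets the name string itself. A one-line comment such as `# X509_get_fingerprint wants the digest name, X509_digest an EVP_MD handle` would keep a later cleanup from making them uniform again and bringing the bug back. Because `fingerprint_*` values from earlier releases were computed with the wrong argument, callers that stored or pinned them presumably need to recompute after upgrading, and the documentation should say so. The hash construction this belongs to starts outside the hunk.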
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pm 
new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pm        2018-02-19 
07:27:24.000000000 +0100
+++ new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL.pm        2018-07-19 
09:45:08.000000000 +0200
@@ -13,7 +13,7 @@
 
 package IO::Socket::SSL;
 
-our $VERSION = '2.056';
+our $VERSION = '2.058';
 
 use IO::Socket;
 use Net::SSLeay 1.46;
@@ -335,19 +335,19 @@
            return if $err;
            return ($host,$port);
        };
-       1;
+       'Socket';
     } || eval {
        require Socket6;
        Socket6::inet_pton( AF_INET6(),'::1') && AF_INET6() or die;
        Socket6->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ );
        # behavior different to Socket::getnameinfo - wrap
        *_getnameinfo = sub { return Socket6::getnameinfo(@_); };
-       1;
-    };
+       'Socket6';
+    } || undef;
 
     # try IO::Socket::IP or IO::Socket::INET6 for IPv6 support
     $family_key = 'Domain'; # traditional
-    if ( $ip6 ) {
+    if ($ip6) {
        # if we have IO::Socket::IP >= 0.31 we will use this in preference
        # because it can handle both IPv4 and IPv6
        if ( eval { 
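Review bot: `$ip6` now carries three states (a module name, `''` and undef) and their meaning is only implied. Here it becomes 'Socket', 'Socket6' or undef, and in the following hunk `$ip6 = ''` versus `!defined $ip6` decides whether the hard-coded `NI_NUMERICHOST`/`NI_NUMERICSERV` constants get defined. A comment where the value is produced, e.g. `# $ip6: module that supplied getnameinfo/NI_*; '' = loaded but no IPv6 socket class; undef = neither loaded`, would make the later `!defined` test readable. `$ip6 = ''` in the next hunk also drops its terminating semicolon, which is legal before `}` but inconsistent with the surrounding code. The first `eval` block begins outside this hunk, so what the 'Socket' branch imports is inferred.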
@@ -367,17 +367,19 @@
            constant->import( CAN_IPV6 => "IO::Socket::INET6" );
            $IOCLASS = "IO::Socket::INET6";
        } else {
-           $ip6 = 0;
+           $ip6 = ''
        }
     }
 
     # fall back to IO::Socket::INET for IPv4 only
-    if ( ! $ip6 ) {
+    if (!$ip6) {
        @ISA = qw(IO::Socket::INET);
        $IOCLASS = "IO::Socket::INET";
        constant->import(CAN_IPV6 => '');
-       constant->import(NI_NUMERICHOST => 1);
-       constant->import(NI_NUMERICSERV => 2);
+       if (!defined $ip6) {
+           constant->import(NI_NUMERICHOST => 1);
+           constant->import(NI_NUMERICSERV => 2);
+       }
     }
 
     #Make $DEBUG another name for $Net::SSLeay::trace
@@ -1427,11 +1429,12 @@
        # destroy allocated objects for SSL and untie
        # do not destroy CTX unless explicitly specified
        Net::SSLeay::free($ssl);
-       delete ${*$self}{_SSL_object};
        if (my $cert = delete ${*$self}{'_SSL_certificate'}) {
            Net::SSLeay::X509_free($cert);
        }
+       delete ${*$self}{_SSL_object};
        ${*$self}{'_SSL_opened'} = 0;
+       delete $SSL_OBJECT{$ssl};
        untie(*$self);
     }
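Review bot: `delete $SSL_OBJECT{$ssl}` is added here, but `%CREATED_IN_THIS_THREAD` is not cleaned on this path. The only visible delete for it is in `DESTROY` (last hunk of this file), and that branch runs only while `_SSL_object` is still set, which this block has just removed. If that hash is filled per SSL object when threads are in use (not visible on this page), entries would pile up after an explicit `stop_SSL`, and since `$ssl` is a pointer value a later object could land on the same stale key. Adding `delete $CREATED_IN_THIS_THREAD{$ssl};` next to the new delete would close that. The enclosing sub starts and ends outside the hunk.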
 
@@ -1903,6 +1906,11 @@
     return Net::SSLeay::version($ssl);
 }
 
+sub get_session_reused {
+    return Net::SSLeay::session_reused(
+       shift()->_get_ssl_object || return);
+}
+
 if ($can_ocsp) {
     no warnings 'once';
     *ocsp_resolver = sub {
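Review bot: `get_session_reused` hides its early return inside the argument list (`shift()->_get_ssl_object || return`), which is easy to misread as part of the call. `my $ssl = shift()->_get_ssl_object or return;` followed by `return Net::SSLeay::session_reused($ssl);` does the same thing in plain view. The sub also has no comment; something like `# true if the handshake resumed a cached session (no certificate is exchanged then)` would tell callers why peer-certificate accessors may return nothing after a resumed handshake.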
@@ -2007,11 +2015,12 @@
 
 sub DESTROY {
     my $self = shift or return;
-    my $ssl = ${*$self}{_SSL_object} or return;
-    delete $SSL_OBJECT{$ssl};
-    if (!$use_threads or delete $CREATED_IN_THIS_THREAD{$ssl}) {
-       $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1)
-           if ${*$self}{'_SSL_opened'};
+    if (my $ssl = ${*$self}{_SSL_object}) {
+       delete $SSL_OBJECT{$ssl};
+       if (!$use_threads or delete $CREATED_IN_THIS_THREAD{$ssl}) {
+           $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1)
+               if ${*$self}{'_SSL_opened'};
+       }
     }
     delete @{*$self}{@all_my_keys};
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pod 
new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL.pod
--- old/IO-Socket-SSL-2.056/lib/IO/Socket/SSL.pod       2018-02-14 
21:12:03.000000000 +0100
+++ new/IO-Socket-SSL-2.058/lib/IO/Socket/SSL.pod       2018-03-19 
17:30:23.000000000 +0100
@@ -1567,6 +1567,12 @@
 Returns the integer representation of the SSL version of an established
 connection.
 
+=item B<get_session_reused()>
+
+This returns true if the session got reused and false otherwise. Note that with
+a reused session no certificates are send within the handshake and no ciphers
+are offered and thus functions which rely on this might not work.
+
 =item B<dump_peer_certificate()>
 
 Returns a parsable string with select fields from the peer SSL certificate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-2.056/t/session_ticket.t 
new/IO-Socket-SSL-2.058/t/session_ticket.t
--- old/IO-Socket-SSL-2.056/t/session_ticket.t  2018-01-23 19:38:07.000000000 
+0100
+++ new/IO-Socket-SSL-2.058/t/session_ticket.t  2018-07-19 09:43:23.000000000 
+0200
@@ -13,7 +13,19 @@
 plan tests => 6;
 
 # create some self signed certificate
-my ($cert,$key) = CERT_create(CA => 1, purpose => { ca => 1, server => 1 });
+my ($cert,$key) = CERT_create(CA => 1,
+    subject => { CN => 'ca' },
+);
+my ($client_cert,$client_key) = CERT_create(
+    issuer => [ $cert,$key],
+    subject => { CN => 'client' },
+    purpose => { client => 1 }
+);
+my ($server_cert,$server_key) = CERT_create(
+    issuer => [ $cert,$key],
+    subject => { CN => 'server' },
+    purpose => { server => 1 }
+);
 
 # create two servers with the same session ticket callback
 my (@server,@saddr);
@@ -41,6 +53,8 @@
 
 my $clctx = IO::Socket::SSL::SSL_Context->new(
     SSL_session_cache_size => 10,
+    SSL_cert => $client_cert,
+    SSL_key => $client_key,
     SSL_ca => [ $cert ],
 );
 
@@ -101,9 +115,12 @@
     for(@server) {
        $_->{sslctx} = IO::Socket::SSL::SSL_Context->new(
            SSL_server => 1,
-           SSL_cert => $cert,
-           SSL_key => $key,
+           SSL_cert => $server_cert,
+           SSL_key => $server_key,
+           SSL_ca => [ $cert ],
+           SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            SSL_ticket_keycb => $get_ticket_key,
+           SSL_session_id_context => 'foobar',
        ) or die "failed to create SSL context: $SSL_ERROR";
     }
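Review bot: `SSL_session_id_context => 'foobar'` is added to the server context without explanation. As far as I know OpenSSL will not resume sessions on a server that requests client certificates unless a session id context is set, so the line is presumably required by the new `SSL_verify_mode` setting rather than incidental. A comment such as `# required for session reuse once client certs are verified` would keep it from being removed later. The visible changes only exercise the accepted path; a case where the client presents no certificate and the handshake is refused would confirm that `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is enforced.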
 

