Hello community, here is the log from the commit of package perl-IO-Socket-SSL for openSUSE:Factory checked in at 2020-02-22 19:02:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old) and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL" Sat Feb 22 19:02:55 2020 rev:85 rq:776201 version:2.067 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes 2019-06-01 09:43:59.615437075 +0200 +++ /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.26092/perl-IO-Socket-SSL.changes 2020-02-22 19:03:11.429959112 +0100 @@ -1,0 +2,11 @@ +Tue Feb 18 15:28:53 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Add removal of the README.Win32 file in cpanspec.yml + +------------------------------------------------------------------- +Sat Feb 15 03:09:16 UTC 2020 - <[email protected]> + +- updated to 2.067 + see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes + +------------------------------------------------------------------- Old: ---- IO-Socket-SSL-2.066.tar.gz New: ---- IO-Socket-SSL-2.067.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-IO-Socket-SSL.spec ++++++ --- /var/tmp/diff_new_pack.ciGNKz/_old 2020-02-22 19:03:13.037962227 +0100 +++ /var/tmp/diff_new_pack.ciGNKz/_new 2020-02-22 19:03:13.049962249 +0100 @@ -1,7 +1,7 @@ # # spec file for package perl-IO-Socket-SSL # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,23 +16,24 @@ # -%define cpan_name IO-Socket-SSL Name: perl-IO-Socket-SSL -Version: 2.066 +Version: 2.067 Release: 0 +%define cpan_name IO-Socket-SSL Summary: Nearly transparent SSL encapsulation for IO::Socket::INET License: Artistic-1.0 OR GPL-1.0-or-later Group: Development/Libraries/Perl URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml +BuildArch: noarch +BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl BuildRequires: perl-macros #BuildRequires: perl(Mozilla::CA) BuildRequires: perl(Net::SSLeay) >= 1.46 #Requires: perl(Mozilla::CA) Requires: perl(Net::SSLeay) >= 1.46 -BuildArch: noarch %{perl_requires} %description @@ -76,18 +77,21 @@ %prep %setup -q -n %{cpan_name}-%{version} -find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644 +find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build perl Makefile.PL INSTALLDIRS=vendor make %{?_smp_mflags} %check -make %{?_smp_mflags} test +make test %install %perl_make_install %perl_process_packlist +# MANUAL BEGIN +rm README.Win32 +# MANUAL END %perl_gen_filelist %files -f %{name}.files ++++++ IO-Socket-SSL-2.066.tar.gz -> IO-Socket-SSL-2.067.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/Changes new/IO-Socket-SSL-2.067/Changes --- old/IO-Socket-SSL-2.066/Changes 2019-03-06 07:53:29.000000000 +0100 +++ new/IO-Socket-SSL-2.067/Changes 2020-02-14 18:43:52.000000000 +0100 
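Review bot: The manual `rm README.Win32` added to `%install` in the @@ -76 hunk has no `-f`, so the build fails outright if a future upstream tarball drops or renames the file, and the intent (keep a Windows-only document out of the packaged docs) is stated only in the .changes entry rather than next to the command; `rm -f README.Win32 # Windows-only notes, not useful in this package` would make it self-explaining and tolerant of the file disappearing. Whether a hard failure is actually the desired signal when upstream removes the file is a packaging-policy call, and if it is, a comment saying so inside the MANUAL block would be the fix instead. The widened `find ... chmod 644` exclusion list in the same hunk appears to be the regenerated cpanspec template and looks fine.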
@@ -1,31 +1,51 @@ -2.066 +2.067 2020/02/14 +- fix memory leak on incomplete handshake + https://github.com/noxxi/p5-io-socket-ssl/issues/92 + Thanks to olegwtf +- add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers + This can decrease memory usage at the costs of more allocations + https://rt.cpan.org/Ticket/Display.html?id=129463 +- more detailed error messages when loading of certificate file failed + https://github.com/noxxi/p5-io-socket-ssl/issues/89 +- fix for ip_in_cn == 6 in verify_hostname scheme + https://rt.cpan.org/Ticket/Display.html?id=131384 +- deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1 +- fix warning when no ecdh support is available +- documentation update regarding use of select and TLS 1.3 +- various fixes in documentation + https://github.com/noxxi/p5-io-socket-ssl/issues/91 + https://github.com/noxxi/p5-io-socket-ssl/issues/90 + https://github.com/noxxi/p5-io-socket-ssl/issues/87 + https://github.com/noxxi/p5-io-socket-ssl/issues/81 +- stability fix t/core.t +2.066 2019/03/06 - fix test t/verify_partial_chain.t by using the newly exposed function can_partial_chain instead of guessing (wrongly) if the functionality is available -2.065 +2.065 2019/03/05 - make sure that Net::SSLeay::CTX_get0_param is defined before using X509_V_FLAG_PARTIAL_CHAIN. Net::SSLeay 1.85 defined only the second with LibreSSL 2.7.4 but not the first https://rt.cpan.org/Ticket/Display.html?id=128716 - prefer AES for server side cipher default since it is usually hardware-accelerated -2.064 +2.064 2019/03/04 - make algorithm for fingerprint optional, i.e. 
detect based on length of fingerprint - https://rt.cpan.org/Ticket/Display.html?id=127773 - fix t/sessions.t and improve stability of t/verify_hostname.t on windows - use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are set - update fingerprints for live tests -2.063 +2.063 2019/03/01 - support for both RSA and ECDSA certificate on same domain - update PublicSuffix - Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but then linked against another API-incompatible version (ie. more than just the patchlevel differs). -2.062 +2.062 2019/02/24 - Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in the trust store be usable as full trust anchors too. -2.061 +2.061 2019/02/23 - Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+. Note that the previous (and undocumented) API for the session cache has been changed. @@ -50,7 +70,7 @@ expects the extKeyUsage of clientAuth in the client cert also to be allowed by the CA if CA uses extKeyUsage 2.057 2018/07/18 -- fix memory leak which occured with explicit stop_SSL in connection with +- fix memory leak which occurred with explicit stop_SSL in connection with non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867 Thanks to Paul Evans for reporting - fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP @@ -68,7 +88,7 @@ - use SNI also if hostname was given all-uppercase - Utils::CERT_create - don't add authority key for issuer since Chrome does not like this -- Intercept: +- Intercept: - change behavior of code based cache to better support synchronizing within multiprocess/threaded setups - don't use counter for serial number but somehow base it on original 
@@ -159,7 +179,7 @@ - restrict session ticket callback to Net::SSLeay 1.79+ since version before contains bug. Add test for session reuse - extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....' -- fix t/external/ocsp.t to use different server (under my control) to check +- fix t/external/ocsp.t to use different server (under my control) to check OCSP stapling 2.037 2016/08/22 - fix session cache del_session: it freed the session but did not properly @@ -248,7 +268,7 @@ using a different wrapper depending on which module I use for IPv6. Thanks to bluhm for reporting. 2.018 2015/08/27 -- RT#106687 - startssl.t failed on darwin with old openssl since server +- RT#106687 - startssl.t failed on darwin with old openssl since server requested client certificate but offered also anon ciphers 2.017 2015/08/24 - checks for readability of files/dirs for certificates and CA no longer use 
@@ -260,19 +280,19 @@ - check for both EWOULDBLOCK and EAGAIN since these codes are different on some platforms. Thanks to Andy Grundman, RT#106573 - enforce default verification scheme if none was specified, i.e. no longer - just warn but accept. If really no verification is wanted a scheme of + just warn but accept. If really no verification is wanted a scheme of 'none' must be explicitly specified. - support different cipher suites per SNI hosts 2.016 2015/06/02 -- add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL +- add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL (since 1.02) and available with Net::SSLeay. RT#104759 (thanks GAAS) - work around hanging prompt() with older perl in Makefile.PL RT#104731 -- make t/memleak_bad_handshake.t work on cygwin and other systems having +- make t/memleak_bad_handshake.t work on cygwin and other systems having /proc/pid/statm, see RT#104659 - add better debugging based on patch from H.Merijn Brand 2.015 2015/05/13 - work around problem with IO::Socket::INET6 on windows, by explicitly using - Domain AF_INET in the tests. + Domain AF_INET in the tests. Fixes RT#104226 reported by CHORNY 2.014 2015/05/05 - Utils::CERT_create - work around problems with authorityInfoAccess, where @@ -284,7 +304,7 @@ errors like "configuration failed" or "certificate verify error" don't replace more specific "hostname verification failed" when reporting in sub errstr/$SSL_ERROR. see also RT#103423 -- enhanced documentation thanks to Chase Whitener +- enhanced documentation thanks to Chase Whitener https://github.com/noxxi/p5-io-socket-ssl/pull/26 2.012 2015/02/02 - fix t/ocsp.t in case no HTTP::Tiny is installed 
@@ -300,7 +320,7 @@ 2.010 2015/01/14 - new options SSL_client_ca_file and SSL_client_ca to let the server send the list of acceptable CAs for the client certificate. -- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay. +- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay. RT#101485, thanks to TEAM. 2.009 2015/01/12 - remove util/analyze.pl. This tool is now together with other SSL tools in @@ -451,7 +471,7 @@ - RT#95633 call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org - util/analyze.pl - with --show-chain check if chain with SNI is different - from chain w/o SNI. + from chain w/o SNI. 1.984 2014/05/10 - added OCSP support: - needs Net::SSLeay >=1.59 @@ -485,7 +505,7 @@ - disable elliptic curve support for openssl 1.0.1d on 64bit because of openssl rt#2975 1.979 2014/04/06 -- hostname checking: +- hostname checking: - configuration of 'leftmost' is renamed to 'full_label', but the old version is kept for compatibility reasons. - documentation of predefined schemes fixed to match reality @@ -577,7 +597,7 @@ 1.966 2014/01/21 - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with specifying !TLSv12, only !TLSv1_2 worked -- fixed leak of session objects in SessionCache, if another session +- fixed leak of session objects in SessionCache, if another session replaced an existing session (introduced in 1.965) 1.965 2014/01/16 - new key SSL_session_key to influence how sessions are inserted and looked 
@@ -597,7 +617,7 @@ - fix behavior of stop_SSL: for blocking sockets it now enough to call it once, for non-blocking it should be called again as long as EAGAIN and SSL_ERROR is set to SSL_WANT_(READ|WRITE). -- don't call blocking if start_SSL failed and downgraded socket has no +- don't call blocking if start_SSL failed and downgraded socket has no blocking method, thanks to tokuhirom - documentation enhancements: - special section for differences to IO::Socket @@ -632,7 +652,7 @@ certificate failed (because ADH does not exchanges certificates). Fixed by explicitly specifying HIGH:!aNULL as cipher RT#90221, thanks to paul[AT]city-fan[DOT]org -- cleaned up tests: +- cleaned up tests: - remove ssl_settings.req and 02settings.t, because all tests now create a simple socket at 127.0.0.1 and thus global settings are no longer needed. - some tests did not have use strict(!), fixed it. @@ -681,12 +701,12 @@ RT#87052 1.952 2013/7/11 - fix t/acceptSSL-timeout.t on Win32, RT#86862 -1.951 2013/7/3 +1.951 2013/7/3 - better document builtin defaults for key,cert,CA and how they are depreceated - use Net::SSLeay::CTX_set_default_verify_paths to use openssl's builtin defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins used) -1.950 2013/7/3 +1.950 2013/7/3 - MAJOR BEHAVIOR CHANGE: ssl_verify_mode now defaults to verify_peer for client. Until now it used verify_none, but loudly complained since 1.79 about it. 
@@ -708,12 +728,12 @@ - changed AUTHOR in Makefile.PL from array back to string, because the array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739) v1.92 2013.05.30 -- Intercept: use sha1-fingerprint of original cert for id into cache unless +- Intercept: use sha1-fingerprint of original cert for id into cache unless otherwise given - Fix pod error in IO::Socket::SSL::Utils RT#85733 v1.91 2013.05.30 - added IO::Socket::SSL::Utils for easier manipulation of certificates and keys -- moved SSL interception into IO::Socket::SSL::Intercept and simplified it +- moved SSL interception into IO::Socket::SSL::Intercept and simplified it using IO::Socket::SSL::Utils - enhance meta information in Makefile.PL v1.90 2013.05.27 @@ -721,7 +741,7 @@ Thanks to ujvari[AT]microsec[DOT]hu - added support for easy SSL interception (man in the middle) based on ideas found in mojo-mitm proxy (which was written by Karel Miko) -- make 1.46 the minimal required version for Net::SSLeay, because it +- make 1.46 the minimal required version for Net::SSLeay, because it introduced lots of useful functions. v1.89 2013.05.14 - if IO::Socket::IP is used it should be at least version 0.20, otherwise @@ -733,7 +753,7 @@ Thanks to alexander[AT]kuehn[AT]nagilum[DOT]de for reporting the problem. v1.87 2013.04.24 - RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or - if they are not readable. Thanks to perl[AT]minty[DOT]org + if they are not readable. Thanks to perl[AT]minty[DOT]org - fix use of SSL_key|SSL_file objects instead of files, broken with 1.83 v1.86 2013.04.17 - RT#84686 - don't complain about SSL_verify_mode is SSL_reuse_ctx, 
@@ -759,8 +779,8 @@ https://rt.cpan.org/Ticket/Display.html?id=82761 - reworked part of the documentation, like providing better examples. v1.82 2013.01.28 -- sub error sets $SSL_ERROR etc only if there really is an error, - otherwise it will keep the latest error. This causes +- sub error sets $SSL_ERROR etc only if there really is an error, + otherwise it will keep the latest error. This causes IO::Socket::SSL->new.. to report the correct problem, even if the problem is deeper in the code (like in connect) - correct spelling, rt#8270. Thanks to ETHER @@ -783,23 +803,23 @@ v1.79 2012.11.25 - prepare transition to a more secure default for SSL_verify_mode. The use of the current default SSL_VERIFY_NONE will cause a big warning - for clients, unless SSL_verify_mode was explicitly set inside the + for clients, unless SSL_verify_mode was explicitly set inside the application to this insecure value. - In the near future the default will be SSL_VERIFY_PEER, and thus + In the near future the default will be SSL_VERIFY_PEER, and thus causing verification failures in unchanged applications. v1.78 2012.11.25 -- use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and +- use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort from sockaddr in _update_peer, because this provides scope too. Thanks to bluhm[AT]genua[DOT]de. - work around systems which don't defined AF_INET6 https://rt.cpan.org/Ticket/Display.html?id=81216 Thanks to GAAS for reporting v1.77 2012.10.05 -- update_peer for IPv6 also, applied fix to +- update_peer for IPv6 also, applied fix to https://rt.cpan.org/Ticket/Display.html?id=79916 by tlhackque[AT]yahoo[DOT]com v1.76 2012.06.18 -- no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if +- no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if no current Socket.pm is available. Thanks to paul[AT]city-fan[DOT]org for pointing out the problem and providing first patch v1.75 2012.06.15 
@@ -835,10 +855,10 @@ v1.67 2012.05.07 - https://rt.cpan.org/Ticket/Display.html?id=76929 thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting - - if no explicit cipher list is given it will now default to ALL:!LOW instead + - if no explicit cipher list is given it will now default to ALL:!LOW instead of the openssl default, which usually includes weak ciphers like DES. - new config key SSL_honor_cipher_order and documented how to use it to fight - BEAST attack. + BEAST attack. v1.66 2012.04.16 - make it thread safer, thanks to bug report from vega[DOT]james[AT]gmail [DOT]com, https://rt.cpan.org/Ticket/Display.html?id=76538 @@ -849,13 +869,13 @@ - clarify some behavior regarding hostname verification. Thanks to DOHERTY for reporting. v1.63 2012.04.06 -- applied patch of DOUGDUDE to ignore die from within eval to make tests +- applied patch of DOUGDUDE to ignore die from within eval to make tests more stable on Win32, https://rt.cpan.org/Ticket/Display.html?id=76147 v1.62 2012.03.28 - small fix to last version v1.61 2012.03.27 - call CTX_set_session_id_context so that servers session caching works with - client certificates too. + client certificates too. https://rt.cpan.org/Ticket/Display.html?id=76053 v1.60 2012.03.20 - don't make blocking readline if socket was set nonblocking, but return as @@ -865,8 +885,8 @@ as long as Net::SSLeay >= 1.43 is used https://rt.cpan.org/Ticket/Display.html?id=75749 v1.59 2012.03.08 -- if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful - message when attempting to use it. +- if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful + message when attempting to use it. - modify constant declarations so that 5.6.1 should work again v1.58 2012.02.26 - fix t/dhe.t again to enable the workaround only for newer openssl 
@@ -878,7 +898,7 @@ https://rt.cpan.org/Ticket/Display.html?id=75165 v1.56 2012.02.22 - add automatic or explicit (via SSL_hostname) SNI support, needed for - multiple SSL hostnames with same IP. Currently only supported for the + multiple SSL hostnames with same IP. Currently only supported for the client. v1.55 2012.02.20 - work around IO::Sockets work around for systems returning EISCONN etc @@ -888,7 +908,7 @@ Thanks for Manoj Kumar for reporting. v1.54 2012.01.11 - return 0 instead of undef in SSL_verify_callback to fix uninitialized - warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for + warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting the bug and MIKEM for the fix. https://rt.cpan.org/Ticket/Display.html?id=73629 v1.53 2011.12.11 @@ -904,7 +924,7 @@ v1.50 2011.12.06 Thanks to HMBRAND for reporting and Rainer Tammer tammer[AT]tammer[DOT]net for providing access to AIX system -v1.49 2011.10.28 +v1.49 2011.10.28 - another regression for readline fix, this time it failed to return lines at eof which don't end with newline. Extended t/readline.t to catch this case and the fix for 1.48 @@ -925,7 +945,7 @@ - fix readline to continue when getting interrupt waiting for more data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem v1.44 2011.05.27 -- fix invalid call to inet_pton in verify_hostname_of_cert when +- fix invalid call to inet_pton in verify_hostname_of_cert when identity should be verified as ipv6 address, because it contains colon. v1.43_1 2011.05.12 
@@ -939,7 +959,7 @@ - describe problem of fake memory leak because of big session cache and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073 v1.41 2011.05.09 -- fix issue in stop_SSL where it did not issue a shutdown of the +- fix issue in stop_SSL where it did not issue a shutdown of the SSL connection if it first received the shutdown from the other side. Thanks to fencingleo[AT]gmail[DOT]com for reporting - try to make t/nonblock.t more reliable, at least report the real @@ -961,22 +981,22 @@ reporting https://rt.cpan.org/Ticket/Display.html?id=64864 v1.37 2010.12.09 -- don't complain about invalid certificate locations if user explicitly +- don't complain about invalid certificate locations if user explicitly set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what he is doing and will work around the problems by itself. http://rt.cpan.org/Ticket/Display.html?id=63741 v1.36 2010.12.08 -- update documentation for SSL_verify_callback based on +- update documentation for SSL_verify_callback based on https://rt.cpan.org/Ticket/Display.html?id=63743 https://rt.cpan.org/Ticket/Display.html?id=63740 v1.35 2010.12.06 - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid it will no longer fall back to VERIFY_NONE but throw an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for - pointing out the problem, see also + pointing out the problem, see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 v1.34 2010.11.01 -- scheme http for certificate verification changed to +- scheme http for certificate verification changed to wildcards_in_cn=1, because according to rfc2818 this is valid and also seen in the wild - if upgrading socket from inet to ssl fails due to handshake problems 
@@ -984,9 +1004,9 @@ See https://rt.cpan.org/Ticket/Display.html?id=61466 - deprecate kill_socket, just use close() v1.33 2010.03.17 -- attempt to make t/memleak_bad_handshake.t more stable, it fails +- attempt to make t/memleak_bad_handshake.t more stable, it fails for unknown reason on various systems -- fix hostname checking: an IP should only be checked against +- fix hostname checking: an IP should only be checked against subjectAltName GEN_IPADD, never against GEN_DNS or CN. Thanks to rusch[AT]genua[DOT]de for bug report v1.32 2010.02.22 @@ -994,7 +1014,7 @@ only complaining. Thanks to w[DOT]phillip[DOT]moore[AT]gmail[DOT]com for reporting. v1.31 2009.09.25 -- add and export constants for SSL_VERIFY_* +- add and export constants for SSL_VERIFY_* - set SSL_use_cert if cert is given and not SSL_server - support alternative CRL file with SSL_crl_file thanks to patch of w[DOT]phillip[DOT]moore[AT]gmail[DOT]com @@ -1028,8 +1048,8 @@ While there made it more aware of errors in Net::ssl_write_all (return undef not 0 in generic_write) v1.26 2009.07.03 -- SECURITY BUGFIX! - fix Bug in verify_hostname_of_cert where it matched only the prefix for +- SECURITY BUGFIX! + fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it Thanks to MLEHMANN for reporting 
@@ -1072,15 +1092,15 @@ thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting v1.17 2008.10.13 -- no code changes, publish v.16_3 as v.17 because it looks better +- no code changes, publish v.16_3 as v.17 because it looks better than v.16 - document win32 behavior regarding non-blocking and timeouts v1.16_3 2008.09.25 -- fix t/nonblock.t with workaround for problems with - IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do +- fix t/nonblock.t with workaround for problems with + IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do nonblocking connect and leaves socket blocked. -- make some tests less verbose by fixing diag in t/testlib.t +- make some tests less verbose by fixing diag in t/testlib.t (send output to STDOUT not STDERR and prefix with '#') v1.16_2 2008.09.24 @@ -1098,7 +1118,7 @@ v1.16 2008.09.19 - change code for SSL_check_crl to use X509_STORE_set_flags instead of - X509_STORE_CTX_set_flags based on bug report from + X509_STORE_CTX_set_flags based on bug report from <tjtoocool[AT]phreaker[DOT]net > - change opened() to report -1 if the IO::Handle is open, but the SSL connection failed, needed with HTTP::Daemon::SSL which will send @@ -1112,7 +1132,7 @@ v1.14 - added support for verification of hostname from certificate including subjectAltNames, support for IDN etc based on patch and - input from christopher[AT]odenbachs[DOT]de and + input from christopher[AT]odenbachs[DOT]de and achim[AT]grolmsnet[DOT]de. It is also possible to get more information from peer_certificate based on this patch. See documentation for peer_certificate and 
@@ -1131,10 +1151,10 @@ v1.13 - removed CLONE_SKIP which was added in 1.03 because this breaks windows forking. Handled threads/windows forking better by making - sure that CTX from Net::SSLeay gets not freed multiple times from + sure that CTX from Net::SSLeay gets not freed multiple times from different threads after cloning/forking - removed setting LocalPort to 0 in tests, instead leave it undef - if a random port should be allocated. This should fix build problems + if a random port should be allocated. This should fix build problems with 5.6.1. Thanks to <andrew[DOT]benham[AT]thus[DOT]net> v1.12 @@ -1189,7 +1209,7 @@ because it's internal to IO::Socket::SSL) v1.03 -- add CLONE_SKIP as proposed by +- add CLONE_SKIP as proposed by Jarrod Johnson jbjohnso at us dot ibm dot com v1.02 @@ -1207,7 +1227,7 @@ see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106 v1.0 -- fix deprecated and practically undocumented function +- fix deprecated and practically undocumented function get_peer_certificate so that LWP Net::HTTPS works again - set arg 'Blocking' while calling SUPER::configure only if it was set by the caller to work around Problem in LWP @@ -1254,11 +1274,11 @@ in v0.991) v0.992 -- _set_rw_error does $!||=EAGAIN only if error is one of - SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith +- _set_rw_error does $!||=EAGAIN only if error is one of + SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith <mike at mailchannels dot com>) - Fix Makefile.PL to allow detection of failures in PREREQ_PM - (http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch + (http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch by alexchorny at gmail dot com) v0.991 
@@ -1282,21 +1302,21 @@ . accept,accept_SSL,connect and connect_SSL don't block anymore if the socket is nonblocking. Instead $! will be set from the underlying IO::Socket::INET - connect or accept if it failed there (usually EAGAIN or + connect or accept if it failed there (usually EAGAIN or EINPROGRESS) or if the underlying openssl needs to read or write $! will be set to EAGAIN and $SSL_ERROR will be set to SSL_WANT_READ or SSL_WANT_WRITE - . syswrite returns undef and sets $!,$SSL_ERROR if it fails + . syswrite returns undef and sets $!,$SSL_ERROR if it fails to write instead of returning 0. - Bugfixes (http://rt.cpan.org/Public/Bug/Display.html?id=Bugid) . Bug 18439: fileno 0 should be valid . Bug 15001: sysread interprets buffer "0" as "" - peer_certificate returns X509 struct string if no field - for extraction was specified + for extraction was specified - get_peer_certificate returns the certificate instead of the IO::Socket::SSL object - + v0.97 - Writes now correctly return errors. (Problem noted by Dominique Quatravaux <dom at idealx.com>). @@ -1370,7 +1390,7 @@ - Added note about random number generators for Solaris users (Problem found by Christian Gilmore <cag at us.ibm.com>). - Added support for WeakRef and Scalar::Util to allow - IO::Socket::SSL objects to auto-destroy themselves when + IO::Socket::SSL objects to auto-destroy themselves when they go out of scope. - Added croak()ing for unimplemented send() and recv() methods so they are not accidentally used to transmit unencrypted diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/META.json new/IO-Socket-SSL-2.067/META.json --- old/IO-Socket-SSL-2.066/META.json 2019-03-06 07:55:17.000000000 +0100 +++ new/IO-Socket-SSL-2.067/META.json 2020-02-14 18:44:12.000000000 +0100 
@@ -52,6 +52,6 @@ "url" : "https://github.com/noxxi/p5-io-socket-ssl" } }, - "version" : "2.066", + "version" : "2.067", "x_serialization_backend" : "JSON::PP version 2.27400_02" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/META.yml new/IO-Socket-SSL-2.067/META.yml --- old/IO-Socket-SSL-2.066/META.yml 2019-03-06 07:55:17.000000000 +0100 +++ new/IO-Socket-SSL-2.067/META.yml 2020-02-14 18:44:12.000000000 +0100 @@ -27,5 +27,5 @@ homepage: https://github.com/noxxi/p5-io-socket-ssl license: http://dev.perl.org/licenses/ repository: https://github.com/noxxi/p5-io-socket-ssl -version: '2.066' +version: '2.067' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/lib/IO/Socket/SSL.pm new/IO-Socket-SSL-2.067/lib/IO/Socket/SSL.pm --- old/IO-Socket-SSL-2.066/lib/IO/Socket/SSL.pm 2019-03-06 07:51:09.000000000 +0100 +++ new/IO-Socket-SSL-2.067/lib/IO/Socket/SSL.pm 2020-02-14 18:44:02.000000000 +0100 @@ -13,7 +13,7 @@ package IO::Socket::SSL; -our $VERSION = '2.066'; +our $VERSION = '2.067'; use IO::Socket; use Net::SSLeay 1.46; @@ -73,6 +73,8 @@ my $session_upref; # SSL_SESSION_up_ref is implemented my %sess_cb; # SSL_CTX_sess_set_(new|remove)_cb my $check_partial_chain; # use X509_V_FLAG_PARTIAL_CHAIN if available +my $auto_retry; # (clear|set)_mode SSL_MODE_AUTO_RETRY with OpenSSL 1.1.1+ with non-blocking +my $ssl_mode_release_buffers = 0; # SSL_MODE_RELEASE_BUFFERS if available my $openssl_version; my $netssleay_version; @@ -108,7 +110,7 @@ $can_ocsp_staple = $can_ocsp && defined &Net::SSLeay::set_tlsext_status_type; $can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb - && $netssleay_version >= 1.80; + && $netssleay_version >= 1.80; $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth; if (defined &Net::SSLeay::SESSION_up_ref) { 
@@ -132,6 +134,34 @@ Net::SSLeay::X509_VERIFY_PARAM_set_flags($param, $c); }; } + + if (!defined &Net::SSLeay::clear_mode) { + # assume SSL_CTRL_CLEAR_MODE being 78 since it was always this way + *Net::SSLeay::clear_mode = sub { + my ($ctx,$opt) = @_; + Net::SSLeay::ctrl($ctx,78,$opt,0); + }; + } + + if ($openssl_version >= 0x10101000) { + # openssl 1.1.1 enabled SSL_MODE_AUTO_RETRY by default, which is bad for + # non-blocking sockets + my $mode_auto_retry = + # was always 0x00000004 + eval { Net::SSLeay::MODE_AUTO_RETRY() } || 0x00000004; + $auto_retry = sub { + my ($ssl,$on) = @_; + if ($on) { + Net::SSLeay::set_mode($ssl, $mode_auto_retry); + } else { + Net::SSLeay::clear_mode($ssl, $mode_auto_retry); + } + } + } + if ($openssl_version >= 0x10000000) { + # ssl/ssl.h:#define SSL_MODE_RELEASE_BUFFERS 0x00000010L + $ssl_mode_release_buffers = 0x00000010; + } } my $algo2digest = do { @@ -198,7 +228,7 @@ SSL_cipher_list => join(" ", - # SSLabs report for Chrome 48/OSX. + # SSLabs report for Chrome 48/OSX. # This also includes the fewer ciphers Firefox uses. 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', @@ -256,7 +286,7 @@ # library_init returns false if the library was already initialized. # This way we can find out if the library needs to be re-initialized # inside code compiled with perlcc - Net::SSLeay::library_init() or return; + Net::SSLeay::library_init() or return; Net::SSLeay::load_error_strings(); Net::SSLeay::OpenSSL_add_all_digests(); @@ -323,7 +353,7 @@ # every time we setup a connection my %SSL_OP_NO; for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 - TLSv1_3 TLSv13:TLSv1_3 )) { + TLSv1_3 TLSv13:TLSv1_3 )) { my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); my $sub = "Net::SSLeay::OP_NO_$op"; local $SIG{__DIE__}; 
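Review bot: The `clear_mode` fallback in the @@ -132 hunk names its first parameter `$ctx`, but everything that uses it in this change hands it a per-connection SSL object (`$auto_retry` is invoked as `$auto_retry->($ssl, ...)` in the later hunks, and `Net::SSLeay::ctrl`, as far as I know, wraps the connection-level `SSL_ctrl` rather than `SSL_CTX_ctrl`), so the name suggests a context where a connection is meant; `my ($ssl,$opt) = @_;` and `Net::SSLeay::ctrl($ssl,78,$opt,0);` would read correctly. The literal 78 also deserves a name next to the comment that justifies it, e.g. `my $SSL_CTRL_CLEAR_MODE = 78; # value has been stable across OpenSSL releases`. Both are cosmetic; the shim and the auto-retry toggle otherwise look right, and the enclosing initialisation block starts outside the hunk.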
@@ -385,8 +415,8 @@ Socket::inet_pton( AF_INET6(),'::1') && AF_INET6() or die; Socket->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ ); # behavior different to Socket6::getnameinfo - wrap - *_getnameinfo = sub { - my ($err,$host,$port) = Socket::getnameinfo(@_) or return; + *_getnameinfo = sub { + my ($err,$host,$port) = Socket::getnameinfo(@_) or return; return if $err; return ($host,$port); }; @@ -405,8 +435,8 @@ if ($ip6) { # if we have IO::Socket::IP >= 0.31 we will use this in preference # because it can handle both IPv4 and IPv6 - if ( eval { - require IO::Socket::IP; + if ( eval { + require IO::Socket::IP; IO::Socket::IP->VERSION(0.31) }) { @ISA = qw(IO::Socket::IP); @@ -854,6 +884,7 @@ } else { # timeout does not apply because invalid or socket non-blocking $timeout = undef; + $auto_retry && $auto_retry->($ssl,$self->blocking); } my $start = defined($timeout) && time(); @@ -1066,6 +1097,7 @@ } else { # timeout does not apply because invalid or socket non-blocking $timeout = undef; + $auto_retry && $auto_retry->($ssl,$socket->blocking); } my $start = defined($timeout) && time(); @@ -1139,6 +1171,14 @@ ####### I/O subroutines ######################## +if ($auto_retry) { + *blocking = sub { + my $self = shift; + { @_ && $auto_retry->($self->_get_ssl_object || last, @_); } + return $self->SUPER::blocking(@_); + }; +} + sub _generic_read { my ($self, $read_func, undef, $length, $offset) = @_; my $ssl = ${*$self}{_SSL_object} || return; @@ -1421,7 +1461,9 @@ $stop_args->{SSL_no_shutdown} = 1 if ! ${*$self}{_SSL_opened}; if (my $ssl = ${*$self}{'_SSL_object'}) { - if ( ! $stop_args->{SSL_no_shutdown} ) { + if (delete ${*$self}{'_SSL_opening'}) { + # just destroy the object further below + } elsif ( ! $stop_args->{SSL_no_shutdown} ) { my $status = Net::SSLeay::get_shutdown($ssl); my $timeout = 
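Review bot: The new `blocking` override in the @@ -1139 hunk hides its control flow in a bare block that is exited with `last` from inside an argument list (`$self->_get_ssl_object || last`), which reads as though `last` might leave the subroutine; a plain conditional says the same thing: `if (@_ and my $ssl = $self->_get_ssl_object) { $auto_retry->($ssl, @_) }` followed by the unchanged `return $self->SUPER::blocking(@_);`. Behaviour is identical: with no arguments (getter call) or no SSL object yet, the mode is left alone and the call is delegated to the parent class. The same toggle appears in the @@ -854 and @@ -1066 hunks, where the current state is read via `$self->blocking` / `$socket->blocking`; after this change those getter calls route through the override with an empty argument list and so do not re-toggle, and a one-line comment saying that would save the next reader a trip. `_get_ssl_object` is defined outside this hunk.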
@@ -1821,7 +1863,7 @@ $ipn = inet_pton(AF_INET6,$identity) or return; # invalid name } elsif ( my @ip = $identity =~m{^(\d+)(?:\.(\d+)\.(\d+)\.(\d+)|[\d\.]*)$} ) { # check for invalid IP/hostname - return if 4 != @ip or 4 != grep { defined($_) && $_<256 } @ip; + return if 4 != @ip or 4 != grep { defined($_) && $_<256 } @ip; $ipn = pack("CCCC",@ip); } else { # assume hostname, check for umlauts etc @@ -1896,7 +1938,7 @@ if ( $identity eq $commonName ) { return 1 if $scheme->{ip_in_cn} == 4 ? length($ipn) == 4 : - $scheme->{ip_in_cn} == 6 ? length($ipn) == 8 : + $scheme->{ip_in_cn} == 6 ? length($ipn) == 16 : 1; } } @@ -1925,7 +1967,7 @@ sub get_fingerprint_bin { my ($self,$algo,$cert,$key_only) = @_; $cert ||= $self->peer_certificate; - return $key_only + return $key_only ? Net::SSLeay::X509_pubkey_digest($cert, $algo2digest->($algo || 'sha256')) : Net::SSLeay::X509_digest($cert, $algo2digest->($algo || 'sha256')); } @@ -2059,6 +2101,14 @@ return; } +sub _errstack { + my @err; + while (my $err = Net::SSLeay::ERR_get_error()) { + push @err, Net::SSLeay::ERR_error_string($err); + } + return @err; +} + sub can_client_sni { return $can_client_sni } sub can_server_sni { return $can_server_sni } sub can_multi_cert { return $can_multi_cert } @@ -2076,8 +2126,7 @@ if (my $ssl = ${*$self}{_SSL_object}) { delete $SSL_OBJECT{$ssl}; if (!$use_threads or delete $CREATED_IN_THIS_THREAD{$ssl}) { - $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1) - if ${*$self}{'_SSL_opened'}; + $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1); } } delete @{*$self}{@all_my_keys}; @@ -2244,6 +2293,7 @@ my %CTX_CREATED_IN_THIS_THREAD; *DEBUG = *IO::Socket::SSL::DEBUG; +*_errstack = \&IO::Socket::SSL::_errstack; use constant SSL_MODE_ENABLE_PARTIAL_WRITE => 1; use constant SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER => 2; 
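Review bot: Nothing on the corrected line records why 16 is the expected length, and the previous value of 8 shows how easily that slips; a comment on the ternary, `# packed IPv4 is 4 bytes, packed IPv6 (inet_pton AF_INET6) is 16 bytes`, ties the check to how `$ipn` is built earlier in the function. The enclosing verification sub starts outside the hunk.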
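Review bot: `_errstack` drains the OpenSSL per-thread error queue as a side effect, since each `ERR_get_error` call removes the entry it returns, so after it runs any other code inspecting the queue sees nothing; the certificate-loading code at -2618 relies on exactly that to attribute errors to each format attempt. A short header would make the contract explicit: `# Pop and stringify every pending OpenSSL error (oldest first). This empties the error queue of the current thread.` Because it is never preceded by a clear of the queue, the first call may also report errors left over from unrelated earlier operations.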
@@ -2253,7 +2303,7 @@ my $DEFAULT_SSL_OP = &Net::SSLeay::OP_ALL | &Net::SSLeay::OP_SINGLE_DH_USE - | ($can_ecdh && &Net::SSLeay::OP_SINGLE_ECDH_USE); + | ($can_ecdh ? &Net::SSLeay::OP_SINGLE_ECDH_USE : 0); # Note that the final object will actually be a reference to the scalar # (C-style pointer) returned by Net::SSLeay::CTX_*_new() so that @@ -2265,7 +2315,7 @@ my $is_server = $arg_hash->{SSL_server}; my %defaults = $is_server - ? (%DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_ARGS, %$GLOBAL_SSL_SERVER_ARGS) + ? (%DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_ARGS, %$GLOBAL_SSL_SERVER_ARGS) : (%DEFAULT_SSL_CLIENT_ARGS, %$GLOBAL_SSL_ARGS, %$GLOBAL_SSL_CLIENT_ARGS); if ( $defaults{SSL_reuse_ctx} ) { # ignore default context if there are args to override it @@ -2481,8 +2531,8 @@ # client session caching will fail # if user does not provide explicit id just use the stringification # of the context - if($arg_hash->{SSL_server} and my $id = - $arg_hash->{SSL_session_id_context} || + if($arg_hash->{SSL_server} and my $id = + $arg_hash->{SSL_session_id_context} || ( $arg_hash->{SSL_verify_mode} & 0x01 ) && "$ctx" ) { Net::SSLeay::CTX_set_session_id_context($ctx,$id,length($id)); } @@ -2492,7 +2542,10 @@ # SSL_MODE_ENABLE_PARTIAL_WRITE can be necessary for non-blocking because we # cannot guarantee, that the location of the buffer stays constant Net::SSLeay::CTX_set_mode( $ctx, - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_ENABLE_PARTIAL_WRITE | + ($arg_hash->{SSL_mode_release_buffers} ? $ssl_mode_release_buffers : 0) + ); if ( my $proto_list = $arg_hash->{SSL_npn_protocols} ) { return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay",9) 
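Review bot: The rewritten line still calls the constant as `&Net::SSLeay::OP_SINGLE_ECDH_USE` without parentheses, which forwards the current `@_` to the sub instead of calling it with no arguments; at file scope that is harmless, but it is the ampersand-call form perlcritic flags. `| ($can_ecdh ? Net::SSLeay::OP_SINGLE_ECDH_USE() : 0)` reads the same and avoids it. The ternary itself is needed, since a false `$can_ecdh` previously put `undef` or `''` into a bitwise OR.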
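Review bot: `$ssl_mode_release_buffers` is only assigned (0x00000010) when `$openssl_version >= 0x10000000` in the hunk at -132, so on an older OpenSSL a caller passing `SSL_mode_release_buffers => 1` ORs an undefined value into the mode: a "Use of uninitialized value" warning and a silently ignored option. Unless the declaration outside these hunks initialises it to 0, guard it here, `($arg_hash->{SSL_mode_release_buffers} ? ($ssl_mode_release_buffers || 0) : 0)`, or better return an error for the unsupported option the way the NPN branch directly below does. The surrounding context-creation sub starts and ends outside the hunk.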
@@ -2618,11 +2671,16 @@ $havecert = 'OBJ'; } elsif ( my $f = $arg_hash->{SSL_cert_file} ) { # try to load chain from PEM or certificate from ASN1 + my @err; if (Net::SSLeay::CTX_use_certificate_chain_file($ctx,$f)) { $havecert = 'PEM'; - } elsif (Net::SSLeay::CTX_use_certificate_file($ctx,$f,FILETYPE_ASN1)) { + } elsif (do { + push @err, [ PEM => _errstack() ]; + Net::SSLeay::CTX_use_certificate_file($ctx,$f,FILETYPE_ASN1) + }) { $havecert = 'DER'; } else { + push @err, [ DER => _errstack() ]; # try to load certificate, key and chain from PKCS12 file my ($key,$cert,@chain) = Net::SSLeay::P_PKCS12_load_file($f,1); if (!$cert and $arg_hash->{SSL_passwd_cb} @@ -2651,8 +2709,15 @@ # don't free @chain, because CTX_add_extra_chain_cert # did not duplicate the certificates } - $havecert or return IO::Socket::SSL->error( - "Failed to load certificate from file (no PEM, DER or PKCS12)"); + if (!$havecert) { + push @err, [ PKCS12 => _errstack() ]; + my $err = "Failed to load certificate from file $f:"; + for(@err) { + my ($type,@e) = @$_; + $err .= " [format:$type] @e **" if @e; + } + return IO::Socket::SSL->error($err); + } } if (!$havecert || $havekey) { @@ -2674,8 +2739,8 @@ "Failed to load key from file (no PEM or DER)"); } - Net::SSLeay::CTX_set_post_handshake_auth($ctx,1) - if (!$is_server && $can_pha && $havecert && $havekey); + Net::SSLeay::CTX_set_post_handshake_auth($ctx,1) + if (!$is_server && $can_pha && $havecert && $havekey); } if ($arg_hash->{SSL_server}) { @@ -2696,7 +2761,7 @@ # binary, e.g. DH* for( values %ctx ) { - Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) || return + Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) || return IO::Socket::SSL->error( "Failed to set DH from SSL_dh" ); } } 
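Review bot: When none of the three attempts leaves anything on the OpenSSL error queue, the message assembled at -2651 degrades to `Failed to load certificate from file $f:` with a dangling colon, losing the old `(no PEM, DER or PKCS12)` hint that told the user which formats were tried. Keep it as a fallback after the loop, `$err .= " (no PEM, DER or PKCS12)" if !grep { @$_ > 1 } @err;`. The `" **"` suffix appended after each format's errors also reads like a typo in a log; a plain `;` separator would do. Separately, the PEM entry is collected from a queue that was never cleared, so errors left by earlier unrelated calls would be blamed on the PEM attempt; a `Net::SSLeay::ERR_clear_error()` before `CTX_use_certificate_chain_file` keeps the report honest.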
@@ -2761,7 +2826,7 @@ length($digest) == 40 ? 'sha1' : length($digest) == 64 ? 'sha256' : return IO::Socket::SSL->_internal_error( - "cannot detect hash algorithem from fingerprint '$_'",9); + "cannot detect hash algorithm from fingerprint '$_'",9); $algo = lc($algo); push @accept_fp,[ $algo, $pubkey || '', pack('H*',$digest) ] } @@ -2904,8 +2969,8 @@ if ( my $cl = $arg_hash->{SSL_cipher_list} ) { for (keys %ctx) { - Net::SSLeay::CTX_set_cipher_list($ctx{$_}, ref($cl) - ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list} || next + Net::SSLeay::CTX_set_cipher_list($ctx{$_}, ref($cl) + ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list} || next : $cl ) || return IO::Socket::SSL->error("Failed to set SSL cipher list"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/lib/IO/Socket/SSL.pod new/IO-Socket-SSL-2.067/lib/IO/Socket/SSL.pod --- old/IO-Socket-SSL-2.066/lib/IO/Socket/SSL.pod 2019-03-04 11:47:27.000000000 +0100 +++ new/IO-Socket-SSL-2.067/lib/IO/Socket/SSL.pod 2020-02-14 15:33:05.000000000 +0100 
@@ -426,6 +426,21 @@ from only a single SSL frame you can guarantee that there are no pending data. +Additionally, contrary to plain sockets the data delivered on the socket are +not necessarily application payload. +It might be a TLS handshake, it might just be the beginning of a TLS record or +it might be TLS session tickets which are send after the TLS handshake in TLS +1.3. +In such situations select will return that data are available for read since it +only looks at the plain socket. +A sysread on the IO::Socket::SSL socket will not return any data though since it +is an abstraction which only returns application data. +This causes the sysread to hang in case the socket was blocking or to return +an error with EAGAIN on non-blocking sockets. +Applications using select or similar should therefore set the socket to +non-blocking and also expect that the sysread might temporarily fail with +EAGAIN. + See also L</"Using Non-Blocking Sockets">. =item * @@ -440,7 +455,7 @@ Especially the hidden writes might result in a connection reset if the underlying TCP socket is already closed by the peer. Unless signal PIPE is -explicitly handled by the application this will ususally result in the +explicitly handled by the application this will usually result in the application crashing. It is thus recommended to explicitly IGNORE signal PIPE so that the errors get propagated as EPIPE instead of causing a crash of the application. @@ -928,7 +943,7 @@ To get the fingerprint of an established connection you can use C<get_fingerprint>. -It is also possible to skip C<algo$>, i.e. only specifiy the fingerprint. In +It is also possible to skip C<algo$>, i.e. only specify the fingerprint. In this case the likely algorithms will be automatically detected based on the length of the digest string. 
@@ -1050,7 +1065,7 @@ If this option is set the cipher list for the connection will be set to the given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. Look into the OpenSSL -documentation (L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>) +documentation (L<https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS>) for more details. Unless you fail to contact your peer because of no shared ciphers it is @@ -1078,7 +1093,7 @@ about DH parameters. To support non-elliptic Diffie-Hellman key exchange a suitable file needs to -be given here or the SSL_dh should be used with a appropriate value. +be given here or the SSL_dh should be used with an appropriate value. See dhparam command in openssl for more information. If neither C<SSL_dh_file> nor C<SSL_dh> are set a builtin DH parameter with a @@ -1480,6 +1495,13 @@ my $srv = IO::Socket::SSL->new(..., SSL_ticket_keycb => $keycb); +=item SSL_mode_release_buffers 1|0 + +This enables or disables the SSL_MODE_RELEASE_BUFFERS option on the SSL object. +With this option the read buffer will be released after each SSL_read but will +need to be reallocated for each new SSL_read. If memory usage is a concern this +might save lots of memory in the mean time though, about 34k per idle SSL +connection according to the documentation in SSL_CTX_set_mode(3ssl). =back diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.066/t/core.t new/IO-Socket-SSL-2.067/t/core.t --- old/IO-Socket-SSL-2.066/t/core.t 2018-01-23 19:38:07.000000000 +0100 +++ new/IO-Socket-SSL-2.067/t/core.t 2020-02-14 15:23:13.000000000 +0100 
@@ -22,18 +22,6 @@ $numtests+=5 if $CAN_NONBLOCK; $numtests+=3 if $CAN_PEEK; -my $expected_peer = do { - my $us = IO::Socket::INET->new( LocalAddr => '127.0.0.1', Proto => 'udp' ); - my $uc = IO::Socket::INET->new( - PeerAddr => $us->sockhost, - PeerPort => $us->sockport, - Proto => 'udp' - ) or do { - plan skip_all => "Skipped: cannot determine default peer IP"; - }; - $uc->sockhost, -}; - plan tests => $numtests; # We need to detect the best TLS version supported by the server since we can @@ -50,8 +38,9 @@ die "no TLS support" if ! $tls_version; my $error_trapped = 0; +my $localip = '127.0.0.1'; my $server = IO::Socket::SSL->new( - LocalAddr => '127.0.0.1', + LocalAddr => $localip, LocalPort => 0, Listen => 2, Timeout => 30, @@ -75,18 +64,22 @@ ok( fileno( $server), "Server Fileno Check"); -my $saddr = $server->sockhost.':'.$server->sockport; +my $saddr = $localip.':'.$server->sockport; unless (fork) { close $server; - my $client = IO::Socket::INET->new($saddr); + my $client = IO::Socket::INET->new( + PeerAddr => $saddr, + LocalAddr => $localip, + ); print $client "Test\n"; is( <$client>, "This server is SSL only", "Client non-SSL connection"); close $client; $client = IO::Socket::SSL->new( PeerAddr => $saddr, + LocalAddr => $localip, Domain => AF_INET, SSL_verify_mode => 0x01, SSL_ca_file => "certs/test-ca.pem", @@ -172,7 +165,10 @@ $client->close(SSL_no_shutdown => 1); - my $client_2 = IO::Socket::INET->new($saddr); + my $client_2 = IO::Socket::INET->new( + PeerAddr => $saddr, + LocalAddr => $localip + ); ok( $client_2, "Second Client Initialization"); $client_2 = IO::Socket::SSL->new_from_fd($client_2->fileno, '+<>', @@ -186,6 +182,7 @@ if ($CAN_NONBLOCK) { my $client_3 = IO::Socket::SSL->new( PeerAddr => $saddr, + LocalAddr => $localip, Domain => AF_INET, SSL_verify_mode => 0x01, SSL_ca_file => "certs/test-ca.pem", 
@@ -201,6 +198,7 @@ my $client_4 = IO::Socket::SSL->new( PeerAddr => $saddr, + LocalAddr => $localip, Domain => AF_INET, SSL_reuse_ctx => $client_3, Blocking => 0 @@ -270,7 +268,7 @@ fail("client creation failed"); exit; }; -is( inet_ntoa((unpack_sockaddr_in($peer))[1]), $expected_peer, "Peer address check"); +is( inet_ntoa((unpack_sockaddr_in($peer))[1]), $localip, "Peer address check"); if ($CAN_NONBLOCK) { $client->blocking(0); ++++++ cpanspec.yml ++++++ --- /var/tmp/diff_new_pack.ciGNKz/_old 2020-02-22 19:03:13.193962528 +0100 +++ /var/tmp/diff_new_pack.ciGNKz/_new 2020-02-22 19:03:13.193962528 +0100 @@ -1,2 +1,4 @@ patches: ignore_requires: Mozilla::CA +post_build: |- + rm README.Win32
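Review bot: `rm README.Win32` in `post_build` aborts the package build the first time an upstream release stops shipping that file, which is a hard failure for a cosmetic cleanup. `rm -f README.Win32` keeps the intent and tolerates the file's absence; if a loud failure on a missing file is actually wanted, a one-line comment saying so would make that choice deliberate.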
