Hello community,

here is the log from the commit of package perl-IO-Socket-SSL for 
openSUSE:Factory checked in at 2013-11-29 16:25:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
 and      /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-IO-Socket-SSL"

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes    
2013-11-26 19:25:42.000000000 +0100
+++ 
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes   
    2013-11-29 16:25:10.000000000 +0100
@@ -1,0 +2,9 @@
+Fri Nov 29 11:05:49 UTC 2013 - [email protected]
+
+- updated to 1.962
+ - work around problems with older F5 BIG-IP by offering fewer ciphers on the
+   client side by default, so that the client hello stays below 255 byte
+ - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
+   are not self-signed (by giving issuer_*)
+
+-------------------------------------------------------------------

Old:
----
  IO-Socket-SSL-1.960.tar.gz

New:
----
  IO-Socket-SSL-1.962.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.lxZZfs/_old  2013-11-29 16:25:10.000000000 +0100
+++ /var/tmp/diff_new_pack.lxZZfs/_new  2013-11-29 16:25:10.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           perl-IO-Socket-SSL
-Version:        1.960
+Version:        1.962
 Release:        0
 %define cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET.

++++++ IO-Socket-SSL-1.960.tar.gz -> IO-Socket-SSL-1.962.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/Changes 
new/IO-Socket-SSL-1.962/Changes
--- old/IO-Socket-SSL-1.960/Changes     2013-11-13 00:46:00.000000000 +0100
+++ new/IO-Socket-SSL-1.962/Changes     2013-11-27 22:08:38.000000000 +0100
@@ -1,3 +1,9 @@
+1.962 2013/11/27
+- work around problems with older F5 BIG-IP by offering fewer ciphers on the
+  client side by default, so that the client hello stays below 255 byte
+1.961 2013/11/26
+- IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
+  are not self-signed (by giving issuer_*)
 1.960 2013/11/12
 only documentation enhancements:
 - clarify with text and example code, that within event loops not only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/MANIFEST 
new/IO-Socket-SSL-1.962/MANIFEST
--- old/IO-Socket-SSL-1.960/MANIFEST    2013-11-13 01:09:39.000000000 +0100
+++ new/IO-Socket-SSL-1.962/MANIFEST    2013-11-27 22:19:13.000000000 +0100
@@ -51,4 +51,5 @@
 t/mitm.t
 t/ecdhe.t
 util/export_certs.pl
-META.yml                                 Module meta-data (added by MakeMaker)
+META.yml                                 Module YAML meta-data (added by 
MakeMaker)
+META.json                                Module JSON meta-data (added by 
MakeMaker)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/META.json 
new/IO-Socket-SSL-1.962/META.json
--- old/IO-Socket-SSL-1.960/META.json   1970-01-01 01:00:00.000000000 +0100
+++ new/IO-Socket-SSL-1.962/META.json   2013-11-27 22:19:13.000000000 +0100
@@ -0,0 +1,54 @@
+{
+   "abstract" : "Nearly transparent SSL encapsulation for IO::Socket::INET.",
+   "author" : [
+      "Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund"
+   ],
+   "dynamic_config" : 1,
+   "generated_by" : "ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter 
version 2.120921",
+   "license" : [
+      "perl_5"
+   ],
+   "meta-spec" : {
+      "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec";,
+      "version" : "2"
+   },
+   "name" : "IO-Socket-SSL",
+   "no_index" : {
+      "directory" : [
+         "t",
+         "inc"
+      ]
+   },
+   "prereqs" : {
+      "build" : {
+         "requires" : {
+            "ExtUtils::MakeMaker" : "0"
+         }
+      },
+      "configure" : {
+         "requires" : {
+            "ExtUtils::MakeMaker" : "0"
+         }
+      },
+      "runtime" : {
+         "requires" : {
+            "Net::SSLeay" : "1.46",
+            "Scalar::Util" : "0"
+         }
+      }
+   },
+   "release_status" : "stable",
+   "resources" : {
+      "bugtracker" : {
+         "web" : "https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL";
+      },
+      "homepage" : "https://github.com/noxxi/p5-io-socket-ssl";,
+      "license" : [
+         "http://dev.perl.org/licenses/";
+      ],
+      "repository" : {
+         "url" : "https://github.com/noxxi/p5-io-socket-ssl";
+      }
+   },
+   "version" : "1.962"
+}
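Review bot: as rendered here every URL-valued string in the new META.json is followed by a stray `;` (e.g. `"url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec";,` and the four entries under `resources`), which would make the file invalid JSON; this looks like a mail-archive rendering artifact rather than the generated file, but the shipped META.json should be checked to parse cleanly. The author e-mail in the `author` entry also appears redacted (`<sullr.org>`) in this rendering.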
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/META.yml 
new/IO-Socket-SSL-1.962/META.yml
--- old/IO-Socket-SSL-1.960/META.yml    2013-11-13 01:09:39.000000000 +0100
+++ new/IO-Socket-SSL-1.962/META.yml    2013-11-27 22:19:13.000000000 +0100
@@ -1,28 +1,28 @@
---- #YAML:1.0
-name:               IO-Socket-SSL
-version:            1.960
-abstract:           Nearly transparent SSL encapsulation for IO::Socket::INET.
+---
+abstract: 'Nearly transparent SSL encapsulation for IO::Socket::INET.'
 author:
-    - Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund
-license:            perl
-distribution_type:  module
-configure_requires:
-    ExtUtils::MakeMaker:  0
+  - 'Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund'
 build_requires:
-    ExtUtils::MakeMaker:  0
+  ExtUtils::MakeMaker: 0
+configure_requires:
+  ExtUtils::MakeMaker: 0
+dynamic_config: 1
+generated_by: 'ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 
2.120921'
+license: perl
+meta-spec:
+  url: http://module-build.sourceforge.net/META-spec-v1.4.html
+  version: 1.4
+name: IO-Socket-SSL
+no_index:
+  directory:
+    - t
+    - inc
 requires:
-    Net::SSLeay:   1.46
-    Scalar::Util:  0
+  Net::SSLeay: 1.46
+  Scalar::Util: 0
 resources:
-    bugtracker:  https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
-    homepage:    https://github.com/noxxi/p5-io-socket-ssl
-    license:     http://dev.perl.org/licenses/
-    repository:  https://github.com/noxxi/p5-io-socket-ssl
-no_index:
-    directory:
-        - t
-        - inc
-generated_by:       ExtUtils::MakeMaker version 6.57_05
-meta-spec:
-    url:      http://module-build.sourceforge.net/META-spec-v1.4.html
-    version:  1.4
+  bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
+  homepage: https://github.com/noxxi/p5-io-socket-ssl
+  license: http://dev.perl.org/licenses/
+  repository: https://github.com/noxxi/p5-io-socket-ssl
+version: 1.962
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/lib/IO/Socket/SSL/Utils.pm 
new/IO-Socket-SSL-1.962/lib/IO/Socket/SSL/Utils.pm
--- old/IO-Socket-SSL-1.960/lib/IO/Socket/SSL/Utils.pm  2013-11-11 
09:27:11.000000000 +0100
+++ new/IO-Socket-SSL-1.962/lib/IO/Socket/SSL/Utils.pm  2013-11-26 
15:35:31.000000000 +0100
@@ -7,7 +7,7 @@
 use Time::Local;
 use Exporter 'import';
 
-our $VERSION = '0.01';
+our $VERSION = '0.02';
 our @EXPORT = qw(
     PEM_file2cert PEM_string2cert PEM_cert2file PEM_cert2string
     PEM_file2key PEM_string2key PEM_key2file PEM_key2string
@@ -208,32 +208,28 @@
     my $key = delete $args{key} || KEY_create_rsa();
     Net::SSLeay::X509_set_pubkey($cert,$key);
 
+    my $issuer_cert = delete $args{issuer_cert};
+    my $issuer_key  = delete $args{issuer_key};
     if ( delete $args{CA} ) {
-       Net::SSLeay::X509_set_issuer_name($cert,
-           Net::SSLeay::X509_get_subject_name($cert));
-       Net::SSLeay::P_X509_add_extensions($cert,$cert,
-           @ext,
-           &Net::SSLeay::NID_basic_constraints => 'CA:TRUE',
-       ) or die "failed to set extensions";
-       Net::SSLeay::X509_sign($cert,$key,$sha1_digest);
+       $issuer_cert ||= $cert;
+       $issuer_key  ||= $key;
+       push @ext, &Net::SSLeay::NID_basic_constraints => 'CA:TRUE',
 
     } else {
-       my $issuer_cert = delete $args{issuer_cert}
-           || croak "no issuer_cert given";
-       my $issuer_key  = delete $args{issuer_key}
-           || croak "no issuer_key given";
-       Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert,
-           @ext,
+       $issuer_cert || croak "no issuer_cert given";
+       $issuer_key  || croak "no issuer_key given";
+       push @ext,
            &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
            &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
            &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
-           &Net::SSLeay::NID_netscape_cert_type => 'server',
-       );
-       Net::SSLeay::X509_set_issuer_name($cert,
-           Net::SSLeay::X509_get_subject_name($issuer_cert));
-       Net::SSLeay::X509_sign($cert,$issuer_key,$sha1_digest);
+           &Net::SSLeay::NID_netscape_cert_type => 'server';
     }
 
+    Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert, @ext);
+    Net::SSLeay::X509_set_issuer_name($cert,
+       Net::SSLeay::X509_get_subject_name($issuer_cert));
+    Net::SSLeay::X509_sign($cert,$issuer_key,$sha1_digest);
+
     return ($cert,$key);
 }
 
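Review bot: in the `CA` branch the new defaults `$issuer_cert ||= $cert;` and `$issuer_key ||= $key;` are applied independently, so a caller passing `issuer_cert` without `issuer_key` (or the reverse) gets a certificate whose issuer name comes from one entity but whose signature was made with a different key, i.e. a chain that never verifies. Suggest treating the pair as all-or-nothing before the defaults, e.g. `croak "issuer_cert and issuer_key must be given together" if defined($issuer_cert) xor defined($issuer_key);`. Two smaller points: the CA branch only pushes `NID_basic_constraints => 'CA:TRUE'` and no `NID_key_usage` with `keyCertSign`, and the consolidated `Net::SSLeay::X509_sign($cert,$issuer_key,$sha1_digest)` still signs with SHA-1; a configurable digest defaulting to SHA-256 would be worth considering now that the function can mint non-self-signed CA certificates.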
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/IO-Socket-SSL-1.960/lib/IO/Socket/SSL.pm 
new/IO-Socket-SSL-1.962/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-1.960/lib/IO/Socket/SSL.pm        2013-11-13 
01:09:31.000000000 +0100
+++ new/IO-Socket-SSL-1.962/lib/IO/Socket/SSL.pm        2013-11-27 
22:06:58.000000000 +0100
@@ -20,7 +20,7 @@
 use Carp;
 use strict;
 
-our $VERSION = '1.960';
+our $VERSION = '1.962';
 
 use constant SSL_VERIFY_NONE => Net::SSLeay::VERIFY_NONE();
 use constant SSL_VERIFY_PEER => Net::SSLeay::VERIFY_PEER();
@@ -58,7 +58,44 @@
 
 my %DEFAULT_SSL_CLIENT_ARGS = (
     %DEFAULT_SSL_ARGS,
-    SSL_verify_mode => SSL_VERIFY_PEER
+    SSL_verify_mode => SSL_VERIFY_PEER,
+
+    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
+    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
+    # http://guest:[email protected]/Ticket/Display.html?id=2771
+    # Debian works around this by disabling TLSv12 on the client side
+    # Chrome and IE11 use TLSv12 but use only a few ciphers, so that packet
+    # stays small enough
+    # The following list is taken from IE11, except that we don't do RC4-MD5,
+    # RC4-SHA is already bad enough. Also, we have a different sort order
+    # compared to IE11, because we put ciphers supporting forward secrecy on 
top
+
+    SSL_cipher_list => join(" ", 
+       qw(
+           ECDHE-ECDSA-AES128-GCM-SHA256
+           ECDHE-ECDSA-AES128-SHA256
+           ECDHE-ECDSA-AES256-GCM-SHA384
+           ECDHE-ECDSA-AES256-SHA384
+           ECDHE-ECDSA-AES128-SHA
+           ECDHE-ECDSA-AES256-SHA
+           ECDHE-RSA-AES128-SHA256
+           ECDHE-RSA-AES128-SHA
+           ECDHE-RSA-AES256-SHA
+           DHE-DSS-AES128-SHA256
+           DHE-DSS-AES128-SHA
+           DHE-DSS-AES256-SHA256
+           DHE-DSS-AES256-SHA
+           AES128-SHA256
+           AES128-SHA
+           AES256-SHA256
+           AES256-SHA
+           EDH-DSS-DES-CBC3-SHA
+           DES-CBC3-SHA
+           RC4-SHA
+       ),
+       # just to make sure, that we don't accidentely add bad ciphers above
+       "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
+    )
 );
 
 my %DEFAULT_SSL_SERVER_ARGS = (
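Review bot: the new default `SSL_cipher_list` still ends with `DES-CBC3-SHA` and `RC4-SHA` (the in-code comment itself calls RC4-SHA "already bad enough"), and the trailing guard `"!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"` does not remove them: `!DES` matches single DES only, not 3DES, and nothing excludes RC4. Since this hunk changes the default for every client that does not set `SSL_cipher_list`, the Changes entry and the `SSL_cipher_list` POD should say that the default shrank and show how to override it. Minor: the comment typo `accidentely` -> `accidentally`. Separating the `qw()` entries with `join(" ", ...)` is fine, as OpenSSL accepts spaces as well as colons as cipher-list separators.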
@@ -2489,11 +2526,18 @@
 =item B<sysread( BUF, LEN, [ OFFSET ] )>
 
 This function behaves from the outside the same as B<sysread> in other
-L<IO::Socket> objects. But in reality it reads not only LEN bytes from the
-underlying socket, but at least one SSL frame. It then returns up to LEN bytes
-it decrypted from the SSL frames. The rest of the decrypted bytes is buffered
-inside the SSL object and will be returned on further calls. So the next 
sysread
-might not even read from the underlying socket but just return buffered data.
+L<IO::Socket> objects, e.g. it returns at most LEN bytes of data. 
+But in reality it reads not only LEN bytes from the underlying socket, but at
+a single SSL frame. It then returns up to LEN bytes it decrypted from this SSL
+frame. If the frame contained more data than requested it will return only LEN
+data, buffer the rest and return it on futher read calls.
+This means, that it might be possible to read data, even if the underlying
+socket is not readable, so using poll or select might not be sufficient.
+
+sysread will only return data from a single SSL frame, e.g. either the pending
+data from the already buffered frame or it will read a frame from the 
underlying
+socket and return the decrypted data. It will not return data spanning several
+SSL frames in a single call.
 
 Also, calls to sysread might fail, because it must first finish an SSL
 handshake.
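Review bot: wording in the new sysread paragraph: `but at a single SSL frame` reads like a leftover of the old `at least one SSL frame` and should probably be `but a whole SSL frame`; `futher` -> `further`; and both uses of `e.g.` introduce restatements rather than examples, so `i.e.` is meant. The added warning that decrypted data may be readable while the underlying socket is not select/poll-readable is the important part of this hunk and is correct.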
@@ -2505,8 +2549,15 @@
 =item B<syswrite( BUF, [ LEN, [ OFFSET ]] )>
 
 This functions behaves from the outside the same as B<syswrite> in other
-L<IO::Socket> objects. But SSL specific behavior applies if used with
-non-blocking sockets. Pease read the specific section in this documentation.
+L<IO::Socket> objects, e.g. it will write at most LEN bytes to the socket, but
+there is no guarantee, that all LEN bytes are written. It will return the 
number
+of bytes written. 
+syswrite will write all the data within a single SSL frame, which means, that
+no more than 16.384 bytes, which is the maximum size of an SSL frame, can be
+written at once.
+
+For non-blocking sockets SSL specific behavior applies. 
+Pease read the specific section in this documentation.
 
 =item B<peek( BUF, LEN, [ OFFSET ])>
 
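Review bot: `16.384 bytes` uses a thousands separator that English readers will take as a decimal point; write `16384 bytes`. Also `This functions behaves` -> `This function behaves`, `e.g. it will write at most LEN bytes` -> `i.e.`, and the pre-existing typo `Pease` is carried into the new text (`Pease read the specific section`) -> `Please`.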
@@ -2828,6 +2879,9 @@
 you must check, if there are still data in the current SSL frame by calling
 C<pending> and if there are no data pending you might check the underlying
 socket with select or poll.
+Another way might be if you try to sysread at least 16k all the time. 16k is 
the
+maximum size of an SSL frame and because sysread returns data from only a 
single
+SSL frame you guarantee this way, that there are no pending data.
 Please see the example on top of this documentation on how to use SSL within a
 select loop.
 
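Review bot: the new advice to "try to sysread at least 16k all the time" relies on the 16384-byte maximum frame size stated in the syswrite section; say `sysread` with LEN of at least 16384 here so the reader does not have to reconcile "16k" with that number, and make clear that this only avoids pending buffered data, not the handshake-in-progress failure described under sysread. The opening `Another way might be if you try to` is awkward; `Alternatively, always call sysread with LEN of at least 16384` reads better.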

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]