This is an automated email from the git hooks/post-receive script. carnil pushed a change to branch master in repository libio-socket-ssl-perl.
from 825e44a Prepare changelog for release to experimental
adds 3ac64c0 git-svn-id: file:///home/steffen/SVN/p5-io-socket-ssl@1 4cec71fa-2046-0410-ae00-8a945e15d811
adds c84bb82 - new certificates in certs/ which are more current - Makefile.PL: try to find usable IDN library and warn if nothing is found. Check SSLeay version and warn if not sufficient for certificate checking - SSL.pm: add certificate checking with various policies *** NOT tested, work in progress ****
adds b9f3a10 update wildcard cert new test verify_hostname to test verify_hostname() small fixes on certificate verification
adds 0f2feb8 version 1.13_2 - IDN stuff added to certs/wildcard.pem and to t/verify_hostname.t - document changes to peer_certificate and new method verify_hostname
adds 219996d - update Changes - add forgotten server-wildcard.pem to MANIFEST - bump to 1.13_3
adds 38460d0 - automatic verification of hostnames with SSL_verifycn_scheme and SSL_verifycn_name - global setting of default context options like SSL_verifycn_scheme, SSL_verify_mode with set_ctx_defaults - version 1.13_4
adds e48d529 small fix in import
adds 008439c - clarified and enhanced debugging support based on bug report http://rt.cpan.org/Ticket/Display.html?id=32960 - put information into README regarding the supported and recommended version of Net::SSLeay - bump version to 1.14, even if Net::SSLeay 1.33 is not released yet
adds 4e7fd69 hopefully fix t/auto_verify_hostname by changing behavior on SSL error _SSL_opened is now -1 on failure, no longer 1
adds 131945b change code for SSL_check_crl to use X509_STORE_set_flags instead of X509_STORE_CTX_set_flags based on bug report from <tjtoocool[AT]phreaker[DOT]net >
adds 07d4f47 - change opened() to report -1 if the IO::Handle is open, but the SSL connection failed, needed with HTTP::Daemon::SSL which will send an error message over the unencrypted socket - document opened() - bump version to 1.16
adds 28772de -
adds 67b3a74 - better IPv6 support, enabled by default if IO::Socket::INET6 is available
adds 9714dc4 -
adds 1963777 v.16_2 2008.09.24 - work around Bug in IO::Socket::INET6 on BSD systems http://rt.cpan.org/Ticket/Display.html?id=39550 by setting Domain based on PeerAddr Thanks to srezic for report and support
adds 6db9914 +v.16_3 2008.09.25 +- fix t/nonblock.t with workaround for problems with + IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do + nonblocking connect and leaves socket blocked. +- make some tests less verbose by fixing diag in t/testlib.t + (send output to STDOUT not STDERR and prefix with '#')
adds 63f0751 - make version 1.17, no code changes - document Win32 problems with non-blocking, timeouts and test suite
adds 274244a 1.18 - fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
adds 9b4df5a -
adds 2bb07b1 -
adds 00953d8 -
adds c3b6a2f +v1.21 2009.01.22 +- auto verification of name in certificate created circular reference between + SSL and CTX object with the verify_callback, which caused the objects to be + destroyed only at program end. Fix it by no longer accessing $self from inside + the callback.
adds 794e034 v1.22 2009.01.24 - Net::SSLeay stores verify callbacks inside hash and never clears them, so set verify callback to NULL in destroy of context
adds 624c8cb delete META.yml from rep and MANIFEST, let it be created from Makefile.PL
adds b34f9b8 new test certificates, old expired
adds 672e84e checkin myca
adds 683a91c - if neither SSL_ca_file nor SSL_ca_path are known don't check cert but warn
adds 5a062eb warnings fix
adds 80a08a0 - renew certs
adds 97793f5 1.25 Fix t/nonblock.t for OS X 10.5 - https://rt.cpan.org/Ticket/Display.html?id=47240
adds a44d892 security fix for verify_hostname_of_cert, Version 1.26
adds 8169413 t/verify_hostname.t fixed number of tests
adds ff91ddd v1.27 regex fixes and resolve Bug#48131 which only happened with perl -w: - changed possible local/utf-8 depended \w in some regex against more explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service names can't have '-' inside - fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131 where eli[AT]dvns[DOT]com reported warnings when perl -w was used. While there made it more aware of errors in Net::ssl_write_all (return undef not 0 in gene [...]
adds b30ca0b v1.28, v1.29 memleak fix
adds 13a474e 1.30 - fix t/memleak_bad_handshake.t
adds e6a15fe 1.30_1 - make sure that idn_to_ascii is not called with identity containing \0
adds a0afa60 1.30_3: make t/memleak_bad_handshake.t more stable
adds b05d358 1.31 - SSL_crl_file, SSL_VERIFY constants...
adds 88d7a01 version 1.32 and 1.33
adds e57891c removed svn-commit.tmp which should never have been checked in
adds 9c61977 1.34: wildcards_in_cn for http, start_SSL does not close socket on failure
adds fdc5997 1.35 - no fallback to verify_none if ca_* is not valid, instead throw error
adds 055e730 update SSL_verify_callback documentation
adds fa30f8a let user explicitly set SSL_ca_{path,file} to undef
adds b2f400e 1.38 - fixed setting for wildcards_in_cn from 1 to anywhere for http
adds ea8c6f5 1.38_1 - make fileno on closed socket return undef
adds 34f23d1 fixed docu for http cn wildcard behavior
adds bbea27f version upgrade
adds a6f14fa small fix in example/async_https_server
adds 2fc0505 added t/startssl-failed.t
adds 99f45ad more fixes to async_https_server
adds a5f3196 1.40 - IDN support from URI. https://rt.cpan.org/Ticket/Display.html?id=67676
adds f8a45f1 v1.40_1 2011.05.09 - fix issue in stop_SSL where it did not issue a shutdown of the SSL connection if it first received the shutdown from the other side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
adds 6b119af make 1.40_1 ->1.41, better error handling in t/nonblock.t
adds b19a332 1.42: add SSL_create_ctx_callback option
adds 719d77a 1.43 - fix t/nonblock.t
adds e4fc1c9 stability improvements t/inet6.t
adds 5412bbf 1.43_1 - try to make t/nonblock.t more stable
adds 3a0f745 1.44 - fix invalid call to inet_pton in verify_hostname_of_cert
adds 35f52fa 1.45 rewrite readline for better signal handling
adds 66e6dc5 forgot to git add test for 1.45
adds 5a12676 1.46 - disable t/signal-readline.t for windows
adds efd2bab 1.47 - fix for readline introduced in 1.45
adds c2e8168 1.47 fix os check in t/signal-readline.t
adds ff967a4 1.48 Merge branch 'master' of github.com:noxxi/p5-io-socket-ssl
adds 3c37524 1.49 - yet another readline regression. Add more tests to t/readline.t
adds 64f5672 1.50 workaround t/nonblock.t for AIX
adds 3c93d86 1.52 fix syntax error in t/memleak_bad_handshake.t
adds 2be90e4 1.53 - fix child leak in memleak_bad_handshake.t when failing test
adds fc93f68 1.54 - solved rt#73629 (uninitialized warning)
adds 6d7a53e 1.55 work around IO::Sockets work around for systems returning EISCONN etc on connect retry
adds 4f83a3c 1.56 added SNI support for client
adds 266ecce 1.57 - fix t/dhe.t for openssl 1.0.1beta
adds ef87a2b 1.58 - disable workaround in t/dhe.t for older openssl versions
adds cb6982a 1.60 - doc update + fix readline for nonblocking socket
adds d61da37 1.59 - useful error message on attempt to use unsupported SSLv2
adds 728004f Merge branch 'master' of github.com:noxxi/p5-io-socket-ssl
adds f633127 1.61 rt#76053 automatically use CTX_set_session_id_context
adds 200bc6a 1.62 small fix to 1.61
adds b5e793e 1.63 fix rt#76147 making Win32 tests more stable
adds 419f418 1.64 clarify verifycn_* behavior
adds 17f5fb7 1.65 NPN support
adds 6d468a5 1.66 resolve bug with threads
adds d69ded9 1.67 - more secure defaults, new key SSL_honor_cipher_order to mitigate BEAST
adds f86e95b 1.68 - remove sslv2 from default cipher list
adds c32a7ec 1.69 - reenabled workaround in t/dhe.t
adds abc3821 1.70 - make disabling protocols via SSL_version possible, default SSLv23:!SSLv2
adds cf4608a 1.71: 1.70 done right
adds 035be8a 1.72 set DEFAULT_CIPHER_LIST to ALL:!LOW not HIGH:!LOW
adds 00483ba 1.73 fixes to t/dhe.t to support more openssl versions
adds ddd0ae7 1.74 - accept SSLv2/3 again and interpret it as SSLv23
adds 819770a 1.74_1 - integrate IO::Socket::IP (rt#75218)
adds 1ff9a8a 1.74_2 fix documentation of SSL_version, rt#77690
adds 222735a 1.75 - make it possible to disable TLS version 1.1 and 1.2
adds 6d6ad4b 1.76 - no longer depend on recent Socket.pm
adds b708b85 1.77 - rt#79916 - update_peer for IPv6
adds b9867b5 work around systems where AF_INET6 is not defined https://rt.cpan.org/Ticket/Display.html?id=81216
adds 7a60697 fix format - change everything to sts=4 sw=4 ts=8, prev. formatting was mostly tab 8 with some tab 4
adds 0f44ccd moved SSL.pm to lib/IO/Socket/SSL.pm
adds 5cbf946 use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort from sockaddr in _update_peer, keeping scope
adds e388825 1.79 - start migration to more secure default of SSL_verify_mode by issuing big warning, if current insecure default gets used
adds 74d8363 1.80 - fixed tests so that they don't hang anymore on windows rt#81493
adds 6aad6ba 1.81 - cleanups.. - deprecated set_ctx_defaults, new name is set_defaults (but old name still available) - changed handling of default path for SSL_(ca|cert|key)* keys: either if one of these keys is user defined don't add defaults for the others, e.g. don't mix user settings and defaults - cleaner handling of module defaults vs. global settings vs. socket specific settings. Global and socket specific settings are both provided by the user, while module [...]
adds 16b65e5 correct spelling of deprecated https://rt.cpan.org/Ticket/Display.html?id=82790
adds 9078b66 add link to github to Makefile.PL
adds aa9fd54 1.82 better error preserving
adds 30acc99 - server side SNI - do not call DEBUG() unless debugging is on to speed up module
adds 1a1c1ea much better documentation
adds 799468f release as 1.83
adds b4e960d add more debugging for SNI
adds 68995c7 1.83_1 - adapted and documented behavior of readline on non-blocking I/O
adds 6925c97 1.84 with more stable client side SNI and better support/doc for SNI and NPN
adds 0e707b0 updated documentation
adds 91708db update SEE ALSO and COPYRIGHT
adds 5e3fd26 1.85 - probe for available modules with local __DIE__ and __WARN__ handlers. fixes RT#84574 - fix warning, when IO::Socket::IP is installed and inet6 support gets explicitly requested. RT#84619
adds 715cea8 1.86 RT#84686 - don't complain about SSL_verify_mode if SSL_reuse_ctx, thanks to CLEACH
adds 4868482 1.87 - RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are not readable. Thanks to perl[AT]minty[DOT]org - fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
adds 98cf0e1 1.88 consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key* and SSL_cert* - some apps like Net::LDAP use it that way.
adds 379a00c Spelling corrections
adds 4bf7358 Merge pull request #3 from dsteinbrunner/master
adds debe24d update Changes
adds 221b1b5 1.89 if IO::Socket::IP is used it should be at least version 0.20 to fix RT#81932 (HTTP::Daemon::SSL)
adds 764097d added SSL interception
adds b7a0309 - added test for intercepting feature - RT#85290 - use more digests by default
adds c59f706 1.91 - added IO::Socket::SSL::Utils for easier manipulation of certificates and keys - moved SSL interception into IO::Socket::SSL::Intercept and simplified it using IO::Socket::SSL::Utils - enhance meta information in Makefile.PL
adds 5e361a1 Fix pod error in IO::Socket::SSL::Utils RT#85733
adds cd137f4 1.92 Intercept: use sha1-fingerprint of original cert for id into cache unless otherwise given
adds 16c4645 1.93 - need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6 years ago. Remove code to work around older releases. - changed AUTHOR in Makefile.PL from array back to string, because the array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
adds c024113 set version of Intercept to 1.93, so that PAUSE indexer will index it again. Problem was, that Intercept was just once inside SSL.pm file and the version 1.90 was propagated from there. So any new versions will need to be higher.
adds cbf2a85 Makefile.PL: if the openssl version looks too small show the detected version in the error message
adds 3e05d82 1.94 - Makefile.PL reported wrong version of openssl, if Net::SSLeay was not installed instead of reporting missing dependency to Net::SSLeay.
adds ad0d04f 1.950 - after long time of complaining when using insecure default mode finally changed the default for ssl_verify_mode to ssl_verify_peer for clients, e.g. better fail connection instead of using insecure connection. - start complaining if (insecure, because relative path) builtin defaults for CA and cert/key files/path are used. In the future all certs have to be specified explicitly and CA should use system defaults.
adds 1cf5f61 1.951 - better document builtin defaults for key,cert,CA and how they are deprecated - use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins used)
adds 5a9c428 1.952 - fix t/acceptSSL-timeout.t on Win32, RT#86862
adds 6e46f6c 1.953 - RT#87052 fix in Utils.pm
adds 77608e7 Fix a couple DOC schema typos to scheme
adds 0bb1488 Merge pull request #4 from crisman/doc-fix-schema
adds e8b71c0 Update README to note needing 1.46 Net::SSLeay
adds ffec703 Update use Net::SSLeay 1.46 (continue v1.90 2013.05.27)
adds 5ecb952 Merge pull request #5 from crisman/more-net-ssleay-floor
adds 2deb985 1.954 - accept older versions of ExtUtils::MakeMaker and add meta information like link to repository only for newer versions.
adds e067e09 1.955 - added support for ECDH key exchange with key SSL_ecdh_curve
adds e19f5a0 fixed Skipped message in t/ecdhe.t
adds e13b372 - cipher_list is now per context, not per SSL object, e.g. behavior change if context was setup independent from SSL object and w/o cipher list, which was then given to SSL object only - move filling-in defaults to Context->new, thus make generating standalone context and implicit context in SSL->new more consistent. Speeds up when using reuse_ctx
adds 9f54462 support for handshake protocol TLSv11, TLSv12
adds 9ccacac - fixed error in Utils::CERT_free (wrong free call) - added some tests to git which were in MANIFEST but not in git thanks to lkundrak[AT]v3[DOT]sk for reporting https://rt.cpan.org/Ticket/Display.html?id=89705
adds 449f65d - rework verification schemes based on RFC 6125 - add scheme names with RFC numbers, e.g. rfc2818... - fix scheme for ICAP, POP3, ACAP, NNTP - contrary to LDAP they allow wildcards in common name - fix scheme for SMTP, it is now the same as IMAP - add schemes for SNMP, syslog, netconf, GIST, SIP - fix handling of anywhere wildcards: - www* now matches only www1,www2.. but not www - do not apply anywhere wildcard if hostname starts with xn--, e.g. [...]
adds ed5715e - change cipherlist to more secure - add DH parameter and ECDH curve in default configuration, so that forward secrecy is done by default - write down all Changes from last time and release as 1.956 - fix some tests
adds 904464a - fixed t/core.t for older openssl versions - enhance other tests (indent, strict, global vars...)
adds a61f48c remove workaround for very old IO::Socket::INET6, instead require fixed version
adds cbd2c69 release as 1.958 fix t/session.t for older openssl versions - close socket instead of setting to undef to let it reuse session
adds 66dea3c 1.959 - fix test core.t for windows
adds 5e18d9e 1.960 - documentation enhancements
adds 91efcd8 further documentation enhancements specifically for non-blocking and event loops
adds 15dd432 1.961 IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which are not self-signed (by giving issuer_*)
adds bdbcb0c 1.962 - work around problems with older F5 BIG-IP by offering fewer ciphers on the client side by default, so that the client hello stays below 255 byte
adds c23db6f - documentation enhancements: - special section for differences to IO::Socket - describe problem with blocking accept on non-blocking socket
adds 5b0a79c - documentation fix: consistent use of $client instead of sometimes $sock in examples in pod (thanks to alfonso[DOT]caponi[AT]gmail[DOT]com for reporting)
adds 355fc38 documentation enhancements to new_from_fd
adds 2c33559 1.963 - fix behavior of stop_SSL: for blocking sockets it is now enough to call it once, for non-blocking it should be called again as long as EAGAIN and SSL_ERROR is set to SSL_WANT_(READ|WRITE). - don't call blocking if start_SSL failed and downgraded socket has no blocking method, thanks to tokuhirom
adds 5c21511 1.964: get_sslversion* function, disabling TLS1_1 fixed
adds 8336797 1.965 - new option SSL_session_key to influence client-side session caching
adds bd49a91 1.966 - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with specifying !TLSv12, only !TLSv1_2 worked - fixed leak of session objects in SessionCache, if another session replaced an existing session (introduced in 1.965)
adds d6dcf22 Spelling fixes
adds 8f8196a Merge pull request #10 from scop/master
adds f9a5310 WIP: ssl_fingerprint etc
adds 697a7d6 1.967: new option SSL_fingerprint, default scheme for verifying names, ...
adds a30d104 - require at least version 2.62 instead of 2.55 for IO::Socket::INET6 https://rt.cpan.org/Ticket/Display.html?id=93503
adds 4936ba4 1.968 - better support for usable CA path by default - new function default_ca which emulates openssl search for default CA path. Falls back to Mozilla::CA if no usable CA store is found - enforce use of Mozilla::CA on platforms without usable CA store (windows) - remove long deprecated support for certs/server-{cert,key}.pem, ca/ and certs/my-ca.pem defaults.
adds e7f8dc3 1.969 - new function set_args_filter_hack to make it possible to override bad SSL settings from other code at the last moment. - fix set_defaults to match documentation regarding short names - determine default_ca on module load (and not on first use in each thread) - fix hostname verification when reusing context
adds f6ff605 pod fix from rt#93907
adds c017684 1.970 fix rt#93987
adds aab477d new file example/simulate_proxy.pl to check behavior of clients against various strange behavior
adds 9204be5 1.971 - try to use SSL_hostname for hostname verification if no SSL_verifycn_name is given
adds 00a95e7 1.972 fix rt#94117 t/external/usable_ca.t when no SNI support
adds 70cf826 small code cleanups
adds 7b43284 1.973: option SSL_ca additionally to SSL_ca_{file,path}
adds d8cae1b spelling error RT#94219
adds 89858c4 1.974 new function peer_certificates, extend IO::Socket::Utils::CERT_asHash
adds f0b0570 1.975 - work around TEA integration on OS X
adds 0c322e1 1.976 - check wildcard certificates against public prefix
adds 863e07d 1.977 RT#94424 IDN fixes
adds 0f7e189 1.978 RT#94424 again, fix test on older openssl version with no SNI support
adds f00f9c2 t/public_suffix_lib* - run test even if IDN lib cannot be loaded, but skip IDN tests - don't use done_testing to work with older Test::More
adds add79fa This is a combination of 2 commits.
adds 3fe3450 hostname check: 'leftmost' renamed to 'full_label'
adds ea7eb94 stability improvements for tests
adds 906ebe7 released as 1.979
adds 85a9bda disable elliptic curve support for openssl 1.0.1d on 64bit: http://rt.openssl.org/Ticket/Display.html?id=2975
adds 8f4bb7d 1.980 fix fingerprint calculation
adds 9b14e9a update Changes for 1.980
adds 4df7b35 1.981 - fix ecdhe test for openssl 1.0.1d
adds 6f4638c 1.982 - fix for using subroutine as argument to set_args_filter_hack
adds bee7322 usable_ca.t: update for current fingerprints (changed after heartbleed), check that we have a usable CA for host in CA store allow PEM in CA store to contain "X509 CERTIFICATE" or "TRUSTED CERTIFICATE" too
adds 717b8c1 1.983 - fix use of public suffix list RT#95317
adds 0cd71b7 OCSP handling - works but needs test
adds c321455 tool util/analyze-ssl.pl to analyze SSL connections
adds ab148ea removed util/export_certs.pl - way too old to be useful anymore
adds ed15491 update Changes file
adds 82f34c9 util/analyze-ssl.pl - fix version check, show usable SSL_version string
adds 221b42f analyze-ssl.pl - check if client or server decides over cipher preference
adds 558c182 update Net::SSLeay patch for ocsp (include test, update documentation)
adds a87828d analyze-ssl.pl - changed handling of http_proxy starttls, fixes for soft_error in ocsp_resolver
adds 4405951 current OCSP patch for Net::SSLeay
adds fb3a11a small OCSP fixes: - update Net::SSLeay OCSP patch - accept multiple single responses in stapled OCSP response analyze-ssl option --dump-chain
adds cfcc86d analyze-ssl.pl: fix starttls smtp, --CApath added t/external/ocsp.t add no ocsp_uri and no certid to soft_errors in ocsp resolver
adds 5b41e45 work around/together with OCSP responders, which do not reply to all single requests inside an OCSP request
adds 38e9f64 - OCSP resolver: add caching of soft errors + fix expiring if cache too big - new tool util/https_ocsp_bulk.pl to check OCSP status of lots of sites - update OCSP patch for Net::SSLeay (now included in their SVN)
adds 774f220 util/https_ocsp_bulk.pl - log ssl version, cipher and bits in pubkey - don't stop if hostname does not match, but continue with OCSP - but log as ssl-badname and log CN - changed output format for better after-analysis
adds 20218a1 - don't add ocsp tlsext if server mode - test fix in case no HTTP::Tiny is installed
adds 9573865 remove Net::SSLeay OCSP patch and instead refer to Net::SSLeay version 1.59 fix t/io-socket-inet6.t if IO::Socket::INET6 is installed, but too old to use
adds 92ea39a update Changes remove util/https_ocsp_bulk.pl (put into p5-scripts repository instead)
adds 16090c0 release as 1.984
adds 7ac7d20 fix skip if fingerprint does not match in t/external/ocsp.t
adds 6cf16e1 1.985: OCSP enhancements, RT#95633 - make OCSP callback return 1 even if it was called on the server side because of bad setup of the socket. Otherwise we get an endless calling of the OCSP callback. - consider an OCSP response which is not yet or no longer valid a soft error instead of a hard error - RT#95633 call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org - util/analyze.pl - with --show-chain chec [...]
adds 7158b35 support for IP in common name for www verification scheme. Need to add tests for this.
adds 50c903e 1.986 - allow IPv4 in CN for www/http scheme. Fix public suffix list handling.
adds cf80a79 1.987 fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
adds 9eeb788 typo
adds 1050d8f NEEDS testing: transparent support for DER and PKCS12 files in certificate and key
adds 15bc33b 1.988 - transparent support for DER and PKCS12 files for key and cert
adds 8d25008 document behavior regarding freeing certificates, when using multiple certificates in SSL_cert
adds 45a6f50 1.989 fix #95881
adds 4426734 1.989_1 #95967, work around temporary OCSP error in t/external/ocsp.t
adds 60681ec 1.990 added option SSL_ocsp_staple_callback to get the stapled OCSP response
adds 5e38bed 1.991 new option SSL_OCSP_TRY_STAPLE to enforce staple request even if VERIFY_NONE - work around for RT#96013 in peer_certificates
adds 9f66a9c analyse-ssl.pl - do hostname verification with scheme matching starttls. set verified to name-mismatch if not matches, show subjectAltNames in show-chain
adds bf5d7eb 1.992 - set $! to undef before doing IO (accept, read..). On Windows a connection reset could cause SSL read error without setting $!, so make sure we don't keep the old value and maybe thus run into endless loop.
adds b45a119 - rework error handling to distinguish between SSL errors and internal errors (like missing capabilities). - util/analyze-ssl.pl - fix hostname check if SNI does not work
adds fe8519d 1.923 - major rewrite of documentation
adds 8be8769 documentation fix after #96451
adds 7c3108b 1.994 - make socket switchable between plain and SSL with the same object
adds 0188eff fix documentation error RT#96765
adds 520fc76 - refresh option for peer_certificate, so that it checks if the certificate changed in the meantime (on renegotiation) - fix fingerprint checking - now applies only to topmost certificate - IO::Socket::SSL::Utils - accept extensions within CERT_create
adds 7612091 Fix some typos and grammar issues
adds 1700f71 Merge pull request #14 from frioux/patch-1
adds c66bb67 1.995 - RT#95452: move initialization and creation of OpenSSL-internals into INIT section, so they get executed after compilation and perlcc is happy.
adds 7eb1d78 1.996 move initialization out of INIT again because this breaks when used with require. Document work-arounds needed for perlcc
adds c110b7e 1.997 - found way to detect when initialization was needed, so user needs no longer workarounds for perlcc
adds b123501 add debug message on call to _internal_error or error fix pass message in t/external/ocsp.t
adds 8aaad64 update example/ssl_client,ssl_server
adds cc08c98 Enhance the SNI support by configuring the SNI contexts in the same way as the main context. This fixes problems like client certificate validation for SNI hosts. Added a SNI test that verifies the client certificate.
adds ac7e5d8 Merge branch 'jelu-sni-enhancement'
adds 112bc7a 1.998 - redesign creation of SSL contexts, so that all contexts have CA path, verification callback etc
adds 68b1ba1 accept PeerHost additionally to PeerAddr in all places, accept PeerService, enhance util/analyze-ssl.pl
adds b6af754 RT#98258 - make sure to set $/ to "\n" before using <$fh> in PublicSuffix
adds f032710 make sure we don't use version 0.30 of IO::Socket::IP
adds 0ff7eb3 release as 1.999
adds b8bc6d3 Better skipping of tests requiring fork()
adds 5aa23a2 Merge pull request #18 from steve-m-hay/master
adds 7925def update Changes after merge
adds de1451f Solve Debian Bug#764868: with environment NO_NETWORK_TESTING set no external tests will be done. Simplify checks for fork by putting it into testlib and fix it by including Config.
adds 42fd97a SSL3.0 is no longer allowed in default SSL_version because of POODLE
adds fdc0e48 2.000 - update documentation regarding disabled SSL3.0
adds 8572135 fix typo
adds ce9628e util/analyze-ssl.pl - work around cloudflare behavior, where you get different ciphers with SNI than without
adds 5abf633 make it work with 5.8.1 again
adds d12477e update expected site fingerprints in t/external/*
adds 935c05b add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
adds a6b3690 call it 2.001
adds fad6ac6 Update PublicSuffix with latest version from publicsuffix.org - lots of new top level domains. Add exception to PSL for s3.amazonaws.com - RT#99702
adds 9407373 fix check for (invalid) IPv4 when validating hostname against certificate. Do not use aton any longer RT#99448
adds ec3cdf6 release as 2.002
adds 1f94827 use only ICANN part in public suffix list fix typo
adds a09f29f Propagate error if cert/key could not be used instead of continuing with an invalid context which might cause a segmentation fault
adds 3b96ed5 skip io-socket-ip.t with IO::Socket::IP version 0.30 instead of failing
adds 99c1abd max-cipher option for util/analyze.pl. Fix host parsing
adds a49cffb 2.003 make SSLv3 accessible unless forbidden (default), even if the SSL library disables it by default in the context (LibreSSL)
adds ea2eb29 2.004 fix t/protocol_version.t to deal with OpenSSL installations which are compiled without SSLv3 support.
adds 2dfb8ed 2.005 next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
adds d95289d 2.005_1: enable non-blocking support for windows, mainly by using EWOULDBLOCK instead of EAGAIN
adds fbf66f2 make PublicSuffix::_default_data thread safe by storing the default data inside a function instead of within __DATA__
adds da52dac Release as 2.006, update PublicSuffix with latest list from publicsuffix.org
adds 1a95a4f Utils: documentation fixes
adds 141d2b1 2.007 - implement getline/readline properly when not sslified (RT#100529)
adds 8d6c3b1 2.008 - fix test because of external errors. Small enhancements for analyze.pl
adds 4f11bca fix #101020 (SSL.pm, analyze.pl)
adds 1e66fe4 util/analyze.pl - analyze handshake compatibility
adds 01421a4 analyze.pl - fix retry without SNI
adds 8b16bb8 analyze.pl - fix for max_version, don't croak on anonymous ciphers
adds 5d11618 example/*.pl - sysread with 16k (max ssl frame size) to avoid issues with pending data
adds 3c99b11 util/analyze.pl - compare sent chain certificates against used certificates and also display local root certificate
adds 8d2a520 reset $! after successful connect/accept with timeout
adds b26ec49 dummy util/analyze-ssl.pl
adds 71dfd76 2.009 added ALPN support thanks to TEAM RT#101452
adds 710ca92 t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay. RT#101485
adds f75a0ee 2.009 - new options SSL_client_ca_file and SSL_client_ca
adds 72eb5d4 Minor pod fixes
adds 7750ebf Merge pull request #21 from frioux/patch-2
adds f80a23d removed RC4 from default cipher suites on the server side
adds f447f6b Utils::CERT_create - add purpose client for non-CA certificates
adds a02d5f8 added option 'purpose' to Utils::CERT_create
adds 5921fbe increase version in Utils.pm to 0.031
adds de79931 Minor pod fixes
adds 21fed25 removed RC4 from default cipher suites on the server side
adds 313adf1 Utils::CERT_create - add purpose client for non-CA certificates
adds 8f138a2 added option 'purpose' to Utils::CERT_create
adds cdf3eda increase version in Utils.pm to 0.031
adds e8f4058 ported some tests to use Test::More
adds 8cf2973 white space and indentation fixes
adds e79e825 replace various skip_all with fail, because these should fail
adds c1af848 don't use Test::More in t/alpn.t since it does not work with parent and forked child doing test output
adds a585ee6 Merge branch 'Sweet-kid-use_Test_More'
adds dedca19 t/external/ocsp.t - don't count on revoked.grc.com using OCSP stapling SSL.pm - clear SSL_ERROR before attempting SSLeay::{connect,accept}
adds 42765f2 release 2.011
adds a5a716b 2.012 - fix t/ocsp.t in case no HTTP::Tiny is installed
adds b2841cb fixed Changes - last entries for 2014 should have been 2015 (thanks to Alvar Freude for pointing out)
adds 933bc45 fixed a few grammatical problems and made some slight word changes to enhance readability. I also made mention of module names links instead of plain text
adds a3b16fc a few more fixes. about 40% done with the POD
adds 3226a74 a bit further along. There is a lot to read
adds 53d7da6 Merge branch 'genio-master'
adds c1490e4 updated Changes
adds 2021d91 Replace fail(...) with ok(0,...) in t/alpn.t.
adds 02db0fc Put back a not ok accept failure that got lost in e8f4058.
adds 81d17e0 Merge pull request #28 from bluhm/alpn.t
adds 1f430ea 2.013 - rework error handling so that follow-up errors don't replace the original errors
adds 75eeb90 2.014 - Utils::CERT_create - work around problems with authorityInfoAccess, where OpenSSL i2v does not create the same string as v2i expects - Intercept - don't clone some specific extensions which make only sense with the original certificate
adds 7f2e97e print module that was used as a parent
adds 086ef1c Merge pull request #32 from chorny/patch-1
adds c94b27d t/01loadmodule.t - add also version of @ISA module to diagnostics
adds dcc09a5 explicit check that IPv6 address only contains hex,'.' and ':' because inet_pton on some systems seems to accept something like "[::1.2.3.4]". https://github.com/noxxi/p5-io-socket-ssl/issues/31
adds 4b3e466 2.015 - work around problem with IO::Socket::INET6 on windows in tests by enforcing AF_INET as Domain
adds 19033d8 accept Domain and Family argument, so it does not matter if the superclass uses Family (IO::Socket::IP) or Domain (IO::Socket::INET6)
adds 3c44971 update documentation to make it more clear where to get the X509* and EV_PKEY* objects for SSL_ca, SSL_cert and SSL_key
adds db39502 add better debugging based on a patch from H.Merijn Brand
adds 6c69321 make t/memleak_bad_handshake.t work on cygwin and other systems having /proc/pid/statm., see RT#104659
adds 8349289 make some tests work with older Test::More w/o done_testing
adds a542b05 update version to 2.015_001
adds 9eb322b removed wrong domain AF_INET from t/io-socket-ip.t set version to 2.015_002
adds de1b62b 2.015_003 work around hanging prompt() with older perl in Makefile.PL RT#104731
adds 7306627 2.015_004 - fix handling of default for yesno in Makefile.PL
adds 3ede5be 2.015_005 add flag X509_V_FLAG_TRUSTED_FIRST by default if available, RT#104759
adds 3304d81 another try with X509_V_FLAG_TRUSTED_FIRST
adds b922605 release as 2.016
adds 894f7b8 2.016_001 - support different ciphers for SNI hosts
adds fa27238 2.016_002 - enforce default verification scheme if none was specified instead of just warning if name is wrong (i.e. hard fail vs. soft fail)
adds eb8a20e add more detail to example in documentation to show that the user must do the SMTP dialogs by itself (RT#105936)
adds 58d3aa8 Fix failing non-blocking test on Unix platforms where EWOULDBLOCK is not the same as EAGAIN (Solaris, AIX, HP-UX, etc). This bug was introduced by commit d95289 for 2.006. The fix is simply to check for either of these errors instead of just one.
adds 00858d8 Merge pull request #35 from andygrundman/master
adds 6a98f0f fix _update_peer for IPv6 (wrong use of getnameinfo)
adds 7432b34 remove -r for checking SSL_{cert,key}_file since this will cause a usable error later anyway if file does not exist. This fixes some part of #106295
adds d139352 added interface sock_certificate to get local certificate as suggested in #15733 enhanced get_fingerprint* to fingerprint any certificate, not only peer
adds 421ac8e check with open/opendir if SSL_ca_file/path is accessible. RT#106295
adds d2ef480 catch cases where SSL_verify_mode is used with string instead of number. Update Changes and release as 2.017
adds 0ea12ea 2.018 - RT#106687 - startssl.t failed on darwin with old openssl since server requested client certificate but offered also anon ciphers
adds 3f9b660 2.019 work around different behavior of getnameinfo from Socket and Socket6
adds 2cb6d54 Fix typos
adds 0def00f Merge pull request #34 from jwilk/typos
adds 9d495d0 2.020 support multiple directories in SSL_ca_path as proposed in RT#106711
adds d8556e6 fix socket variable name in documentation
adds 7805d01 Merge pull request #36 from DavsX/doc/non_blocking_documentation_fix
adds c9006b7 make documentation more clear regarding enforcing IPv4
adds f356d58 update public suffix list with latest version, adapt tests to changed list
adds 248725a Fix typos
adds 09ae45c Merge pull request #38 from jwilk/spelling
adds f853a6e 2.021 update PublicSuffix again before new release
adds 4d5d42b 2.022 fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash, RT#110253
adds 52c1948 Fix typo
adds fd2184f Merge pull request #39 from jwilk/spelling
adds 6e23ee4 2.023 - work around changes in OpenSSL 1.0.2f regarding SSL_shutdown
adds 32c2ebc small documentation fixes for Intercept small code cleanup for Utils
adds f8ee6e7 Fix calls to X509_NAME_add_entry_by_txt in Utils::CREATE_cert in case the given string is not UTF-8. Retry with T.61 and finally use Octet
adds b80a30d Intercept: ignore unknown extensions (unknown nid,sn) when cloning
adds a1f4fdd 2.024 - work around issue with AI_ADDRCONFIG default in IO::Socket::IP, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
adds 5c11d87 2.025 Resolved memleak if SSL_crl_file was used: RT#113257, RT#113530
adds c42cb54 2.026 - update default server and client ciphers based on recommendation of Mozilla and what the current browsers use. Notably this finally disables RC4 for the client (was disabled for server long ago) and adds CHACHA20.
adds b1cf42e 2.027 - only included changes for 2.027 in Changes file adds b47ebe2 example/ssl_server.pl - make it clear that client certificates are only requested if option --ca is used adds d62f932 2.028 - add del_session method to session cache - send accepted CA in example/ssl_server.pl in case of SSL_ca_file adds 1ed5429 2.029 - fix del_session method in case a single item was in the cache - use SSL_session_key as the real key for the cache and not some derivate of it, so that it works to remove the entry using the same key adds 781c5a5 support for creating ECC keys in IO::Socket::SSL::Utils once supported by Net::SSLeay adds e329b07 assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates with the reverse order as in the PKCS12 file, because that's what it does. adds dab44e4 Utils::CERT_create - don't add given extensions again if they were already added. Firefox croaks with sec_error_extension_value_invalid if (specific?) extensions are given twice. adds da45bd5 2.030 remove internal sub session_cache and access cache directly (faster) This also fixes a problem when SSL_session_key was used, which was introduced in 2.029 adds 2edc281 2.031 fix for bug in session handling introduced in 2.031, RT#115975 adds 07baa9d 2.032 - Set session id context only on the server side. Even if the documentation for SSL_CTX_set_session_id_context makes clear that this function is server side only it actually affects hndling of session reuse on the client side too and can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in different context" at the client. 
adds 7e5d364 - support for session ticket reuse over multiple contexts and processes (if supported by Net::SSLeay) - small optimizations, like saving various Net::SSLeay constants into variables and access variables instead of calling the constant sub all the time adds d67d3c3 release as 2.033 make t/dhe.t work with openssl 1.1.0 adds 8645496 Fix POD (arrows in C<> sequences) adds 26bf287 Fix POD: brackets in SSL_ticket_keycb example adds 8182684 Merge pull request #44 from choroba/master adds 8eb0130 describe problem with validating self-signed non-CA certificates adds 3e15230 2.034 - move handling of global SSL arguments into creation of context, so that these get also applied when creating a context only. adds 00ae563 update expected certificate fingerprints for external tests adds aaa7c76 switched to different hosts for live OCSP tests in the hope that these use the same certificates world-wide adds 662178d apply (configurable) global settings after builtin default settings adds 9e7fbf7 configure_SSL: return if context creation failed, might result in segfault otherwise adds e159207 released as 2.035 adds e5596ce 2.036 - set can_ocsp to false for Net::SSLeay 1.75..1.77, see RT#116795 adds b86694d forgot Changes information adds 252f015 2.037 fix session cache del_session: it freed the session but did not properly remove it from the cache. Further reuse causes crash. adds 0a6e3e4 2.038 - restrict session ticket callback to Net::SSLeay 1.79+ since version before contains bug. Add test for session reuse - extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....' - fix t/external/ocsp.t to use different server (under my control) to check OCSP stapling adds a97b5d3 - don't check if SSL_key_file and SSL_cert_file are files, instead just check if they can be opened which includes that they are readable - for SSL_ca_file skip the check for -f, open(..) 
should be sufficient adds ca92657 2.039: adapt to the changed behavior of SSL_read on EOF without SSL shutdown which was introducted with OpenSSL 1.1.0c. adds e16fbcd Decode the serial number the right way adds cb43675 Include signature algorithm in CERT_asHash adds aef8b82 Merge pull request #47 from odenbach/serial adds 32ddca6 testlib: clear __DIE__ handler in child adds 8c81f60 Fix number used for SSLEAY_DIR/OPENSSL_DIR since this changed with OpenSSL 1.1. This caused it to not find the default path for CA any longer with OpenSSL 1.1. adds 4abb901 release as 2.040 document signature_alg in Utils::CERT_asHash adds de001a9 2.041 disable session ticket callback for now until the feature is fully implemented in Net::SSLeay adds 44dad7c 2.042 - enable session ticket callback with Net::SSLeay>=1.80 adds 3fda2f1 2.043 - make t/session_ticket.t work with OpenSSL 1.1.0. adds e2ace02 2.044 protect various 'eval'-based capability detections at startup with a localized __DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by various third party software should cause less problems even if there is a global __DIE__ handler which does not properly deal with 'eval'. 
adds aebd75c fix memory leak with %CREATED_IN_THIS_THREAD based on pull request https://github.com/noxxi/p5-io-socket-ssl/pull/55 adds 7167c64 Fix typos adds 137f428 Merge pull request #52 from jwilk/spelling adds 1e50f80 only do "stop_SSL" after accept_SSL failed with SSL_startHandshake=0 in place adds f1b51fd call to connect_SSL will fail if handshake already done; adds DEBUG message adds 7d6042a Merge pull request #53 from hubandr/handshake_failed_stop_ssl adds 586b24d optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if perl is compiled w/o thread support adds 1bacf7e when setting SSL_keepSocketOnError to true the socket will not be closed on fatal error This is a modified version of https://github.com/noxxi/p5-io-socket-ssl/pull/53/ adds 4f4a3ad release as 2.045 small fix in t/protocol_version.t to use older versions of Net::SSLeay with openssl build w/o SSLv3 support adds 7ee0ba3 2.046 cleanup everything in DESTROY and make sure to start with a fresh %{*self} in configure_SSL because it can happen that a GLOB gets used again without calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56) adds 5122caa New upstream version 2.046 new 187d4c1 Merge tag 'upstream/2.046' new 3d49223 Update debian/changelog new d379506 Prepare changelog for release The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. 
Summary of changes:
 Changes              |  4 ++++
 META.json            |  4 ++--
 META.yml             |  4 ++--
 debian/changelog     |  6 ++++++
 lib/IO/Socket/SSL.pm | 12 +++++++-----
 5 files changed, 21 insertions(+), 9 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libio-socket-ssl-perl.git

_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
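Commit dcc09a5 in the log above adds a character whitelist in front of inet_pton because some platforms' inet_pton accepts decorated forms such as "[::1.2.3.4]", so an attacker-supplied host string could pass as an IPv6 literal and later be compared against a certificate with a different spelling. The following is an added example of that guard in Python; it is not code from IO::Socket::SSL (whose implementation is Perl), and the function names is_strict_ipv6_literal and classify are hypothetical:

```python
import socket
import string

# Exactly the character set the commit message names: hex digits, '.' and ':'.
_ALLOWED = frozenset(string.hexdigits + ".:")


def is_strict_ipv6_literal(addr: str) -> bool:
    """Return True only for a bare, undecorated IPv6 literal.

    The whitelist runs before inet_pton so that brackets, zone ids
    ("fe80::1%eth0"), appended ports ("[::1]:443") and other decorations are
    rejected regardless of how permissive the platform's inet_pton is.
    inet_pton then does the real syntax check (group count, '::' rules,
    embedded IPv4 tail). Hypothetical helper name, not the module's own.
    """
    if not addr or not set(addr) <= _ALLOWED:
        return False
    try:
        socket.inet_pton(socket.AF_INET6, addr)
    except (OSError, ValueError):
        return False
    return True


def classify(candidates):
    """Map each candidate string to the verdict of is_strict_ipv6_literal."""
    return {a: is_strict_ipv6_literal(a) for a in candidates}


# Constructed sample inputs: valid literals, the form from the commit message,
# and other decorations that a lenient resolver layer might let through.
SAMPLES = [
    "::1",
    "2001:db8::1",
    "::ffff:192.0.2.1",   # IPv4-mapped: '.' is legitimately allowed here
    "[::1.2.3.4]",        # the bracketed form the commit guards against
    "fe80::1%eth0",       # zone id
    "[::1]:443",          # host:port
    "2001:db8::g",        # non-hex digit
    "192.0.2.1",          # bare IPv4, not an IPv6 literal
    "",
]

if __name__ == "__main__":
    for addr, ok in classify(SAMPLES).items():
        print(f"{addr!r:>22} -> {'ipv6 literal' if ok else 'rejected'}")
```

Rejecting everything outside the whitelist first, rather than trusting inet_pton alone, is what makes the check portable: the later hostname-versus-certificate comparison only ever sees strings that every platform parses the same way.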