This is an automated email from the git hooks/post-receive script.

carnil pushed a change to branch master
in repository libio-socket-ssl-perl.

      from  825e44a   Prepare changelog for release to experimental
      adds  3ac64c0   git-svn-id: file:///home/steffen/SVN/p5-io-socket-ssl@1 
4cec71fa-2046-0410-ae00-8a945e15d811
      adds  c84bb82   - new certificates in certs/ which are more current - 
Makefile.PL: try to find usable IDN library and warn if nothing   is found. 
Check SSLeay version and warn if not sufficient   for certificate checking - 
SSL.pm: add certificate checking with various policies   *** NOT tested, work 
in Progress****
      adds  b9f3a10   update wildcard cert new test verify_hostname to test 
verify_hostname() small fixes on certificate verification
      adds  0f2feb8   version 1.13_2 - IDN stuff added to certs/wildcard.pem 
and to t/verify_hostname.t - document changes to peer_certificate and new 
method verify_hostname
      adds  219996d   - update Changes - add forgotten server-wildcard.pem to 
MANIFEST - bump to 1.13_3
      adds  38460d0   - automatic verification of hostnames with 
SSL_verifycn_scheme and   SSL_verifycn_name - global setting of default context 
options like SSL_verifycn_scheme,   SSL_verify_mode with set_ctx_defaults - 
version 1.13_4
      adds  e48d529   small fix in import
      adds  008439c   - clarified and enhanced debugging support based on 
bugreport   http://rt.cpan.org/Ticket/Display.html?id=32960 - put information 
into README regarding the supported and recommended   version of Net::SSLeay - 
bump version to 1.14, even if Net::SSLeay 1.33 is not released yet
      adds  4e7fd69   hopefully fix t/auto_verify_hostname by changing behavior 
on SSL error _SSL_opened is now -1 on failure, no longer 1
      adds  131945b   change code for SSL_check_crl to use X509_STORE_set_flags 
instead of X509_STORE_CTX_set_flags based on bug report from 
<tjtoocool[AT]phreaker[DOT]net >
      adds  07d4f47   - change opened() to report -1 if the IO::Handle is open, 
but the   SSL connection failed, needed with HTTP::Daemon::SSL which will send  
 an error message over the unencrypted socket - document opened() - bump version 
to 1.16
      adds  28772de   -
      adds  67b3a74   - better IPv6 support, enabled by default if 
IO::Socket::INET6   is available
      adds  9714dc4   -
      adds  1963777   v.16_2   2008.09.24 - work around Bug in 
IO::Socket::INET6 on BSD systems   
http://rt.cpan.org/Ticket/Display.html?id=39550   by setting Domain based on 
PeerAddr   Thanks to srezic for report and support
      adds  6db9914   +v.16_3   2008.09.25 +- fix t/nonblock.t with workaround 
for problems with +  IO::Socket::INET on some systems (Mac,5.6.2) where it 
cannot do +  nonblocking connect and leaves socket blocked. +- make some tests 
less verbose by fixing diag in t/testlib.t +  (send output to STDOUT not STDERR 
and prefix with '#')
      adds  63f0751   - make version 1.17, no code changes - document Win32 
problems with non-blocking, timeouts and test suite
      adds  274244a   1.18 - fixed typo in argument: wildcars_in_cn -> 
wildcards_in_cn
      adds  9b4df5a   -
      adds  2bb07b1   -
      adds  00953d8   -
      adds  c3b6a2f   +v1.21 2009.01.22 +- auto verification of name in 
certificate created circular reference between +  SSL and CTX object with the 
verify_callback, which caused the objects to be +  destroyed only at program 
end. Fix it by no longer accessing $self from inside +  the callback.
      adds  794e034   v1.22 2009.01.24 - Net::SSLeay stores verify callbacks 
inside hash and never clears them, so   set verify callback to NULL in destroy 
of context
      adds  624c8cb   delete META.yml from rep and MANIFEST, let it be created 
from Makefile.PL
      adds  b34f9b8   new test certificates, old expired
      adds  672e84e   checkin myca
      adds  683a91c   - if neither SSL_ca_file nor SSL_ca_path are known don't 
check cert but warn
      adds  5a062eb   warnings fix
      adds  80a08a0   - renew certs
      adds  97793f5   1.25 Fix t/nonblock.t for OS X 10.5 - 
https://rt.cpan.org/Ticket/Display.html?id=47240
      adds  a44d892   security fix for verify_hostname_of_cert, Version 1.26
      adds  8169413   t/verify_hostname.t fixed number of tests
      adds  ff91ddd   v1.27 regex fixes and resolve Bug#48131 which only 
happened with perl -w: - changed possible local/utf-8 depended \w in some regex 
against more   explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that 
service   names can't have '-' inside - fixed bug 
https://rt.cpan.org/Ticket/Display.html?id=48131   where eli[AT]dvns[DOT]com 
reported warnings when perl -w was used.   While there made it more aware of 
errors in Net::ssl_write_all (return   undef not 0 in gene [...]
      adds  b30ca0b   v1.28, v1.29 memleak fix
      adds  13a474e   1.30 - fix t/memleak_bad_handshake.t
      adds  e6a15fe   1.30_1 - make sure that idn_to_ascii is not called with 
identity containing \0
      adds  a0afa60   1.30_3: make t/memleak_bad_handshake.t more stable
      adds  b05d358   1.31 - SSL_crl_file, SSL_VERIFY constants...
      adds  88d7a01   version 1.32 and 1.33
      adds  e57891c   removed svn-commit.tmp which should never have been 
checked in
      adds  9c61977   1.34: wildcards_in_cn for http, start_SSL does not close 
socket on failure
      adds  fdc5997   1.35 - no fallback to verify_none if ca_* is not valid, 
instead throw error
      adds  055e730   update SSL_verify_callback documentation
      adds  fa30f8a   let user explicitly set SSL_ca_{path,file} to undef
      adds  b2f400e   1.38 - fixed setting for wildcards_in_cn from 1 to 
anywhere for http
      adds  ea8c6f5   1.38_1 - make fileno on closed socket return undef
      adds  34f23d1   fixed docu for http cn wildcard behavior
      adds  bbea27f   version upgrade
      adds  a6f14fa   small fix in example/async_https_server
      adds  2fc0505   added t/startssl-failed.t
      adds  99f45ad   more fixes to async_https_server
      adds  a5f3196   1.40 - IDN support from URI. 
https://rt.cpan.org/Ticket/Display.html?id=67676
      adds  f8a45f1   v1.40_1 2011.05.09 - fix issue in stop_SSL where it did 
not issue a shutdown of the   SSL connection if it first received the shutdown 
from the other   side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
      adds  6b119af   make 1.40_1 ->1.41, better error handling in t/nonblock.t
      adds  b19a332   1.42: add SSL_create_ctx_callback option
      adds  719d77a   1.43 - fix t/nonblock.t
      adds  e4fc1c9   stability improvements t/inet6.t
      adds  5412bbf   1.43_1 - try to make t/nonblock.t more stable
      adds  3a0f745   1.44 - fix invalid call to inet_pton in 
verify_hostname_of_cert
      adds  35f52fa   1.45 rewrite readline for better signal handling
      adds  66e6dc5   forgot to git add test for 1.45
      adds  5a12676   1.46 - disable t/signal-readline.t for windows
      adds  efd2bab   1.47 - fix for readline introduced in 1.45
      adds  c2e8168   1.47 fix os check in t/signal-readline.t
      adds  ff967a4   1.48 Merge branch 'master' of 
github.com:noxxi/p5-io-socket-ssl
      adds  3c37524   1.49 - yet another readline regression. Add more tests to 
t/readline.t
      adds  64f5672   1.50 workaround t/nonblock.t for AIX
      adds  3c93d86   1.52 fix syntax error in t/memleak_bad_handshake.t
      adds  2be90e4   1.53 - fix child leak in memleak_bad_handshake.t when 
failing test
      adds  fc93f68   1.54 - solved rt#73629 (uninitialized warning)
      adds  6d7a53e   1.55 work around IO::Sockets work around for systems 
returning EISCONN etc on connect retry
      adds  4f83a3c   1.56 added SNI support for client
      adds  266ecce   1.57 - fix t/dhe.t for openssl 1.0.1beta
      adds  ef87a2b   1.58 - disable workaround in  t/dhe.t for older openssl 
versions
      adds  cb6982a   1.60 - doc update + fix readline for nonblocking socket
      adds  d61da37   1.59 - useful error message on attempt to use unsupported 
SSLv2
      adds  728004f   Merge branch 'master' of github.com:noxxi/p5-io-socket-ssl
      adds  f633127   1.61 rt#76053  automatically use 
CTX_set_session_id_context
      adds  200bc6a   1.62 small fix to 1.61
      adds  b5e793e   1.63 fix rt#76147 making Win32 tests more stable
      adds  419f418   1.64 clarify verifycn_* behavior
      adds  17f5fb7   1.65 NPN support
      adds  6d468a5   1.66 resolve bug with threads
      adds  d69ded9   1.67 - more secure defaults, new key 
SSL_honor_cipher_order to mitigate BEAST
      adds  f86e95b   1.68 - remove sslv2 from default cipher list
      adds  c32a7ec   1.69 - reenabled workaround in t/dhe.t
      adds  abc3821   1.70 - make disabling protocols via SSL_version possible, 
default SSLv23:!SSLv2
      adds  cf4608a   1.71: 1.70 done right
      adds  035be8a   1.72 set DEFAULT_CIPHER_LIST to ALL:!LOW not HIGH:!LOW
      adds  00483ba   1.73 fixes to t/dhe.t to support more openssl versions
      adds  ddd0ae7   1.74 - accept SSLv2/3 again and interpret it as SSLv23
      adds  819770a   1.74_1 - integrate IO::Socket::IP (rt#75218)
      adds  1ff9a8a   1.74_2 fix documentation of SSL_version, rt#77690
      adds  222735a   1.75 - make it possible to disable TLS version 1.1 and 1.2
      adds  6d6ad4b   1.76 - no longer depend on recent Socket.pm
      adds  b708b85   1.77 - rt#79916 - update_peer for IPv6
      adds  b9867b5   work around systems where AF_INET6 is not defined 
https://rt.cpan.org/Ticket/Display.html?id=81216
      adds  7a60697   fix format - change everything to sts=4 sw=4 ts=8, prev. 
formatting was mostly tab 8 with some tab 4
      adds  0f44ccd   moved SSL.pm to lib/IO/Socket/SSL.pm
      adds  5cbf946   use getnameinfo instead of unpack_sockaddr_in6 to get 
PeerAddr and PeerPort from sockaddr in _update_peer, keeping scope
      adds  e388825   1.79 - start migration to more secure default of 
SSL_verify_mode by issuing big warning, if current insecure default gets used
      adds  74d8363   1.80 - fixed tests so that don't hang anymore on windows 
rt#81493
      adds  6aad6ba   1.81 - cleanups.. - deprecated set_ctx_defaults, new 
name is set_defaults (but old name   still available) - changed handling of 
default path for SSL_(ca|cert|key)* keys: either   if one of these keys is user 
defined don't add defaults for the   others, e.g.  don't mix user settings and 
defaults - cleaner handling of module defaults vs. global settings vs. socket   
specific settings. Global and socket specific settings are both   provided by 
the user, while module  [...]
      adds  16b65e5   correct spelling of deprecated 
https://rt.cpan.org/Ticket/Display.html?id=82790
      adds  9078b66   add link to github to Makefile.PL
      adds  aa9fd54   1.82 better error preserving
      adds  30acc99   - server side SNI - do not call DEBUG() unless debugging 
is on to speed up module
      adds  1a1c1ea   much better documentation
      adds  799468f   release as 1.83
      adds  b4e960d   add more debugging for SNI
      adds  68995c7   1.83_1 - adapted and documented behavior of readline on 
non-blocking I/O
      adds  6925c97   1.84 with more stable client side SNI and better 
support/doc for SNI and NPN
      adds  0e707b0   updated documentation
      adds  91708db   update SEE ALSO and COPYRIGHT
      adds  5e3fd26   1.85 - probe for available modules with local __DIE__ and 
__WARN__handlers.   fixes RT#84574 - fix warning, when IO::Socket::IP is 
installed and inet6 support gets explicitly   requested. RT#84619
      adds  715cea8   1.86 RT#84686 - don't complain about SSL_verify_mode is 
SSL_reuse_ctx,  thanks to CLEACH
      adds  4868482   1.87 - RT#84829 - complain if given 
SSL_(key|cert|ca)_(file|path) do not exist or   if they are not readable. 
Thanks to perl[AT]minty[DOT]org - fix use of SSL_key|SSL_file objects instead 
of files, broken with 1.83
      adds  98cf0e1   1.88 consider a value of '' the same as undef for 
SSL_ca_(path|file), SSL_key* and SSL_cert* - some apps like Net::LDAP use it 
that way.
      adds  379a00c   Spelling corrections
      adds  4bf7358   Merge pull request #3 from dsteinbrunner/master
      adds  debe24d   update Changes
      adds  221b1b5   1.89 if IO::Socket::IP is used it should be at least 
version 0.20 to fix RT#81932 (HTTP::Daemon::SSL)
      adds  764097d   added SSL interception
      adds  b7a0309   - added test for intercepting feature - RT#85290 - use 
more digests by default
      adds  c59f706   1.91 - added IO::Socket::SSL::Utils for easier 
manipulation of certificates and keys - moved SSL interception into 
IO::Socket::SSL::Intercept and simplified it   using IO::Socket::SSL::Utils - 
enhance meta information in Makefile.PL
      adds  5e361a1   Fix pod error in IO::Socket::SSL::Utils RT#85733
      adds  cd137f4   1.92 Intercept: use sha1-fingerprint of original cert for 
id into cache unless otherwise given
      adds  16c4645   1.93 - need at least OpenSSL version 0.9.8 now, since 
last 0.9.7 was released 6   years ago. Remove code to work around older 
releases. - changed AUTHOR in Makefile.PL from array back to string, because 
the   array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
      adds  c024113   set version of Intercept to 1.93, so that PAUSE indexer 
will index it again. Problem was, that Intercept was just once inside SSL.pm 
file and the version 1.90 was propagated from there. So any new versions will 
need to be higher.
      adds  cbf2a85   Makefile.PL: if the openssl versions looks too small show 
the detected version in the error message
      adds  3e05d82   1.94 - Makefile.PL reported wrong version of openssl, if 
Net::SSLeay was not   installed instead of reporting missing dependency to 
Net::SSLeay.
      adds  ad0d04f   1.950 - after long time of complaining when using 
insecure default mode finally   changed the default for ssl_verify_mode to 
ssl_verify_peer for clients,   e.g. better fail connection instead of using 
insecure connection. - start complaining if (insecure, because relative path) 
builtin defaults   for CA and cert/key files/path are used. In the future all 
certs have   to be specified explicitly and CA should use system defaults.
      adds  1cf5f61   1.951 - better document builtin defaults for key,cert,CA 
and how they are deprecated - use 
Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin   
defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins   
used)
      adds  5a9c428   1.952 - fix t/acceptSSL-timeout.t on Win32, RT#86862
      adds  6e46f6c   1.953 - RT#87052 fix in Utils.pm
      adds  77608e7   Fix a couple DOC schema typos to scheme
      adds  0bb1488   Merge pull request #4 from crisman/doc-fix-schema
      adds  e8b71c0   Update README to note needing 1.46 Net::SSLeay
      adds  ffec703   Update use Net::SSLeay 1.46 (continue v1.90 2013.05.27)
      adds  5ecb952   Merge pull request #5 from crisman/more-net-ssleay-floor
      adds  2deb985   1.954 - accept older versions of ExtUtils::MakeMaker and 
add meta information like link to repository only for newer versions.
      adds  e067e09   1.955 - added support for ECDH key exchange with key 
SSL_ecdh_curve
      adds  e19f5a0   fixed Skipped message in t/ecdhe.t
      adds  e13b372   - cipher_list is now per context, not per SSL object, 
e.g. behavior change if   context was setup independent from SSL object and w/o 
cipher list, which   was then given to SSL object only - move filling-in 
defaults to Context->new, thus make generating standalone   context and 
implicit context in SSL->new more consistent.   Speeds up when using reuse_ctx
      adds  9f54462   support for handshake protocol TLSv11, TLSv12
      adds  9ccacac   - fixed error in Utils::CERT_free (wrong free call) - 
added some tests to git which were in MANIFEST but not in git   thanks to 
lkundrak[AT]v3[DOT]sk for reporting   
https://rt.cpan.org/Ticket/Display.html?id=89705
      adds  449f65d   - rework verification schemes based on RFC 6125   - add 
scheme names with RFC numbers, e.g. rfc2818...   - fix scheme for ICAP, POP3, 
ACAP, NNTP - contrary to LDAP they allow     wildcards in common name   - fix 
scheme for SMTP, it is now the same as IMAP   - add schemes for SNMP, syslog, 
netconf, GIST, SIP - fix handling of anywhere wildcards:   - www* now matches 
only www1,www2.. but not www   - do not apply anywhere wildcard if hostname 
starts with xn--, e.g.      [...]
      adds  ed5715e   - change cipherlist to more secure - add DH parameter and 
ECDH curve in default configuration, so that   forward secrecy is done by 
default - write down all Changes from last time and release as 1.956 - fix some 
tests
      adds  904464a   - fixed t/core.t for older openssl versions - enhance 
other tests (indent, strict, global vars...)
      adds  a61f48c   remove workaround for very old IO::Socket::INET6, instead 
require fixed version
      adds  cbd2c69   release as 1.958 fix t/session.t for older openssl 
versions - close socket instead of setting to undef to let it reuse session
      adds  66dea3c   1.959 - fix test core.t for windows
      adds  5e18d9e   1.960 - documentation enhancements
      adds  91efcd8   further documentation enhancements specifically for 
non-blocking and event loops
      adds  15dd432   1.961 IO::Socket::SSL::Utils::CERT_create can now create 
CA-certificates which are not self-signed (by giving issuer_*)
      adds  bdbcb0c   1.962 - work around problems with older F5 BIG-IP by 
offering fewer ciphers on the client side by default, so that the client hello 
stays below 255 byte
      adds  c23db6f   - documentation enhancements:   - special section for 
differences to IO::Socket   - describe problem with blocking accept on 
non-blocking socket
      adds  5b0a79c   - documentation fix: consistent use of $client instead of 
sometimes   $sock in examples in pod (thanks to 
alfonso[DOT]caponi[AT]gmail[DOT]com   for reporting)
      adds  355fc38   documentation enhancements to new_from_fd
      adds  2c33559   1.963 - fix behavior of stop_SSL: for blocking sockets it 
is now enough to call it   once, for non-blocking it should be called again as 
long as EAGAIN and   SSL_ERROR is set to SSL_WANT_(READ|WRITE). - don't call 
blocking if start_SSL failed and downgraded socket has no   blocking method, 
thanks to tokuhirom
      adds  5c21511   1.964: get_sslversion* function, disabling TLS1_1 fixed
      adds  8336797   1.965 - new option SSL_session_key to influence 
client-side session caching
      adds  bd49a91   1.966 - fixed bug introduced in 1.964 - disabling TLSv1_2 
worked no longer with   specifying !TLSv12, only !TLSv1_2 worked - fixed leak 
of session objects in SessionCache, if another session   replaced an existing 
session (introduced in 1.965)
      adds  d6dcf22   Spelling fixes
      adds  8f8196a   Merge pull request #10 from scop/master
      adds  f9a5310   WIP: ssl_fingerprint etc
      adds  697a7d6   1.967: new option SSL_fingerprint, default scheme for 
verifying names, ...
      adds  a30d104   - require at least version 2.62 instead of 2.55 for 
IO::Socket::INET6   https://rt.cpan.org/Ticket/Display.html?id=93503
      adds  4936ba4   1.968 - better support for usable CA path by default - 
new function default_ca which emulates openssl search for default CA path.   
Falls back to Mozilla::CA if no usable CA store is found - enforce use of 
Mozilla::CA on platforms without usable CA store (windows) - remove long 
deprecated support for certs/server-{cert,key}.pem, ca/ and   certs/my-ca.pem 
defaults.
      adds  e7f8dc3   1.969 - new function set_args_filter_hack to make it 
possible to override bad SSL   settings from other code at the last moment. - 
fix set_defaults to match documentation regarding short names - determine 
default_ca on module load (and not on first use in each thread) - fix hostname 
verification when reusing context
      adds  f6ff605   pod fix from rt#93907
      adds  c017684   1.970 fix rt#93987
      adds  aab477d   new file example/simulate_proxy.pl to check behavior of 
clients against various strange behavior
      adds  9204be5   1.971 - try to use SSL_hostname for hostname verification 
if no SSL_verifycn_name is given
      adds  00a95e7   1.972 fix rt#94117 t/external/usable_ca.t when no SNI 
support
      adds  70cf826   small code cleanups
      adds  7b43284   1.973: option SSL_ca additionally to SSL_ca_{file,path}
      adds  d8cae1b   spelling error RT#94219
      adds  89858c4   1.974 new function peer_certificates, extend 
IO::Socket::Utils::CERT_asHash
      adds  f0b0570   1.975 - work around TEA integration on OS X
      adds  0c322e1   1.976 - check wildcard certificates against public prefix
      adds  863e07d   1.977 RT#94424 IDN fixes
      adds  0f7e189   1.978 RT#94424 again, fix test on older openssl version 
with no SNI support
      adds  f00f9c2   t/public_suffix_lib* - run test even if IDN lib cannot be 
loaded, but skip IDN tests - don't use done_testing to work with older 
Test::More
      adds  add79fa    This is a combination of 2 commits.
      adds  3fe3450   hostname check: 'leftmost' renamed to 'full_label'
      adds  ea7eb94   stability improvements for tests
      adds  906ebe7   released as 1.979
      adds  85a9bda   disable elliptic curve support for openssl 1.0.1d on 
64bit: http://rt.openssl.org/Ticket/Display.html?id=2975
      adds  8f4bb7d   1.980 fix fingerprint calculation
      adds  9b14e9a   update Changes for 1.980
      adds  4df7b35   1.981 - fix ecdhe test for openssl 1.0.1d
      adds  6f4638c   1.982 - fix for using subroutine as argument to 
set_args_filter_hack
      adds  bee7322   usable_ca.t: update for current fingerprints (changed 
after heartbleed), check that we have a usable CA for host in CA store allow 
PEM in CA store to contain "X509 CERTIFICATE" or "TRUSTED CERTIFICATE" too
      adds  717b8c1   1.983 - fix use of public suffix list RT#95317
      adds  0cd71b7   OCSP handling - works but needs test
      adds  c321455   tool util/analyze-ssl.pl to analyze SSL connections
      adds  ab148ea   removed util/export_certs.pl - way too old to be useful 
anymore
      adds  ed15491   update Changes file
      adds  82f34c9   util/analyze-ssl.pl - fix version check, show usable 
SSL_version string
      adds  221b42f   analyze-ssl.pl - check if client or server decides over 
cipher preference
      adds  558c182   update Net::SSLeay patch for ocsp (include test, update 
documentation)
      adds  a87828d   analyze-ssl.pl - changed handling of http_proxy starttls, 
fixes for soft_error in ocsp_resolver
      adds  4405951   current OCSP patch for Net::SSLeay
      adds  fb3a11a   small OCSP fixes: - update Net::SSLeay OCSP patch - 
accept multiple single responses in stapled OCSP response analyze-ssl option 
--dump-chain
      adds  cfcc86d   analyze-ssl.pl: fix starttls smtp, --CApath added 
t/external/ocsp.t add no ocsp_uri and no certid to soft_errors in ocsp resolver
      adds  5b41e45   work around/together with OCSP responders, which do not 
reply to all single requests inside an OCSP request
      adds  38e9f64   - OCSP resolver: add caching of soft errors + fix 
expiring if cache too big - new tool util/https_ocsp_bulk.pl to check OCSP 
status of lots of sites - update OCSP patch for Net::SSLeay (now included in 
their SVN)
      adds  774f220   util/https_ocsp_bulk.pl - log ssl version, cipher and 
bits in pubkey - don't stop if hostname does not match, but continue with OCSP 
- but log as ssl-badname and log CN - changed output format for better 
after-analysis
      adds  20218a1   - don't add ocsp tlsext if server mode - test fix in case 
no HTTP::Tiny is installed
      adds  9573865   remove Net::SSLeay OCSP patch and instead refer to 
Net::SSLeay version 1.59 fix t/io-socket-inet6.t if IO::Socket::INET6 is 
installed, but too old to use
      adds  92ea39a   update Changes remove util/https_ocsp_bulk.pl (put into 
p5-scripts repository instead)
      adds  16090c0   release as 1.984
      adds  7ac7d20   fix skip if fingerprint does not match in 
t/external/ocsp.t
      adds  6cf16e1   1.985: OCSP enhancements, RT#95633 - make OCSP callback 
return 1 even if it was called on the server side   because of bad setup of the 
socket. Otherwise we get an endless calling   of the OCSP callback. - consider 
an OCSP response which is not yet or no longer valid a soft error   instead of 
an hard error - RT#95633 call EVP_PKEY_free not EVP_KEY_free in   
IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org - 
util/analyze.pl - with --show-chain chec [...]
      adds  7158b35   support for IP in common name for www verification 
scheme. Need to add tests for this.
      adds  50c903e   1.986 - allow IPv4 in CN for www/http scheme. Fix public 
suffix list handling.
      adds  cf80a79   1.987 fix t/verify_hostname_standalone.t on systems 
without usable IDNA or IPv6
      adds  9eeb788   typo
      adds  1050d8f   NEEDS testing: transparent support for DER and PKCS12 
files in certificate and key
      adds  15bc33b   1.988 - transparent support for DER and PKCS12 files for 
key and cert
      adds  8d25008   document behavior regarding freeing certificates, when 
using multiple certificates in SSL_cert
      adds  45a6f50   1.989  fix #95881
      adds  4426734   1.989_1 #95967, work around temporary OCSP error in 
t/external/ocsp.t
      adds  60681ec   1.990 added option SSL_ocsp_staple_callback to get the 
stapled OCSP response
      adds  5e38bed   1.991 new option SSL_OCSP_TRY_STAPLE to enforce staple 
request even if VERIFY_NONE - work around for RT#96013 in peer_certificates
      adds  9f66a9c   analyse-ssl.pl - do hostname verification which scheme 
matching starttls. set verified to name-mismatch if not matches, show 
subjectAltnames in show-chain
      adds  bf5d7eb   1.992 - set $! to undef before doing IO (accept, read..). 
On Windows a connection reset could cause SSL read error without setting $!, 
so make sure we don't keep the old value and maybe thus run into endless loop.
      adds  b45a119   - rework error handling to distinguish between SSL errors 
and internal errors   (like missing capabilities). - util/analyze-ssl.pl - fix 
hostname check if SNI does not work
      adds  fe8519d   1.923 - major rewrite of documentation
      adds  8be8769   documentation fix after #96451
      adds  7c3108b   1.994 - make socket switchable between plain and SSL with 
the same object
      adds  0188eff   fix documentation error RT#96765
      adds  520fc76   - refresh option for peer_certificate, so that it checks 
if the certificate   changed in the mean time (on renegotiation) - fix 
fingerprint checking - now applies only to topmost certificate - 
IO::Socket::SSL::Utils - accept extensions within CERT_create
      adds  7612091   Fix some typos and grammar issues
      adds  1700f71   Merge pull request #14 from frioux/patch-1
      adds  c66bb67   1.995 - RT#95452: move initialization and creation of 
OpenSSL-internals into INIT section, so they get executed after compilation and 
perlcc is happy.
      adds  7eb1d78   1.996 move initialization out of INIT again because this 
breaks when used with require. Document work-arounds needed for perlcc
      adds  c110b7e   1.997 - found way to detect when initialization was 
needed, so user needs no longer workarounds for perlcc
      adds  b123501   add debug message on call to _internal_error or error fix 
pass message in t/external/ocsp.t
      adds  8aaad64   update example/ssl_client,ssl_server
      adds  cc08c98   Enhance the SNI support by configuring the SNI contexts 
in the same way as the main context. This fixes problems like client 
certificate validation for SNI hosts. Added a SNI test that verifies the client 
certificate.
      adds  ac7e5d8   Merge branch 'jelu-sni-enhancement'
      adds  112bc7a   1.998 - redesign creation of SSL contexts, so that all 
contexts have CA path, verification callback etc
      adds  68b1ba1   accept PeerHost additionally to PeerAddr in all places, 
accept PeerService, enhance util/analyze-ssl.pl
      adds  b6af754   RT#98258 - make sure to set $/ to "\n" before using <$fh> 
in PublicSuffix
      adds  f032710   make sure we don't use version 0.30 of IO::Socket::IP
      adds  0ff7eb3   release as 1.999
      adds  b8bc6d3   Better skipping of tests requiring fork()
      adds  5aa23a2   Merge pull request #18 from steve-m-hay/master
      adds  7925def   update Changes after merge
      adds  de1451f   Solve Debian Bug#764868: with environment 
NO_NETWORK_TESTING set no external tests will be done. Simplify checks for fork 
by putting it into testlib and fix it by including Config.
      adds  42fd97a   SSL3.0 is no longer allowed in default SSL_version 
because of POODLE
      adds  fdc0e48   2.000 - update documentation regarding disabled SSL3.0
      adds  8572135   fix typo
      adds  ce9628e   util/analyze-ssl.pl - work around cloudflare behavior, 
where you get different ciphers with SNI than without
      adds  5abf633   make it work with 5.8.1 again
      adds  d12477e   update expected site fingerprints in t/external/*
      adds  935c05b   add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to 
increase PFS security
      adds  a6b3690   call it 2.001
      adds  fad6ac6   Update PublicSuffix with latest version from 
publicsuffix.org - lots of new top level domains. Add exception to PSL for 
s3.amazonaws.com - RT#99702
      adds  9407373   fix check for (invalid) IPv4 when validating hostname 
against certificate. Do not use aton any longer RT#99448
      adds  ec3cdf6   release as 2.002
      adds  1f94827   use only ICANN part in public suffix list fix typo
      adds  a09f29f   Propagate error if cert/key could not be used instead of 
continuing with an invalid context which might cause a segmentation fault
      adds  3b96ed5   skip io-socket-ip.t with IO::Socket::IP version 0.30 
instead of failing
      adds  99c1abd   max-cipher option for util/analyze.pl.  Fix host parsing
      adds  a49cffb   2.003 make SSLv3 accessible unless forbidden (default), 
even if the SSL library disables it by default in the context (LibreSSL)
      adds  ea2eb29   2.004 fix t/protocol_version.t to deal with OpenSSL 
installations which are compiled without SSLv3 support.
      adds  2dfb8ed   2.005 next try to fix t/protocol_version.t for OpenSSL 
w/o SSLv3 support
      adds  d95289d   2.005_1: enable non-blocking support for windows, mainly 
by using EWOULDBLOCK instead of EAGAIN
      adds  fbf66f2   make PublicSuffix::_default_data thread safe by storing 
the default data inside a function inside within __DATA__
      adds  da52dac   Release as 2.006, update PublicSuffix with latest list 
from publicsuffix.org
      adds  1a95a4f   Utils: documentation fixes
      adds  141d2b1   2.007 - implement getline/readline properly when not 
sslified (RT#100529)
      adds  8d6c3b1   2.008 - fix test because of external errors. Small 
enhancements for analyze.pl
      adds  4f11bca   fix #101020 (SSL.pm, analyze.pl)
      adds  1e66fe4   util/analyze.pl - analyze handshake compatibility
      adds  01421a4   analyze.pl - fix retry without SNI
      adds  8b16bb8   analyze.pl - fix for max_version, don't croak on 
anonymous ciphers
      adds  5d11618   example/*.pl - sysread with 16k (max ssl frame size) to 
avoid issues with pending data
      adds  3c99b11   util/analyze.pl - compare sent chain certificates again 
used certificates and also display local root certificate
      adds  8d2a520   reset $! after successful connect/accept with timeout
      adds  b26ec49   dummy util/analyze-ssl.pl
      adds  71dfd76   2.009 added ALPN support thanks to TEAM RT#101452
      adds  710ca92   t/protocol_version.t - fix in case SSLv3 is not supported 
in Net::SSLeay. RT#101485
      adds  f75a0ee   2.009 - new options SSL_client_ca_file and SSL_client_ca
      adds  72eb5d4   Minor pod fixes
      adds  7750ebf   Merge pull request #21 from frioux/patch-2
      adds  f80a23d   removed RC4 from default cipher suites on the server site
      adds  f447f6b   Utils::CERT_create - add purpose client for non-CA 
certificates
      adds  a02d5f8   added option 'purpose' to Utils::CERT_create
      adds  5921fbe   increase version in Utils.pm to 0.031
      adds  de79931   Minor pod fixes
      adds  21fed25   removed RC4 from default cipher suites on the server site
      adds  313adf1   Utils::CERT_create - add purpose client for non-CA 
certificates
      adds  8f138a2   added option 'purpose' to Utils::CERT_create
      adds  cdf3eda   increase version in Utils.pm to 0.031
      adds  e8f4058   ported some tests to use Test::More
      adds  8cf2973   white space and indentation fixes
      adds  e79e825   replace various skip_all with fail, because these should 
fail
      adds  c1af848   don't use Test::More in t/alpn.t since it does not work 
with parent and forked child doing test output
      adds  a585ee6   Merge branch 'Sweet-kid-use_Test_More'
      adds  dedca19   t/external/ocsp.t - don't count on revoked.grc.com using 
OCSP stapling SSL.pm - clear SSL_ERROR before attempting 
SSLeay::{connect,accept}
      adds  42765f2   release 2.011
      adds  a5a716b   2.012 - fix t/ocsp.t in case no HTTP::Tiny is installed
      adds  b2841cb   fixed Changes - last entries for 2014 should have been 
2015 (thanks to Alvar Freude for pointing out)
      adds  933bc45   fixed a few grammatical problems and made some slight 
word changes to enhance readability.  I also made mention of module names links 
instead of plain text
      adds  a3b16fc   a few more fixes.  about 40% done with the POD
      adds  3226a74   a bit further along.  There is a lot to read
      adds  53d7da6   Merge branch 'genio-master'
      adds  c1490e4   updated Changes
      adds  2021d91   Replace fail(...) with ok(0,...) in t/alpn.t.
      adds  02db0fc   Put back a not ok accept failure that got lost in e8f4058.
      adds  81d17e0   Merge pull request #28 from bluhm/alpn.t
      adds  1f430ea   2.013 - rework error handling so that follow-up errors 
don't replace the original errors
      adds  75eeb90   2.014 - Utils::CERT_create - work around problems with 
authorityInfoAccess, where   OpenSSL i2v does not create the same string as v2i 
expects - Intercept - don't clone some specific extensions which make only 
sense with   the original certificate
      adds  7f2e97e   print module that was used as a parent
      adds  086ef1c   Merge pull request #32 from chorny/patch-1
      adds  c94b27d   t/01loadmodule.t - add also version of @ISA module to 
diagnostics
      adds  dcc09a5   explicit check that IPv6 address only contains hex,'.' 
and ':' because  inet_pton on some systems seems to accept something like 
"[::1.2.3.4]".  https://github.com/noxxi/p5-io-socket-ssl/issues/31
      adds  4b3e466   2.015 - work around problem with IO::Socket::INET6 on 
windows in tests by enforcing AF_INET as Domain
      adds  19033d8   accept Domain and Family argument, so it does not matter 
if the superclass uses Family (IO::Socket::IP) or Domain (IO::Socket::INET6)
      adds  3c44971   update documentation to make it more clear where to get 
the X509* and EV_PKEY* objects for SSL_ca, SSL_cert and SSL_key
      adds  db39502   add better debugging based on a patch from H.Merijn Brand
      adds  6c69321   make t/memleak_bad_handshake.t work on cygwin and other 
systems having /proc/pid/statm., see RT#104659
      adds  8349289   make some tests work with older Test::More w/o 
done_testing
      adds  a542b05   update version to 2.015_001
      adds  9eb322b   removed wrong domain AF_INET from t/io-socket-ip.t set 
version to 2.015_002
      adds  de1b62b   2.015_003  work around hanging prompt() with older perl 
in Makefile.PL RT#104731
      adds  7306627   2.015_004 - fix handling of default for yesno in 
Makefile.PL
      adds  3ede5be   2.015_005 add flag X509_V_FLAG_TRUSTED_FIRST by default 
if available, RT#104759
      adds  3304d81   another try with X509_V_FLAG_TRUSTED_FIRST
      adds  b922605   release as 2.016
      adds  894f7b8   2.016_001 - support different ciphers for SNI hosts
      adds  fa27238   2.016_002 - enforce default verification scheme if none 
was specified instead of just warning if name is wrong (i.e. hard fail vs. soft 
fail)
      adds  eb8a20e   add more detail to example in documentation to show that 
the user must do the SMTP dialogs by itself (RT#105936)
      adds  58d3aa8   Fix failing non-blocking test on Unix platforms where 
EWOULDBLOCK is not the same as EAGAIN (Solaris, AIX, HP-UX, etc). This bug was 
introduced by commit d95289 for 2.006. The fix is simply to check for either of 
these errors instead of just one.
      adds  00858d8   Merge pull request #35 from andygrundman/master
      adds  6a98f0f   fix _update_peer for IPv6 (wrong use of getnameinfo)
      adds  7432b34   remove -r for checking SSL_{cert,key}_file since this 
will cause a usable error later anyway if file does not exist. This fixes some 
part of #106295
      adds  d139352   added interface sock_certificate to get local certificate 
 as suggested in #15733 enhanced get_fingerprint* to fingerprint any certificate, 
not only peer
      adds  421ac8e   check with open/opendir if SSL_ca_file/path is 
accessible. RT#106295
      adds  d2ef480   catch cases where SSL_verify_mode is used with string 
instead number. Update Changes and release as 2.017
      adds  0ea12ea   2.018 - RT#106687 - startssl.t failed on darwin with old 
openssl since server requested client certificate but offered also anon ciphers
      adds  3f9b660   2.019 work around different behavior of getnameinfo from 
Socket and Socket6
      adds  2cb6d54   Fix typos
      adds  0def00f   Merge pull request #34 from jwilk/typos
      adds  9d495d0   2.020 support multiple directories in SSL_ca_path as 
proposed in RT#106711
      adds  d8556e6   fix socket variable name in documentation
      adds  7805d01   Merge pull request #36 from 
DavsX/doc/non_blocking_documentation_fix
      adds  c9006b7   make documentation more clear regarding enforcing IPv4
      adds  f356d58   update public suffix list with latest version, adapt 
tests to changed list
      adds  248725a   Fix typos
      adds  09ae45c   Merge pull request #38 from jwilk/spelling
      adds  f853a6e   2.021  update PublicSuffix again before new release
      adds  4d5d42b   2.022 fix stringification of IPv6 inside subjectAltNames 
in Utils::CERT_asHash, RT#110253
      adds  52c1948   Fix typo
      adds  fd2184f   Merge pull request #39 from jwilk/spelling
      adds  6e23ee4   2.023 - work around changes in OpenSSL 1.0.2f regarding 
SSL_shutdown
      adds  32c2ebc   small documentation fixes for Intercept small code 
cleanup for Utils
      adds  f8ee6e7   Fix calls to X509_NAME_add_entry_by_txt in 
Utils::CREATE_cert in case the given string is not UTF-8. Retry with T.61 and 
finally use Octet
      adds  b80a30d   Intercept: ignore unknown extensions (unknown nid,sn) 
when cloning
      adds  a1f4fdd   2.024 - work around issue with AI_ADDRCONFIG default an 
IO::Socket::IP,   see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
      adds  5c11d87   2.025 Resolved memleak if SSL_crl_file was used: 
RT#113257, RT#113530
      adds  c42cb54   2.026 - update default server and client ciphers based on 
recommendation of   Mozilla and what the current browsers use. Notably this 
finally disables   RC4 for the client (was disabled for server long ago) and 
adds CHACHA20.
      adds  b1cf42e   2.027 - only included changes for 2.027 in Changes file
      adds  b47ebe2   example/ssl_server.pl - make it clear that client 
certificates are only requested    if option --ca is used
      adds  d62f932   2.028 - add del_session method to session cache - send 
accepted CA in example/ssl_server.pl in case of SSL_ca_file
      adds  1ed5429   2.029 - fix del_session method in case a single item was 
in the cache - use SSL_session_key as the real key for the cache and not some 
derivate of it,   so that it works to remove the entry using the same key
      adds  781c5a5   support for creating ECC keys in IO::Socket::SSL::Utils 
once supported by Net::SSLeay
      adds  e329b07   assume that Net::SSLeay::P_PKCS12_load_file will return 
the CA certificates with the reverse order as in the PKCS12 file, because 
that's what it does.
      adds  dab44e4   Utils::CERT_create - don't add given extensions again if 
they were already  added. Firefox croaks with sec_error_extension_value_invalid 
if (specific?)  extensions are given twice.
      adds  da45bd5   2.030 remove internal sub session_cache and access cache 
directly (faster) This also fixes a problem when SSL_session_key was used, 
which was introduced in 2.029
      adds  2edc281   2.031 fix for bug in session handling introduced in 
2.031, RT#115975
      adds  07baa9d   2.032 - Set session id context only on the server side. 
Even if the documentation for   SSL_CTX_set_session_id_context makes clear that 
this function is server side   only it actually affects handling of session 
reuse on the client side too and   can result in error 
"SSL3_GET_SERVER_HELLO:attempt to reuse session in   different context" at the 
client.
      adds  7e5d364   - support for session ticket reuse over multiple contexts 
and processes   (if supported by Net::SSLeay) - small optimizations, like 
saving various Net::SSLeay constants into variables   and access variables 
instead of calling the constant sub all the time
      adds  d67d3c3   release as 2.033 make t/dhe.t work with openssl 1.1.0
      adds  8645496   Fix POD (arrows in C<> sequences)
      adds  26bf287   Fix POD: brackets in SSL_ticket_keycb example
      adds  8182684   Merge pull request #44 from choroba/master
      adds  8eb0130   describe problem with validating self-signed non-CA 
certificates
      adds  3e15230   2.034 - move handling of global SSL arguments into 
creation of context, so that these   get also applied when creating a context 
only.
      adds  00ae563   update expected certificate fingerprints for external 
tests
      adds  aaa7c76   switched to different hosts for live OCSP tests in the 
hope that these  use the same certificates world-wide
      adds  662178d   apply (configurable) global settings after builtin 
default settings
      adds  9e7fbf7   configure_SSL: return if context creation failed, might 
result in segfault otherwise
      adds  e159207   released as 2.035
      adds  e5596ce   2.036 - set can_ocsp to false for Net::SSLeay 1.75..1.77, 
see RT#116795
      adds  b86694d   forgot Changes information
      adds  252f015   2.037 fix session cache del_session: it freed the session 
but did not properly remove it from the cache. Further reuse causes crash.
      adds  0a6e3e4   2.038 - restrict session ticket callback to Net::SSLeay 
1.79+ since version before   contains bug. Add test for session reuse - extend 
SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....' - fix 
t/external/ocsp.t to use different server (under my control) to check   OCSP 
stapling
      adds  a97b5d3   - don't check if SSL_key_file and SSL_cert_file are 
files, instead just   check if they can be opened which includes that they are 
readable - for SSL_ca_file skip the check for -f, open(..) should be sufficient
      adds  ca92657   2.039: adapt to the changed behavior of SSL_read on EOF 
without SSL shutdown which was introduced with OpenSSL 1.1.0c.
      adds  e16fbcd   Decode the serial number the right way
      adds  cb43675   Include signature algorithm in CERT_asHash
      adds  aef8b82   Merge pull request #47 from odenbach/serial
      adds  32ddca6   testlib: clear __DIE__ handler in child
      adds  8c81f60   Fix number used for SSLEAY_DIR/OPENSSL_DIR since this 
changed with OpenSSL 1.1. This caused it to not find the default path for CA 
any longer with OpenSSL 1.1.
      adds  4abb901   release as 2.040 document signature_alg in 
Utils::CERT_asHash
      adds  de001a9   2.041 disable session ticket callback for now until the 
feature is   fully implemented in Net::SSLeay
      adds  44dad7c   2.042 - enable session ticket callback with 
Net::SSLeay>=1.80
      adds  3fda2f1   2.043 - make t/session_ticket.t work with OpenSSL 1.1.0.
      adds  e2ace02   2.044  protect various 'eval'-based capability detections 
at startup with a localized   __DIE__ handler. This way dynamically requiring 
IO::Socket::SSL as done by   various third party software should cause less 
problems even if there is a   global __DIE__ handler which does not properly 
deal with 'eval'.
      adds  aebd75c   fix memory leak with %CREATED_IN_THIS_THREAD based on 
pull request  https://github.com/noxxi/p5-io-socket-ssl/pull/55
      adds  7167c64   Fix typos
      adds  137f428   Merge pull request #52 from jwilk/spelling
      adds  1e50f80   only do "stop_SSL" after accept_SSL failed with 
SSL_startHandshake=0 in place
      adds  f1b51fd   call to connect_SSL will fail if handshake already done; 
adds DEBUG message
      adds  7d6042a   Merge pull request #53 from 
hubandr/handshake_failed_stop_ssl
      adds  586b24d   optimization: don't track SSL objects and CTX in 
*CREATED_IN_THIS_THREAD if perl is compiled w/o thread support
      adds  1bacf7e   when setting SSL_keepSocketOnError to true the socket 
will not be closed on fatal error  This is a modified version of 
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
      adds  4f4a3ad   release as 2.045 small fix in t/protocol_version.t to use 
older versions of Net::SSLeay  with openssl build w/o SSLv3 support
      adds  7ee0ba3   2.046 cleanup everything in DESTROY and make sure to 
start with a fresh %{*self} in configure_SSL  because it can happen that a GLOB 
gets used again without calling DESTROY 
(https://github.com/noxxi/p5-io-socket-ssl/issues/56)
      adds  5122caa   New upstream version 2.046
       new  187d4c1   Merge tag 'upstream/2.046'
       new  3d49223   Update debian/changelog
       new  d379506   Prepare changelog for release

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Changes              |  4 ++++
 META.json            |  4 ++--
 META.yml             |  4 ++--
 debian/changelog     |  6 ++++++
 lib/IO/Socket/SSL.pm | 12 +++++++-----
 5 files changed, 21 insertions(+), 9 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libio-socket-ssl-perl.git

_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
