------------------------------------------------------------------- Thu Aug 8 11:09:57 UTC 2019 - Pedro Monreal Gonzalez - Support for forward secrecy using ECDH, if the Net::SSLeay/openssl version supports it [bsc#1137643] * Added patch perl-IO-Socket-SSL-ECDH.patch ------------------------------------------------------------------- Wed Aug 17 14:49:38 CEST 2011 - dmueller@suse.de - require perl-IO-Socket-INET6 for IPv6 support - update to 1.38 as required by the libwww-perl-libwww certificate handling fix(bnc#712654): - fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1 instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for reporting https://rt.cpan.org/Ticket/Display.html?id=64864 - don't complain about invalid certificate locations if user explicitly set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what he is doing and will work around the problems by itself. http://rt.cpan.org/Ticket/Display.html?id=63741 - update documentation for SSL_verify_callback based on https://rt.cpan.org/Ticket/Display.html?id=63743 https://rt.cpan.org/Ticket/Display.html?id=63740 - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid it will no longer fall back to VERIFY_NONE but throw an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for pointing out the problem, see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 - schema http for certificate verification changed to wildcards_in_cn=1, because according to rfc2818 this is valid and also seen in the wild - if upgrading socket from inet to ssl fails due to handshake problems the socket gets downgraded, but is still open. See https://rt.cpan.org/Ticket/Display.html?id=61466 - depreceate kill_socket, just use close() - attempt to make t/memleak_bad_handshake.t more stable, it fails for unknown reason on various systems - fix hostname checking: an IP should only be checked against subjectAltName GEN_IPADD, never against GEN_DNS or CN. Thanks to rusch[AT]genua[DOT]de for bug report - Makefile.PL: die if Scalar::Util has no dualvar support instead of only complaining. Thanks to w[DOT]phillip[DOT]moore[AT]gmail[DOT]com for reporting. - add and export constants for SSL_VERIFY_* - set SSL_use_cert if cert is given and not SSL_server - support alternative CRL file with SSL_crl_file thanks to patch of w[DOT]phillip[DOT]moore[AT]gmail[DOT]com - make t/memleak_bad_handshake.t more stable (increase listen queue, ignore errors on connect, don't run on windows..) - t/memleak_bad_handshake.t don't write errors with ps to stderr, -o vsize argument is not supported on all platforms, just skip test then - make sure that idn_to_ascii gets no \0 bytes from identity, because it simply cuts the string their (using C semantics). Not really a security problem because IDN like identity is provided by user in hostname, not by certificate. - fix test t/memleak_bad_handshake.t - fixed thanks for version 1.28 - fix memleak when SSL handshake failed. Thanks richardhundtu[AT]gmail[DOT]com - changed possible local/utf-8 depended \w in some regex against more explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service names can't have '-' inside - fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131 where eli[AT]dvns[DOT]com reported warnings when perl -w was used. While there made it more aware of errors in Net::ssl_write_all (return undef not 0 in generic_write) - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it Thanks to MLEHMANN for reporting - t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5 https://rt.cpan.org/Ticket/Display.html?id=47240 - add verify hostname scheme ftp, same as http - renew test certificates again (root CA expired, now valid for 10 years) - if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the default values have no existing file|path) disable checking of certificates, but carp about the problem - new test certificates, the old ones expired and caused tests to fail - Net::SSLeay stores verify callbacks inside hash and never clears them, so set verify callback to NULL in destroy of context - auto verification of name in certificate created circular reference between SSL and CTX object with the verify_callback, which caused the objects to be destroyed only at program end. Fix it be no longer access $self from inside the callback. - only changes on test suite to make it ready for win32 (tested with strawberry perl 5.8.8) - fix verifycn_name autodetection from PeerAddr/PeerHost - fixed typo in argument: wildcars_in_cn -> wildcards_in_cn http://rt.cpan.org/Ticket/Display.html?id=40997 thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting - no code changes, publish v.16_3 as v.17 because it looks better than v.16 - document win32 behavior regarding non-blocking and timeouts - better support for IPv6: - IPv6 is enabled by default if IO::Socket::INET6 is available - t/inet6.t for basic tests - change code for SSL_check_crl to use X509_STORE_set_flags instead of X509_STORE_CTX_set_flags based on bug report from - change opened() to report -1 if the IO::Handle is open, but the SSL connection failed, needed with HTTP::Daemon::SSL which will send an error mssage over the unencrypted socket ------------------------------------------------------------------- Tue Sep 1 10:05:53 CEST 2009 - anicka@suse.cz - fix certificate hostname comparing (bnc#535554) - update certificates to files from 1.24 because old were expired ------------------------------------------------------------------- Mon Feb 23 12:04:25 CET 2009 - ro@suse.de - ignore test suite errors, too many unreproducable failures ------------------------------------------------------------------- Mon Nov 17 16:45:47 CET 2008 - lnussel@suse.de - fix typo that prevented wildcards in CN (bnc#445678) ------------------------------------------------------------------- Mon Oct 6 15:05:26 CEST 2008 - anicka@suse.cz - update to 1.16 * change code for SSL_check_crl to use X509_STORE_set_flags instead of X509_STORE_CTX_set_flags * change opened() to report -1 if the IO::Handle is open, but the SSL connection failed, needed with HTTP::Daemon::SSL which will send an error mssage over the unencrypted socket ------------------------------------------------------------------- Wed Sep 10 16:58:20 CEST 2008 - anicka@suse.cz - update to 1.15 * change internal behavior when SSL handshake failed (like when verify callback returned an error) in the hope to fix spurios errors in t/auto_verify_hostname.t ------------------------------------------------------------------- Mon Aug 18 13:54:40 CEST 2008 - ro@suse.de - hack to build also in buildservice where 127.0.0.1 can resolve to the hostname instead of localhost ------------------------------------------------------------------- Mon Aug 4 00:35:10 CEST 2008 - ro@suse.de - update require for Net_SSLeay to Net-SSLeay ------------------------------------------------------------------- Fri Jul 25 15:59:47 CEST 2008 - anicka@suse.cz - update to 1.14 * added support for verification of hostname from certificate including subjectAltNames, support for IDN etc * automatic verification of hostnames with SSL_verifycn_scheme and SSL_verifycn_name * global setting of default context options like SSL_verifycn_scheme, SSL_verify_mode with set_ctx_defaults * fix import of inet4,inet6 which got broken within 1.13_X. * clarified and enhanced debugging supppport * put information into README regarding the supported and recommanded version of Net::SSLeay ------------------------------------------------------------------- Mon Jan 28 15:27:25 CET 2008 - anicka@suse.cz - update to 1.13 * removed CLONE_SKIP which was added in 1.03 because this breaks windows forking. Handled threads/windows forking better by making sure that CTX from Net::SSLeay gets not freed multiple times from different threads after cloning/forking * removed setting LocalPort to 0 in tests, instead leave it undef if a random port should be allocated. ------------------------------------------------------------------- Thu Nov 1 15:42:58 CET 2007 - anicka@suse.cz - update to 1.12 * treat timeouts of 0 for accept_SSL and connect_SSL like no timeout, like IO::Socket does. * fixed errors in accept_SSL which would work when called from start_SSL but not from accept * start_SSL, accept_SSL and connect_SSL have argument for Timeout so that the SSL handshake will not block forever. Only used if the socket is blocking. If not set the Timeout value from the underlying IO::Socket is used ------------------------------------------------------------------- Mon Oct 8 09:24:08 CEST 2007 - anicka@suse.cz - update to 1.09 * new method stop_SSL as opposite of start_SSL * try to make it clearer that thread support is buggy * make sure that Scalar::Util has support for dualvar (Makefile.PL,SSL.pm) because the perl*only version has has no dualvar ------------------------------------------------------------------- Mon Jun 11 09:36:41 CEST 2007 - anicka@suse.cz - update to 1.07 * fix t/nonblock.t on systems which have by default a larger socket buffer. Set SO_SNDBUF explicitly with setsockopt to force smaller writes on the socket - move testing to %check ------------------------------------------------------------------- Tue May 15 16:10:34 CEST 2007 - anicka@suse.cz - update to 1.06 * instead of setting undef args to '' in configure_SSL drop them. This makes Net::SMTP::SSL working again because it does not give LocalPort of '' to IO::Socket::INET any more ------------------------------------------------------------------- Mon Apr 23 13:31:13 CEST 2007 - anicka@suse.cz - update to 1.05 * make session cache working even if the IO::Socket::SSL object was not created with IO::Socket::SSL->new but with IO::Socket::SSL->start_SSL on an established socket ------------------------------------------------------------------- Fri Mar 30 16:02:45 CEST 2007 - anicka@suse.cz - update to 1.04 * added way to create SSL object with predefined session cache ------------------------------------------------------------------- Wed Mar 7 10:46:00 CET 2007 - anicka@suse.cz - update to 1.03 * add CLONE_SKIP ------------------------------------------------------------------- Wed Dec 13 12:18:37 CET 2006 - anicka@suse.cz - update to 1.02 * added some info to BUGS and to BUGS section of pod * added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even if they do nothing useful. * all tests allocate now the ports dynamically, so there should be no longer a conflict with open ports on the system where the tests run ------------------------------------------------------------------- Thu Sep 14 12:24:11 CEST 2006 - anicka@suse.cz - update to 1.01 * add support for Diffie Hellman Key Exchange. * accept_SSL sets errors on $socket (the accepted socket) not $self (the listening socket if called from accept) * many bugfixes ------------------------------------------------------------------- Mon Jul 24 14:54:30 CEST 2006 - anicka@suse.cz - update to 0.993 * added test for sysread/syswrite behavior * fix Makefile.PL to allow detectection of failures in PREREQ_PM * fix problems with HTTP::Daemon::SSL ------------------------------------------------------------------- Tue Jul 18 17:07:11 CEST 2006 - anicka@suse.cz - update to 0.99 * Maintainer changed to * Better support for nonblocking sockets * Bugfixes ------------------------------------------------------------------- Wed Jan 25 21:39:46 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Mon Aug 1 12:46:17 CEST 2005 - mjancar@suse.cz - update to 0.97 ------------------------------------------------------------------- Wed Sep 29 18:54:55 CEST 2004 - mls@suse.de - use X509_STORE_set_flags instead of X509_STORE_CTX_set_flags ------------------------------------------------------------------- Thu Aug 19 13:10:44 CEST 2004 - mjancar@suse.cz - update to 0.96 ------------------------------------------------------------------- Thu Feb 26 16:06:13 CET 2004 - mjancar@suse.cz - update to 0.95 ------------------------------------------------------------------- Sun Jan 11 11:30:00 CET 2004 - adrian@suse.de - build as user ------------------------------------------------------------------- Fri Aug 22 14:58:22 CEST 2003 - mjancar@suse.cz - require the perl version we build with ------------------------------------------------------------------- Thu Jul 24 13:21:17 CEST 2003 - mjancar@suse.cz - update 0.94 ------------------------------------------------------------------- Thu Jul 17 16:44:45 CEST 2003 - mjancar@suse.cz - adapt to perl-5.8.1 - use %perl_process_packlist ------------------------------------------------------------------- Mon Jun 16 20:27:20 CEST 2003 - mjancar@suse.cz - run make test - fix filelist ------------------------------------------------------------------- Tue May 20 12:40:04 CEST 2003 - mjancar@suse.cz - remove unpackaged files ------------------------------------------------------------------- Fri Dec 20 14:51:46 CET 2002 - prehak@suse.cz - updated to 0.92 - added example directory ------------------------------------------------------------------- Wed Dec 18 18:18:55 CET 2002 - prehak@suse.cz - updated to version 0.901 ------------------------------------------------------------------- Thu Jul 11 11:01:40 CEST 2002 - prehak@suse.cz - updated to version 0.81 - added demo, util and more to documetation ------------------------------------------------------------------- Tue Jul 2 17:40:06 MEST 2002 - mls@suse.de - remove race in .packlist generation ------------------------------------------------------------------- Mon Jan 14 19:10:00 CET 2002 - rvasice@suse.cz - update to version 0.80 ------------------------------------------------------------------- Fri Aug 24 14:19:33 CEST 2001 - rvasice@suse.cz - removed make test - need network ------------------------------------------------------------------- Tue Aug 14 15:54:06 CEST 2001 - rvasice@suse.cz - update to version 0.79 - add make test ------------------------------------------------------------------- Tue Mar 13 15:38:31 CET 2001 - cihlar@suse.cz - update to version 0.77 ------------------------------------------------------------------- Fri Nov 10 11:34:51 CET 2000 - cihlar@suse.cz - renamed p_iossl -> perl-IO-Socket-SSL ------------------------------------------------------------------- Wed Aug 23 10:47:31 CEST 2000 - cihlar@suse.cz - package created