Accepting request 528108 from home:vitezslav_cizek:branches:devel:languages:perl

- update to 2.051
fixes build with openssl 1.1
  - syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
    OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
    https://github.com/noxxi/p5-io-socket-ssl/issues/62
  - removed unecessary settings of SSL_version and SSL_cipher_list from tests
  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported
    as is the case with openssl versions in latest Debian (buster)
  - fixed problem caused by typo in the context of session cache
    https://github.com/noxxi/p5-io-socket-ssl/issues/60
  - update PublicSuffix information from publicsuffix.org
  - fixed small memory leaks during destruction of socket and context, RT#120643
  - better fix for problem which 2.046 tried to fix but broke LWP this way
  - cleanup everything in DESTROY and make sure to start with a fresh %{*self}
    in configure_SSL because it can happen that a GLOB gets used again without
    calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
  - fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
    objects -> github pull#55
  - optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
    if perl is compiled w/o thread support
  - small fix in t/protocol_version.t to use older versions of Net::SSLeay
    with openssl build w/o SSLv3 support
  - when setting SSL_keepSocketOnError to true the socket will not be closed
    on fatal error. This is a modified version of
    https://github.com/noxxi/p5-io-socket-ssl/pull/53/
  - protect various 'eval'-based capability detections at startup with a localized
    __DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
    various third party software should cause less problems even if there is a
    global __DIE__ handler which does not properly deal with 'eval'.
  - make t/session_ticket.t work with OpenSSL 1.1.0. With this version the
    session does not get reused any longer if it was not properly closed which

OBS-URL: https://build.opensuse.org/request/show/528108
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-IO-Socket-SSL?expand=0&rev=92

IO-Socket-SSL-2.025.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5b7d4db9c15f5c9e342bad26a5e1b8b59899a09f22ed8a5345b1b19df83fcc3
-size 209795

IO-Socket-SSL-2.051.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18453ceca9a2490dbde0154355c0dc7915f5848b7e452c5e0282914c1f4219f3
+size 220529

cpanspec.yml

@@ -1,3 +1,2 @@
 ---
 patches:
- perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch: -p1

perl-IO-Socket-SSL.changes

@@ -1,3 +1,87 @@
+-------------------------------------------------------------------
+Thu Sep 21 15:37:34 UTC 2017 - vcizek@suse.com
+
+- update to 2.051
+  - syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
+    OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
+    https://github.com/noxxi/p5-io-socket-ssl/issues/62
+  - removed unecessary settings of SSL_version and SSL_cipher_list from tests
+  - protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported
+    as is the case with openssl versions in latest Debian (buster)
+  - fixed problem caused by typo in the context of session cache
+    https://github.com/noxxi/p5-io-socket-ssl/issues/60
+  - update PublicSuffix information from publicsuffix.org
+  - fixed small memory leaks during destruction of socket and context, RT#120643
+  - better fix for problem which 2.046 tried to fix but broke LWP this way
+  - cleanup everything in DESTROY and make sure to start with a fresh %{*self}
+    in configure_SSL because it can happen that a GLOB gets used again without
+    calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
+  - fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
+    objects -> github pull#55
+  - optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
+    if perl is compiled w/o thread support
+  - small fix in t/protocol_version.t to use older versions of Net::SSLeay
+    with openssl build w/o SSLv3 support
+  - when setting SSL_keepSocketOnError to true the socket will not be closed
+    on fatal error. This is a modified version of
+    https://github.com/noxxi/p5-io-socket-ssl/pull/53/
+  - protect various 'eval'-based capability detections at startup with a localized
+    __DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
+    various third party software should cause less problems even if there is a
+    global __DIE__ handler which does not properly deal with 'eval'.
+  - make t/session_ticket.t work with OpenSSL 1.1.0. With this version the
+    session does not get reused any longer if it was not properly closed which
+    is now done using an explicit close by the client which causes a
+    proper SSL_shutdown
+  - enable session ticket callback with Net::SSLeay>=1.80
+  - leave session ticket callback off for now until the needed patch is
+    included in Net::SSLeay. See
+    https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146
+  - fix detection of default CA path for OpenSSL 1.1.x
+  - Utils::CERT_asHash now includes the signature algorithm used
+  - Utils::CERT_asHash can now deal with large serial numbers
+  - OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
+    EOF without proper SSL shutdown. Since it looks like that this behavior will
+    be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
+    on SSL_ERROR_SYSCALL as EOF.
+  - restrict session ticket callback to Net::SSLeay 1.79+ since version before
+    contains bug. Add test for session reuse
+  - extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
+  - fix t/external/ocsp.t to use different server (under my control) to check 
+    OCSP stapling
+  - fix session cache del_session: it freed the session but did not properly
+    remove it from the cache. Further reuse causes crash.
+  - disable OCSP support when Net::SSLeay 1.75..1.77 is used, see RT#116795
+  - move handling of global SSL arguments into creation of context, so that these
+    get also applied when creating a context only.
+  - support for session ticket reuse over multiple contexts and processes
+    (if supported by Net::SSLeay)
+  - small optimizations, like saving various Net::SSLeay constants into variables
+    and access variables instead of calling the constant sub all the time
+  - make t/dhe.t work with openssl 1.1.0
+  - Set session id context only on the server side. Even if the documentation for
+    SSL_CTX_set_session_id_context makes clear that this function is server side
+    only it actually affects hndling of session reuse on the client side too and
+    can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
+    different context" at the client.
+  - Utils::CERT_create - don't add given extensions again if they were already
+    added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
+    extensions are given twice.
+  - assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
+    with the reverse order as in the PKCS12 file, because that's what it does.
+  - support for creating ECC keys in Utils once supported by Net::SSLeay
+  - remove internal sub session_cache and access cache directly (faster)
+  - fix del_session method in case a single item was in the cache
+  - use SSL_session_key as the real key for the cache and not some derivate of it,
+    so that it works to remove the entry using the same key
+  - add del_session method to session cache
+  - only added Changes for 2.026
+  - update default server and client ciphers based on recommendation of
+    Mozilla and what the current browsers use. Notably this finally disables
+    RC4 for the client (was disabled for server long ago) and adds CHACHA20.
+- drop perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
+  (upstream)
+
 -------------------------------------------------------------------
 Wed Apr  6 09:46:47 UTC 2016 - coolo@suse.com
 

perl-IO-Socket-SSL.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-IO-Socket-SSL
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           perl-IO-Socket-SSL
-Version:        2.025
+Version:        2.051
 Release:        0
 %define cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET
@@ -26,7 +26,6 @@ Group:          Development/Libraries/Perl
 Url:            http://search.cpan.org/dist/IO-Socket-SSL/
 Source0:        http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
 Source1:        cpanspec.yml
-Patch0:         perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  perl
@@ -77,7 +76,6 @@ Additional documentation can be found in
 %prep
 %setup -q -n %{cpan_name}-%{version}
 find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
-%patch0 -p1
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor

perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch

@@ -1,14 +0,0 @@
-Index: IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pm
-===================================================================
---- IO-Socket-SSL-2.012.orig/lib/IO/Socket/SSL.pm	2015-02-02 08:44:32.000000000 +0100
-+++ IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pm	2015-04-18 11:37:15.730344825 +0200
-@@ -129,6 +129,9 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
- 	    DHE-DSS-AES128-SHA
- 	    DHE-DSS-AES256-SHA256
- 	    DHE-DSS-AES256-SHA
-+            DHE-RSA-AES128-SHA
-+            DHE-RSA-AES256-SHA256
-+            DHE-RSA-AES256-SHA
- 	    AES128-SHA256
- 	    AES128-SHA
- 	    AES256-SHA256