@@ -1,3 +1,87 @@
-------------------------------------------------------------------
Thu Sep 21 15:37:34 UTC 2017 - vcizek@suse.com
- update to 2.051
- syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
https://github.com/noxxi/p5-io-socket-ssl/issues/62
- removed unecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported
as is the case with openssl versions in latest Debian (buster)
- fixed problem caused by typo in the context of session cache
https://github.com/noxxi/p5-io-socket-ssl/issues/60
- update PublicSuffix information from publicsuffix.org
- fixed small memory leaks during destruction of socket and context, RT#120643
- better fix for problem which 2.046 tried to fix but broke LWP this way
- cleanup everything in DESTROY and make sure to start with a fresh %{*self}
in configure_SSL because it can happen that a GLOB gets used again without
calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects -> github pull#55
- optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
if perl is compiled w/o thread support
- small fix in t/protocol_version.t to use older versions of Net::SSLeay
with openssl build w/o SSLv3 support
- when setting SSL_keepSocketOnError to true the socket will not be closed
on fatal error. This is a modified version of
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
- protect various 'eval'-based capability detections at startup with a localized
__DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
various third party software should cause less problems even if there is a
global __DIE__ handler which does not properly deal with 'eval'.
- make t/session_ticket.t work with OpenSSL 1.1.0. With this version the
session does not get reused any longer if it was not properly closed which
is now done using an explicit close by the client which causes a
proper SSL_shutdown
- enable session ticket callback with Net::SSLeay>=1.80
- leave session ticket callback off for now until the needed patch is
included in Net::SSLeay. See
https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146
- fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
EOF without proper SSL shutdown. Since it looks like that this behavior will
be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
on SSL_ERROR_SYSCALL as EOF.
- restrict session ticket callback to Net::SSLeay 1.79+ since version before
contains bug. Add test for session reuse
- extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
- fix t/external/ocsp.t to use different server (under my control) to check
OCSP stapling
- fix session cache del_session: it freed the session but did not properly
remove it from the cache. Further reuse causes crash.
- disable OCSP support when Net::SSLeay 1.75..1.77 is used, see RT#116795
- move handling of global SSL arguments into creation of context, so that these
get also applied when creating a context only.
- support for session ticket reuse over multiple contexts and processes
(if supported by Net::SSLeay)
- small optimizations, like saving various Net::SSLeay constants into variables
and access variables instead of calling the constant sub all the time
- make t/dhe.t work with openssl 1.1.0
- Set session id context only on the server side. Even if the documentation for
SSL_CTX_set_session_id_context makes clear that this function is server side
only it actually affects hndling of session reuse on the client side too and
can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
different context" at the client.
- Utils::CERT_create - don't add given extensions again if they were already
added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice.
- assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does.
- support for creating ECC keys in Utils once supported by Net::SSLeay
- remove internal sub session_cache and access cache directly (faster)
- fix del_session method in case a single item was in the cache
- use SSL_session_key as the real key for the cache and not some derivate of it,
so that it works to remove the entry using the same key
- add del_session method to session cache
- only added Changes for 2.026
- update default server and client ciphers based on recommendation of
Mozilla and what the current browsers use. Notably this finally disables
RC4 for the client (was disabled for server long ago) and adds CHACHA20.
- drop perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
(upstream)
-------------------------------------------------------------------
Wed Apr 6 09:46:47 UTC 2016 - coolo@suse.com
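Review bot: The new changelog entry pastes the upstream Changes text for several releases under the single heading "- update to 2.051" without marking where one upstream version ends and the next begins, so the session ticket lines read as contradicting each other ("enable session ticket callback with Net::SSLeay>=1.80", "leave session ticket callback off for now until the needed patch is included in Net::SSLeay", "restrict session ticket callback to Net::SSLeay 1.79+"); either group the bullets per upstream version or keep only the net behaviour of 2.051 so a reader can tell what the packaged version actually does. The bullet "- only added Changes for 2.026" is upstream bookkeeping with no packaging meaning and should be dropped. The security-relevant items worth keeping visible are the default cipher change (RC4 disabled for the client, CHACHA20 added), the session cache del_session fix whose reuse "causes crash", the memory leak fixes (RT#120643, pull#55) and the dropped perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch now that it is upstream. Minor spelling in the quoted upstream text: "unecessary" should be "unnecessary" and "hndling" should be "handling".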