Accepting request 184296 from devel:languages:perl

- new version 0.951
  * better document builtin defaults for key,cert,CA and how they are depreceated
  * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use
    openssl's builtin defaults for CA unless CA path/file was given
  * MAJOR BEHAVIOR CHANGE:
    ssl_verify_mode now defaults to verify_peer for client. Until
    now it used verify_none, but loudly complained since 1.79 about
    it. It will not complain any longer, but the connection might
    probably fail. Please don't simply disable ssl verification, but
    instead set SSL_ca_file etc so that verification succeeds!
  * MAJOR BEHAVIOR CHANGE:
    it will now complain if the builtin defaults of certs/my-ca.pem
    or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert
    and key are used, e.g. no certificates are specified explicitly.
    In the future these insecure (relative path!) defaults will be
    removed and the CA replaced with the system defaults.
  * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
    installed instead of reporting missing dependency to Net::SSLeay.
  * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
    years ago. Remove code to work around older releases.
  * changed AUTHOR in Makefile.PL from array back to string, because the
    array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
  * Intercept: use sha1-fingerprint of original cert for id into cache unless 
    otherwise given
  * Fix pod error in IO::Socket::SSL::Utils RT#85733
  * added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
  * moved SSL interception into IO::Socket::SSL::Intercept and simplified it 
    using IO::Socket::SSL::Utils
  * enhance meta information in Makefile.PL
  * RT#85290, support more digest, especially SHA-2. (forwarded request 182138 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/184296
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/perl-IO-Socket-SSL?expand=0&rev=57

IO-Socket-SSL-1.55.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d32a4dc3a3ac7110e60f0e8aab818816af43bddd34ae8b8d55c820107d74e688
-size 71831

IO-Socket-SSL-1.951.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ebd457936ff6625ce93929b7f8f27368cfa600e185136fe582eae323521fd6f
+size 90040

perl-IO-Socket-SSL.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed Jul  3 08:20:14 UTC 2013 - lnussel@suse.de
+
+- new version 0.951
+  * better document builtin defaults for key,cert,CA and how they are depreceated
+  * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use
+    openssl's builtin defaults for CA unless CA path/file was given
+  * MAJOR BEHAVIOR CHANGE:
+    ssl_verify_mode now defaults to verify_peer for client. Until
+    now it used verify_none, but loudly complained since 1.79 about
+    it. It will not complain any longer, but the connection might
+    probably fail. Please don't simply disable ssl verification, but
+    instead set SSL_ca_file etc so that verification succeeds!
+  * MAJOR BEHAVIOR CHANGE:
+    it will now complain if the builtin defaults of certs/my-ca.pem
+    or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert
+    and key are used, e.g. no certificates are specified explicitly.
+    In the future these insecure (relative path!) defaults will be
+    removed and the CA replaced with the system defaults.
+  * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
+    installed instead of reporting missing dependency to Net::SSLeay.
+  * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
+    years ago. Remove code to work around older releases.
+  * changed AUTHOR in Makefile.PL from array back to string, because the
+    array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
+  * Intercept: use sha1-fingerprint of original cert for id into cache unless 
+    otherwise given
+  * Fix pod error in IO::Socket::SSL::Utils RT#85733
+  * added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
+  * moved SSL interception into IO::Socket::SSL::Intercept and simplified it 
+    using IO::Socket::SSL::Utils
+  * enhance meta information in Makefile.PL
+  * RT#85290, support more digest, especially SHA-2.
+    Thanks to ujvari[AT]microsec[DOT]hu
+  * added support for easy SSL interception (man in the middle) based
+    on ideas found in mojo*mitm proxy (which was written by Karel Miko)
+  * make 1.46 the minimal required version for Net::SSLeay, because it 
+    introduced lots of useful functions.
+  * if IO::Socket::IP is used it should be at least version 0.20, o
+  * Spelling corrections, thanks to dsteinbrunner
+- remove the dependency on IO::Socket::INET6 as it breaks the test suite
+
+-------------------------------------------------------------------
+Sat May 11 22:51:07 UTC 2013 - lars@linux-schulserver.de
+
+- update to 1.88
+  + consider a value of '' the same as undef for SSL_ca_(path|file)
+  + complain if given SSL_(key|cert|ca)_(file|path) do not exist or
+    if they are not readable
+  + disabled client side SNI for openssl version < 1.0.0 
+  + added functions can_client_sni, can_server_sni, can_npn to check 
+    avaibility of SNI and NPN features. Added more documentation for 
+    SNI and NPN
+  + Server Name Indication (SNI) support on the server side 
+  + sub error sets $SSL_ERROR etc only if there really is an error,
+    otherwise it will keep the latest error. This causes
+    IO::Socket::SSL->new.. to report the correct problem, even if
+    the problem is deeper in the code (like in connect)
+  + deprecated set_ctx_defaults, new name ist set_defaults
+  + changed handling of default path for SSL_(ca|cert|key)* keys: either
+    if one of these keys is user defined don't add defaults for the
+    others, e.g.  don't mix user settings and defaults
+  + cleaner handling of module defaults vs. global settings vs. socket
+    specific settings 
+
+  + prepare transition to a more secure default for SSL_verify_mode.
+  The use of the current default SSL_VERIFY_NONE will cause a big warning
+  for clients, unless SSL_verify_mode was explicitly set inside the
+  application to this insecure value.
+  In the near future the default will be SSL_VERIFY_PEER, and thus
+  causing verification failures in unchanged applications.
+
+  + use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and
+    PeerPort from sockaddr in _update_peer, because this provides scope
+  + work around systems which don't defined AF_INET6
+  + update_peer for IPv6 also
+  + no longer depend on Socket.pm 1.95 for inet_pton, but use 
+    Socket6.pm if no current Socket.pm is available
+  + made it possible to explicitly disable TLSv11 and TLSv12 in 
+    SSL_version
+  + fixed documentation errors
+  + add support to IO::Socket::IP which support inet6 and inet4 
+  + make it possible to disable protols using SSL_version, make 
+    SSL_version default to 'SSLv23:!SSLv2'
+  + remove SSLv2 from default cipher list 
+  + if no explicit cipher list is given it will now default to ALL:!LOW 
+    instead of the openssl default, which usually includes weak ciphers
+  + new config key SSL_honor_cipher_order and documented how to use it
+  + make it thread safer
+  + added NPN (Next Protocol Negotiation) support 
+  + call CTX_set_session_id_context so that servers session caching 
+    works with client certificates too
+  + don't make blocking readline if socket was set nonblocking, but 
+    return as soon no more data are available
+  + if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
+    message when attempting to use it 
+  + add automatic or explicit (via SSL_hostname) SNI support, needed
+    for multiple SSL hostnames with same IP. Currently only supported
+    for the client
+- enable tests
+
 -------------------------------------------------------------------
 Wed Feb 22 02:35:27 UTC 2012 - vcizek@suse.com
 

perl-IO-Socket-SSL.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package perl-IO-Socket-SSL
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,24 +16,25 @@
 #
 
 
-
 Name:           perl-IO-Socket-SSL
-Version:        1.55
+Version:        1.951
 Release:        0
-License:        Artistic-1.0 or GPL-1.0+
-%define cpan_name IO-Socket-SSL
+%define         cpan_name IO-Socket-SSL
 Summary:        Nearly transparent SSL encapsulation for IO::Socket::INET
-Url:            http://search.cpan.org/dist/IO-Socket-SSL/
+License:        Artistic-1.0 or GPL-1.0+
 Group:          Development/Libraries/Perl
-Source:         http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
+Url:            http://search.cpan.org/dist/IO-Socket-SSL/
+Source:         http://www.cpan.org/modules/by-module/IO/%{cpan_name}-%{version}.tar.gz
 BuildRequires:  perl
 # MANUAL BEGIN
-BuildRequires:  perl(IO::Socket::INET6)
-BuildRequires:  perl(Net::LibIDN)
-BuildRequires:  perl(Net::SSLeay) >= 1.21
 BuildRequires:  perl-macros
-Requires:       perl(Net::SSLeay) >= 1.21
-Recommends:     perl(IO::Socket::INET6)
+# the testsuite does not work with INET6 yet. If INET6 is enabled,
+# at least netcfg has to be installed as well.
+#BuildRequires:  perl(IO::Socket::INET6)
+BuildRequires:  perl(Net::LibIDN)
+BuildRequires:  perl(Net::SSLeay) >= 1.46
+Requires:       perl(Net::SSLeay) >= 1.46
+#Recommends:     perl(IO::Socket::INET6)
 Recommends:     perl(Net::LibIDN)
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
@@ -72,6 +73,9 @@ make %{?_smp_mflags}
 %perl_process_packlist
 %perl_gen_filelist
 
+%check
+make test
+
 %clean
 rm -rf %{buildroot}