[libio-socket-ssl-perl] 04/05: Update debian/NEWS entry documenting major behaviour changes

Salvatore Bonaccorso carnil at debian.org
Wed Nov 27 14:45:53 UTC 2013


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository libio-socket-ssl-perl.

commit 6daae006ea0fd1dae417f7300e5e14e1679671be
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Nov 27 15:39:25 2013 +0100

    Update debian/NEWS entry documenting major behaviour changes
---
 debian/NEWS | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/debian/NEWS b/debian/NEWS
index 493efe6..e81ccb7 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,32 @@
+libio-socket-ssl-perl (1.961-1) unstable; urgency=low
+
+  Upstream version 1.956 introduced the following major behaviour changes:
+
+  * BEHAVIOR CHANGE: make default cipher list more secure, especially
+    - no longer support MD5 by default (broken)
+    - no longer support anonymous authentication by default (vulnerable to man in
+      the middle attacks)
+    - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
+      it uses by default forward secrecy, if underlying Net::SSLeay/openssl
+      supports it
+    - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
+      been fixed and now RC4 is considered less safe than 3DES)
+    - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
+      get the best cipher even if client preferes other ciphers
+    PLEASE NOTE that this might break connections with older, less secure
+    implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
+  * BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
+    thus gets reused if context gets reused. PLEASE NOTE that using
+    SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
+    ciphers of the context.
+  * rework hostname verification schemes
+    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
+    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
+  * BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
+    but not 'www'
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Wed, 27 Nov 2013 15:34:34 +0100
+
 libio-socket-ssl-perl (1.951-1) experimental; urgency=low
 
   Upstream version 1.951 introduced the following two major behaviour changes:
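Review bot: The fallback advice closing the first bullet ("In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.") is too loose for a NEWS entry that administrators will act on. It does not name the option the string belongs in, "or so" leaves the reader guessing, and the string as written has no !MD5 term, so following it brings back the MD5 suites that the same bullet calls broken. Suggest naming SSL_cipher_list as the place to set it and saying that the fallback should be applied only to the connections that need to reach older peers. The SSL_cipher_list / SSL_reuse_ctx item would also be clearer if it said outright that a cipher list passed alongside a reused context is ignored and the context's list applies, since that is the case where a caller asking for stricter ciphers would not notice the change. Minor wording: "e.g." is used where "i.e." is meant in the RC4 and SSL_honor_cipher_order items, "preferes" should be "prefers", and "should hopefully been fixed" is missing "have".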

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libio-socket-ssl-perl.git


