[libio-socket-ssl-perl] annotated tag upstream/2.046 created (now 051d42a)

Salvatore Bonaccorso carnil at debian.org
Thu Feb 16 05:19:38 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a change to annotated tag upstream/2.046
in repository libio-socket-ssl-perl.

        at  051d42a   (tag)
   tagging  5122caaa0c605f1248d90c61fd399b162ef8897d (commit)
  replaces  upstream/2.045
 tagged by  Salvatore Bonaccorso
        on  Thu Feb 16 06:09:23 2017 +0100

- Log -----------------------------------------------------------------
Upstream version 2.046

Alexander Bluhm (2):
      Replace fail(...) with ok(0,...) in t/alpn.t.
      Put back a not ok accept failure that got lost in e8f4058.

Alexandr Ciornii (1):
      print module that was used as a parent

Andreas Huber (2):
      only do "stop_SSL" after accept_SSL failed with SSL_startHandshake=0 in place
      call to connect_SSL will fail if handshake already done; adds DEBUG message

Andy Grundman (1):
      Fix failing non-blocking test on Unix platforms where EWOULDBLOCK is not the same as EAGAIN (Solaris, AIX, HP-UX, etc). This bug was introduced by commit d95289 for 2.006. The fix is simply to check for either of these errors instead of just one.

Chase Whitener (3):
      fixed a few grammatical problems and made some slight word changes to enhance readability.  I also made mention of module names links instead of plain text
      a few more fixes.  about 40% done with the POD
      a bit further along.  There is a lot to read

Christopher Odenbach (2):
      Decode the serial number the right way
      Include signature algorithm in CERT_asHash

Daniel Frederick Crisman (3):
      Fix a couple DOC schema typos to scheme
      Update README to note needing 1.46 Net::SSLeay
      Update use Net::SSLeay 1.46 (continue v1.90 2013.05.27)

David Steinbrunner (1):
      Spelling corrections

Davs (1):
      fix socket variable name in documentation

E. Choroba (2):
      Fix POD (arrows in C<> sequences)
      Fix POD: brackets in SSL_ticket_keycb example

Jakub Wilk (4):
      Fix typos
      Fix typos
      Fix typo
      Fix typos

Jerry Lundström (1):
      Enhance the SNI support by configuring the SNI contexts in the same way as the main context.

Salvatore Bonaccorso (1):
      New upstream version 2.046

Steffen Ullrich (355):
      1.25
      security fix for verify_hostname_of_cert, Version 1.26
      t/verify_hostname.t fixed number of tests
      v1.27 regex fixes and resolve Bug#48131 which only happened with perl -w:
      v1.28, v1.29
      1.30 - fix t/memleak_bad_handshake.t
      1.30_1 - make sure that idn_to_ascii is not called with identity containing \0
      1.30_3: make t/memleak_bad_handshake.t more stable
      1.31 - SSL_crl_file, SSL_VERIFY constants...
      removed svn-commit.tmp which should never have been checked in
      1.34: wildcards_in_cn for http, start_SSL does not close socket on failure
      1.35 - no fallback to verify_none if ca_* is not valid, instead throw error
      update SSL_verify_callback documentation
      let user explicitly set SSL_ca_{path,file} to undef
      1.38 - fixed setting for wildcards_in_cn from 1 to anywhere for http
      1.38_1 - make fileno on closed socket return undef
      fixed docu for http cn wildcard behavior
      version upgrade
      small fix in example/async_https_server
      added t/startssl-failed.t
      more fixes to async_https_server
      1.40 - IDN support from URI. https://rt.cpan.org/Ticket/Display.html?id=67676
      v1.40_1 2011.05.09
      make 1.40_1 ->1.41, better error handling in t/nonblock.t
      1.42: add SSL_create_ctx_callback option
      1.43 - fix t/nonblock.t
      stability improvements t/inet6.t
      1.43_1 - try to make t/nonblock.t more stable
      1.44 - fix invalid call to inet_pton in verify_hostname_of_cert
      1.45 rewrite readline for better signal handling
      forgot to git add test for 1.45
      1.46 - disable t/signal-readline.t for windows
      1.47 fix os check in t/signal-readline.t
      1.47 - fix for readline introduced in 1.45
      1.48
      1.49 - yet another readline regression. Add more tests to t/readline.t
      1.50 workaround t/nonblock.t for AIX
      1.52 fix syntax error in t/memleak_bad_handshake.t
      1.53 - fix child leak in memleak_bad_handshake.t when failing test
      1.54 - solved rt#73629 (uninitialized warning)
      1.55 work around IO::Sockets work around for systems returning EISCONN etc on connect retry
      1.56 added SNI support for client
      1.57 - fix t/dhe.t for openssl 1.0.1beta
      1.58 - disable workaround in  t/dhe.t for older openssl versions
      1.59 - useful error message on attempt to use unsupported SSLv2
      1.60 - doc update + fix readline for nonblocking socket
      Merge branch 'master' of github.com:noxxi/p5-io-socket-ssl
      1.61 rt#76053  automatically use CTX_set_session_id_context
      1.62 small fix to 1.61
      1.63 fix rt#76147 making Win32 tests more stable
      1.64 clarify verifycn_* behavior
      1.65 NPN support
      1.66 resolve bug with threads
      1.67 - more secure defaults, new key SSL_honor_cipher_order to mitigate BEAST
      1.68 - remove sslv2 from default cipher list
      1.69 - reenabled workaround in t/dhe.t
      1.70 - make disabling protocols via SSL_version possible, default SSLv23:!SSLv2
      1.71: 1.70 done right
      1.72 set DEFAULT_CIPHER_LIST to ALL:!LOW not HIGH:!LOW
      1.73 fixes to t/dhe.t to support more openssl versions
      1.74 - accept SSLv2/3 again and interpret it as SSLv23
      1.74_1 - integrate IO::Socket::IP (rt#75218)
      1.74_2 fix documentation of SSL_version, rt#77690
      1.75 - make it possible to disable TLS version 1.1 and 1.2
      1.76 - no longer depend on recent Socket.pm
      1.77 - rt#79916 - update_peer for IPv6
      work around systems where AF_INET6 is not defined
      fix format - change everything to sts=4 sw=4 ts=8, prev. formatting was mostly tab 8 with some tab 4
      moved SSL.pm to lib/IO/Socket/SSL.pm
      use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort from sockaddr in _update_peer, keeping scope
      1.79 - start migration to more secure default of SSL_verify_mode by issuing big warning, if current insecure default gets used
      1.80 - fixed tests so that they don't hang anymore on windows rt#81493
      1.81 - cleanups..
      correct spelling of deprecated
      add link to github to Makefile.PL
      1.82 better error preserving
      - server side SNI
      much better documentation
      release as 1.83
      add more debugging for SNI
      1.83_1 - adapted and documented behavior of readline on non-blocking I/O
      1.84 with more stable client side SNI and better support/doc for SNI and NPN
      updated documentation
      update SEE ALSO and COPYRIGHT
      1.85
      1.86
      1.87
      1.88
      Merge pull request #3 from dsteinbrunner/master
      update Changes
      1.89 if IO::Socket::IP is used it should be at least version 0.20 to fix RT#81932 (HTTP::Daemon::SSL)
      added SSL interception
      - added test for intercepting feature
      1.91
      Fix pod error in IO::Socket::SSL::Utils RT#85733
      1.92
      1.93
      set version of Intercept to 1.93, so that PAUSE indexer will index it again.
      Makefile.PL: if the openssl version looks too small show the detected version in the error message
      1.94
      1.950
      1.951
      1.952 - fix t/acceptSSL-timeout.t on Win32, RT#86862
      1.953 - RT#87052 fix in Utils.pm
      Merge pull request #4 from crisman/doc-fix-schema
      Merge pull request #5 from crisman/more-net-ssleay-floor
      1.954 - accept older versions of ExtUtils::MakeMaker and add meta information like link to repository only for newer versions.
      1.955 - added support for ECDH key exchange with key SSL_ecdh_curve
      fixed Skipped message in t/ecdhe.t
      - cipher_list is now per context, not per SSL object, e.g. behavior change if
      support for handshake protocol TLSv11, TLSv12
      - fixed error in Utils::CERT_free (wrong free call)
      - rework verification schemes based on RFC 6125
      - change cipherlist to more secure
      - fixed t/core.t for older openssl versions
      remove workaround for very old IO::Socket::INET6, instead require fixed version
      release as 1.958
      1.959 - fix test core.t for windows
      1.960 - documentation enhancements
      further documentation enhancements specifically for non-blocking and event loops
      1.961 IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which are not self-signed (by giving issuer_*)
      1.962 - work around problems with older F5 BIG-IP by offering fewer ciphers on the client side by default, so that the client hello stays below 255 byte
      - documentation enhancements:
      - documentation fix: consistent use of $client instead of sometimes
      documentation enhancements to new_from_fd
      1.963
      1.964: get_sslversion* function, disabling TLS1_1 fixed
      1.965 - new option SSL_session_key to influence client-side session caching
      1.966
      Merge pull request #10 from scop/master
      WIP: ssl_fingerprint etc
      1.967: new option SSL_fingerprint, default scheme for verifying names, ...
      - require at least version 2.62 instead of 2.55 for IO::Socket::INET6
      1.968 - better support for usable CA path by default
      1.969
      pod fix from rt#93907
      1.970 fix rt#93987
      new file example/simulate_proxy.pl to check behavior of clients against various strange behavior
      1.971 - try to use SSL_hostname for hostname verification if no SSL_verifycn_name is given
      1.972 fix rt#94117 t/external/usable_ca.t when no SNI support
      small code cleanups
      1.973: option SSL_ca additionally to SSL_ca_{file,path}
      spelling error RT#94219
      1.974 new function peer_certificates, extend IO::Socket::Utils::CERT_asHash
      1.975 - work around TEA integration on OS X
      1.976 - check wildcard certificates against public prefix
      1.977 RT#94424 IDN fixes
      1.978 RT#94424 again, fix test on older openssl version with no SNI support
      t/public_suffix_lib*
      This is a combination of 2 commits.
      hostname check: 'leftmost' renamed to 'full_label'
      stability improvements for tests
      released as 1.979
      disable elliptic curve support for openssl 1.0.1d on 64bit: http://rt.openssl.org/Ticket/Display.html?id=2975
      1.980 fix fingerprint calculation
      update Changes for 1.980
      1.981 - fix ecdhe test for openssl 1.0.1d
      1.982 - fix for using subroutine as argument to set_args_filter_hack
      usable_ca.t: update for current fingerprints (changed after heartbleed), check that we have a usable CA for host in CA store
      1.983 - fix use of public suffix list RT#95317
      OCSP handling - works but needs test
      tool util/analyze-ssl.pl to analyze SSL connections
      removed util/export_certs.pl - way too old to be useful anymore
      update Changes file
      util/analyze-ssl.pl - fix version check, show usable SSL_version string
      analyze-ssl.pl - check if client or server decides over cipher preference
      update Net::SSLeay patch for ocsp (include test, update documentation)
      analyze-ssl.pl - changed handling of http_proxy starttls, fixes for soft_error in ocsp_resolver
      current OCSP patch for Net::SSLeay
      small OCSP fixes:
      analyze-ssl.pl: fix starttls smtp, --CApath
      work around/together with OCSP responders, which do not reply to all single requests inside an OCSP request
      - OCSP resolver: add caching of soft errors + fix expiring if cache too big
      util/https_ocsp_bulk.pl
      - don't add ocsp tlsext if server mode
      remove Net::SSLeay OCSP patch and instead refer to Net::SSLeay version 1.59
      update Changes
      release as 1.984
      fix skip if fingerprint does not match in t/external/ocsp.t
      1.985: OCSP enhancements, RT#95633
      support for IP in common name for www verification scheme. Need to add tests for this.
      1.986 - allow IPv4 in CN for www/http scheme. Fix public suffix list handling.
      1.987 fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
      typo
      NEEDS testing: transparent support for DER and PKCS12 files in certificate and key
      1.988 - transparent support for DER and PKCS12 files for key and cert
      document behavior regarding freeing certificates, when using multiple certificates in SSL_cert
      1.989  fix #95881
      1.989_1 #95967, work around temporary OCSP error in t/external/ocsp.t
      1.990 added option SSL_ocsp_staple_callback to get the stapled OCSP response
      1.991 new option SSL_OCSP_TRY_STAPLE to enforce staple request even if VERIFY_NONE
      analyse-ssl.pl - do hostname verification which scheme matching starttls. set verified to name-mismatch if not matches, show subjectAltnames in show-chain
      1.992 - set $! to undef before doing IO (accept, read..).
      - rework error handling to distinguish between SSL errors and internal errors
      1.923 - major rewrite of documentation
      documentation fix after #96451
      1.994 - make socket switchable between plain and SSL with the same object
      fix documentation error RT#96765
      - refresh option for peer_certificate, so that it checks if the certificate
      Merge pull request #14 from frioux/patch-1
      1.995 - RT#95452: move initialization and creation of OpenSSL-internals into INIT section, so they get executed after compilation and perlcc is happy.
      1.996 move initialization out of INIT again because this breaks when used with require. Document work-arounds needed for perlcc
      1.997 - found way to detect when initialization was needed, so user needs no longer workarounds for perlcc
      add debug message on call to _internal_error or error
      update example/ssl_client,ssl_server
      Merge branch 'jelu-sni-enhancement'
      1.998 - redesign creation of SSL contexts, so that all contexts have CA path, verification callback etc
      accept PeerHost additionally to PeerAddr in all places, accept PeerService, enhance util/analyze-ssl.pl
      RT#98258 - make sure to set $/ to "\n" before using <$fh> in PublicSuffix
      make sure we don't use version 0.30 of IO::Socket::IP
      release as 1.999
      Merge pull request #18 from steve-m-hay/master
      update Changes after merge
      Solve Debian Bug#764868: with environment NO_NETWORK_TESTING set no external tests will be done.
      SSL3.0 is no longer allowed in default SSL_version because of POODLE
      2.000 - update documentation regarding disabled SSL3.0
      fix typo
      util/analyze-ssl.pl - work around cloudflare behavior, where you get different ciphers with SNI than without
      make it work with 5.8.1 again
      update expected site fingerprints in t/external/*
      add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security
      call it 2.001
      Update PublicSuffix with latest version from publicsuffix.org - lots of new top level domains.
      fix check for (invalid) IPv4 when validating hostname against certificate. Do not use aton any longer RT#99448
      release as 2.002
      use only ICANN part in public suffix list
      Propagate error if cert/key could not be used instead of continuing with an invalid context which might cause a segmentation fault
      skip io-socket-ip.t with IO::Socket::IP version 0.30 instead of failing
      max-cipher option for util/analyze.pl.  Fix host parsing
      2.003 make SSLv3 accessible unless forbidden (default), even if the SSL library disables it by default in the context (LibreSSL)
      2.004 fix t/protocol_version.t to deal with OpenSSL installations which are compiled without SSLv3 support.
      2.005 next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
      2.005_1: enable non-blocking support for windows, mainly by using EWOULDBLOCK instead of EAGAIN
      make PublicSuffix::_default_data thread safe by storing the default data inside a function inside within __DATA__
      Release as 2.006, update PublicSuffix with latest list from publicsuffix.org
      Utils: documentation fixes
      2.007 - implement getline/readline properly when not sslified (RT#100529)
      2.008 - fix test because of external errors. Small enhancements for analyze.pl
      fix #101020 (SSL.pm, analyze.pl)
      util/analyze.pl - analyze handshake compatibility
      analyze.pl - fix retry without SNI
      analyze.pl - fix for max_version, don't croak on anonymous ciphers
      example/*.pl - sysread with 16k (max ssl frame size) to avoid issues with pending data
      util/analyze.pl - compare sent chain certificates against used certificates and also display local root certificate
      reset $! after successful connect/accept with timeout
      dummy util/analyze-ssl.pl
      2.009 added ALPN support thanks to TEAM RT#101452
      t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay. RT#101485
      2.009 - new options SSL_client_ca_file and SSL_client_ca
      Merge pull request #21 from frioux/patch-2
      removed RC4 from default cipher suites on the server site
      Utils::CERT_create - add purpose client for non-CA certificates
      added option 'purpose' to Utils::CERT_create
      increase version in Utils.pm to 0.031
      removed RC4 from default cipher suites on the server site
      Utils::CERT_create - add purpose client for non-CA certificates
      added option 'purpose' to Utils::CERT_create
      increase version in Utils.pm to 0.031
      white space and indentation fixes
      replace various skip_all with fail, because these should fail
      don't use Test::More in t/alpn.t since it does not work with parent and forked child doing test output
      Merge branch 'Sweet-kid-use_Test_More'
      t/external/ocsp.t - don't count on revoked.grc.com using OCSP stapling
      release 2.011
      2.012 - fix t/ocsp.t in case no HTTP::Tiny is installed
      fixed Changes - last entries for 2014 should have been 2015 (thanks to Alvar Freude for pointing out)
      Merge branch 'genio-master'
      updated Changes
      Merge pull request #28 from bluhm/alpn.t
      2.013 - rework error handling so that follow-up errors don't replace the original errors
      2.014
      Merge pull request #32 from chorny/patch-1
      t/01loadmodule.t - add also version of @ISA module to diagnostics
      explicit check that IPv6 address only contains hex,'.' and ':' because
      2.015 - work around problem with IO::Socket::INET6 on windows in tests by enforcing AF_INET as Domain
      accept Domain and Family argument, so it does not matter if the superclass uses Family (IO::Socket::IP) or Domain (IO::Socket::INET6)
      update documentation to make it more clear where to get the X509* and EV_PKEY* objects for SSL_ca, SSL_cert and SSL_key
      add better debugging based on a patch from H.Merijn Brand
      make t/memleak_bad_handshake.t work on cygwin and other systems having /proc/pid/statm., see RT#104659
      make some tests work with older Test::More w/o done_testing
      update version to 2.015_001
      removed wrong domain AF_INET from t/io-socket-ip.t
      2.015_003  work around hanging prompt() with older perl in Makefile.PL RT#104731
      2.015_004 - fix handling of default for yesno in Makefile.PL
      2.015_005 add flag X509_V_FLAG_TRUSTED_FIRST by default if available, RT#104759
      another try with X509_V_FLAG_TRUSTED_FIRST
      release as 2.016
      2.016_001 - support different ciphers for SNI hosts
      2.016_002 - enforce default verification scheme if none was specified instead of just warning if name is wrong (i.e. hard fail vs. soft fail)
      add more detail to example in documentation to show that the user must do the SMTP dialogs by itself (RT#105936)
      Merge pull request #35 from andygrundman/master
      fix _update_peer for IPv6 (wrong use of getnameinfo)
      remove -r for checking SSL_{cert,key}_file since this will cause a usable error later anyway if file does not exist.
      added interface sock_certificate to get local certificate as suggested in #15733
      check with open/opendir if SSL_ca_file/path is accessible. RT#106295
      catch cases where SSL_verify_mode is used with string instead of number.
      2.018 - RT#106687 - startssl.t failed on darwin with old openssl since server
      2.019 work around different behavior of getnameinfo from Socket and Socket6
      Merge pull request #34 from jwilk/typos
      2.020 support multiple directories in SSL_ca_path as proposed in RT#106711
      Merge pull request #36 from DavsX/doc/non_blocking_documentation_fix
      make documentation more clear regarding enforcing IPv4
      update public suffix list with latest version, adapt tests to changed list
      Merge pull request #38 from jwilk/spelling
      2.021  update PublicSuffix again before new release
      2.022 fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash, RT#110253
      Merge pull request #39 from jwilk/spelling
      2.023 - work around changes in OpenSSL 1.0.2f regarding SSL_shutdown
      small documentation fixes for Intercept
      Fix calls to X509_NAME_add_entry_by_txt in Utils::CREATE_cert in case
      Intercept: ignore unknown extensions (unknown nid,sn) when cloning
      2.024 - work around issue with AI_ADDRCONFIG default an IO::Socket::IP,
      2.025 Resolved memleak if SSL_crl_file was used: RT#113257, RT#113530
      2.026
      2.027 - only included changes for 2.027 in Changes file
      example/ssl_server.pl - make it clear that client certificates are only requested
      2.028
      2.029
      support for creating ECC keys in IO::Socket::SSL::Utils once supported by Net::SSLeay
      assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates with
      Utils::CERT_create - don't add given extensions again if they were already
      2.030
      2.031 fix for bug in session handling introduced in 2.031, RT#115975
      2.032
      - support for session ticket reuse over multiple contexts and processes
      release as 2.033
      Merge pull request #44 from choroba/master
      describe problem with validating self-signed non-CA certificates
      2.034
      update expected certificate fingerprints for external tests
      switched to different hosts for live OCSP tests in the hope that these
      apply (configurable) global settings after builtin default settings
      configure_SSL: return if context creation failed, might result in segfault otherwise
      released as 2.035
      2.036 - set can_ocsp to false for Net::SSLeay 1.75..1.77, see RT#116795
      forgot Changes information
      2.037
      2.038
      - don't check if SSL_key_file and SSL_cert_file are files, instead just
      2.039:
      Merge pull request #47 from odenbach/serial
      testlib: clear __DIE__ handler in child
      Fix number used for SSLEAY_DIR/OPENSSL_DIR since this changed with OpenSSL 1.1.
      release as 2.040
      2.041 disable session ticket callback for now until the feature is
      2.042 - enable session ticket callback with Net::SSLeay>=1.80
      2.043 - make t/session_ticket.t work with OpenSSL 1.1.0.
      2.044  protect various 'eval'-based capability detections at startup with a localized
      fix memory leak with %CREATED_IN_THIS_THREAD based on pull request
      Merge pull request #52 from jwilk/spelling
      Merge pull request #53 from hubandr/handshake_failed_stop_ssl
      optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD if perl is compiled w/o thread support
      when setting SSL_keepSocketOnError to true the socket will not be closed on fatal error
      release as 2.045
      2.046 cleanup everything in DESTROY and make sure to start with a fresh %{*self} in configure_SSL

Steve Hay (1):
      Better skipping of tests requiring fork()

Upasana (1):
      ported some tests to use Test::More

Ville Skyttä (1):
      Spelling fixes

fREW Schmidt (3):
      Fix some typos and grammar issues
      Minor pod fixes
      Minor pod fixes

steffen (30):
      git-svn-id: file:///home/steffen/SVN/p5-io-socket-ssl@1 4cec71fa-2046-0410-ae00-8a945e15d811
      - new certificates in certs/ which are more current
      update wildcard cert
      version 1.13_2
      - update Changes
      - automatic verification of hostnames with SSL_verifycn_scheme and
      small fix in import
      - clarified and enhanced debugging support based on bugreport
      hopefully fix t/auto_verify_hostname by changing behavior on SSL error
      change code for SSL_check_crl to use X509_STORE_set_flags instead of
      - change opened() to report -1 if the IO::Handle is open, but the
      -
      - better IPv6 support, enabled by default if IO::Socket::INET6
      -
      v.16_2   2008.09.24
      +v.16_3   2008.09.25
      - make version 1.17, no code changes
      1.18
      -
      -
      -
      +v1.21 2009.01.22
      v1.22 2009.01.24
      delete META.yml from rep and MANIFEST, let it be created from Makefile.PL
      new test certificates, old expired
      checkin myca
      - if neither SSL_ca_file nor SSL_ca_path are known don't check cert but warn
      warnings fix
      - renew certs
      version 1.32 and 1.33

-----------------------------------------------------------------------

No new revisions were added by this update.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libio-socket-ssl-perl.git


