Revisions of perl-IO-Socket-SSL
Stephan Kulow (coolo)
committed
(revision 71)
update
buildservice-autocommit
accepted
request 221506
from
Stephan Kulow (coolo)
(revision 70)
baserev update by copy to link target
Stephan Kulow (coolo)
committed
(revision 69)
- updated to 1.967 - verify the hostname inside a certificate by default with a superset of common verification schemes instead of not verifying identity at all. For now it will only complain if name verification failed, in the future it will fail certificate verification, forcing you to set the expected SSL_verifycn_name if you want to accept the certificate. - new option SSL_fingerprint and new methods get_fingerprint and get_fingerprint_bin. Together they can be used to selectively accept specific certificates which would otherwise fail verification, like self-signed, outdated or from unknown CAs. This makes another reason to disable verification obsolete. - Utils: - default RSA key length 2048 - digest algorithm to sign certificate in CERT_create can be given, defaults to SHA-256 - CERT_create can now issue non-CA selfsigned certificate - CERT_create add some more useful constraints to certificate - spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi 1.966 2014/01/21 - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with specifying !TLSv12, only !TLSv1_2 worked - fixed leak of session objects in SessionCache, if another session replaced an existing session (introduced in 1.965) 1.965 2014/01/16 - new key SSL_session_key to influence how sessions are inserted and looked up in the clients session cache. This makes it possible to share sessions over different ip:host (like required with some FTPS servers) - t/core.t - handle case, were default loopback source is not 127.0.0.1, like in FreeBSD jails 1.964 2014/01/15
buildservice-autocommit
accepted
request 208877
from
Stephan Kulow (coolo)
(revision 68)
baserev update by copy to link target
Stephan Kulow (coolo)
committed
(revision 67)
update
buildservice-autocommit
accepted
request 208439
from
Stephan Kulow (coolo)
(revision 66)
baserev update by copy to link target
Stephan Kulow (coolo)
committed
(revision 65)
update
buildservice-autocommit
accepted
request 202212
from
Stephan Kulow (coolo)
(revision 64)
baserev update by copy to link target
Stephan Kulow (coolo)
committed
(revision 63)
update
buildservice-autocommit
accepted
request 184797
from
Factory Maintainer (factory-maintainer)
(revision 62)
baserev update by copy to link target
Stephan Kulow (coolo)
committed
(revision 61)
- updated to 1.953 - fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at, RT#87052 - fix t/acceptSSL-timeout.t on Win32, RT#86862
buildservice-autocommit
accepted
request 184296
from
Lars Vogdt (lrupp)
(revision 60)
baserev update by copy to link target
Lars Vogdt (lrupp)
accepted
request 182138
from
Ludwig Nussel (lnussel)
(revision 59)
- new version 0.951 * better document builtin defaults for key,cert,CA and how they are depreceated * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin defaults for CA unless CA path/file was given * MAJOR BEHAVIOR CHANGE: ssl_verify_mode now defaults to verify_peer for client. Until now it used verify_none, but loudly complained since 1.79 about it. It will not complain any longer, but the connection might probably fail. Please don't simply disable ssl verification, but instead set SSL_ca_file etc so that verification succeeds! * MAJOR BEHAVIOR CHANGE: it will now complain if the builtin defaults of certs/my-ca.pem or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert and key are used, e.g. no certificates are specified explicitly. In the future these insecure (relative path!) defaults will be removed and the CA replaced with the system defaults. * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not installed instead of reporting missing dependency to Net::SSLeay. * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6 years ago. Remove code to work around older releases. * changed AUTHOR in Makefile.PL from array back to string, because the array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739) * Intercept: use sha1-fingerprint of original cert for id into cache unless otherwise given * Fix pod error in IO::Socket::SSL::Utils RT#85733 * added IO::Socket::SSL::Utils for easier manipulation of certificates and keys * moved SSL interception into IO::Socket::SSL::Intercept and simplified it using IO::Socket::SSL::Utils * enhance meta information in Makefile.PL * RT#85290, support more digest, especially SHA-2.
Lars Vogdt (lrupp)
committed
(revision 58)
- update to 1.88 + consider a value of '' the same as undef for SSL_ca_(path|file) + complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are not readable + disabled client side SNI for openssl version < 1.0.0 + added functions can_client_sni, can_server_sni, can_npn to check avaibility of SNI and NPN features. Added more documentation for SNI and NPN + Server Name Indication (SNI) support on the server side + sub error sets $SSL_ERROR etc only if there really is an error, otherwise it will keep the latest error. This causes IO::Socket::SSL->new.. to report the correct problem, even if the problem is deeper in the code (like in connect) + deprecated set_ctx_defaults, new name ist set_defaults + changed handling of default path for SSL_(ca|cert|key)* keys: either if one of these keys is user defined don't add defaults for the others, e.g. don't mix user settings and defaults + cleaner handling of module defaults vs. global settings vs. socket specific settings + prepare transition to a more secure default for SSL_verify_mode. The use of the current default SSL_VERIFY_NONE will cause a big warning for clients, unless SSL_verify_mode was explicitly set inside the application to this insecure value. In the near future the default will be SSL_VERIFY_PEER, and thus causing verification failures in unchanged applications. + use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort from sockaddr in _update_peer, because this provides scope + work around systems which don't defined AF_INET6 + update_peer for IPv6 also + no longer depend on Socket.pm 1.95 for inet_pton, but use
buildservice-autocommit
accepted
request 107589
from
Factory Maintainer (factory-maintainer)
(revision 57)
baserev update by copy to link target
Vítězslav Čížek (vitezslav_cizek)
committed
(revision 56)
- update to 1.55 - work around IO::Sockets work around for systems returning EISCONN etc on connect retry for non-blocking sockets by clearing $! if SUPER::connect returned true. https://rt.cpan.org/Ticket/Display.html?id=75101 Thanks for Manoj Kumar for reporting.
buildservice-autocommit
accepted
request 103907
from
Factory Maintainer (factory-maintainer)
(revision 55)
baserev update by copy to link target
_service
committed
(revision 54)
generated via source service
Vítězslav Čížek (vitezslav_cizek)
committed
(revision 53)
- update to 1.54 - return 0 instead of undef in SSL_verify_callback to fix unitialized warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting the bug and MIKEM for the fix. https://rt.cpan.org/Ticket/Display.html?id=73629
buildservice-autocommit
accepted
request 98292
from
Stephan Kulow (coolo)
(revision 52)
baserev update by copy to link target
Displaying revisions 81 - 100 of 151