| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Changes from 1.35:
v1.44 2011.05.27
- fix invalid call to inet_pton in verify_hostname_of_cert when
identity should be verified as ipv6 address, because it contains
colon.
v1.43_1 2011.05.12
- try to make t/nonblock.t more stable, especially on Mac OS X
v1.43 2011.05.11
- fix t/nonblock.t
- stability improvements t/inet6.t
v1.42 2011.05.10
- add SSL_create_ctx_callback to have a way to adjust context on
creation. https://rt.cpan.org/Ticket/Display.html?id=67799
- describe problem of fake memory leak because of big session cache
and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073
v1.41 2011.05.09
- fix issue in stop_SSL where it did not issue a shutdown of the
SSL connection if it first received the shutdown from the other
side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
- try to make t/nonblock.t more reliable, at least report the real
cause of ssl connection errors
v1.40 2011.05.02
- integrated patch from GAAS to get IDN support from URI.
https://rt.cpan.org/Ticket/Display.html?id=67676
v1.39_1 2011.05.02
- fix in exampel/async_https_server.
Thanks to DetlefPilzecker[AT]web[DOT]de for reporting
v1.39 2011.03.03
- fixed documentation of http verification: wildcards in cn is allowed
v1.38_1 2011.01.24
- close should undef _SSL_fileno, because the fileno is no longer
valid (SSL connection and socket are closed)
v1.38 2011.01.18
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1
instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for
reporting
https://rt.cpan.org/Ticket/Display.html?id=64864
v1.37 2010.12.09
- don't complain about invalid certificate locations if user explicitly
set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what
he is doing and will work around the problems by itself.
http://rt.cpan.org/Ticket/Display.html?id=63741
v1.36 2010.12.08
- update documentation for SSL_verify_callback based on
https://rt.cpan.org/Ticket/Display.html?id=63743
https://rt.cpan.org/Ticket/Display.html?id=63740
|
|
|
|
Security fix
v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid it will no longer fall back to VERIFY_NONE but throw
an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
pointing out the problem, see also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
|
|
v1.34 2010.11.01
- schema http for certificate verification changed to
wildcards_in_cn=1, because according to rfc2818 this is valid and
also seen in the wild
- if upgrading socket from inet to ssl fails due to handshake problems
the socket gets downgraded, but is still open.
See https://rt.cpan.org/Ticket/Display.html?id=61466
- deprecate kill_socket, just use close()
|
|
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
|
|
Upstream changes:
v1.33 2010.03.17
- attempt to make t/memleak_bad_handshake.t more stable, it fails
for unknown reason on various systems
- fix hostname checking: an IP should only be checked against
subjectAltName GEN_IPADD, never against GEN_DNS or CN.
Thanks to rusch[AT]genua[DOT]de for bug report
|
|
Upstream changes:
v1.32 2010.02.22
- Makefile.PL: die if Scalar::Util has no dualvar support instead of
only complaining. Thanks to w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
for reporting.
|
|
Upstream changes:
v1.31 2009.09.25
- add and export constants for SSL_VERIFY_*
- set SSL_use_cert if cert is given and not SSL_server
- support alternative CRL file with SSL_crl_file thanks to patch of
w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
|
|
Upstream changes:
v1.30 2009.08.19
- fix test t/memleak_bad_handshake.t
v1.29 2009.08.19
- fixed thanks for version 1.28
v1.28 2009.08.19
- fix memleak when SSL handshake failed.
Thanks richardhundtu[AT]gmail[DOT]com
|
|
Upstream changes:
v1.27 2009.07.24
- changed possible local/utf-8 depended \w in some regex against more
explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service
names can't have '-' inside
- fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
While there made it more aware of errors in Net::ssl_write_all (return
undef not 0 in generic_write)
|
|
set license to ${PERL5_LICENSE} according to module's documentation (POD).
Upstream changes:
v1.26 2009.07.03
- SECURITY BUGFIX!
fix Bug in verify_hostname_of_cert where it matched only the prefix for
the hostname when no wildcard was given, e.g. www.example.org matched
against a certificate with name www.exam in it
Thanks to MLEHMANN for reporting
v1.25 2009.07.02
- t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5
https://rt.cpan.org/Ticket/Display.html?id=47240
|
|
- updating package to 1.24
Upstream changes:
v1.24 2009.04.01
- add verify hostname scheme ftp, same as http
- renew test certificates again (root CA expired, now valid for 10 years)
|
|
Update dependency to security/p5-Net-SSLeay to 1.33 as notes in modules
META.yml
Upstream Changes:
v1.23 2009.02.23
- if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the
default values have no existing file|path) disable checking of
certificates, but carp about the problem
- new test certificates, the old ones expired and caused tests to fail
|
|
v1.22 2009.01.24
- Net::SSLeay stores verify callbacks inside hash and never clears them, so
set verify callback to NULL in destroy of context
v1.21 2009.01.22
- auto verification of name in certificate created circular reference between
SSL and CTX object with the verify_callback, which caused the objects to be
destroyed only at program end. Fix it be no longer access $self from inside
the callback.
Thanks to odenbach[AT]uni-paderborn[DOT]de for reporting
v1.20 2009.01.15
- only changes on test suite to make it ready for win32
(tested with strawberry perl 5.8.8)
|
|
v1.19 2008.12.31
- fix verfycn_name autodetection from PeerAddr/PeerHost
|
|
Fixes PR#40188, though the dependency bump is not done
(is not reflected in the module's META.yml).
Upstream changes:
v1.18 2008.11.17
- fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
http://rt.cpan.org/Ticket/Display.html?id=40997
thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting
|
|
for IDN and inet6 support.
v.17 2008.10.13
- no code changes, publish v.16_3 as v.17 because it looks better
than v.16
- document win32 behavior regarding non-blocking and timeouts
v.16_3 2008.09.25
- fix t/nonblock.t with workaround for problems with
IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do
nonblocking connect and leaves socket blocked.
- make some tests less verbose by fixing diag in t/testlib.t
(send output to STDOUT not STDERR and prefix with '#')
v.16_2 2008.09.24
- work around Bug in IO::Socket::INET6 on BSD systems
http://rt.cpan.org/Ticket/Display.html?id=39550
by setting Domain based on PeerAddr
Thanks to srezic for report and support
- remove tests of recv/send from t/core.t. Might badly interact
with SSL handshake and cause crashes as seen on OS X 10.4
v.16_1 2008.09.19
- better support for IPv6:
- IPv6 is enabled by default if IO::Socket::INET6 is available
- t/inet6.t for basic tests
|
|
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
|
|
v1.16
- change code for SSL_check_crl to use X509_STORE_set_flags instead of
X509_STORE_CTX_set_flags based on bug report from
<tjtoocool[AT]phreaker[DOT]net >
- change opened() to report -1 if the IO::Handle is open, but the
SSL connection failed, needed with HTTP::Daemon::SSL which will send
an error mssage over the unencrypted socket
|
|
v1.15
- change internal behavior when SSL handshake failed (like when verify
callback returned an error) in the hope to fix spurios errors in
t/auto_verify_hostname.t
|
|
v1.14
- added support for verification of hostname from certificate
including subjectAltNames, support for IDN etc based on patch and
input from christopher[AT]odenbachs[DOT]de and
achim[AT]grolmsnet[DOT]de.
It is also possible to get more information from peer_certificate
based on this patch. See documentation for peer_certificate and
verify_hostname
- automatic verification of hostnames with SSL_verifycn_scheme and
SSL_verifycn_name
- global setting of default context options like SSL_verifycn_scheme,
SSL_verify_mode with set_ctx_defaults
- fix import of inet4,inet6 which got broken within 1.13_X.
Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
- clarified and enhanced debugging supppport based on bugreport
http://rt.cpan.org/Ticket/Display.html?id=32960
- put information into README regarding the supported and recommanded
version of Net::SSLeay
|
|
v1.13
- removed CLONE_SKIP which was added in 1.03 because this breaks
windows forking. Handled threads/windows forking better by making
sure that CTX from Net::SSLeay gets not freed multiple times from
different threads after cloning/forking
- removed setting LocalPort to 0 in tests, instead leave it undef
if a random port should be allocated. This should fix build problems
with 5.6.1. Thanks to <andrew[DOT]benham[AT]thus[DOT]net>
|
|
v1.12
- treat timeouts of 0 for accept_SSL and connect_SSL like no timeout,
like IO::Socket does.
|
|
can handle packages having no PLIST files.
|
|
v1.11
- fixed errors in accept_SSL which would work when called from start_SSL
but not from accept
v1.10
- start_SSL, accept_SSL and connect_SSL have argument for Timeout
so that the SSL handshake will not block forever. Only used if the
socket is blocking. If not set the Timeout value from the underlying
IO::Socket is used
|
|
v1.09
- new method stop_SSL as opposite of start_SSL based on a idea
of Bron Gondwana <brong[AT]fastmail[DOT]fm>
To support this method the SSL_shutdown handling had to be
fixed, e.g. in close a proper unidirectional shutdown
should be done while in stop_SSL a bidirectional shutdown
- try to make it clearer that thread support is buggy
|
|
v1.08
- make sure that Scalar::Util has support for dualvar
(Makefile.PL,SSL.pm) because the perl-only version has
has no dualvar
|
|
v1.07
- fix t/nonblock.t on systems which have by default a larger
socket buffer. Set SO_SNDBUF explicitly with setsockopt
to force smaller writes on the socket
|
|
v1.06
- instead of setting undef args to '' in configure_SSL drop
them. This makes Net::SMTP::SSL working again because it
does not give LocalPort of '' to IO::Socket::INET any more
|
|
v1.05
- make session cache working even if the IO::Socket::SSL object
was not created with IO::Socket::SSL->new but with
IO::Socket::SSL->start_SSL on an established socket
|
|
v1.04
- added way to create SSL object with predefined session
cache, thus making it possible to share the cache between
objects even if the rest of the context is not shared
key SSL_session_cache
Note that the arguments of IO::Socket::SSL::SessionCache::new
changed (but you should never have used this class directly
because it's internal to IO::Socket::SSL)
|
|
v1.03
- add CLONE_SKIP as proposed by
Jarrod Johnson jbjohnso at us dot ibm dot com
|
|
v1.02
- added some info to BUGS and to BUGS section of pod
- added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even
if they do nothing useful.
- all tests allocate now the ports dynamically, so there should
be no longer a conflict with open ports on the system where
the tests run
v1.01
- work around Bug in Net::HTTPS where it defines sub blocking
as {}, e.g. force scalar context when calling sub blocking
(in IO::Socket::SSL::write)
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106
v1.0
- fix depreciated and practically undocumented function
get_peer_certificate so that LWP Net::HTTPS works again
- set arg 'Blocking' while calling SUPER::configure only
if it was set by the caller to work around Problem in LWP
Net::HTTPS
|
|
|
|
- If SSL_cipher_list is not given it uses the openssl default
instead of setting it to 'ALL:!LOW:!EXP' like before. The old
value included ADH and this might be a bad idea, see BUGS why.
Resolves PR pkg/34392 by Martin Wilke
|
|
v0.998
- declare socket as opened before calling fatal_ssl_error
because the SSL_error_trap set up from HTTP::Daemon
needs this
- accept_SSL sets errors on $socket (the accepted socket)
not $self (the listening socket if called from accept)
so it can be queried from SSL_error_trap
- note in BUGS section that IO::Socket::SSL is not thread-safe
Note: The previous update from 0.97 broke all https:// URLs in p5-libwww,
will address that in next commit (to p5-libwww)
|
|
v0.997
- fix readline (e.g. getline,getlines,<>) so that it behaves
regarding $/ like written in the $/ dokumentation.
v0.996
- removed links and comments to inofficial release of
Net::SSLeay, because there is a newer version already
v0.995
- add support for Diffie Hellman Key Exchange.
See parameter SSL_dh_file and SSL_dh.
v0.994
- hide DEBUG statements and remove test to load Debug.pm
because packets like Spamassisin cannot cope with it
(at least the OpenBSD port)
v0.993
- added SSL_cert and SSL_key parameter which do not take
a file name like SSL_cert_file and SSL_key_file but
an internal X509* resp. EVP_PKEY* value. Useful for
dynamically created certificates and keys.
- added test for sysread/syswrite behavior (which was changed
in v0.991)
v0.992
- _set_rw_error does $!||=EAGAIN only if error is one of
SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith
<mike at mailchannels dot com>)
- Fix Makefile.PL to allow detectection of failures in PREREQ_PM
(http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch
by alexchorny at gmail dot com)
v0.991
- sysread and syswrite ar no longer the same as read and write,
but can return already if only parts of the data are read
or written (which is the usual semantic for sysread and syswrite)
This should fix problems with HTTP::Daemon::SSL
v0.99
- just upgrade Version number because I've screwed up upload
of v0.98 to cpan
v0.98
- Maintainer changed to <Steffen_Ullrich at genua dot de>
- Better support for nonblocking sockets:
. exports $SSL_ERROR which contains the latest error from
the openssl library. Exports constants SSL_WANT_READ and
SSL_WANT_WRITE es special errors which will be set if
openssl wants to write or read during nonblocking connects,
accepts, reads or writes.
. accept,accept_SSL,connect and connect_SSL don't block
anymore if the socket is nonblocking.
Instead $! will be set from the underlying IO::Socket::INET
connect or accept if it failed there (usually EAGAIN or
EINPROGRESS) or if the underlying openssl needs to read or
write $! will be set to EAGAIN and $SSL_ERROR will be set
to SSL_WANT_READ or SSL_WANT_WRITE
. syswrite returns undef and sets $!,$SSL_ERROR if it fails
to write instead of returning 0.
- Bugfixes (http://rt.cpan.org/Public/Bug/Display.html?id=Bugid)
. Bug 18439: fileno 0 should be valid
. Bug 15001: sysread interpretes buffer "0" as ""
- peer_certifcate returns X509 struct string if no field
for extraction was specified
- get_peer_certificate returns the certificate instead of the
IO::Socket::SSL object
|
|
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
|
|
No pkgsrc changes.
Changes since version 0.96:
===========================
v0.97
- Writes now correctly return errors. (Problem noted by
Dominique Quatravaux <dom at idealx.com>).
- CA paths now work without passing an empty SSL_ca_file
argument. (Problem found by Phil Pennock, <phil.pennock
at globnix.org>).
- IO::Socket::SSL now automatically passes Proto => tcp (if
not already specified) to IO::Socket::INET to work around
/etc/services files with udp entries listed first. (Fix
suggested by Phil Pennock).
- $socket->accept() now returns the peer address in array
context for better conformance with IO::Socket::INET.
However, if you were doing "map { $_->accept } (@sockets)",
or similar tricks, you will need to use "scalar" to get the
old behavior back. (Problem noted by Nils Sowen, <n.sowen
at kon.de>).
- IO::Socket::SSL should now properly block on reads larger
than the buffer size of Net::SSLeay. (Problem found by Eric
Jergensen, <eric at dvns.com>).
- IO::Socket::SSL should now send CA Certs (if necessary)
along with certificates. (Problem found by <roy at
momentous.ca>).
- Timeouts should now work, but be aware that if multiple
reads/writes are necessary to complete a connection, then
each one may have a separate timeout. (Request from
Dominique Quatravaux <dom at idealx.com>).
- In certain cases, start_SSL() would misplace a socket's
fileno, causing problems with starting SSL. This should now
be fixed. (Problem found by <russ at zerotech.net>).
- IO::Socket::SSL now requires a minimum of Net::SSLeay 1.21.
|
|
of Perl files to deal with the perl-5.8.7 update that moved all
pkgsrc-installed Perl files into the "vendor" directories.
|
|
These paths are now relative to PERL5_PACKLIST_DIR, which currently
defaults to ${PERL5_SITEARCH}. There is no change to the binary
packages.
|
|
|
|
|
|
- Makefile's error messages now correct if output is
redirected (patch from Ilya Zakharevich).
- Non-blocking connects/accepts now work (Problem found by
Uri Guttman).
- new_from_fd() now works.
- getline() and <> in scalar context now return undef
instead of '' when the read failed. (Problem found by
Christian Gilmore).
- Broken pipe signals are now ignored during socket close
to prevent a SSL shutdown message from killing the parent
program. (Problem found by Christian Gilmore).
- Tests should proceed much more quickly, and a semi-race was
fixed, meaning that on slow machines the tests should be
more reliable.
- Check for Scalar::Util and Weakref now uses default
$SIG{__DIE__} instead of a potentially user-altered one
(suggestion from Olaf Schneider). This only applies to Perl 5.6.0 & above.
- Session caching support (patch from Marko Asplund).
- set_default_context() added to alter the behavior of
modules that use IO::Socket::SSL from the main program.
- get_ssl_object() renamed to _get_ssl_object() to reflect
the fact that it's only supposed to be used internally
(not that you should have cared, of course).
- Added patch for Net::SSLeay to take advantage of
client-side session caching. (i.e. use 1.26 of Net-SSLeay)
|
|
module directory has changed (eg. "darwin-2level" vs.
"darwin-thread-multi-2level").
binary packages of perl modules need to be distinguishable between
being built against threaded perl and unthreaded perl, so bump the
PKGREVISION of all perl module packages and introduce
BUILDLINK_RECOMMENDED for perl as perl>=5.8.5nb5 so the correct
dependencies are registered and the binary packages are distinct.
addresses PR pkg/28619 from H. Todd Fujinaka.
|
|
Buildlink files: RECOMMENDED version changed to current version.
|
|
|
|
|
|
include:
- Better opened() behavior when sockets close unexpectedly.
- Added support for WeakRef and Scalar::Util to allow
IO::Socket::SSL objects to auto-destroy themselves when
they go out of scope.
- Added croak()ing for unimplemented send() and recv() methods
so they are not accidentally used to transmit unencrypted
data. The Perl builtin functions cannot be reliably trapped
and are still dangerous, a fact that the POD now reflects
- Changed accept() to use inherited accept() instead of
IO::Socket::accept, so that IPv6 inheritance is possible.
- Added options to import() so that a user could specify
IPv6 or IPv4 mode of operation.
|
|
|
