Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package perl-IO-Socket-SSL for
openSUSE:Factory checked in at 2022-01-14 23:12:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.1892 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL"
Fri Jan 14 23:12:36 2022 rev:91 rq:946101 version:2.074
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes
2022-01-11 21:20:24.801007096 +0100
+++
/work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new.1892/perl-IO-Socket-SSL.changes
2022-01-14 23:12:59.994622479 +0100
@@ -1,0 +2,11 @@
+Sat Jan 8 03:07:59 UTC 2022 - Tina M??ller <timueller+p...@suse.de>
+
+- updated to 2.074
+ see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+ 2.074
+ - add SSL_ciphersuites option for TLS 1.3 ciphers
+ - no longer use own default for ciphers, instead use system default but
disable
+ some weak ciphers which might still be enabled on older systems
+
+-------------------------------------------------------------------
Old:
----
IO-Socket-SSL-2.073.tar.gz
New:
----
IO-Socket-SSL-2.074.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.GJZCeA/_old 2022-01-14 23:13:00.582622858 +0100
+++ /var/tmp/diff_new_pack.GJZCeA/_new 2022-01-14 23:13:00.586622861 +0100
@@ -1,7 +1,7 @@
#
# spec file for package perl-IO-Socket-SSL
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%define cpan_name IO-Socket-SSL
Name: perl-IO-Socket-SSL
-Version: 2.073
+Version: 2.074
Release: 0
Summary: Nearly transparent SSL encapsulation for IO::Socket::INET
License: Artistic-1.0 OR GPL-1.0-or-later
++++++ IO-Socket-SSL-2.073.tar.gz -> IO-Socket-SSL-2.074.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/IO-Socket-SSL-2.073/Changes
new/IO-Socket-SSL-2.074/Changes
--- old/IO-Socket-SSL-2.073/Changes 2021-12-22 20:24:38.000000000 +0100
+++ new/IO-Socket-SSL-2.074/Changes 2022-01-07 16:06:58.000000000 +0100
@@ -1,3 +1,7 @@
+2.074
+- add SSL_ciphersuites option for TLS 1.3 ciphers
+- no longer use own default for ciphers, instead use system default but disable
+ some weak ciphers which might still be enabled on older systems
2.073
- fix behavior and tests for openssl 3.0.1
- fix #110 - prevent internal error warning in some cases
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/IO-Socket-SSL-2.073/META.json
new/IO-Socket-SSL-2.074/META.json
--- old/IO-Socket-SSL-2.073/META.json 2021-12-22 20:29:50.000000000 +0100
+++ new/IO-Socket-SSL-2.074/META.json 2022-01-07 16:08:40.000000000 +0100
@@ -52,6 +52,6 @@
"url" : "https://github.com/noxxi/p5-io-socket-ssl";
}
},
- "version" : "2.073",
+ "version" : "2.074",
"x_serialization_backend" : "JSON::PP version 4.02"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/IO-Socket-SSL-2.073/META.yml
new/IO-Socket-SSL-2.074/META.yml
--- old/IO-Socket-SSL-2.073/META.yml 2021-12-22 20:29:50.000000000 +0100
+++ new/IO-Socket-SSL-2.074/META.yml 2022-01-07 16:08:39.000000000 +0100
@@ -27,5 +27,5 @@
homepage: https://github.com/noxxi/p5-io-socket-ssl
license: http://dev.perl.org/licenses/
repository: https://github.com/noxxi/p5-io-socket-ssl
-version: '2.073'
+version: '2.074'
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/IO-Socket-SSL-2.073/lib/IO/Socket/SSL.pm
new/IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-2.073/lib/IO/Socket/SSL.pm 2021-12-22
20:24:53.000000000 +0100
+++ new/IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pm 2022-01-07
15:47:38.000000000 +0100
@@ -13,7 +13,7 @@
package IO::Socket::SSL;
-our $VERSION = '2.073';
+our $VERSION = '2.074';
use IO::Socket;
use Net::SSLeay 1.46;
@@ -76,6 +76,7 @@
my $check_partial_chain; # use X509_V_FLAG_PARTIAL_CHAIN if available
my $auto_retry; # (clear|set)_mode SSL_MODE_AUTO_RETRY with OpenSSL
1.1.1+ with non-blocking
my $ssl_mode_release_buffers = 0; # SSL_MODE_RELEASE_BUFFERS if available
+my $can_ciphersuites; # support for SSL_CTX_set_ciphersuites (TLS 1.3)
my $openssl_version;
my $netssleay_version;
@@ -113,6 +114,7 @@
$can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
&& $netssleay_version >= 1.80;
$can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth;
+ $can_ciphersuites = defined &Net::SSLeay::CTX_set_ciphersuites;
if (defined &Net::SSLeay::SESSION_up_ref) {
$session_upref = 1;
@@ -203,11 +205,8 @@
SSL_npn_protocols => undef, # meaning depends whether on server or
client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for
example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are
supported"
- # slightly reordered to prefer AES since it is cheaper when hardware
accelerated
- SSL_cipher_list =>
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # rely on system default but be sure to disable some definitely bad ones
+ SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5
!PSK !SRP',
);
my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -216,64 +215,6 @@
SSL_ca_file => undef,
SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:gu...@rt.openssl.org/Ticket/Display.html?id=2771
- # Ubuntu worked around this by disabling TLSv1_2 on the client side for
- # a while. Later a padding extension was added to OpenSSL to work around
- # broken F5 but then IronPort croaked because it did not understand this
- # extension so it was disabled again :(
- # Firefox, Chrome and IE11 use TLSv1_2 but use only a few ciphers, so
- # that packet stays small enough. We try the same here.
-
- SSL_cipher_list => join(" ",
-
- # SSLabs report for Chrome 48/OSX.
- # This also includes the fewer ciphers Firefox uses.
- 'ECDHE-ECDSA-AES128-GCM-SHA256',
- 'ECDHE-RSA-AES128-GCM-SHA256',
- 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDHE-ECDSA-CHACHA20-POLY1305',
- 'ECDHE-RSA-CHACHA20-POLY1305',
- 'ECDHE-ECDSA-AES256-SHA',
- 'ECDHE-RSA-AES256-SHA',
- 'DHE-RSA-AES256-SHA',
- 'ECDHE-ECDSA-AES128-SHA',
- 'ECDHE-RSA-AES128-SHA',
- 'DHE-RSA-AES128-SHA',
- 'AES128-GCM-SHA256',
- 'AES256-SHA',
- 'AES128-SHA',
- 'DES-CBC3-SHA',
-
- # IE11/Edge has some more ciphers, notably SHA384 and DSS
- # we don't offer the *-AES128-SHA256 and *-AES256-SHA384 non-GCM
- # ciphers IE/Edge offers because they look like a large mismatch
- # between a very strong HMAC and a comparably weak (but sufficient)
- # encryption. Similar all browsers which do SHA384 can do ECDHE
- # so skip the DHE*SHA384 ciphers.
- 'ECDHE-RSA-AES256-GCM-SHA384',
- 'ECDHE-ECDSA-AES256-GCM-SHA384',
- # 'ECDHE-RSA-AES256-SHA384',
- # 'ECDHE-ECDSA-AES256-SHA384',
- # 'ECDHE-RSA-AES128-SHA256',
- # 'ECDHE-ECDSA-AES128-SHA256',
- # 'DHE-RSA-AES256-GCM-SHA384',
- # 'AES256-GCM-SHA384',
- 'AES256-SHA256',
- # 'AES128-SHA256',
- 'DHE-DSS-AES256-SHA256',
- # 'DHE-DSS-AES128-SHA256',
- 'DHE-DSS-AES256-SHA',
- 'DHE-DSS-AES128-SHA',
- 'EDH-DSS-DES-CBC3-SHA',
-
- # Just to make sure, that we don't accidentally add bad ciphers above.
- # This includes dropping RC4 which is no longer supported by modern
- # browsers and also excluded in the SSL libraries of Python and Ruby.
- "!EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP"
- )
);
# set values inside _init to work with perlcc, RT#95452
@@ -2973,6 +2914,16 @@
? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list}
|| next
: $cl
) || return IO::Socket::SSL->error("Failed to set SSL cipher list");
+ }
+ }
+ if ( my $cl = $arg_hash->{SSL_ciphersuites} ) {
+ return IO::Socket::SSL->error("no support for SSL_ciphersuites in
Net::SSLeay")
+ if ! $can_ciphersuites;
+ for (keys %ctx) {
+ Net::SSLeay::CTX_set_ciphersuites($ctx{$_}, ref($cl)
+ ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list}
|| next
+ : $cl
+ ) || return IO::Socket::SSL->error("Failed to set SSL cipher list");
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/IO-Socket-SSL-2.073/lib/IO/Socket/SSL.pod
new/IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod
--- old/IO-Socket-SSL-2.073/lib/IO/Socket/SSL.pod 2021-09-06
19:56:00.000000000 +0200
+++ new/IO-Socket-SSL-2.074/lib/IO/Socket/SSL.pod 2022-01-07
15:47:17.000000000 +0100
@@ -1064,17 +1064,31 @@
=item SSL_cipher_list
If this option is set the cipher list for the connection will be set to the
-given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. Look into the OpenSSL
-documentation
(L<https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS>)
+given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. This will only affect
+ciphers for TLS 1.2 and lower. See the OpenSSL documentation
+(L<https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS>)
for more details.
Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which uses the system
+default but disables some insecure ciphers which might still be enabled on
older
+systems.
+
+In case different cipher lists are needed for different SNI hosts a hash can be
+given with the host as key and the cipher suite as value, similar to
+B<SSL_cert*>.
+
+=item SSL_ciphersuites
+
+If this option is set the TLS 1.3 ciphersuites for the connection will be
+set to the given value. This is similar to SSL_cipher_list, but only for TLS
1.3
+ciphers. See argument C<-ciphersuits> in the OpenSSL documentation
+(L<https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html>) for
+details.
+
+Unless you fail to contact your peer because of no shared ciphers it is
+recommended to leave this option at the default setting, which uses the system
+default.
In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to
