Hello community,

here is the log from the commit of package perl-IO-Socket-SSL for openSUSE:Factory checked in at 2013-07-25 14:46:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
 and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL" Changes: -------- --- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes 2012-03-01 17:24:27.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes 2013-07-25 14:46:31.000000000 +0200 
@@ -1,0 +2,101 @@ +Wed Jul 3 08:20:14 UTC 2013 - lnus...@suse.de + +- new version 0.951 + * better document builtin defaults for key,cert,CA and how they are depreceated + * use Net::SSLeay::SSL_CTX_set_default_verify_paths to use + openssl's builtin defaults for CA unless CA path/file was given + * MAJOR BEHAVIOR CHANGE: + ssl_verify_mode now defaults to verify_peer for client. Until + now it used verify_none, but loudly complained since 1.79 about + it. It will not complain any longer, but the connection might + probably fail. Please don't simply disable ssl verification, but + instead set SSL_ca_file etc so that verification succeeds! + * MAJOR BEHAVIOR CHANGE: + it will now complain if the builtin defaults of certs/my-ca.pem + or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert + and key are used, e.g. no certificates are specified explicitly. + In the future these insecure (relative path!) defaults will be + removed and the CA replaced with the system defaults. + * Makefile.PL reported wrong version of openssl, if Net::SSLeay was not + installed instead of reporting missing dependency to Net::SSLeay. + * need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6 + years ago. Remove code to work around older releases. + * changed AUTHOR in Makefile.PL from array back to string, because the + array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739) + * Intercept: use sha1-fingerprint of original cert for id into cache unless + otherwise given + * Fix pod error in IO::Socket::SSL::Utils RT#85733 + * added IO::Socket::SSL::Utils for easier manipulation of certificates and keys + * moved SSL interception into IO::Socket::SSL::Intercept and simplified it + using IO::Socket::SSL::Utils + * enhance meta information in Makefile.PL + * RT#85290, support more digest, especially SHA-2. 
+ Thanks to ujvari[AT]microsec[DOT]hu + * added support for easy SSL interception (man in the middle) based + on ideas found in mojo*mitm proxy (which was written by Karel Miko) + * make 1.46 the minimal required version for Net::SSLeay, because it + introduced lots of useful functions. + * if IO::Socket::IP is used it should be at least version 0.20, o + * Spelling corrections, thanks to dsteinbrunner +- remove the dependency on IO::Socket::INET6 as it breaks the test suite + +------------------------------------------------------------------- +Sat May 11 22:51:07 UTC 2013 - l...@linux-schulserver.de + +- update to 1.88 + + consider a value of '' the same as undef for SSL_ca_(path|file) + + complain if given SSL_(key|cert|ca)_(file|path) do not exist or + if they are not readable + + disabled client side SNI for openssl version < 1.0.0 + + added functions can_client_sni, can_server_sni, can_npn to check + avaibility of SNI and NPN features. Added more documentation for + SNI and NPN + + Server Name Indication (SNI) support on the server side + + sub error sets $SSL_ERROR etc only if there really is an error, + otherwise it will keep the latest error. This causes + IO::Socket::SSL->new.. to report the correct problem, even if + the problem is deeper in the code (like in connect) + + deprecated set_ctx_defaults, new name ist set_defaults + + changed handling of default path for SSL_(ca|cert|key)* keys: either + if one of these keys is user defined don't add defaults for the + others, e.g. don't mix user settings and defaults + + cleaner handling of module defaults vs. global settings vs. socket + specific settings + + + prepare transition to a more secure default for SSL_verify_mode. + The use of the current default SSL_VERIFY_NONE will cause a big warning + for clients, unless SSL_verify_mode was explicitly set inside the + application to this insecure value. 
+ In the near future the default will be SSL_VERIFY_PEER, and thus + causing verification failures in unchanged applications. + + + use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and + PeerPort from sockaddr in _update_peer, because this provides scope + + work around systems which don't defined AF_INET6 + + update_peer for IPv6 also + + no longer depend on Socket.pm 1.95 for inet_pton, but use + Socket6.pm if no current Socket.pm is available + + made it possible to explicitly disable TLSv11 and TLSv12 in + SSL_version + + fixed documentation errors + + add support to IO::Socket::IP which support inet6 and inet4 + + make it possible to disable protols using SSL_version, make + SSL_version default to 'SSLv23:!SSLv2' + + remove SSLv2 from default cipher list + + if no explicit cipher list is given it will now default to ALL:!LOW + instead of the openssl default, which usually includes weak ciphers + + new config key SSL_honor_cipher_order and documented how to use it + + make it thread safer + + added NPN (Next Protocol Negotiation) support + + call CTX_set_session_id_context so that servers session caching + works with client certificates too + + don't make blocking readline if socket was set nonblocking, but + return as soon no more data are available + + if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful + message when attempting to use it + + add automatic or explicit (via SSL_hostname) SNI support, needed + for multiple SSL hostnames with same IP. 
Currently only supported + for the client +- enable tests + +------------------------------------------------------------------- Old: ---- IO-Socket-SSL-1.55.tar.gz New: ---- IO-Socket-SSL-1.951.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-IO-Socket-SSL.spec ++++++ --- /var/tmp/diff_new_pack.MxF05d/_old 2013-07-25 14:46:32.000000000 +0200 +++ /var/tmp/diff_new_pack.MxF05d/_new 2013-07-25 14:46:32.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package perl-IO-Socket-SSL # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,24 +16,25 @@ # - Name: perl-IO-Socket-SSL -Version: 1.55 +Version: 1.951 Release: 0 -License: Artistic-1.0 or GPL-1.0+ %define cpan_name IO-Socket-SSL Summary: Nearly transparent SSL encapsulation for IO::Socket::INET -Url: http://search.cpan.org/dist/IO-Socket-SSL/ +License: Artistic-1.0 or GPL-1.0+ Group: Development/Libraries/Perl -Source: http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz +Url: http://search.cpan.org/dist/IO-Socket-SSL/ +Source: http://www.cpan.org/modules/by-module/IO/%{cpan_name}-%{version}.tar.gz BuildRequires: perl # MANUAL BEGIN -BuildRequires: perl(IO::Socket::INET6) -BuildRequires: perl(Net::LibIDN) -BuildRequires: perl(Net::SSLeay) >= 1.21 BuildRequires: perl-macros -Requires: perl(Net::SSLeay) >= 1.21 -Recommends: perl(IO::Socket::INET6) +# the testsuite does not work with INET6 yet. If INET6 is enabled, +# at least netcfg has to be installed as well. +#BuildRequires: perl(IO::Socket::INET6) +BuildRequires: perl(Net::LibIDN) +BuildRequires: perl(Net::SSLeay) >= 1.46 +Requires: perl(Net::SSLeay) >= 1.46 +#Recommends: perl(IO::Socket::INET6) Recommends: perl(Net::LibIDN) BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -72,6 +73,9 @@ %perl_process_packlist %perl_gen_filelist +%check +make test + %clean rm -rf %{buildroot} ++++++ IO-Socket-SSL-1.55.tar.gz -> IO-Socket-SSL-1.951.tar.gz ++++++ ++++ 7739 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
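Review bot: The newest entry in the perl-IO-Socket-SSL.changes hunk (Wed Jul 3 08:20:14 UTC 2013) says "new version 0.951", which does not match the spec's "Version: 1.951" or the new tarball IO-Socket-SSL-1.951.tar.gz; it should read 1.951. The same entry has a bullet that is cut off at "it should be at least version 0.20, o" and should be completed or trimmed. Because this entry is also where the switch of the client default from verify_none to verify_peer is recorded, the version it names needs to be right so that users hitting new verification failures can find the cause.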
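Review bot: In the spec hunk at @@ -16,24 +16,25 @@, "#Recommends: perl(IO::Socket::INET6)" removes a runtime hint, while the comment added above it only gives a build-time reason ("the testsuite does not work with INET6 yet"). Either keep the Recommends active and disable only the BuildRequires, or extend the comment to say why the runtime recommendation goes as well. The changes entry states that IO::Socket::IP, if used, should be at least version 0.20, but the spec carries no matching Recommends or version constraint for it; consider adding one. The two disabled dependency lines would also be cleaner deleted than left commented out inside the MANUAL block, since the comment already documents the decision.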
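Review bot: The new "%check" section at @@ -72,6 +73,9 @@ runs "make test" in a build root where IO::Socket::INET6 has just been removed from BuildRequires, so the IPv6-related changes listed in the changes file (getnameinfo in _update_peer, "update_peer for IPv6 also") are not covered by the enabled tests. The spec comment itself says that with INET6 enabled "at least netcfg has to be installed as well"; adding netcfg to BuildRequires and re-enabling the INET6 BuildRequires would be worth trying before shipping with that path untested.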