Hello community, here is the log from the commit of package perl-LWP-Protocol-https for openSUSE:Factory checked in at 2015-04-25 16:46:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https (Old) and /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-LWP-Protocol-https" Changes: -------- --- /work/SRC/openSUSE:Factory/perl-LWP-Protocol-https/perl-LWP-Protocol-https.changes 2014-05-17 06:43:04.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.perl-LWP-Protocol-https.new/perl-LWP-Protocol-https.changes 2015-04-25 16:46:53.000000000 +0200 @@ -1,0 +2,36 @@ +Thu Apr 23 06:00:03 UTC 2015 - co...@suse.com + +- updated to 6.06 + see /usr/share/doc/packages/perl-LWP-Protocol-https/Changes + + 2014-04-18 LWP-Protocol-https 6.06 + + Mike Schilli (3): + Merge pull request #12 from drieux/subjectAltName + Merge pull request #9 from chorny/master + Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases. + + Gisle Aas (2): + Getopt::Long isn't actually used + Merge pull request #7 from noxxi/master + + Alexandr Ciornii (1): + better diagnostics in case of failures in apache.t + + Karen Etheridge (1): + Merge pull request #8 from cpansprout/patch-1 + + Steffen Ullrich (1): + correct behavior for https_proxy, this goes together with change to + libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https + + cpansprout (1): + Typo fix: envirionment =~ s/io/o/ + + drieux (1): + support for subjectAltName + + + _______________________________________________________________________________ + +------------------------------------------------------------------- Old: ---- LWP-Protocol-https-6.04.tar.gz New: ---- LWP-Protocol-https-6.06.tar.gz cpanspec.yml ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-LWP-Protocol-https.spec ++++++ --- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200 +++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200 
@@ -1,7 +1,7 @@ # # spec file for package perl-LWP-Protocol-https # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,15 +17,15 @@ Name: perl-LWP-Protocol-https -Version: 6.04 +Version: 6.06 Release: 0 %define cpan_name LWP-Protocol-https Summary: Provide https support for LWP::UserAgent License: Artistic-1.0 or GPL-1.0+ Group: Development/Libraries/Perl Url: http://search.cpan.org/dist/LWP-Protocol-https/ -Source: http://www.cpan.org/authors/id/G/GA/GAAS/%{cpan_name}-%{version}.tar.gz -# patch for using system certificates +Source0: http://www.cpan.org/authors/id/M/MS/MSCHILLI/%{cpan_name}-%{version}.tar.gz +Source1: cpanspec.yml Patch0: %{cpan_name}-6.04-systemca.diff Patch1: CVE-2014-3230.patch BuildArch: noarch @@ -33,14 +33,14 @@ BuildRequires: perl BuildRequires: perl-macros BuildRequires: perl(IO::Socket::SSL) >= 1.54 -BuildRequires: perl(LWP::UserAgent) >= 6.04 +BuildRequires: perl(LWP::UserAgent) >= 6.06 #BuildRequires: perl(Mozilla::CA) >= 20110101 BuildRequires: perl(Net::HTTPS) >= 6 -#BuildRequires: perl(LWP::Protocol::http) Requires: perl(IO::Socket::SSL) >= 1.54 -Requires: perl(LWP::UserAgent) >= 6.04 +Requires: perl(LWP::UserAgent) >= 6.06 #Requires: perl(Mozilla::CA) >= 20110101 Requires: perl(Net::HTTPS) >= 6 +BuildRequires: ca-certificates %{perl_requires} %description ++++++ CVE-2014-3230.patch ++++++ --- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200 +++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200 
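Review bot: `BuildRequires: ca-certificates` is added at the end of the `@@ -33,14 +33,14 @@` hunk with no matching runtime `Requires:`, yet with Patch0 disabling the Mozilla::CA fallback and `ignore_requires: Mozilla::CA` in cpanspec.yml the installed module ships no CA source of its own, so peer verification presumably depends on the system CA store being present at run time. Add `Requires:       ca-certificates` beside the other `Requires:` lines and move the new BuildRequires up into the BuildRequires group so the two groups stay separate. The `patch for using system certificates` comment removed here survives only in cpanspec.yml, which is acceptable if that file is the generator input. Patch0 keeps its `6.04` file name although its `Index:` lines now target 6.06; renaming it on the next refresh avoids confusion.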
@@ -8,11 +8,11 @@ lib/LWP/Protocol/https.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm +Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm =================================================================== ---- LWP-Protocol-https-6.04.orig/lib/LWP/Protocol/https.pm 2014-05-15 11:46:54.319643759 +0200 -+++ LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2014-05-15 11:46:55.856660773 +0200 -@@ -20,7 +20,11 @@ sub _extra_sock_opts +--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm ++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm +@@ -21,7 +21,11 @@ sub _extra_sock_opts $ssl_opts{SSL_verifycn_scheme} = 'www'; } else { @@ -23,5 +23,18 @@ + $ssl_opts{SSL_verifycn_scheme} = 'none'; + } } - $self->{ssl_opts} = \%ssl_opts; - return (%ssl_opts, $self->SUPER::_extra_sock_opts); + my $suse_allows_mozilla_ca = 0; + if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { +Index: LWP-Protocol-https-6.06/t/https_proxy.t +=================================================================== +--- LWP-Protocol-https-6.06.orig/t/https_proxy.t ++++ LWP-Protocol-https-6.06/t/https_proxy.t +@@ -66,7 +66,7 @@ my %ua; + $ua{noproxy} = LWP::UserAgent->new( + keep_alive => 10, # size of connection cache + # server does not know the expected name and returns generic certificate +- ssl_opts => { verify_hostname => 0 } ++ ssl_opts => { verify_hostname => 0, SSL_ca_file => $cafile, } + ); + + $ua{proxy} = LWP::UserAgent->new( ++++++ LWP-Protocol-https-6.04-systemca.diff ++++++ --- /var/tmp/diff_new_pack.10t4IE/_old 2015-04-25 16:46:53.000000000 +0200 +++ /var/tmp/diff_new_pack.10t4IE/_new 2015-04-25 16:46:53.000000000 +0200 
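Review bot: The rebased CVE-2014-3230.patch now carries `my $suse_allows_mozilla_ca = 0;` and `if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) {` as context lines in its `@@ -23,5 +23,18 @@` hunk, so it applies only after `%{cpan_name}-6.04-systemca.diff`; that dependency is encoded solely in the Patch0/Patch1 order. State it where the patches are listed, e.g. `# depends on the systemca patch above (shares context in _extra_sock_opts)` above the `CVE-2014-3230.patch: -p1` entry in cpanspec.yml, so a future reorder does not break `%prep`. The inner diff of `_extra_sock_opts` is cut at both ends here, so which condition reaches the new `$ssl_opts{SSL_verifycn_scheme} = 'none';` line cannot be confirmed from this page; check against pull/14 (referenced in cpanspec.yml) that only the explicit `verify_hostname => 0` path reaches it.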
@@ -11,37 +11,37 @@ lib/LWP/Protocol/https.pm | 23 ----------------------- 3 files changed, 1 insertion(+), 32 deletions(-) -diff --git a/Makefile.PL b/Makefile.PL -index 805eac8..3c66fb7 100644 ---- a/Makefile.PL -+++ b/Makefile.PL +Index: LWP-Protocol-https-6.06/Makefile.PL +=================================================================== +--- LWP-Protocol-https-6.06.orig/Makefile.PL ++++ LWP-Protocol-https-6.06/Makefile.PL 
@@ -15,7 +15,6 @@ WriteMakefile( - 'LWP::UserAgent' => '6.04', + 'LWP::UserAgent' => '6.06', 'Net::HTTPS' => 6, 'IO::Socket::SSL' => "1.54", - 'Mozilla::CA' => "20110101", }, META_MERGE => { resources => { -diff --git a/README b/README -index 8e67078..7c4b5e2 100644 ---- a/README -+++ b/README -@@ -13,13 +13,6 @@ DESCRIPTION +Index: LWP-Protocol-https-6.06/README +=================================================================== +--- LWP-Protocol-https-6.06.orig/README ++++ LWP-Protocol-https-6.06/README +@@ -17,13 +17,6 @@ DESCRIPTION you don't use it directly. Once the module is installed LWP is able to access sites using HTTP over SSL/TLS. -- If hostname verification is requested by LWP::UserAgent's `ssl_opts', -- and neither `SSL_ca_file' nor `SSL_ca_path' is set, then `SSL_ca_file' +- If hostname verification is requested by LWP::UserAgent's "ssl_opts", +- and neither "SSL_ca_file" nor "SSL_ca_path" is set, then "SSL_ca_file" - is implied to be the one provided by Mozilla::CA. If the Mozilla::CA - module isn't available SSL requests will fail. Either install this -- module, set up an alternative `SSL_ca_file' or disable hostname +- module, set up an alternative "SSL_ca_file" or disable hostname - verification. - This module used to be bundled with the libwww-perl, but it was unbundled in v6.02 in order to be able to declare its dependencies properly for the CPAN tool-chain. Applications that need https support -@@ -27,7 +20,7 @@ DESCRIPTION +@@ -31,7 +24,7 @@ DESCRIPTION longer need to know what underlying modules to install. SEE ALSO 
@@ -50,40 +50,17 @@ COPYRIGHT Copyright 1997-2011 Gisle Aas. -diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm -index f7230e2..e210049 100644 ---- a/lib/LWP/Protocol/https.pm -+++ b/lib/LWP/Protocol/https.pm -@@ -22,29 +22,6 @@ sub _extra_sock_opts +Index: LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm +=================================================================== +--- LWP-Protocol-https-6.06.orig/lib/LWP/Protocol/https.pm ++++ LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm +@@ -23,7 +23,8 @@ sub _extra_sock_opts else { $ssl_opts{SSL_verify_mode} = 0; } - if ($ssl_opts{SSL_verify_mode}) { -- unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { -- eval { -- require Mozilla::CA; -- }; -- if ($@) { -- if ($@ =! /^Can't locate Mozilla\/CA\.pm/) { -- $@ = <<'EOT'; --Can't verify SSL peers without knowing which Certificate Authorities to trust -- --This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE --envirionment variable or by installing the Mozilla::CA module. -- --To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME --envirionment variable to 0. If you do this you can't be sure that you --communicate with the expected peer. 
--EOT -- } -- die $@; -- } -- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file(); -- } -- } - $self->{ssl_opts} = \%ssl_opts; - return (%ssl_opts, $self->SUPER::_extra_sock_opts); - } --- -1.8.1.4 - ++ my $suse_allows_mozilla_ca = 0; ++ if ($suse_allows_mozilla_ca && $ssl_opts{SSL_verify_mode}) { + unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { + eval { + require Mozilla::CA; ++++++ LWP-Protocol-https-6.04.tar.gz -> LWP-Protocol-https-6.06.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/Changes new/LWP-Protocol-https-6.06/Changes --- old/LWP-Protocol-https-6.04/Changes 2013-04-29 23:19:02.000000000 +0200 +++ new/LWP-Protocol-https-6.06/Changes 2014-04-18 18:38:48.000000000 +0200 
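Review bot: The refreshed https.pm hunk (`@@ -23,7 +23,8 @@`) replaces the earlier outright deletion with `my $suse_allows_mozilla_ca = 0;`, a literal false that leaves the whole Mozilla::CA block and its diagnostic message as dead code with no explanation in the source. Add a comment on that line, e.g. `# SUSE: Mozilla::CA is not packaged; rely on the system CA store instead of the fallback below`, so the next rebase does not "fix" it back. The behavioural consequence is worth recording too: when `SSL_verify_mode` is set and neither `SSL_ca_file` nor `SSL_ca_path` is given, the upstream `die $@;` with the PERL_LWP_SSL_CA_FILE hint (visible only on the old side here) is no longer reached and verification silently depends on IO::Socket::SSL's defaults, so the README paragraph this patch removes should be replaced by one sentence naming the system CA store rather than just dropped. `_extra_sock_opts` starts and ends outside the hunk.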
@@ -1,4 +1,33 @@ _______________________________________________________________________________ +2014-04-18 LWP-Protocol-https 6.06 + +Mike Schilli (3): + Merge pull request #12 from drieux/subjectAltName + Merge pull request #9 from chorny/master + Updated libwww requirement to 6.06 to fix failing t/proxy.t test cases. + +Gisle Aas (2): + Getopt::Long isn't actually used + Merge pull request #7 from noxxi/master + +Alexandr Ciornii (1): + better diagnostics in case of failures in apache.t + +Karen Etheridge (1): + Merge pull request #8 from cpansprout/patch-1 + +Steffen Ullrich (1): + correct behavior for https_proxy, this goes together with change to + libwww-perl cb80c2ddb7, new method _upgrade_sock in LWP::Protocol::https + +cpansprout (1): + Typo fix: envirionment =~ s/io/o/ + +drieux (1): + support for subjectAltName + + +_______________________________________________________________________________ 2013-04-29 LWP-Protocol-https 6.04 Fix IO::Socket::SSL warnings when not verifying hostname. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/MANIFEST new/LWP-Protocol-https-6.06/MANIFEST --- old/LWP-Protocol-https-6.04/MANIFEST 2013-04-29 23:23:13.000000000 +0200 +++ new/LWP-Protocol-https-6.06/MANIFEST 2014-04-18 19:00:39.000000000 +0200 @@ -4,5 +4,5 @@ README lib/LWP/Protocol/https.pm Access with HTTP/1.1 protocol over SSL t/apache.t -META.yml Module YAML meta-data (added by MakeMaker) -META.json Module JSON meta-data (added by MakeMaker) +t/https_proxy.t +META.yml Module meta-data (added by MakeMaker) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/META.json new/LWP-Protocol-https-6.06/META.json --- old/LWP-Protocol-https-6.04/META.json 2013-04-29 23:23:13.000000000 +0200 +++ new/LWP-Protocol-https-6.06/META.json 1970-01-01 01:00:00.000000000 +0100 
@@ -1,51 +0,0 @@ -{ - "abstract" : "Provide https support for LWP::UserAgent", - "author" : [ - "Gisle Aas <gi...@activestate.com>" - ], - "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 6.6501, CPAN::Meta::Converter version 2.120921", - "license" : [ - "perl_5" - ], - "meta-spec" : { - "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", - "version" : "2" - }, - "name" : "LWP-Protocol-https", - "no_index" : { - "directory" : [ - "t", - "inc" - ] - }, - "prereqs" : { - "build" : { - "requires" : { - "ExtUtils::MakeMaker" : "0" - } - }, - "configure" : { - "requires" : { - "ExtUtils::MakeMaker" : "0" - } - }, - "runtime" : { - "requires" : { - "IO::Socket::SSL" : "1.54", - "LWP::UserAgent" : "6.04", - "Mozilla::CA" : "20110101", - "Net::HTTPS" : "6", - "perl" : "5.008001" - } - } - }, - "release_status" : "stable", - "resources" : { - "repository" : { - "url" : "http://github.com/libwww-perl/lwp-protocol-https" - }, - "x_MailingList" : "mailto:lib...@perl.org" - }, - "version" : "6.04" -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/META.yml new/LWP-Protocol-https-6.06/META.yml --- old/LWP-Protocol-https-6.04/META.yml 2013-04-29 23:23:13.000000000 +0200 +++ new/LWP-Protocol-https-6.06/META.yml 2014-04-18 19:00:39.000000000 +0200 
@@ -1,29 +1,29 @@ ---- -abstract: 'Provide https support for LWP::UserAgent' +--- #YAML:1.0 +name: LWP-Protocol-https +version: 6.06 +abstract: Provide https support for LWP::UserAgent author: - - 'Gisle Aas <gi...@activestate.com>' -build_requires: - ExtUtils::MakeMaker: 0 + - Gisle Aas <gi...@activestate.com> +license: perl +distribution_type: module configure_requires: - ExtUtils::MakeMaker: 0 -dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 6.6501, CPAN::Meta::Converter version 2.120921' -license: perl -meta-spec: - url: http://module-build.sourceforge.net/META-spec-v1.4.html - version: 1.4 -name: LWP-Protocol-https -no_index: - directory: - - t - - inc + ExtUtils::MakeMaker: 0 +build_requires: + ExtUtils::MakeMaker: 0 requires: - IO::Socket::SSL: 1.54 - LWP::UserAgent: 6.04 - Mozilla::CA: 20110101 - Net::HTTPS: 6 - perl: 5.008001 + IO::Socket::SSL: 1.54 + LWP::UserAgent: 6.06 + Mozilla::CA: 20110101 + Net::HTTPS: 6 + perl: 5.008001 resources: - repository: http://github.com/libwww-perl/lwp-protocol-https - x_MailingList: mailto:lib...@perl.org -version: 6.04 + MailingList: mailto:lib...@perl.org + repository: http://github.com/libwww-perl/lwp-protocol-https +no_index: + directory: + - t + - inc +generated_by: ExtUtils::MakeMaker version 6.56 +meta-spec: + url: http://module-build.sourceforge.net/META-spec-v1.4.html + version: 1.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/Makefile.PL new/LWP-Protocol-https-6.06/Makefile.PL --- old/LWP-Protocol-https-6.04/Makefile.PL 2013-03-19 22:06:50.000000000 +0100 +++ new/LWP-Protocol-https-6.06/Makefile.PL 2014-04-18 18:27:06.000000000 +0200 @@ -3,7 +3,6 @@ require 5.008001; use strict; use ExtUtils::MakeMaker; -use Getopt::Long qw(GetOptions); WriteMakefile( NAME => 'LWP::Protocol::https', 
@@ -13,7 +12,7 @@ LICENSE => "perl", MIN_PERL_VERSION => 5.008001, PREREQ_PM => { - 'LWP::UserAgent' => '6.04', + 'LWP::UserAgent' => '6.06', 'Net::HTTPS' => 6, 'IO::Socket::SSL' => "1.54", 'Mozilla::CA' => "20110101", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/README new/LWP-Protocol-https-6.06/README --- old/LWP-Protocol-https-6.04/README 2013-03-19 22:06:50.000000000 +0100 +++ new/LWP-Protocol-https-6.06/README 2014-04-18 18:33:44.000000000 +0200 @@ -1,3 +1,7 @@ +###################################################################### + LWP::Protocol::https 6.06 +###################################################################### + NAME LWP::Protocol::https - Provide https support for LWP::UserAgent 
@@ -8,16 +12,16 @@ $res = $ua->get("https://www.example.com"); DESCRIPTION - The LWP::Protocol::https module provide support for using https schemed + The LWP::Protocol::https module provides support for using https schemed URLs with LWP. This module is a plug-in to the LWP protocol handling, so you don't use it directly. Once the module is installed LWP is able to access sites using HTTP over SSL/TLS. - If hostname verification is requested by LWP::UserAgent's `ssl_opts', - and neither `SSL_ca_file' nor `SSL_ca_path' is set, then `SSL_ca_file' + If hostname verification is requested by LWP::UserAgent's "ssl_opts", + and neither "SSL_ca_file" nor "SSL_ca_path" is set, then "SSL_ca_file" is implied to be the one provided by Mozilla::CA. If the Mozilla::CA module isn't available SSL requests will fail. Either install this - module, set up an alternative `SSL_ca_file' or disable hostname + module, set up an alternative "SSL_ca_file" or disable hostname verification. This module used to be bundled with the libwww-perl, but it was diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm new/LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm --- old/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm 2013-04-29 23:16:18.000000000 +0200 +++ new/LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm 2014-04-18 18:33:26.000000000 +0200 @@ -1,10 +1,11 @@ package LWP::Protocol::https; use strict; -our $VERSION = "6.04"; +our $VERSION = "6.06"; require LWP::Protocol::http; our @ISA = qw(LWP::Protocol::http); +require Net::HTTPS; sub socket_type { 
@@ -33,10 +34,10 @@ Can't verify SSL peers without knowing which Certificate Authorities to trust This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE -envirionment variable or by installing the Mozilla::CA module. +environment variable or by installing the Mozilla::CA module. To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME -envirionment variable to 0. If you do this you can't be sure that you +environment variable to 0. If you do this you can't be sure that you communicate with the expected peer. EOT } 
@@ -49,17 +50,78 @@ return (%ssl_opts, $self->SUPER::_extra_sock_opts); } +#------------------------------------------------------------ +# _cn_match($common_name, $san_name) +# common_name: an IA5String +# san_name: subjectAltName +# initially we were only concerned with the dNSName +# and the 'left-most' only wildcard as noted in +# https://tools.ietf.org/html/rfc6125#section-6.4.3 +# this method does not match any wildcarding in the +# domain name as listed in section-6.4.3.3 +# +sub _cn_match { + my( $me, $common_name, $san_name ) = @_; + + # /CN has a '*.' prefix + # MUST be an FQDN -- fishing? + return 0 if( $common_name =~ /^\*\./ ); + + my $re = q{}; # empty string + + # turn a leading "*." into a regex + if( $san_name =~ /^\*\./ ) { + $san_name =~ s/\*//; + $re = "[^.]+"; + } + + # quotemeta the rest and match anchored + if( $common_name =~ /^$re\Q$san_name\E$/ ) { + return 1; + } + return 0; +} + +#------------------------------------------------------- +# _in_san( cn, cert ) +# 'cn' of the form /CN=host_to_check ( "Common Name" form ) +# 'cert' any object that implements a peer_certificate('subjectAltNames') method +# which will return an array of ( type-id, value ) pairings per +# http://tools.ietf.org/html/rfc5280#section-4.2.1.6 +# if there is no subjectAltNames there is nothing more to do. +# currently we have a _cn_match() that will allow for simple compare. +sub _in_san +{ + my($me, $cn, $cert) = @_; + + # we can return early if there are no SAN options. + my @sans = $cert->peer_certificate('subjectAltNames'); + return unless scalar @sans; + + (my $common_name = $cn) =~ s/.*=//; # strip off the prefix. 
+ + # get the ( type-id, value ) pairwise + # currently only the basic CN to san_name check + while( my ( $type_id, $value ) = splice( @sans, 0, 2 ) ) { + return 'ok' if $me->_cn_match($common_name,$value); + } + return; +} + sub _check_sock { my($self, $req, $sock) = @_; my $check = $req->header("If-SSL-Cert-Subject"); if (defined $check) { - my $cert = $sock->get_peer_certificate || - die "Missing SSL certificate"; - my $subject = $cert->subject_name; - die "Bad SSL certificate subject: '$subject' !~ /$check/" - unless $subject =~ /$check/; - $req->remove_header("If-SSL-Cert-Subject"); # don't pass it on + my $cert = $sock->get_peer_certificate || + die "Missing SSL certificate"; + my $subject = $cert->subject_name; + unless ( $subject =~ /$check/ ) { + my $ok = $self->_in_san( $check, $cert); + die "Bad SSL certificate subject: '$subject' !~ /$check/" + unless $ok; + } + $req->remove_header("If-SSL-Cert-Subject"); # don't pass it on } } 
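Review bot: `_in_san` discards `$type_id` in `while( my ( $type_id, $value ) = splice( @sans, 0, 2 ) )` and hands every subjectAltName value to `_cn_match`, so an iPAddress, rfc822Name or URI entry is compared against the host name as if it were a dNSName, contrary to the header comment that only dNSName was intended; add `next unless $type_id == <dNSName-type-id>;` before the match (IO::Socket::SSL returns the GeneralName type in the first slot; Net::SSLeay's GEN_DNS is the usual constant, confirm before use). In `_cn_match` the test `/^$re\Q$san_name\E$/` is case-sensitive and `$` admits a trailing newline, while DNS names compare case-insensitively, so `if ( $common_name =~ /\A$re\Q$san_name\E\z/i ) {` is the safer form. In `_check_sock` the `If-SSL-Cert-Subject` header is still applied as a regex to `$subject` but, after `s/.*=//`, as a literal (via `\Q`) inside `_in_san`, so a header containing an escaped metacharacter matches one way and not the other; document or unify the two interpretations. `_check_sock` and both helpers are complete within the hunk; the regex/literal mismatch is inferred from the lines shown.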
@@ -83,10 +145,24 @@ $res->header("Client-SSL-Socket-Class" => $Net::HTTPS::SSL_SOCKET_CLASS); } +# upgrade plain socket to SSL, used for CONNECT tunnel when proxying https +# will only work if the underlying socket class of Net::HTTPS is +# IO::Socket::SSL, but code will only be called in this case +if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) { + *_upgrade_sock = sub { + my ($self,$sock,$url) = @_; + $sock = LWP::Protocol::https::Socket->start_SSL( $sock, + SSL_verifycn_name => $url->host, + $self->_extra_sock_opts, + ); + $@ = LWP::Protocol::https::Socket->errstr if ! $sock; + return $sock; + } +} + #----------------------------------------------------------- package LWP::Protocol::https::Socket; -require Net::HTTPS; our @ISA = qw(Net::HTTPS LWP::Protocol::http::SocketMethods); 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/t/apache.t new/LWP-Protocol-https-6.06/t/apache.t --- old/LWP-Protocol-https-6.04/t/apache.t 2013-04-29 23:15:29.000000000 +0200 +++ new/LWP-Protocol-https-6.06/t/apache.t 2014-04-18 18:21:26.000000000 +0200 @@ -8,11 +8,13 @@ my $ua = LWP::UserAgent->new(); plan skip_all => "Not online" unless $ua->is_online; -plan tests => 4; +plan tests => 5; my $res = $ua->simple_request(HTTP::Request->new(GET => "https://www.apache.org")); ok($res->is_success); +my $h = $res->header( 'X-Died' ); +is($h, undef, "no X-Died header"); like($res->content, qr/Apache Software Foundation/); # test for RT #81948 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/LWP-Protocol-https-6.04/t/https_proxy.t new/LWP-Protocol-https-6.06/t/https_proxy.t --- old/LWP-Protocol-https-6.04/t/https_proxy.t 1970-01-01 01:00:00.000000000 +0100 +++ new/LWP-Protocol-https-6.06/t/https_proxy.t 2014-04-18 18:21:26.000000000 +0200 
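Review bot: `_upgrade_sock` signals failure with `$@ = LWP::Protocol::https::Socket->errstr if ! $sock;` and a false return, a contract that is not documented on the sub and that any `eval` run by the caller before reading `$@` will clobber; add `# returns the upgraded socket, or false with the IO::Socket::SSL error message left in $@` above that line. The option list passes `SSL_verifycn_name => $url->host` before `$self->_extra_sock_opts`, so if the options returned there ever contain `SSL_verifycn_name` (user `ssl_opts` could, inferred rather than visible here) the later pair wins and the CONNECT target is no longer the name verified; say in a comment which of the two is meant to take precedence. The enclosing `if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL'))` means the method is simply absent for other socket classes, which the comment states, but the callers that must cope with that live in libwww-perl outside this page.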
@@ -0,0 +1,308 @@ +#!/usr/bin/perl + +# to run test with Net::SSL as backend set environment +# PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL + +use strict; +use warnings; +use Test::More; +use File::Temp 'tempfile'; +use IO::Socket::INET; +use IO::Select; +use Socket 'MSG_PEEK'; +use LWP::UserAgent; +use LWP::Protocol::https; + +plan skip_all => "fork not implemented on this platform" if + grep { $^O =~m{$_} } qw( MacOS VOS vmesa riscos amigaos ); + +eval { require IO::Socket::SSL } + and $IO::Socket::SSL::VERSION >= 1.953 + and eval { require IO::Socket::SSL::Utils } + or plan skip_all => "no recent version of IO::Socket::SSL::Utils"; +IO::Socket::SSL::Utils->import; + +# create CA ------------------------------------------------------------- +my ($cacert,$cakey) = CERT_create( CA => 1 ); +my $cafile = do { + my ($fh,$fname) = tempfile( CLEANUP => 1 ); + print $fh PEM_cert2string($cacert); + $fname +}; + +# create two web servers ------------------------------------------------ +my (@server,@saddr); +for my $i (0,1) { + my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, # let system pick port + Listen => 10 + ) or die "failed to create INET listener"; + my $saddr = $server->sockhost.':'.$server->sockport; + $server[$i] = $server; + $saddr[$i] = $saddr; +} + +my @childs; +END { kill 9,@childs if @childs }; +defined( my $pid = fork()) or die "fork failed: $!"; + +# child process runs _server and exits +if ( ! 
$pid ) { + @childs = (); + exit( _server()); +} + +# parent continues with closed server sockets +push @childs,$pid; +@server = (); + +# check which SSL implementation Net::HTTPS uses +# Net::SSL behaves different than the default IO::Socket::SSL +my $netssl = $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL'; + +# do some tests ---------------------------------------------------------- +my %ua; +$ua{noproxy} = LWP::UserAgent->new( + keep_alive => 10, # size of connection cache + # server does not know the expected name and returns generic certificate + ssl_opts => { verify_hostname => 0 } +); + +$ua{proxy} = LWP::UserAgent->new( + keep_alive => 10, # size of connection cache + ssl_opts => { + # Net::SSL cannot verify hostnames :( + verify_hostname => $netssl ? 0: 1, + SSL_ca_file => $cafile + } +); +$ua{proxy_nokeepalive} = LWP::UserAgent->new( + keep_alive => 0, + ssl_opts => { + # Net::SSL cannot verify hostnames :( + verify_hostname => $netssl ? 0: 1, + SSL_ca_file => $cafile + } +); +$ENV{http_proxy} = $ENV{https_proxy} = "http://foo:bar\@$saddr[0]"; +$ua{proxy}->env_proxy; +$ua{proxy_nokeepalive}->env_proxy; +if ($netssl) { + # Net::SSL cannot get user/pass from proxy url + $ENV{HTTPS_PROXY_USERNAME} = 'foo'; + $ENV{HTTPS_PROXY_PASSWORD} = 'bar'; +} + +my @tests = ( + # the expected ids are connid.reqid[tunnel_auth][req_auth]@sslhost + # because we run different sets of test depending on the SSL class + # used by Net::HTTPS we replace connid with a letter and later + # match it to a number + + # keep-alive for non-proxy http + # requests to same target use same connection, even if intermixed + [ 'noproxy', "http://$saddr[0]/foo",'A.1@nossl' ], + [ 'noproxy', "http://$saddr[0]/bar",'A.2@nossl' ], # reuse conn#1 + [ 'noproxy', "http://$saddr[1]/foo",'B.1@nossl' ], + [ 'noproxy', "http://$saddr[1]/bar",'B.2@nossl' ], # reuse conn#2 + [ 'noproxy', "http://$saddr[0]/tor",'A.3@nossl' ], # reuse conn#1 again + [ 'noproxy', "http://$saddr[1]/tor",'B.3@nossl' ], # reuse 
conn#2 again + # keep-alive for proxy http + # use the same proxy connection for all even if the target host differs + [ 'proxy', "http://foo/foo",'C.1.auth@nossl' ], + [ 'proxy', "http://foo/bar",'C.2.auth@nossl' ], + [ 'proxy', "http://bar/foo",'C.3.auth@nossl' ], + [ 'proxy', "http://bar/bar",'C.4.auth@nossl' ], + [ 'proxy', "http://foo/tor",'C.5.auth@nossl' ], + [ 'proxy', "http://bar/tor",'C.6.auth@nossl' ], + # keep-alive for non-proxy https + # requests to same target use same connection, even if intermixed + [ 'noproxy', "https://$saddr[0]/foo",'d...@direct.ssl.access' ], + [ 'noproxy', "https://$saddr[0]/bar",'d...@direct.ssl.access' ], + [ 'noproxy', "https://$saddr[1]/foo",'e...@direct.ssl.access' ], + [ 'noproxy', "https://$saddr[1]/bar",'e...@direct.ssl.access' ], + [ 'noproxy', "https://$saddr[0]/tor",'d...@direct.ssl.access' ], + [ 'noproxy', "https://$saddr[1]/tor",'e...@direct.ssl.access' ], + # keep-alive for proxy https + ! $netssl ? ( + # note that we reuse proxy conn#C in first request. 
Although the last id + # from this conn was C.6 the new one is C.8, because request C.7 was the + # socket upgrade via CONNECT request + [ 'proxy', "https://foo/foo",'C.8.Tauth@foo' ], + [ 'proxy', "https://foo/bar",'C.9.Tauth@foo' ], + # if the target of the tunnel is different we need another connection + # note that it starts with F.2, because F.1 is the CONNECT request which + # established the tunnel + [ 'proxy', "https://bar/foo",'F.2.Tauth@bar' ], + [ 'proxy', "https://bar/bar",'F.3.Tauth@bar' ], + [ 'proxy', "https://foo/tor",'C.10.Tauth@foo' ], + [ 'proxy', "https://bar/tor",'F.4.Tauth@bar' ], + ):( + # Net::SSL will cannot reuse socket for CONNECT, but once inside tunnel + # keep-alive is possible + [ 'proxy', "https://foo/foo",'G.2.Tauth@foo' ], + [ 'proxy', "https://foo/bar",'G.3.Tauth@foo' ], + [ 'proxy', "https://bar/foo",'F.2.Tauth@bar' ], + [ 'proxy', "https://bar/bar",'F.3.Tauth@bar' ], + [ 'proxy', "https://foo/tor",'G.4.Tauth@foo' ], + [ 'proxy', "https://bar/tor",'F.4.Tauth@bar' ], + ), + # non-keep alive for proxy https + [ 'proxy_nokeepalive', "https://foo/foo",'H.2.Tauth@foo' ], + [ 'proxy_nokeepalive', "https://foo/bar",'I.2.Tauth@foo' ], + [ 'proxy_nokeepalive', "https://bar/foo",'J.2.Tauth@bar' ], + [ 'proxy_nokeepalive', "https://bar/bar",'K.2.Tauth@bar' ], +); +plan tests => 2*@tests; + +my (%conn2id,%id2conn); +for my $test (@tests) { + my ($uatype,$url,$expect_id) = @$test; + my $ua = $ua{$uatype} or die "no such ua: $uatype"; + + # Net::SSL uses only the environment to decide about proxy, so we need the + # proxy/non-proxy environment for each request + if ( $netssl && $url =~m{^https://} ) { + $ENV{https_proxy} = $uatype =~m{^proxy} ? 
"http://$saddr[0]":"" + } + + my $response = $ua->get($url) or die "no response"; + if ( $response->is_success + and ( my $body = $response->content()) =~m{^ID: *(\d+)\.(\S+)}m ) { + my $id = [ $1,$2 ]; + my $xid = [ $expect_id =~m{(\w+)\.(\S+)} ]; + if ( my $x = $id2conn{$id->[0]} ) { + $id->[0] = $x; + } elsif ( ! $conn2id{$xid->[0]} ) { + $conn2id{ $xid->[0] } = $id->[0]; + $id2conn{ $id->[0] } = $xid->[0]; + $id->[0] = $xid->[0]; + } + is("$id->[0].$id->[1]",$expect_id,"$uatype $url -> $expect_id") + or diag($response->as_string); + # inside proxy tunnel and for non-proxy there should be only absolute + # URI in request w/o scheme + my $expect_rqurl = $url; + $expect_rqurl =~s{^\w+://[^/]+}{} + if $uatype eq 'noproxy' or $url =~m{^https://}; + my ($rqurl) = $body =~m{^GET (\S+) HTTP/}m; + is($rqurl,$expect_rqurl,"URL in request -> $expect_rqurl"); + } else { + die "unexpected response: ".$response->as_string + } +} + +# ------------------------------------------------------------------------ +# simple web server with keep alive and SSL, which can also simulate proxy +# ------------------------------------------------------------------------ +sub _server { + my $connid = 0; + my %certs; # generated certificates + + ACCEPT: + my ($server) = IO::Select->new(@server)->can_read(); + my $cl = $server->accept or goto ACCEPT; + + # peek into socket to determine if this is direct SSL or not + # minimal request is "GET / HTTP/1.1\n\n" + my $buf = ''; + while (length($buf)<15) { + my $lbuf; + if ( ! IO::Select->new($cl)->can_read(30) + or ! 
defined recv($cl,$lbuf,20,MSG_PEEK)) { + warn "not enough data for request ($buf): $!"; + goto ACCEPT; + } + $buf .= $lbuf; + } + my $ssl_host = ''; + if ( $buf !~m{\A[A-Z]{3,} } ) { + # does not look like HTTP, assume direct SSL + $ssl_host = "direct.ssl.access"; + } + + $connid++; + + defined( my $pid = fork()) or die "failed to fork: $!"; + if ( $pid ) { + push @childs,$pid; + goto ACCEPT; # wait for next connection + } + + # child handles requests + @server = (); + my $reqid = 0; + my $tunnel_auth = ''; + + SSL_UPGRADE: + if ( $ssl_host ) { + my ($cert,$key) = @{ + $certs{$ssl_host} ||= do { + diag("creating cert for $ssl_host"); + my ($c,$k) = CERT_create( + subject => { commonName => $ssl_host }, + issuer_cert => $cacert, + issuer_key => $cakey, + # just reuse cakey as key for certificate + key => $cakey, + ); + [ $c,$k ]; + }; + }; + + IO::Socket::SSL->start_SSL( $cl, + SSL_server => 1, + SSL_cert => $cert, + SSL_key => $key, + ) or do { + diag("SSL handshake failed: ".IO::Socket::SSL->errstr); + exit(1); + }; + } + + REQUEST: + # read header + my $req = ''; + while (<$cl>) { + $_ eq "\r\n" and last; + $req .= $_; + } + $reqid++; + my $req_auth = $req =~m{^Proxy-Authorization:}mi ? '.auth':''; + + if ( $req =~m{\ACONNECT ([^\s:]+)} ) { + if ( $ssl_host ) { + diag("CONNECT inside SSL tunnel"); + exit(1); + } + $ssl_host = $1; + $tunnel_auth = $req_auth ? '.Tauth':''; + #diag($req); + + # simulate proxy and establish SSL tunnel + print $cl "HTTP/1.0 200 ok\r\n\r\n"; + goto SSL_UPGRADE; + } + + if ( $req =~m{^Content-length: *(\d+)}mi ) { + read($cl,my $buf,$1) or die "eof while reading request body"; + } + my $keep_alive = + $req =~m{^(?:Proxy-)?Connection: *(?:(keep-alive)|close)}mi ? $1 : + $req =~m{\A.*HTTP/1\.1} ? 1 : + 0; + + # just echo request back, including connid and reqid + my $body = "ID: $connid.$reqid$tunnel_auth$req_auth\@" + . ( $ssl_host || 'nossl' )."\n" + . "---------\n$req"; + print $cl "HTTP/1.1 200 ok\r\nContent-type: text/plain\r\n" + . 
"Connection: ".( $keep_alive ? 'keep-alive':'close' )."\r\n" + . "Content-length: ".length($body)."\r\n" + . "\r\n" + . $body; + + goto REQUEST if $keep_alive; + exit(0); # done handling requests +} ++++++ cpanspec.yml ++++++ --- #description_paragraphs: 3 #no_testing: broken upstream #sources: # - source1 # - source2 patches: # patch for using system certificates "%{cpan_name}-6.04-systemca.diff": -p1 # see https://github.com/libwww-perl/lwp-protocol-https/pull/14 CVE-2014-3230.patch: -p1 #preamble: |- # BuildRequires: gcc-c++ #post_prep: |- # hunspell=`pkg-config --libs hunspell | sed -e 's,-l,,; s, *,,g'` # sed -i -e "s,hunspell-X,$hunspell," t/00-prereq.t Makefile.PL #post_install: |- # sed on %{name}.files #license: SUSE-NonFree #skip_noarch: 1 #custom_build: - #./Build build flags=%{?_smp_mflags} --myflag ignore_requires: Mozilla::CA
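Review bot: In `_server` the peek loop `while (length($buf)<15) { ... recv($cl,$lbuf,20,MSG_PEEK) ... $buf .= $lbuf; }` appends each peeked chunk, but MSG_PEEK leaves the data in the queue, so a second iteration returns the same leading bytes again and `$buf` becomes a duplicated prefix (constructed example: `GET / HTGET / HTTP/1.1`); the later `\A[A-Z]{3,} ` check still passes only because it looks at the start of the string, and the warning text shows the garbled buffer. Replace the append with `$buf = $lbuf;` so `$buf` always holds the current head of the stream. Further down, `read($cl,my $buf,$1) or die "eof while reading request body";` treats a short read as success, which is tolerable in a test fixture but deserves a comment. `_server` is complete within the hunk.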