| Changelog |
* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP ≥ 0.31
- Always require preferred IDN back-end: URI::_idna
- Modernize spec using %{make_build} and %{make_install}
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4
- PublicSuffix.pm is licensed MPLv2.0 (#1724169)
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2
- Perl 5.30 rebuild
* Wed Mar 06 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
- Update to 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
* Mon Mar 04 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
- Update to 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
* Sat Mar 02 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
- Update to 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
- Update to 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
- Update to 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
- Client sends a post-handshake-authentication extension if a client key and
a certificate are available (bug #1632660)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2
- Prevent tests from dying on SIGPIPE (CPAN RT#126899)
* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
- Update to 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see
also CPAN RT#126899
- TLS 1.3 support is not complete yet for session reuse
* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)
* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1
- Update to 2.059
- Fix memory leak when CRLs are used (CPAN RT#125867)
- Fix memory leak when using stop_SSL and threads
(https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
- Update to 2.058
- Fix memory leak that occurred with explicit stop_SSL in connection with
non-blocking sockets or timeout (CPAN RT#125867)
- Fix redefine warnings in case Socket6 is installed but neither
IO::Socket::IP nor IO::Socket::INET6 (CPAN RT#124963)
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting
number or callback to create serial number based on the original certificate
- New function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct
value
- Fix t/session_ticket.t: It failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.056-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.056-2
- Perl 5.28 rebuild
* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 2.056-1
- Update to 2.056
- Intercept: Fix creation of serial number (basing it on binary digest
instead of treating hex fingerprint as binary), allow use of own serial
numbers again
- t/io-socket-ip.t: Skip test if no IPv6 support on system (CPAN RT#124464)
- Update PublicSuffix
* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 2.055-1
- Update to 2.055
- Use SNI also if hostname was given all-uppercase
- Utils::CERT_create: Don't add authority key for issuer since Chrome does
not like this
- Intercept:
- Change behavior of code-based cache to better support synchronizing
within multiprocess/threaded set-ups
- Don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- Better support platforms without IPv6 (CPAN RT#124431)
- Spelling fixes in documentation (CPAN RT#124306)
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.054-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 22 2018 Paul Howarth <paul@city-fan.org> - 2.054-1
- Update to 2.054
- Small behavior fixes
- If SSL_fingerprint is used and matches, don't check for OCSP
- Utils::CERT_create: Small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- Update PublicSuffix
- Updates for documentation, especially regarding pitfalls with forking or
using non-blocking sockets, spelling fixes
- Test fixes and improvements
- Stability improvements for live tests
- Regenerate certificates in certs/ and make sure they are limited to the
correct purpose; check in program used to generate certificates
- Adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
* Mon Oct 23 2017 Paul Howarth <paul@city-fan.org> - 2.052-1
- Update to 2.052
- Disable NPN support if LibreSSL ≥ 2.6.1 is detected since they've replaced
the functions with dummies instead of removing NPN completly or setting
OPENSSL_NO_NEXTPROTONEG
- t/01loadmodule.t shows more output helpful in debugging problems
- Update fingerprints for external tests
- Update documentation to make behavior of syswrite more clear
* Tue Sep 05 2017 Paul Howarth <paul@city-fan.org> - 2.051-1
- Update to 2.051
- syswrite: If SSL_write sets SSL_ERROR_SYSCALL but not $! (as seen with
OpenSSL 1.1.0 on Windows), set $! to EPIPE to propagate a useful error up
(GH#62)
* Fri Aug 18 2017 Paul Howarth <paul@city-fan.org> - 2.050-1
- Update to 2.050
- Removed unnecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not
supported, as is the case with openssl versions in latest Debian (buster)
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.049-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
