Next | Query returned 146 messages, browsing 71 to 80 | Previous

CVS Commit History:


   2014-11-16 13:11:56 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 2.005:

2.005 2014/11/15
- next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
2.004 2014/11/15
- only test fix: fix t/protocol_version.t to deal with OpenSSL installations
  which are compiled without SSLv3 support.
2.003 2014/11/14
- make SSLv3 available even if the SSL library disables it by default in
  SSL_CTX_new (like done in LibreSSL). Default will stay to disable SSLv3,
  so this will be only done when setting SSL_version explicitly.
- fix possible segmentation fault when trying to use an invalid certificate,
  reported by Nick Andrew.
- Use only the ICANN part of the default public suffix list and not the
  private domains. This makes existing exceptions for s3.amazonaws.com and
  googleapis.com obsolete. Thanks to Gervase Markham from mozilla.org.

   2014-10-23 09:24:06 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 2.002:

2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
  not use inet_aton any longer because it can cause DNS lookups for malformed
  IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
  top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
  cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
  Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.

   2014-10-20 10:58:14 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 2.000:

2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
  Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
  fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18

   2014-10-12 16:37:15 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.999:

1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
  checked, because these are synonyms and IO::Socket::IP prefers PeerHost
  while others prefer PeerAddr. Also accept PeerService additionally to
  PeerPort.
  See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
  util/analyze-ssl.pl.

   2014-10-09 16:07:17 by Thomas Klausner | Files touched by this commit (1163)
Log message:
Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.

   2014-10-09 15:45:06 by Thomas Klausner | Files touched by this commit (456)
Log message:
Remove SVR4_PKGNAME, per discussion on tech-pkg.

   2014-09-14 15:42:33 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.998:

1.998 2014/09/07
- make client authentication work at the server side when SNI is in use by
  having CA path and other settings in all SSL contexts instead of only the main
  one.  Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com,
  https://github.com/noxxi/p5-io-socket-ssl/pull/15

   2014-09-06 14:16:28 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.997:

1.997 2014/07/12
- thanks to return code 1 from Net::SSLeay::library_init if the library needed
  initialization and 0 if not we can now clearly distinguish if initialization
  was needed and do not need any work-arounds for perlcc by the user.
1.996 2014/07/12
- move initialization of OpenSSL-internals out of INIT again because this
  breaks if module is used with require. Since there is no right place to
  work in all circumstances just document the work-arounds needed for
  perlcc. RT#97166
1.995 2014/07/11
- RT#95452 - move initialization and creation of OpenSSL-internals into INIT
  section, so they get executed after compilation and perlcc is happy.
- refresh option for peer_certificate, so that it checks if the certificate
  changed in the meantime (on renegotiation)
- fix fingerprint checking - now applies only to topmost certificate
- IO::Socket::SSL::Utils - accept extensions within CERT_create
- documentation fixes thanks to frioux
- fix documentation bug RT#96765, thanks to Salvatore Bonaccorso.
1.994 2014/06/22
- IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade
  to SSL and downgrade again all with the same object. See documentation of
  SSL_startHandshake and chapter Advanced Usage.
- try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
  fails. This is needed if one wants to explicitly verify OCSP lookups even if
  verification is otherwise off, because otherwise the signature check would
  fail. This is mostly useful for testing.
- reorder documentation of attributes for new, so that the more important ones
  are at the top.
1.993 2014/06/13
- major rewrite of documentation, now in separate file
- rework error handling to distinguish between SSL errors and internal errors
  (like missing capabilities).
- fix handling of default_ca if given during the run of the program (Debian#750646)
- util/analyze-ssl.pl - fix hostname check if SNI does not work

   2014-06-09 21:43:51 by Amitai Schlair | Files touched by this commit (2)
Log message:
Update to 1.992. From the changelog:

1.992 2014/06/01
- set $! to undef before doing IO (accept, read..). On Windows a connection
  reset could cause SSL read error without setting $!, so make sure we don't
  keep the old value and maybe thus run into endless loop.

1.991 2014/05/27
- new option SSL_OCSP_TRY_STAPLE to enforce staple request even if
  VERIFY_NONE
- work around for RT#96013 in peer_certificates

1.990 2014/05/27
- added option SSL_ocsp_staple_callback to get the stapled OCSP response
  and verify it somewhere else
- try to fix warnings on Windows again (#95967)
- work around temporary OCSP error in t/external/ocsp.t

1.989 2014/05/24
- fix #95881 (warnings on windows), thanks to TMHALL

1.988 2014/05/17
- add transparent support for DER and PKCS#12 files to specify cert and key,
  e.g. it will autodetect the format
- if SSL_cert_file is PEM and no SSL_key_file is given it will check if
  the key is in SSL_cert_file too

1.987 2014/05/17
- fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
  #95719, thanks srchulo
- enable IPv6 support only if we have a usable inet_pton
- remove stale entries from MANIFEST (thanks seen[AT]myfairpoint[DOT]net)

1.986 2014/05/16
- allow IPv4 in common name, because browsers allow this too. But only for
  scheme www/http, not for rfc2818 (because RFC2818 does not allow this).
  In default scheme IPv6 and IPv4 are allowed in CN.
  Thanks to heiko[DOT]hund[AT]sophos[DOT]com for reporting the problem.
- Fix handling of public suffix. Add exemption for *.googleapis.com
  wildcard, which should be better not allowed according to public suffix
  list but actually is used.
- Add hostname verification test based on older test of chromium. But change
  some of the test expectations because we don't want to support IP as SAN
  DNS and because we enforce a public suffix list (and thus *.co.uk should
  not be allowed)

   2014-05-30 01:38:20 by Thomas Klausner | Files touched by this commit (3049)
Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
