Log message:
Update to 1.985:

1.985 2014/05/15
- make OCSP callback return 1 even if it was called on the server side
  because of bad setup of the socket. Otherwise we get an endless calling
  of the OCSP callback.
- consider an OCSP response which is not yet or no longer valid a soft error
  instead of an hard error
- fix skip in t/external/ocsp.t in case fingerprint does not match
- RT#95633 call EVP_PKEY_free not EVP_KEY_free in
  IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org
- util/analyze.pl - with --show-chain check if chain with SNI is different
  from chain w/o SNI.
1.984 2014/05/10
- added OCSP support:
  - needs Net::SSLeay >=1.59
  - for usage see documentation of IO::Socket::SSL (examples and anything with
    OCSP in the name)
- new tool util/analyze-ssl.pl which is intended to help in debugging of SSL
  problems and to get information about capabilities of server. Works also
  as en example of how to use various features (like OCSP, SNI..)
- fix peer_certificates (returns leaf certificate only once on client side)
- added timeout for stop_SSL (either with Timeout or with the default
  timeout for IO::Socket)
- fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
  time is not GMT. Use Net::SSLeay::ASN1_TIME_timet if available.
- fix t/external/usable_ca.t for system with junk in CA files
1.983 2014/05/03
- fix public suffix handling: ajax.googleapis.com should be ok even if googleapis.com
  is in public suffix list (e.g. check one level less)
  #95317, thanks to purification[AT]ukr[DOT]net
- usable_ca.t - update fingerprints after heartbleed attack
- usable_ca.t - make sure we have usable CA for tested hosts in CA store
1.982 2014/04/24
- fix for using subroutine as argument to set_args_filter_hack
1.981 2014/04/08
- #95432 fix ecdhe Test for openssl1.0.1d, thanks to  paul[AT]city-fan[DOT]org
- fix detection of openssl1.0.1d (detected 1.0.1e instead)
- new function can_ecdh in IO::Socket::SSL
1.980 2014/04/08
- fixed incorrect calculation of certificate fingerprint in get_fingerprint*
  and comparison in SSL_fingerprint. Thanks to
  david[DT]palmer[AT]gradwell[DOT]com for reporting.
- disable elliptic curve support for openssl 1.0.1d on 64bit because of
  openssl rt#2975
1.979 2014/04/06
- hostname checking:
  - configuration of 'leftmost' is renamed to 'full_label', but the old
    version is kept for compatibility reasons.
  - documentation of predefined schemes fixed to match reality
1.978 2014/04/04
- RT#94424 again, fix test on older openssl version with no SNI support
1.977 2014/04/04
- fix publicsuffix for IDNA, more tests with various IDNA libs
  RT#94424. Thanks to paul[AT]city-fan[DOT]org
- reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
- add more checks to external/usable_ca.t. Now it is enough that at least
  one of the hosts verifies against the builtin CA store
- add openssl and Net::SSleay version to diagnostics in load test
1.976 2014/04/03
- added public prefix checking to verification of wildcard certificates,
  e.g. accept *.foo.com but not *.co.uk.
  See documentation of SSL_verifycn_publicsuffix and
  IO::Socket::SSL::PublicSuffix
  Thanks to noloader for pointing out the problem.
1.975 2014/04/02
- BEHAVIOR CHANGE: work around TEA misfeature on OS X builtin openssl, e.g.
  guarantee that only the explicitly given CA or the openssl default CA will
  be used. This means that certificates inside the OS X keyring will no
  longer be used, because there is no way to control the use by openssl
  (e.g. certificate pinning etc)
- make external tests run by default to make sure default CA works on all
  platforms, it skips automatically on network problems like timeouts or ssl
  interception, can also use http(s)_proxy environment variables
1.974 2014/04/02
- new function peer_certificates to get the whole certificate chain, needs
  Net::SSLeay>=1.58
- extended IO::Socket::Utils::CERT_asHash to provide way more information,
  like issuer information, cert and pubkey digests, all extensions, CRL
  distributions points and OCSP uri
1.973 2014/03/25
- with SSL_ca certificate handles can now be used additionally to
  SSL_ca_file and SSL_ca_path
- do not complain longer if SSL_ca_file and SSL_ca_path are both given,
  instead add both as options to the CA store
- Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create.
1.972 2014/03/23
- make sure t/external/usable_ca.t works also with older openssl without
  support for SNI. RT#94117. Thanks to paul[AT]city-fan[DOT]org
1.971 2014/03/22
- try to use SSL_hostname for hostname verification if no SSL_verifycn_name
  is given. This way hostname for SNI and verification can be specified in
  one step.
- new test program example/simulate_proxy.pl
1.970 2014/03/19
- fix rt#93987 by making sure sub default_ca does use a local $_ and not a
  version of an outer scope which might be read-only.  Thanks to gshank
1.969 2014/03/13
- fix set_defaults to match documentation regarding short names
- new function set_args_filter_hack to make it possible to override bad SSL
  settings from other code at the last moment.
- determine default_ca on module load (and not on first use in each thread)
- don't try default hostname verification if verify_mode 0
- fix hostname verification when reusing context
1.968 2014/03/13
- BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
  for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file.
  These defaults were depreceated since 1.951 (2013/7/3).
- Usable CA verification path on Windows etc:
  Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
  system/build dependended default verification path, because there was no
  way to retrieve these default values and check if they contained usable
  CA. Instead re-implement the same algorithm and export the results with
  public function default_ca() and make it possible to overwrite it.
  Also check for usable verification path during build.
  If no usable path are detected require Mozilla::CA at build and try to
  use it at runtime.

Log message:
Updating package for Perl5 module IO::Socket::SSL from CPAN in
security/p5-IO-Socket-SSL from 1.953 to 1.967.

Upstream changes:
1.967 2014/02/06
- verify the hostname inside a certificate by default with a superset of
  common verification schemes instead of not verifying identity at all.
  For now it will only complain if name verification failed, in the future
  it will fail certificate verification, forcing you to set the expected
  SSL_verifycn_name if you want to accept the certificate.
- new option SSL_fingerprint and new methods get_fingerprint and
  get_fingerprint_bin. Together they can be used to selectively accept
  specific certificates which would otherwise fail verification, like
  self-signed, outdated or from unknown CAs.
  This makes another reason to disable verification obsolete.
- Utils:
  - default RSA key length 2048
  - digest algorithm to sign certificate in CERT_create can be given,
    defaults to SHA-256
  - CERT_create can now issue non-CA selfsigned certificate
  - CERT_create add some more useful constraints to certificate
- spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi
1.966 2014/01/21
- fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with
  specifying !TLSv12, only !TLSv1_2 worked
- fixed leak of session objects in SessionCache, if another session
  replaced an existing session (introduced in 1.965)
1.965 2014/01/16
- new key SSL_session_key to influence how sessions are inserted and looked
  up in the clients session cache. This makes it possible to share sessions
  over different ip:host (like required with some FTPS servers)
- t/core.t - handle case, were default loopback source is not 127.0.0.1, like
  in FreeBSD jails
1.964 2014/01/15
- Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
  the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
- The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
  the syntax from OpenSSL. The old syntax continues to work in SSL_version.
- New functions get_sslversion and get_sslversion_int which get the SSL version
  of the establish session as string or int.
- disable t/io-socket-inet6.t if Acme::Override::INET is installed
1.963 2014/01/13
- fix behavior of stop_SSL: for blocking sockets it now enough to call it
  once, for non-blocking it should be called again as long as EAGAIN and
  SSL_ERROR is set to SSL_WANT_(READ|WRITE).
- don't call blocking if start_SSL failed and downgraded socket has no
  blocking method, thanks to tokuhirom
- documentation enhancements:
  - special section for differences to IO::Socket
  - describe problem with blocking accept on non-blocking socket
  - describe arguments to new_from_fd and make clear, that for upgrading an
    existing IO::Socket start_SSL should be used directly
1.962 2013/11/27
- work around problems with older F5 BIG-IP by offering fewer ciphers on the
  client side by default, so that the client hello stays below 255 byte
1.961 2013/11/26
- IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
  are not self-signed (by giving issuer_*)
1.960 2013/11/12
only documentation enhancements:
- clarify with text and example code, that within event loops not only
  select/poll should be used, but also pending has to be called.
- better introduction into SSL, at least mention anonymous authentication as
  something you don't want and should take care with the right cipher
- make it more clear, that user better does not change the cipher list, unless
  he really know what he is doing
1.959 2013/11/12
- bugfix test core.t windows only
1.958 2013/11/11
- cleanup: remove workaround for old IO::Socket::INET6 but instead require at
  least version 2.55 which is now 5 years old
- fix t/session.t #RT90240, thanks to  paul[AT]city-fan[DOT]org
1.957 2013/11/11
- fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
  authorization. With the DH param given by default since 1.956 old versions of
  openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
  authorization) instead of AES256-SHA and thus the check for the peer
  certificate failed (because ADH does not exchanges certificates).
  Fixed by explicitly specifying HIGH:!aNULL as cipher
  RT#90221, thanks to  paul[AT]city-fan[DOT]org
- cleaned up tests:
  - remove ssl_settings.req and 02settings.t, because all tests now create a
    simple socket at 127.0.0.1 and thus global settings are no longer needed.
  - some tests did not have use strict(!), fixed it.
  - removed special handling for older Net::SSLeay versions, which are less than
    our minimum requirement
  - some syntax enhancements, removed some SSL_version and SSL_cipher_list
    options where they were not really needed
1.956 2013/11/10
lots of behavior changes for more secure defaults:
- BEHAVIOR CHANGE: make default cipher list more secure, especially
  - no longer support MD5 by default (broken)
  - no longer support anonymous authentication by default (vulnerable to man in
    the middle attacks)
  - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
    it uses by default forward secrecy, if underlying Net::SSLeay/openssl
    supports it
  - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
    been fixed and now RC4 is considered less safe than 3DES)
  - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
    get the best cipher even if client prefers other ciphers
  PLEASE NOTE that this might break connections with older, less secure
  implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
  thus gets reused if context gets reused. PLEASE NOTE that using
  SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
  ciphers of the context.
- rework hostname verification schemes
  - add rfc names as scheme (e.g. 'rfc2818',...)
  - add SIP, SNMP, syslog, netconf, GIST
  - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
  - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
- BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
  but not 'www'
- anywhere wildcards like x* are no longer applied to IDNA names (which start
  with 'xn--')
- fix crash of Utils::CERT_free
- support TLSv11, TLSv12 as handshake protocols
1.955 2013/10/11
- support for forward secrecy using ECDH, if the Net::SSLeay/openssl version
  supports it.
1.954 2013/9/15
- accept older versions of ExtUtils::MakeMaker and add meta information
  like link to repository only for newer versions.

Log message:
Lower the minimum required OpenSSL version to 0.9.7 for MirBSD.

The MirBSD version contains fixes so the comment in Makefile.PL does
not apply.

Log message:
Update to 1.953:

1.953 2013/7/22
- fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at,
  RT#87052
1.952 2013/7/11
- fix t/acceptSSL-timeout.t on Win32, RT#86862
1.951 2013/7/3
- better document builtin defaults for key,cert,CA and how they are depreceated
- use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin
  defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins
  used)
1.950 2013/7/3
- MAJOR BEHAVIOR CHANGE:
  ssl_verify_mode now defaults to verify_peer for client.
  Until now it used verify_none, but loudly complained since 1.79 about it.
  It will not complain any longer, but the connection might probably fail.
  Please don't simply disable ssl verification, but instead set SSL_ca_file
  etc so that verification succeeds!
- MAJOR BEHAVIOR CHANGE:
  it will now complain if the builtin defaults of certs/my-ca.pem or ca/
  for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
  e.g. no certificates are specified explicitly.
  In the future these insecure (relative path!) defaults will be removed
  and the CA replaced with the system defaults.
v1.94 2013.06.01
- Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
  installed instead of reporting missing dependency to Net::SSLeay.
v1.93 2013.05.31
- need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
  years ago. Remove code to work around older releases.
- changed AUTHOR in Makefile.PL from array back to string, because the
  array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
v1.92 2013.05.30
- Intercept: use sha1-fingerprint of original cert for id into cache unless
  otherwise given
- Fix pod error in IO::Socket::SSL::Utils RT#85733
v1.91 2013.05.30
- added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
- moved SSL interception into IO::Socket::SSL::Intercept and simplified it
  using IO::Socket::SSL::Utils
- enhance meta information in Makefile.PL
v1.90 2013.05.27
- RT#85290, support more digest, especially SHA-2.
  Thanks to ujvari[AT]microsec[DOT]hu
- added support for easy SSL interception (man in the middle) based
  on ideas found in mojo-mitm proxy (which was written by Karel Miko)
- make 1.46 the minimal required version for Net::SSLeay, because it
  introduced lots of useful functions.
v1.89 2013.05.14
- if IO::Socket::IP is used it should be at least version 0.20, otherwise
  we get problems with HTTP::Daemon::SSL and maybe others (RT#81932)
- Spelling corrections, thanks to dsteinbrunner
v1.88 2013.05.02
- consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
  and SSL_cert* - some apps like Net::LDAP use it that way.
  Thanks to alexander[AT]kuehn[AT]nagilum[DOT]de for reporting the problem.
v1.87 2013.04.24
- RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or
  if they are not readable. Thanks to perl[AT]minty[DOT]org
- fix use of SSL_key|SSL_file objects instead of files, broken with 1.83

Log message:
Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.

Log message:
Update p5-IO-Socket-SSL to 1.86.

Changes from previous:
----------------------
v1.86 2013.04.17
- RT#84686 - don't complain about SSL_verify_mode is SSL_reuse_ctx,
  thanks to CLEACH
v1.85 2013.04.14
- probe for available modules with local __DIE__ and __WARN__handlers.
  fixes RT#84574, thanks to FRAZER
- fix warning, when IO::Socket::IP is installed and inet6 support gets explictly
  requested. RT#84619, thanks to Prashant[DOT]Tekriwal[AT]netapp[DOT]com
v1.84 2013.02.15
- disabled client side SNI for openssl version < 1.0.0 because of RT#83289
- added functions can_client_sni, can_server_sni, can_npn to check avaibility
  of SNI and NPN features. Added more documentation for SNI and NPN.
v1.83_1 2013.02.14
- seperated documention of non-blocking I/O from error handling
- changed and documented behavior of readline to return the read
  data on EAGAIN/EWOULDBLOCK in case of non-blocking socket.
  See https://github.com/noxxi/p5-io-socket-ssl/issues/1, thanks to
  mytram
v1.83 2013.02.03
- Server Name Indication (SNI) support on the server side, inspired by
  patch provided by karel[DOT]miko[AT]gmail[DOT]com.
  https://rt.cpan.org/Ticket/Display.html?id=82761
- reworked part of the documentation, like providing better examples.
v1.82 2013.01.28
- sub error sets $SSL_ERROR etc only if there really is an error,
  otherwise it will keep the latest error. This causes
  IO::Socket::SSL->new.. to report the correct problem, even if
  the problem is deeper in the code (like in connect)
- correct spelling, rt#8270. Thanks to ETHER
v1.81 2012.12.06
- deprecated set_ctx_defaults, new name ist set_defaults (but old name
  still available)
- changed handling of default path for SSL_(ca|cert|key)* keys: either
  if one of these keys is user defined don't add defaults for the
  others, e.g.  don't mix user settings and defaults
- cleaner handling of module defaults vs. global settings vs. socket
  specific settings. Global and socket specific settings are both
  provided by the user, while module defaults not.
- make IO::Socket::INET6 and IO::Socket::IP specific tests run both,
  even if both modules are installed by faking a failed load of the
  other module.
v1.80 2012.11.30
- removed some warnings in test (missing SSL_verify_mode => 0) which
  caused tests to hang on Windows.
  https://rt.cpan.org/Ticket/Display.html?id=81493
v1.79 2012.11.25
- prepare transition to a more secure default for SSL_verify_mode.
  The use of the current default SSL_VERIFY_NONE will cause a big warning
  for clients, unless SSL_verify_mode was explicitly set inside the
  application to this insecure value.
  In the near future the default will be SSL_VERIFY_PEER, and thus
  causing verification failures in unchanged applications.
v1.78 2012.11.25
- use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and
  PeerPort from sockaddr in _update_peer, because this provides scope
  too. Thanks to bluhm[AT]genua[DOT]de.
- work around systems which don't defined AF_INET6
  https://rt.cpan.org/Ticket/Display.html?id=81216
  Thanks to GAAS for reporting

Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Log message:
Update to 1.77:

v1.77 2012.10.05
- update_peer for IPv6 also, applied fix to
  https://rt.cpan.org/Ticket/Display.html?id=79916 by
  tlhackque[AT]yahoo[DOT]com

Log message:
Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.

Log message:
Updating package for Perl 5 module IO::Socket::SSL in
security/p5-IO-Socket-SSL from 1.74 to 1.76.

Upstream changes:
v1.76 2012.06.18
- no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if
  no current Socket.pm is available. Thanks to paul[AT]city-fan[DOT]org
  for pointing out the problem and providing first patch
v1.75 2012.06.15
- made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version