Subject: CVS commit: pkgsrc/security/p5-IO-Socket-SSL
From: Jens Rehsack
Date: 2014-02-16 13:13:00
Message id: 20140216121300.26C2C96@cvs.netbsd.org

Log Message:
Updating package for Perl5 module IO::Socket::SSL from CPAN in
security/p5-IO-Socket-SSL from 1.953 to 1.967.

Upstream changes:
1.967 2014/02/06
- verify the hostname inside a certificate by default with a superset of
  common verification schemes instead of not verifying identity at all.
  For now it will only complain if name verification failed, in the future
  it will fail certificate verification, forcing you to set the expected
  SSL_verifycn_name if you want to accept the certificate.
- new option SSL_fingerprint and new methods get_fingerprint and
  get_fingerprint_bin. Together they can be used to selectively accept
  specific certificates which would otherwise fail verification, like
  self-signed, outdated or from unknown CAs.
  This makes another reason to disable verification obsolete.
- Utils:
  - default RSA key length 2048
  - digest algorithm to sign certificate in CERT_create can be given,
    defaults to SHA-256
  - CERT_create can now issue non-CA selfsigned certificate
  - CERT_create add some more useful constraints to certificate
- spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi
1.966 2014/01/21
- fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with
  specifying !TLSv12, only !TLSv1_2 worked
- fixed leak of session objects in SessionCache, if another session
  replaced an existing session (introduced in 1.965)
1.965 2014/01/16
- new key SSL_session_key to influence how sessions are inserted and looked
  up in the client's session cache. This makes it possible to share sessions
  over different ip:host (like required with some FTPS servers)
- t/core.t - handle case where default loopback source is not 127.0.0.1, like
  in FreeBSD jails
1.964 2014/01/15
- Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
  the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
- The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
  the syntax from OpenSSL. The old syntax continues to work in SSL_version.
- New functions get_sslversion and get_sslversion_int which get the SSL version
  of the established session as string or int.
- disable t/io-socket-inet6.t if Acme::Override::INET is installed
1.963 2014/01/13
- fix behavior of stop_SSL: for blocking sockets it is now enough to call it
  once, for non-blocking it should be called again as long as EAGAIN and
  SSL_ERROR is set to SSL_WANT_(READ|WRITE).
- don't call blocking if start_SSL failed and downgraded socket has no
  blocking method, thanks to tokuhirom
- documentation enhancements:
  - special section for differences to IO::Socket
  - describe problem with blocking accept on non-blocking socket
  - describe arguments to new_from_fd and make clear that for upgrading an
    existing IO::Socket start_SSL should be used directly
1.962 2013/11/27
- work around problems with older F5 BIG-IP by offering fewer ciphers on the
  client side by default, so that the client hello stays below 255 byte
1.961 2013/11/26
- IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
  are not self-signed (by giving issuer_*)
1.960 2013/11/12
only documentation enhancements:
- clarify with text and example code that within event loops not only
  select/poll should be used, but also pending has to be called.
- better introduction into SSL, at least mention anonymous authentication as
  something you don't want and should take care with the right cipher
- make it more clear that the user better does not change the cipher list,
  unless he really knows what he is doing
1.959 2013/11/12
- bugfix test core.t windows only
1.958 2013/11/11
- cleanup: remove workaround for old IO::Socket::INET6 but instead require at
  least version 2.55 which is now 5 years old
- fix t/session.t #RT90240, thanks to paul[AT]city-fan[DOT]org
1.957 2013/11/11
- fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
  authorization. With the DH param given by default since 1.956 old versions of
  openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
  authorization) instead of AES256-SHA and thus the check for the peer
  certificate failed (because ADH does not exchange certificates).
  Fixed by explicitly specifying HIGH:!aNULL as cipher.
  RT#90221, thanks to paul[AT]city-fan[DOT]org
- cleaned up tests:
  - remove ssl_settings.req and 02settings.t, because all tests now create a
    simple socket at 127.0.0.1 and thus global settings are no longer needed.
  - some tests did not have use strict(!), fixed it.
  - removed special handling for older Net::SSLeay versions, which are less than
    our minimum requirement
  - some syntax enhancements, removed some SSL_version and SSL_cipher_list
    options where they were not really needed
1.956 2013/11/10
lots of behavior changes for more secure defaults:
- BEHAVIOR CHANGE: make default cipher list more secure, especially
  - no longer support MD5 by default (broken)
  - no longer support anonymous authentication by default (vulnerable to man in
    the middle attacks)
  - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
    it uses by default forward secrecy, if underlying Net::SSLeay/openssl
    supports it
  - move RC4 to the end, e.g. 3DES is preferred (BEAST attack should hopefully
    have been fixed and now RC4 is considered less safe than 3DES)
  - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
    get the best cipher even if client prefers other ciphers
  PLEASE NOTE that this might break connections with older, less secure
  implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
  thus gets reused if context gets reused. PLEASE NOTE that using
  SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on the
  ciphers of the context.
- rework hostname verification schemes
  - add rfc names as scheme (e.g. 'rfc2818',...)
  - add SIP, SNMP, syslog, netconf, GIST
  - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
  - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
- BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
  but not 'www'
- anywhere wildcards like x* are no longer applied to IDNA names (which start
  with 'xn--')
- fix crash of Utils::CERT_free
- support TLSv11, TLSv12 as handshake protocols
1.955 2013/10/11
- support for forward secrecy using ECDH, if the Net::SSLeay/openssl version
  supports it.
1.954 2013/9/15
- accept older versions of ExtUtils::MakeMaker and add meta information
  like link to repository only for newer versions.

Files:
Revision  Action  File
1.67      modify  pkgsrc/security/p5-IO-Socket-SSL/Makefile
1.47      modify  pkgsrc/security/p5-IO-Socket-SSL/distinfo
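A client-side example, added here and not part of the commit or of IO::Socket::SSL itself, showing the two verification paths the 1.967 changelog describes: explicit hostname verification with the secure cipher defaults from 1.956, and SSL_fingerprint pinning via get_fingerprint as the alternative to switching verification off. The host, port and CA bundle path are placeholders, not values from the commit.

```perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Placeholders (assumptions, not from the commit): target host/port and CA bundle.
my ($host, $port) = ('ssl.example.invalid', 443);
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';

# Case 1: full verification. The chain is checked against the CA bundle and
# the certificate name is checked against $host with the HTTPS scheme
# (rfc2818 in the 1.956 scheme names). The expected name is given explicitly
# rather than relying on the 1.967 default, which only warns on mismatch.
sub connect_verified {
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $ca_file,
        SSL_verifycn_scheme => 'http',
        SSL_verifycn_name   => $host,
        SSL_version         => 'TLSv1_2',          # 1.964 syntax, as in OpenSSL
        SSL_cipher_list     => 'HIGH:!aNULL:!MD5', # no anonymous auth, no MD5
    ) or die "verified connect to $host failed: $SSL_ERROR\n";
    return $sock;
}

# Case 2: pinning. For a self-signed or private-CA certificate, record its
# fingerprint once over a trusted channel and accept that certificate on the
# strength of the pin, instead of setting SSL_verify_mode => SSL_VERIFY_NONE.
sub record_fingerprint {
    my ($sock) = @_;
    # Returns "sha256$<hex>", which is exactly the SSL_fingerprint format.
    return $sock->get_fingerprint('sha256');
}

sub connect_pinned {
    my ($pin) = @_;
    return IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_fingerprint => $pin,   # e.g. 'sha256$ab12...' as returned above
        SSL_cipher_list => 'HIGH:!aNULL:!MD5',
    ) or die "pinned connect to $host failed: $SSL_ERROR\n";
}

my $sock = connect_verified();
my $pin  = record_fingerprint($sock);
$sock->close;
my $pinned = connect_pinned($pin);
print "pinned connection established using ", $pinned->get_sslversion, "\n";
```

The pin should be stored and compared out of band; a fingerprint first seen from an unverified connection pins whatever certificate was presented at that moment.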