Subject: CVS commit: pkgsrc/security/p5-IO-Socket-SSL
From: Thomas Klausner
Date: 2014-05-15 12:01:43
Message id: 20140515100143.5729296@cvs.netbsd.org

Log Message:
Update to 1.985:

1.985 2014/05/15
- make OCSP callback return 1 even if it was called on the server side
  because of bad setup of the socket. Otherwise we get an endless calling
  of the OCSP callback.
- consider an OCSP response which is not yet or no longer valid a soft error
  instead of an hard error
- fix skip in t/external/ocsp.t in case fingerprint does not match
- RT#95633 call EVP_PKEY_free not EVP_KEY_free in
  IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org
- util/analyze.pl - with --show-chain check if chain with SNI is different
  from chain w/o SNI.
1.984 2014/05/10
- added OCSP support:
  - needs Net::SSLeay >=1.59
  - for usage see documentation of IO::Socket::SSL (examples and anything with
    OCSP in the name)
- new tool util/analyze-ssl.pl which is intended to help in debugging of SSL
  problems and to get information about capabilities of server. Works also
  as en example of how to use various features (like OCSP, SNI..)
- fix peer_certificates (returns leaf certificate only once on client side)
- added timeout for stop_SSL (either with Timeout or with the default
  timeout for IO::Socket)
- fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
  time is not GMT. Use Net::SSLeay::ASN1_TIME_timet if available.
- fix t/external/usable_ca.t for system with junk in CA files
1.983 2014/05/03
- fix public suffix handling: ajax.googleapis.com should be ok even if googleapis.com
  is in public suffix list (e.g. check one level less)
  #95317, thanks to purification[AT]ukr[DOT]net
- usable_ca.t - update fingerprints after heartbleed attack
- usable_ca.t - make sure we have usable CA for tested hosts in CA store
1.982 2014/04/24
- fix for using subroutine as argument to set_args_filter_hack
1.981 2014/04/08
- #95432 fix ecdhe Test for openssl1.0.1d, thanks to  paul[AT]city-fan[DOT]org
- fix detection of openssl1.0.1d (detected 1.0.1e instead)
- new function can_ecdh in IO::Socket::SSL
1.980 2014/04/08
- fixed incorrect calculation of certificate fingerprint in get_fingerprint*
  and comparison in SSL_fingerprint. Thanks to
  david[DT]palmer[AT]gradwell[DOT]com for reporting.
- disable elliptic curve support for openssl 1.0.1d on 64bit because of
  openssl rt#2975
1.979 2014/04/06
- hostname checking:
  - configuration of 'leftmost' is renamed to 'full_label', but the old
    version is kept for compatibility reasons.
  - documentation of predefined schemes fixed to match reality
1.978 2014/04/04
- RT#94424 again, fix test on older openssl version with no SNI support
1.977 2014/04/04
- fix publicsuffix for IDNA, more tests with various IDNA libs
  RT#94424. Thanks to paul[AT]city-fan[DOT]org
- reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
- add more checks to external/usable_ca.t. Now it is enough that at least
  one of the hosts verifies against the builtin CA store
- add openssl and Net::SSleay version to diagnostics in load test
1.976 2014/04/03
- added public prefix checking to verification of wildcard certificates,
  e.g. accept *.foo.com but not *.co.uk.
  See documentation of SSL_verifycn_publicsuffix and
  IO::Socket::SSL::PublicSuffix
  Thanks to noloader for pointing out the problem.
1.975 2014/04/02
- BEHAVIOR CHANGE: work around TEA misfeature on OS X builtin openssl, e.g.
  guarantee that only the explicitly given CA or the openssl default CA will
  be used. This means that certificates inside the OS X keyring will no
  longer be used, because there is no way to control the use by openssl
  (e.g. certificate pinning etc)
- make external tests run by default to make sure default CA works on all
  platforms, it skips automatically on network problems like timeouts or ssl
  interception, can also use http(s)_proxy environment variables
1.974 2014/04/02
- new function peer_certificates to get the whole certificate chain, needs
  Net::SSLeay>=1.58
- extended IO::Socket::Utils::CERT_asHash to provide way more information,
  like issuer information, cert and pubkey digests, all extensions, CRL
  distributions points and OCSP uri
1.973 2014/03/25
- with SSL_ca certificate handles can now be used additionally to
  SSL_ca_file and SSL_ca_path
- do not complain longer if SSL_ca_file and SSL_ca_path are both given,
  instead add both as options to the CA store
- Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create.
1.972 2014/03/23
- make sure t/external/usable_ca.t works also with older openssl without
  support for SNI. RT#94117. Thanks to paul[AT]city-fan[DOT]org
1.971 2014/03/22
- try to use SSL_hostname for hostname verification if no SSL_verifycn_name
  is given. This way hostname for SNI and verification can be specified in
  one step.
- new test program example/simulate_proxy.pl
1.970 2014/03/19
- fix rt#93987 by making sure sub default_ca does use a local $_ and not a
  version of an outer scope which might be read-only.  Thanks to gshank
1.969 2014/03/13
- fix set_defaults to match documentation regarding short names
- new function set_args_filter_hack to make it possible to override bad SSL
  settings from other code at the last moment.
- determine default_ca on module load (and not on first use in each thread)
- don't try default hostname verification if verify_mode 0
- fix hostname verification when reusing context
1.968 2014/03/13
- BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
  for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file.
  These defaults were depreceated since 1.951 (2013/7/3).
- Usable CA verification path on Windows etc:
  Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
  system/build dependended default verification path, because there was no
  way to retrieve these default values and check if they contained usable
  CA. Instead re-implement the same algorithm and export the results with
  public function default_ca() and make it possible to overwrite it.
  Also check for usable verification path during build.
  If no usable path are detected require Mozilla::CA at build and try to
  use it at runtime.

Files:
RevisionActionfile
1.68modifypkgsrc/security/p5-IO-Socket-SSL/Makefile
1.48modifypkgsrc/security/p5-IO-Socket-SSL/distinfo