---
- branch: MAIN
  date: Sun Feb 16 12:13:00 UTC 2014
  files:
  - new: '1.67'
    old: '1.66'
    path: pkgsrc/security/p5-IO-Socket-SSL/Makefile
    pathrev: pkgsrc/security/p5-IO-Socket-SSL/Makefile@1.67
    type: modified
  - new: '1.47'
    old: '1.46'
    path: pkgsrc/security/p5-IO-Socket-SSL/distinfo
    pathrev: pkgsrc/security/p5-IO-Socket-SSL/distinfo@1.47
    type: modified
  id: 20140216T121300Z.d094a922988e4b85f4882d35962ba3ba5f147a76
  log: |
    Updating package for Perl5 module IO::Socket::SSL from CPAN in
    security/p5-IO-Socket-SSL from 1.953 to 1.967.

    Upstream changes:
    1.967 2014/02/06
    - verify the hostname inside a certificate by default with a superset of
      common verification schemes instead of not verifying identity at all.
      For now it will only complain if name verification failed, in the future
      it will fail certificate verification, forcing you to set the expected
      SSL_verifycn_name if you want to accept the certificate.
    - new option SSL_fingerprint and new methods get_fingerprint and
      get_fingerprint_bin. Together they can be used to selectively accept
      specific certificates which would otherwise fail verification, like
      self-signed, outdated or from unknown CAs.
      This makes another reason to disable verification obsolete.
    - Utils:
      - default RSA key length 2048
      - digest algorithm to sign certificate in CERT_create can be given,
        defaults to SHA-256
      - CERT_create can now issue non-CA selfsigned certificate
      - CERT_create add some more useful constraints to certificate
    - spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi
    1.966 2014/01/21
    - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with
      specifying !TLSv12, only !TLSv1_2 worked
    - fixed leak of session objects in SessionCache, if another session
      replaced an existing session (introduced in 1.965)
    1.965 2014/01/16
    - new key SSL_session_key to influence how sessions are inserted and looked
      up in the clients session cache. This makes it possible to share sessions
      over different ip:host (like required with some FTPS servers)
    - t/core.t - handle case, were default loopback source is not 127.0.0.1, like
      in FreeBSD jails
    1.964 2014/01/15
    - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
      the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
    - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
      the syntax from OpenSSL. The old syntax continues to work in SSL_version.
    - New functions get_sslversion and get_sslversion_int which get the SSL version
      of the establish session as string or int.
    - disable t/io-socket-inet6.t if Acme::Override::INET is installed
    1.963 2014/01/13
    - fix behavior of stop_SSL: for blocking sockets it now enough to call it
      once, for non-blocking it should be called again as long as EAGAIN and
      SSL_ERROR is set to SSL_WANT_(READ|WRITE).
    - don't call blocking if start_SSL failed and downgraded socket has no
      blocking method, thanks to tokuhirom
    - documentation enhancements:
      - special section for differences to IO::Socket
      - describe problem with blocking accept on non-blocking socket
      - describe arguments to new_from_fd and make clear, that for upgrading an
        existing IO::Socket start_SSL should be used directly
    1.962 2013/11/27
    - work around problems with older F5 BIG-IP by offering fewer ciphers on the
      client side by default, so that the client hello stays below 255 byte
    1.961 2013/11/26
    - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
      are not self-signed (by giving issuer_*)
    1.960 2013/11/12
    only documentation enhancements:
    - clarify with text and example code, that within event loops not only
      select/poll should be used, but also pending has to be called.
    - better introduction into SSL, at least mention anonymous authentication as
      something you don't want and should take care with the right cipher
    - make it more clear, that user better does not change the cipher list, unless
      he really know what he is doing
    1.959 2013/11/12
    - bugfix test core.t windows only
    1.958 2013/11/11
    - cleanup: remove workaround for old IO::Socket::INET6 but instead require at
      least version 2.55 which is now 5 years old
    - fix t/session.t #RT90240, thanks to  paul[AT]city-fan[DOT]org
    1.957 2013/11/11
    - fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
      authorization. With the DH param given by default since 1.956 old versions of
      openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
      authorization) instead of AES256-SHA and thus the check for the peer
      certificate failed (because ADH does not exchanges certificates).
      Fixed by explicitly specifying HIGH:!aNULL as cipher
      RT#90221, thanks to  paul[AT]city-fan[DOT]org
    - cleaned up tests:
      - remove ssl_settings.req and 02settings.t, because all tests now create a
        simple socket at 127.0.0.1 and thus global settings are no longer needed.
      - some tests did not have use strict(!), fixed it.
      - removed special handling for older Net::SSLeay versions, which are less than
        our minimum requirement
      - some syntax enhancements, removed some SSL_version and SSL_cipher_list
        options where they were not really needed
    1.956 2013/11/10
    lots of behavior changes for more secure defaults:
    - BEHAVIOR CHANGE: make default cipher list more secure, especially
      - no longer support MD5 by default (broken)
      - no longer support anonymous authentication by default (vulnerable to man in
        the middle attacks)
      - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
        it uses by default forward secrecy, if underlying Net::SSLeay/openssl
        supports it
      - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
        been fixed and now RC4 is considered less safe than 3DES)
      - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
        get the best cipher even if client prefers other ciphers
      PLEASE NOTE that this might break connections with older, less secure
      implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
    - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
      thus gets reused if context gets reused. PLEASE NOTE that using
      SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
      ciphers of the context.
    - rework hostname verification schemes
      - add rfc names as scheme (e.g. 'rfc2818',...)
      - add SIP, SNMP, syslog, netconf, GIST
      - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
      - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
    - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
      but not 'www'
    - anywhere wildcards like x* are no longer applied to IDNA names (which start
      with 'xn--')
    - fix crash of Utils::CERT_free
    - support TLSv11, TLSv12 as handshake protocols
    1.955 2013/10/11
    - support for forward secrecy using ECDH, if the Net::SSLeay/openssl version
      supports it.
    1.954 2013/9/15
    - accept older versions of ExtUtils::MakeMaker and add meta information
      like link to repository only for newer versions.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/p5-IO-Socket-SSL'
  unixtime: '1392552780'
  user: sno