-
Notifications
You must be signed in to change notification settings - Fork 45
/
Changes
2166 lines (2067 loc) · 106 KB
/
Changes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Revision history for Perl extension Net::SSLeay.
1.95_01 yyyy-mm-dd
- Skip NPN tests when NPN is disabled in OpenSSL instead o
assuming NPN is always enabled. Reported by GitHub user
dilyanpalauzov Дилян Палаузов.
1.94 2024-01-08
- New stable release incorporating all changes from developer releases 1.93_01
to 1.93_05.
- Summary of major changes since version 1.92:
- Net::SSLeay now officially supports all stable releases of OpenSSL 3.1 and
3.2, and LibreSSL 3.5 - 3.8.
- Many noisy compiler warnings have been silenced - if SSLeay.xs fails to
compile, it should now be much easier to identify the cause.
- libcrypto's OPENSSL_init_crypto() function and libssl's OPENSSL_init_ssl()
function are now exposed, enabling fine-grained control over the
initialisation and configuration of both libraries.
- libssl functions implementing TLS 1.3 PSK authentication are now exposed,
in particular SSL_CTX_set_psk_find_session_callback() (on the server side)
and SSL_CTX_set_psk_use_session_callback() (on the client side).
- libssl functions implementing server-side TLS 1.2 PSK authentication are
now exposed, in particular SSL_CTX_set_psk_server_callback().
- libssl's SSL_CTX_set_client_hello_cb() function is now exposed, allowing a
TLS server to set a callback function that is executed when the server
processes a ClientHello message.
- Many more libcrypto/libssl constants and functions are now exposed; see the
release notes for the 1.93 developer releases for a full list.
1.93_05 2024-01-06
- Remove support for automatic detection of libssl/libcrypto via pkg-config
with ExtUtils::PkgConfig if it is installed, due to the compiler and linker
options provided by pkg-config being used unconditionally (which is
incompatible with the OPENSSL_PREFIX detection method). The implementation of
this was merged in time for developer release 1.93_03 and therefore hasn't
been included in a stable release yet, so this doesn't represent a breaking
change to the way in which libssl/libcrypto are detected by Makefile.PL. This
is, however, a very useful feature, and we intend to bring it back in time
for Net-SSLeay 1.96 after ironing out the remaining bugs.
1.93_04 2024-01-05
- Use -DOPENSSL_API_COMPAT=908 when compiling SSLeay.xs to
suppress OpenSSL deprecation warnings.
- Expose a number of functions that were added in recent
LibreSSL releases or were not otherwise exposed before:
- SSL(_CTX)_get/set_security_level in LibreSSL 3.6.0
- SSL(_CTX)_get/set_num_tickets in LibreSSL 3.5.0
- SSL(_CTX)_set_ciphersuites in LibreSSL 3.4.0
- EVP_PKEY_security_bits in LibreSSL 3.6.0
- SSL_CTX_set_keylog_callback in LibreSSL 3.5.0
- SSL_is_dtls in LibreSSL 3.3.2
- Remove Tuure Vartiainen as an active contributor. Tuure's contributions were
instrumental in the transition from ad hoc testing to CI-based testing, which
has greatly improved Net-SSLeay's stability, reliability and compatibility.
Thanks for your contributions, Tuure!
1.93_03 2024-01-02
- Pass RAND_seed()'s sole argument to the underlying RAND_seed() function in
libcrypto, rather than passing the value of a non-existent second argument.
Fixes GH-427. Thanks to cgf1 for the report.
- Avoid explicit and implicit use of weak hash algorithms,
such as MD5 and SHA-1, in test suite. This allows tests
44_sess.t and 45_exporter.t to correctly work on systems
where crypto policies prohibit their direct use and TLS
versions that require them. An example of such a system is
Rocky Linux 9.2. Any Red Hat Enterprise Linux 9 and derived
system is likely to have similar behaviour. Thanks to Paul
Howarth for the investigation and patches.
- LibreSSL 3.8.0 release notes state: The POLICY_TREE and its
related structures and API were removed. The affected
Net::SSLeay functions are:
- X509_policy_level_get0_node
- X509_policy_level_node_count
- X509_policy_node_get0_parent
- X509_policy_node_get0_policy
- X509_policy_node_get0_qualifiers
- X509_policy_tree_free
- X509_policy_tree_get0_level
- X509_policy_tree_get0_policies
- X509_policy_tree_get0_user_policies
- X509_policy_tree_level_count
Patch by GitHub user orbea.
- Add OpenSSL 3.1 and LibreSSL 3.7 minor releases to GitHub CI testing.
Update the previous minor releases to their latest versions. Add
NetBSD to BSDs job and update the other BSDs and Alpine Linux jobs to
cover additional and latest releases. Use the latest MacOS runners.
- Expose SSL_CTX_set_client_hello_cb for setting a callback
the server calls when it processes a ClientHello. Expose the
following functions that can be called only from the
callback. None of these are available with LibreSSL.
- SSL_client_hello_isv2
- SSL_client_hello_get0_legacy_version
- SSL_client_hello_get0_random
- SSL_client_hello_get0_session_id
- SSL_client_hello_get0_ciphers
- SSL_client_hello_get0_compression_methods
- SSL_client_hello_get1_extensions_present
- SSL_client_hello_get_extension_order
- SSL_client_hello_get0_ext
- Expose constants used by SSL_CTX_set_client_hello_cb related
functions.
- AD_ prefixed constants naming TLS alert codes for
returning from a ClientHello callback or where alert types
are used
- CLIENT_HELLO_ERROR, CLIENT_HELLO_RETRY and
CLIENT_HELLO_SUCCESS for returning from a ClientHello
callback
- TLSEXT_TYPE_ prefixed contants for naming TLS extension
types
- Expose functions for setting up TLS PSK on the server
side. Only SSL_CIPHER_find is available with LibreSSL.
- SSL_use_psk_identity_hint
- SSL_CTX_use_psk_identity_hint
- SSL_set_psk_server_callback
- SSL_CTX_set_psk_server_callback
- SSL_set_psk_find_session_callback
- SSL_CTX_set_psk_find_session_callback
- SSL_SESSION_set1_master_key
- SSL_SESSION_set_cipher
- SSL_SESSION_set_protocol_version
- SSL_CIPHER_find
- Expose NID_shake128, NID_shake256 and the rest of NID_sha* constants.
- Expose functions for setting up TLS 1.3 PSK authentication
on the client side. Only SSL_SESSION_get0_cipher is
available with LibreSSL.
- SSL_set_psk_use_session_callback
- SSL_CTX_set_psk_use_session_callback
- SSL_CIPHER_get_handshake_digest
- SSL_SESSION_get0_cipher
- EVP_MD_get0_description
- EVP_MD_get0_name
- EVP_MD_get_type
- Major documentation cleanup. Thanks to John Jetmore.
- Add constants for specifying version field for certificates,
certificate requests and CRLs. Available in OpenSSL 3.0:
- X509_VERSION_1, X509_VERSION_2 and X509_VERSION_3
- X509_REQ_VERSION_1, X509_REQ_VERSION_2 and X509_REQ_VERSION_3
- X509_CRL_VERSION_1 and X509_CRL_VERSION_2
- Remove conditional compilation checks from SSLeay.xs and
compatilibty notes from SSLeay.pod for OpenSSL versions
earlier than 0.9.8. This includes all 0.9.7 and earlier
releases down to 0.9.3a. Update tests respectively.
- Add OpenSSL 3.2 and LibreSSL 3.8 minor releases to GitHub CI
testing. Update existing OpenSSL releases to 1.1.1w, 3.0.12
and 3.1.4.
- Support compiling SSLeay.xs with a C++ compiler. Thanks to
James E Keenan and GitHub user twata1 for suggesting this,
testing and providing detailed test reports. Tested with GCC
13 g++, Clang 17 clang++ and Visual Studio Community 2022
C++ compilers. Discussion in GH-425 and GH-438.
- Add constants for OPENSSL_init_crypto and related functions:
- CONF_MFLAGS_DEFAULT_SECTION
- CONF_MFLAGS_IGNORE_ERRORS
- CONF_MFLAGS_IGNORE_MISSING_FILE
- CONF_MFLAGS_IGNORE_RETURN_CODES
- CONF_MFLAGS_NO_DSO
- CONF_MFLAGS_SILENT
- OPENSSL_INIT_ADD_ALL_CIPHERS
- OPENSSL_INIT_ADD_ALL_DIGESTS
- OPENSSL_INIT_ASYNC
- OPENSSL_INIT_ATFORK
- OPENSSL_INIT_ENGINE_AFALG
- OPENSSL_INIT_ENGINE_CAPI
- OPENSSL_INIT_ENGINE_CRYPTODEV
- OPENSSL_INIT_ENGINE_DYNAMIC
- OPENSSL_INIT_ENGINE_OPENSSL
- OPENSSL_INIT_ENGINE_PADLOCK
- OPENSSL_INIT_ENGINE_RDRAND
- OPENSSL_INIT_LOAD_CONFIG
- OPENSSL_INIT_LOAD_CRYPTO_STRINGS
- OPENSSL_INIT_LOAD_SSL_STRINGS
- OPENSSL_INIT_NO_ADD_ALL_CIPHERS
- OPENSSL_INIT_NO_ADD_ALL_DIGESTS
- OPENSSL_INIT_NO_ATEXIT
- OPENSSL_INIT_NO_LOAD_CONFIG
- OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS
- OPENSSL_INIT_NO_LOAD_SSL_STRINGS
- Expose functions for OpenSSL libcrypto and libssl
initialisation, configuration and deinitialisation.
These are available in OpenSSL 1.1.0 and later:
- OPENSSL_init_ssl and OPENSSL_init_crypto
- OPENSSL_cleanup, also in LibreSSL 3.6.0
- OPENSSL_INIT_new and OPENSSL_INIT_free
- OPENSSL_INIT_set_config_filename
- OPENSSL_INIT_set_config_appname
- OPENSSL_INIT_set_config_file_flags
- Add new test file 23_openssl_init.t for OPENSSL_init_ssl and
related functions.
- Support finding OpenSSL libraries using
ExtUtils::PkgConfig. Thanks to Paul Howarth for the patch.
- Fix a number of cases where variables were declared after
code triggering Gcc and Clang warning
-Wdeclaration-after-statement. This is supported by C
language version C99 and used by Perl 5.35.5 and
later. SSLeay.xs is likely compiled with compilers that do
not support this, therefore such constructs are avoided in
SSLeay.xs. Thanks to GitHub user bulk88 for the patch.
- Fix _CRT_SECURE_NO_DEPRECATE warning on Windows. Fix OpenSSL
library file path detection loop in Makefile.PL. Both thanks
to bulk88.
- Update Shining Light OpenSSL detection to work with OpenSSL
1.1.1w, 3.0.12, 3.1.4 and 3.2.0 installers. Caveats: when
both 32bit and 64bit versions are installed, OpenSSL library
path detection may pick the wrong version. Static
compilation needs seems not to work with the these
versions. Thanks to bulk88 for the initial updates.
- Tone down Makefile.PL and README warning against mixing
compilers and flags when compiling OpenSSL, Perl and
Net::SSLeay. This may still be a requirement on some
platforms, but, for example, with Linux and macOS mixing
clang and gcc appears to work.
- Add general installation instructions in README. Thanks to
GitHub user viviparous. Update README and README.OSX.
1.93_02 2023-02-22
- Update ppport.h to version 3.68. This eliminates thousands of
compound-token-split-by-macro compiler warnings when building Net-SSLeay with
Clang 12 or greater. Partially fixes GH-383.
- Silence compound-token-split-by-macro warnings when building Net-SSLeay with
Clang 12 or greater. Fixes the remainder of GH-383.
- When building Net-SSLeay, search for the openssl binary in the same directory
in which Perl is installed (i.e. $Config{prefix}/bin/). Thanks to Henrik
Grimler for the patch.
- Expose EVP_PKEY_security_bits. Thanks to Felipe Gasper.
- Major update to Gihub Actions configuration. Thanks to Felipe Gasper.
New testing targets are:
- OpenSSL and LibreSSL on Alpine Linux on i386, x390x, arm32v6,
ar32v7 and arm64v8 architectures.
- OpenSSL and LibreSSL on Ubuntu on i386, x390x, ar32v7 and arm64v8
architectures.
- OpenSSL on FreeBSD 13.0, not enabled yet because of GH #272 and #394
- LibreSSL on FreeBSD 13.0
- LibreSSL on OpenBSD 6.9
- LibreSSL on OpenBSD 7.1
- Cygwin on x86_64
- Fix compilation failure using cl. Microsoft cl compiler do
not like when preprocessor directives are inside a
macro. Fixes GH-403. Thanks to Jean-Damien Durand.
- Update CTX_use_PKCS12_file() and CTX_use_PKCS12_file() to
use BIO functions for avoiding "no OPENSSL_Applink" runtime
errors. Fixes GH-281 and RT#101638. Thanks to Jean-Damien
Durand.
- Add to README.Win32 more information about OPENSSL_Applink
and how it may be needed with FILE pointers and POSIX/Unix
fds. Recommended method is to avoid them and use OpenSSL BIO
functions instead. Update SSLeay.pod with alternatives to
Net::SSLeay::SESSION_print_fp(). Closes GH-411.
- Refactor variable declarations in RSA_generate_key to allow SSLeay.xs to
compile under -Werror=declaration-after-statement. Fixes GH-407. Thanks to
dharanlinux for the report.
- Fix memory leaks after calls to X509_get_ext_d2i. Thanks to Anton Borowka.
- Documentation fix: Correct CRL revocation reasons in
P_X509_CRL_add_revoked_serial_hex(). Closes GH-397. Reported
by Marc Reisner.
- Support stable releases of LibreSSL 3.5 and 3.6.
- Update callback set by SSL_set_session_secret_cb to adjust
master secret's length. This is needed with OpenSSL 1.1.1
and later that provide buffer that is now longer than 48
octets. Fix Net::SSLeay::get_keyblock_size() size
calculation with AEAD ciphers. These functions were
originally added to OpenSSL and Net::SSLeay for
EAP-FAST. These changes allow EAP-FAST to work with AEAD
ciphers and with OpenSSL versions 1.1.1 and later.
- Remove code guarded by obsolete
SSL_F_SSL_SET_HELLO_EXTENSION #ifdef. This was used by the
initial EAP-FAST related OpenSSL patch which was never part
of the OpenSSL distribution.
- PEM_get_string_PrivateKey() currently uses DES-CBC as its
default encryption algorithm. Test 33_x509_create_cert.t now
skips testing the default algorithm on systems that support
providers but don't have the legacy provider available. One
such system is FreeBSD 13.0 with OpenSSL which was added as
disabled in GitHub actions by PR GH-402 but can now be
enabled. Long term fix is to replace DES-CBC with a modern
cipher. Allows closing GH-394.
1.93_01 2022-03-20
- LibreSSL 3.5.0 has removed access to internal data
structures: Use X509_get0_tbs_sigalg() and
OCSP_SINGLERESP_get0_id() like in OpenSSL 1.1. Also use
RSA_get0... with RSA_get_key_parameters(). Thanks to
Alexander Bluhm.
- Expose SSL_CTX_get_min_proto_version(),
SSL_CTX_get_max_proto_version(), SSL_get_min_proto_version()
and SSL_get_max_proto_version() with LibresSSL 3.4.0 and
later. Thanks to Alexander Bluhm.
- Update tests 07_sslecho.t and 44_sess.t to work around
failures seen on Windows with Perls earlier than 5.20. For
the details, see GH-356 and look for CloseHandle() in Perl
5.20.0 changelog. Thanks to GitHub user twata1 for the
report and additional help.
- Alexander's recent work with RSA_get_key_parameters(),
allows to make it available with all OpenSSL versions. It
was already available with versions earlier than 1.1.0.
- Expose BN_dup(), BN_clear(), BN_clear_free() and BN_free().
- Use PTR2IV instead of direct cast to IV to fix compilation
warning with SSLeay.xs internal function bn2sv().
- Expose X509_CRL_get0_lastUpdate(),
X509_CRL_get0_nextUpdate(), X509_CRL_set1_lastUpdate() and
X509_CRL_set1_nextUpdate() that became available with
OpenSSL 1.1.0 and LibreSSL 2.7.0. These, and the respective
deprecated _get/set_ aliases, are available with all OpenSSL
and LibreSSL versions. Fixes part of RT#124371.
- Note in documentation that the X509_CRL_get* functions
return a pointer to time structure that should be considered
read-only.
- Use ASN1_STRING_get0_data() instead of ASN1_STRING_data() to
avoid compile time deprecation warnings. Partly fixes
RT#124371.
- Add the following constants from Current OpenSSL master branch:
- SSL_ASYNC_PAUSED
- SSL_ASYNC_NO_JOBS
- SSL_CLIENT_HELLO_CB
- SSL_ERROR_WANT_ASYNC
- SSL_ERROR_WANT_ASYNC_JOB
- SSL_ERROR_WANT_CLIENT_HELLO_CB
- SSL_ERROR_WANT_RETRY_VERIFY
- SSL_MODE_ASYNC
- SSL_MODE_NO_AUTO_CHAIN
- SSL_OP_ALLOW_CLIENT_RENEGOTIATION
- SSL_OP_CLEANSE_PLAINTEXT
- SSL_OP_DISABLE_TLSEXT_CA_NAMES
- SSL_OP_ENABLE_KTLS
- SSL_OP_IGNORE_UNEXPECTED_EOF
- SSL_OP_NO_EXTENDED_MASTER_SECRET
- SSL_RETRY_VERIFY
- SSL_SESS_CACHE_UPDATE_TIME
- X509_TRUST_DEFAULT
- X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL
- X509_V_ERR_CA_BCONS_NOT_CRITICAL
- X509_V_ERR_CA_CERT_MISSING_KEY_USAGE
- X509_V_ERR_EC_KEY_EXPLICIT_PARAMS
- X509_V_ERR_EMPTY_SUBJECT_ALT_NAME
- X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL
- X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3
- X509_V_ERR_ISSUER_NAME_EMPTY
- X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA
- X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER
- X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER
- X509_V_ERR_NO_ISSUER_PUBLIC_KEY
- X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA
- X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN
- X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY
- X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH
- X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL
- X509_V_ERR_SUBJECT_NAME_EMPTY
- X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
- Expose X509_get0_notBefore(), X509_getm_notBefore()
X509_get0_nextAfter() and X509_getm_nextAfter() that became
available with OpenSSL 1.1.0 and LibreSSL 2.7.0. These, and
the deprecated _get functions, are available, as aliases
when needed, with all OpenSSL and LibreSSL versions. Fixes
GH-367.
- Only export the TLSv1*_method() functions when support for the respective TLS
version is available in the underlying libssl library. This allows
Net::SSLeay to be built against libssl libraries that were compiled without
support for old TLS versions.
1.92 2022-01-12
- New stable release incorporating all changes from developer releases 1.91_01
to 1.91_03.
- Summary of major changes since version 1.90:
- Net::SSLeay now supports stable releases of OpenSSL 3.0.
- OpenSSL 3.0.0 introduces the concept of "providers", which contain
cryptographic algorithm implementations. Many outdated, deprecated and/or
insecure algorithms have been moved to the "legacy" provider, which may
need to be loaded explicitly in order to use them with Net::SSLeay. See
"Low level API: OSSL_LIB_CTX and OSSL_PROVIDER related functions" in the
Net::SSLeay module documentation for details.
- Net::SSLeay's built-in PEM_get_string_PrivateKey() function depends on
algorithms that have moved to the legacy provider described above; if
OpenSSL has been compiled without the legacy provider, the tests
t/local/33_x509_create_cert.t and t/local/63_ec_key_generate_key.t will
fail when the test suite is run.
- TLS 1.1 and below may only be used at security level 0 as of OpenSSL
3.0.0; if a minimum required security level is imposed (e.g. in an
OpenSSL configuration file managed by the operating system), the tests
t/local/44_sess.t and t/local/45_exporter.t will fail when the test suite
is run.
- Net::SSLeay now supports stable releases of LibreSSL from the 3.2 - 3.4
series (with the exception of 3.2.2 and 3.2.3 - see "COMPATIBILITY" in the
Net::SSLeay module documentation for details).
- The TLS 1.3 implementation in LibreSSL 3.1 - 3.3, parts of which are
enabled by default, is not fully compatible with the libssl API and may
not function as expected with Net::SSLeay; see "KNOWN BUGS AND CAVEATS"
in the Net::SSLeay module documentation for details.
- A number of new libcrypto/libssl constants and functions are now exposed,
including SSL_CTX_set_keylog_callback() and SSL_CTX_set_msg_callback(),
which are helpful when debugging TLS handshakes. See the release notes for
the 1.91 developer releases below for a full list of newly-exposed
constants and functions.
1.91_03 2022-01-10
- Avoid misclassifying Clang as GCC in Test::Net::SSLeay's can_thread()
function. This fixes test failures in 61_threads-cb-crash.t and
62_threads-ctx_new-deadlock.t on OpenBSD and FreeBSD (and possibly other OSes
too). Fixes GH-350.
- Add the following constants for OpenSSL_version():
- OPENSSL_CPU_INFO
- OPENSSL_FULL_VERSION_STRING
- OPENSSL_MODULES_DIR
- OPENSSL_VERSION_STRING
These constants are new in OpenSSL 3.0.0 release.
- Update test 03_use.t to print information returned by the new constants.
- Add more information to 03_use.t print output, including printing
OPENSSL_VERSION_NUMBER as a 32bit hex number.
- Add the following constants for OPENSSL_info() added in OpenSSL 3.0.0.
- OPENSSL_INFO_CONFIG_DIR
- OPENSSL_INFO_CPU_SETTINGS
- OPENSSL_INFO_DIR_FILENAME_SEPARATOR
- OPENSSL_INFO_DSO_EXTENSION
- OPENSSL_INFO_ENGINES_DIR
- OPENSSL_INFO_LIST_SEPARATOR
- OPENSSL_INFO_MODULES_DIR
- OPENSSL_INFO_SEED_SOURCE
- Expose OPENSSL_info(), OPENSSL_version_major(),
OPENSSL_version_minor(), OPENSSL_version_patch(),
OPENSSL_version_pre_release() and
OPENSSL_version_build_metadata() added in OpenSSL
3.0.0. Update 03_use.t diagnostics and 04_basic.t tests to
use these functions.
- Clarify documentation of OpenSSL_version_num(), SSLeay(),
SSLeay_version() and OpenSSL_version().
- Add notes to OpenSSL_version_num() and SSLeay() on how to
determine if the library is OpenSSL or LibreSSL and how to
interpret the version number these functions return.
- Add constants OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR
and OPENSSL_VERSION_PATCH. Update
OPENSSL_version_major/minor/patch documentation to describe
how these library functions relate to Net-SSLeay compile
time constants. Add tests to verify the constants and
functions return equal values.
1.91_02 2021-12-29
- On OpenVMS, detect vendor SSL111 product based on OpenSSL 1.1.x.
- Cast the return value of OCSP_SINGLERESP_get0_id to fix a
const/non-const mismatch warning that broke the build on OpenVMS.
- Create SSL_CTXs with Test::Net::SSLeay's new_ctx() function for tests that
are broken with LibreSSL 3.2. Partially fixes GH-232.
- In 36_verify.t, account for the presence of the X509_V_FLAG_LEGACY_VERIFY
flag (signalling the use of the legacy X.509 verifier) in LibreSSL 3.2
versions from 3.2.4 onwards. Fixes the remainder of GH-232.
- Note in the Net::SSLeay documentation that the TLS 1.3 implementation in
LibreSSL 3.1 - 3.3, parts of which are enabled by default, is not
libssl-compatible. See the "KNOWN BUGS AND CAVEATS" section of
lib/Net/SSLeay.pod for details.
- Add constants for, but not limited to,
SSL_CTX_set_msg_callback and SSL_set_msg_callback functions:
SSL3_RT_* for record content types, SSL3_MT_* for Handshake
and ChangeCipherSpec message types, SSL2_VERSION to
complement the list of existing SSL and TLS version
constants and SSL2_MT_* for SSLv2 Handshake messages.
- Expose SSL_CTX_set_keylog_callback and
SSL_CTX_get_keylog_callback available with OpenSSL 1.1.1pre1
and later.
- Enhance 10_rand.t RAND_file_name tests: tests are no longer
affected by the runtime environment variables, HOME and
RANDFILE. These variables are insted controlled by the tests
with local %ENV. Problems related to RAND_file_name were
discussed in Github issue GH-152, and there might still be
cases when, for example, setuid is used because of OpenSSL's
use of glibc secure_getenv() and related functions. Address
RAND_file_name differences between OpenSSL versions. Note in
SSLeay.pod that RAND_file_name() can return undef with
LibreSSL and recent OpenSSL versions.
- Removed the following exportable symbols from SSLeay.pm:
- SESSION, clear_error and err have never been defined.
- add_session, flush_sessions and remove_session were
removed in Net::SSLeay 1.04
- Undocumented X509_STORE_CTX_set_flags() was removed in
Net::SSLeay 1.37 when X509_VERIFY_PARAM_* functions were
added. These are preferred over directly setting the flags.
- Clarified Changes entry for release 1.75 to state that
CTX_v2_new is not removed from Net::SSLeay. SSLv2 is
completely removed in OpenSSL 1.1.0.
- Beginning with OpenSSL 3.0.0-alpha17, SSL_CTX_get_options()
and related functions return uint64_t instead of long. For
this reason constant() in constant.c and Net::SSLeay must
also be able to return 64bit constants. Add uint64_t
definitions to typemap file and update constant() and
options functions to use uint64_t with OpenSSL 3.0.0 and
later when Perl is compiled with 64bit integers. With 32bit
integers, the functions remain as they are: constant()
functions return double and options functions return
long. This partially fixes GH-315, 32bit integer Perls need
to be handled separately.
- Work around macOS Monterey build failure during 'perl
Makefile.PL' that causes perl to exit with 'WARNING:
.../perl is loading libcrypto in an unsafe way' or similar
message. This fixes GH-329. Thanks to Daniel J. Luke for the
report and John Napiorkowski for additional help.
1.91_01 2021-10-24
- Correct X509_STORE_CTX_init() return value to integer. Previous
versions of Net::SSLeay return nothing.
- Update tests to call close() to avoid problems seen with
test 44_sess.t, and possibly other tests, running on older
Windows Perl versions. Also add some missing calls in tests
to shutdown and free ssl structures.
- Fix multiple formatting errors in the documentation for Net::SSLeay.
Thanks to John Jetmore.
- Check for presence of libssl headers in Makefile.PL, and exit with an
error instead of generating an invalid Makefile if they cannot be found.
Fixes RT#105189. Thanks to James E Keenan for the report.
- Added support for SSL_CTX_set_msg_callback/SSL_set_msg_callback
Thanks to Tim Aerts.
- Adjust time in ASN1_TIME_timet based on current offset to GMT to
address GH-148. Thanks to Steffen Ullrich.
- Multiple updates to tests to match OpenSSL 3.0 behaviour.
Thanks to Michal Josef Špaček.
- OpenSSL 3.0 related changes in tests include:
- TLSv1 and TLSv1.1 require security level 0 starting with 3.0 alpha 5.
- SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() ignore
unknown ciphersuites starting with 3.0 alpha 11.
- Error code and error string packing and formatting changes.
- PEM_get_string_PrivateKey default algorithm requires legacy provider.
- See OpenSSL manual page migration_guide(7) for more information about
changes in OpenSSL 3.0.
- Automatically detect OpenSSL installed via Homebrew on ARM-based macOS
systems. Thanks to Graham Knop for the patch.
- Account for the divergence in TLSv1.3 ciphersuite names between OpenSSL and
LibreSSL, which was causing failures of some TLSv1.3 tests with LibreSSL.
- In 36_verify.t, account for the presence of the X509_V_FLAG_LEGACY_VERIFY
flag (signalling the use of the legacy X.509 verifier) in LibreSSL 3.3.2 and
above.
- In 43_misc_functions.t, account for the fact that LibreSSL 3.2.0 and above
implement TLSv1.3 without exposing a TLS1_3_VERSION constant.
- Expose OpenSSL 3.0 functions
OSSL_LIB_CTX_get0_global_default, OSSL_PROVIDER_load,
OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload,
OSSL_PROVIDER_available, OSSL_PROVIDER_do_all
OSSL_PROVIDER_get0_name and OSSL_PROVIDER_self_test.
Add test files 22_provider.t, 22_provider_try_load.t and
22_provider_try_load_zero_retain.t.
- With OpenSSL 3.0 and later, the legacy provider is loaded in
33_x509_create_cert.t to allow PEM_get_string_PrivateKey to
continue working until its default encryption method is
updated. Fixes GH-272 and closes GH-273.
- Remove the test suite's optional dependency on the non-core modules
Test::Exception, Test::NoWarnings and Test::Warn. Tests that verify
Net::SSLeay's behaviour when errors occur are now executed regardless of the
availability of these modules.
- Fully automate the process of changing the list of constants exported by
Net::SSLeay. Fixes GH-313.
- Perform function autoloading tests in the test suite. Fixes GH-311.
- In 36_verify.t, account for the fact that the X509_V_FLAG_LEGACY_VERIFY flag
(signalling the use of the legacy X.509 verifier) is no longer exposed as of
LibreSSL 3.4.1. Fixes GH-324.
1.90 2021-01-21
- New stable release incorporating all changes from developer releases
1.89_01 to 1.89_05.
- Summary of major changes since version 1.88:
- Formalised libssl version support policy: all stable versions of OpenSSL
in the 0.9.8 - 1.1.1 branches (with the exception of 0.9.8 - 0.9.8b) and
all stable releases of LibreSSL in the 2.0 - 3.1 series are supported.
The LibreSSL 3.2 series is not yet fully supported because its TLSv1.3
implementation is not currently libssl-compatible.
- Added support for LibreSSL on Windows when built with Visual C++.
- Exposed P_X509_CRL_add_extensions, several SSL_CIPHER functions, and
several stack functions.
- Fixed crashes in the callback functions CTX_set_next_proto_select_cb and
CTX_set_alpn_select_cb.
- The test suite is now compatible with OpenSSL 1.1.1e onwards, as well as
OpenSSL security level 2 (the default on many Linux distributions).
1.89_05 2021-01-21
- Expose SSL_get_ciphers. Thanks to github user dylc5190.
- Expose SSL_CIPHER_get_version and fix SSL_CIPHER_description
and SSL_CIPHER_get_bits. Also fixed and enhanced
documentation for these and related SSL_CIPHER functions.
- Clarify libssl version support policy: all stable versions of OpenSSL in
the 0.9.8 - 1.1.1 branches (with the exception of 0.9.8 - 0.9.8b) and all
stable releases of LibreSSL in the 2.0 - 3.1 series are supported.
- Direct bug reports to the GitHub repository, since rt.cpan.org will shut
down on 2021-03-01.
1.89_04 2021-01-13
- Fix crashes in the callback functions CTX_set_next_proto_select_cb() and
CTX_set_alpn_select_cb() caused by the use of a pointer returned by
SSL_select_next_proto() which may already have been freed under certain
circumstances. Fixes GH-222. Thanks to dylc5190 for the report.
- Remove the dependency on the AES128-SHA cipher suite in the test script
64_ticket_sharing.t. Fixes GH-231.
- Remove checks and warnings in Makefile.PL relating to the use of RSAref,
which was removed from OpenSSL in version 0.9.7.
1.89_03 2020-12-12
- Expose the following functions:
- X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain
- sk_X509_pop, sk_X509_shift, sk_X509_unshift,
- sk_X509_insert, sk_X509_delete, sk_x509_value, sk_X509_num
Thanks to Dan Freed.
- Correct the minimum OpenSSL version required for the following functions
to be made available (previously they were all declared to be present in
1.1.0-pre1, which caused Net::SSLeay to crash at run-time when built
against OpenSSL versions between 1.1.0-pre1 and 1.1.0-pre3):
- CTX_set_max_proto_version (added in 1.1.0-pre2)
- CTX_set_min_proto_version (added in 1.1.0-pre2)
- SESSION_up_ref (added in 1.1.0-pre4)
- set_max_proto_version (added in 1.1.0-pre2)
- set_min_proto_version (added in 1.1.0-pre2)
- Correct the minimum OpenSSL version required for get_SSL_CTX and SSL_ctrl
to be made available (previously they were declared to be present from
0.9.8f onwards, when in reality they are available in all 0.9.8 versions).
- Replace the PKI used by the test suite with one generated by the
generate-test-pki helper script. All entities in the new PKI have 2048-bit
RSA private keys and CSRs, certificates and CRLs with SHA-256 digests,
allowing the test suite to execute under OpenSSL security level 2 (now the
default security level for OpenSSL in many Linux distributions).
- Initialise libssl consistently in the test suite.
- Don't rely on the availability of specific SSL/TLS protocol versions or
cipher suites in the test suite; instead, dynamically select from any of
the available protocol versions and cipher suites permitted by libssl.
Fixes RT#132425. Thanks to Graham Ollis for the initial report of the test
suite failing on Ubuntu 20.04 with the Ubuntu-packaged OpenSSL, whose
configuration forbids the use of TLSv1.1 and below at run-time by default.
1.89_02 2020-08-07
- Add support for the P_X509_CRL_add_extensions function. Thanks to
Manuel Mausz for the patch.
- X509_get_subjectAltNames now knows how to return
GEN_RID. The returned value is an ASN OID in text format
with current maximum length of 2500 characters. Updated
t/local/33_x509_create_cert.t to use GEN_RID and all other
supported types with certificate request and signed
certificate. These relate to GitHub issue GH-149 opened by
s482dcaw.
- Support for 64-bit Windows versions of OpenSSL from 1.0.0-beta1
through to 1.0.0b has been withdrawn due to malfunctions occurring in
Perl programs that use fork(). This mainly affects users of Strawberry
Perl x64 5.12.3.20180709, which ships with OpenSSL 1.0.0-beta4.
Affected users should build Net-SSLeay against OpenSSL 1.0.0c or
above; users of Strawberry Perl x64 5.12.3.20180709 may instead find
it easier to upgrade to Strawberry Perl x64 5.14.4.1 or above. See
https://github.com/radiator-software/p5-net-ssleay/issues/189 for more
information.
1.89_01 2020-03-22
- Fix the repository URL in Makefile.PL (git:// rather than git@),
which was preventing it from being added to META.json. Thanks to
Dan Book.
- When building Net-SSLeay, exit if an OpenSSL executable cannot be
found in PATH. Fixes RT#131060. Thanks to Nigel Horne for the report.
- Remove non-OCSP external tests, many of which unnecessarily duplicate
local tests or fail for reasons outside of our control. Fixes
RT#129542. Thanks to Andreas Vögele for the bug report that
ultimately led to this change.
- Add support for LibreSSL on Windows when built with Visual C++.
Thanks to Graham Ollis for the patch.
- In SSL_CTX_free() and SSL_free(), clean callback-related data from
the global hash after freeing ctx, not before. This allows callbacks
to be executed during freeing. Thanks to Steffen Ullrich for the
patch.
- t/local/07_sslecho.t started failing with OpenSSL 1.1.1e. Updated
the test file with missing calls to Net::SSLeay::shutdown(). Also
added one call in SSLeay.pm sslcat() function. Enabling SSLeay trace
level 3 showed 'unexpected eof while reading' errors which were added
to OpenSSL with commit db943f43. This fixes GitHub issue GH-160
reported by Brett T. Warden.
- t/local/01_pod.t now requires Test::Pod 1.41 to work with Pod syntax
used with Net::SSLeay 1.88 and later. This fixes GitHub issue GH-147
reported by Ulrik Haugen.
1.88 2019-05-10
- New stable release incorporating all changes from developer
releases 1.86_01 to 1.86_11.
- From this release, Net-SSLeay is switching to an "odd/even"
developer/stable release version numbering system, like that of
many core modules (e.g. ExtUtils::MakeMaker): developer releases
will have an odd minor version number (and the usual "_xx" suffix),
and stable releases will have an even minor version number. This
means there is no Net-SSLeay 1.87.
- Summary of major changes since version 1.85:
- Mike McCauley has stepped down as maintainer. The new maintainers
are Chris Novakovic, Heikki Vatiainen and Tuure Vartiainen.
- The source code has moved from the now-defunct Debian Subversion
server (alioth.debian.org) to GitHub
(https://github.com/radiator-software/p5-net-ssleay).
- Net-SSLeay is provided under the terms of the Artistic License
2.0 - this has been the case since version 1.66, but references
to other licenses remained in the source code, causing ambiguity.
- Perl 5.8.1 or newer is now required to use Net-SSLeay. This has
already been the case for some time in practice, as the test
suite hasn't fully passed on Perl 5.6 for several years.
- Much-improved compatibility with OpenSSL 1.1.1, and improved
support for TLS 1.3.
- Fixed a long-standing bug in cb_data_advanced_put() that caused
memory leaks when callbacks were frequently added and removed.
- Support in the test suite for "hardened" OpenSSL configurations
that set a default security level of 2 or higher (e.g., in the
OpenSSL packages that ship with recent versions of Debian, Fedora
and Ubuntu).
1.86_11 2019-05-08
- Clarified Net-SSLeay's licensing terms: the module distribution has
been released under the terms of the Artistic License 2.0 since
version 1.66; references to other licenses have been removed. Fixes
RT#106314. Thanks to Kent Fredric for pointing out the ambiguity.
- Replace the HTTPS hosts in the external tests (some of which were
no longer online) with more resilient ones. Closes issue #26.
1.86_10 2019-05-04
- Use locally-generated certificate chain in local tests rather
than the Twitter one, which changes regularly and breaks the
test suite unnecessarily. Fixes RT#129201. Thanks to Petr Písař
for the report and patch, and Steffen Ullrich for an alternative
patch suggestion.
- In t/local/09_ctx_new.t, rather than checking that the functions
(CTX_)get_min_proto_version and (CTX_)get_max_proto_version return
0x0000 (indicating the lowest and highest versions supported by
libssl respectively, which is not the case if a run-time
configuration is enforcing a different minimum or maximum), just
check whether the returned value is one of those mentioned on the
SSL_CTX_set_min_proto_version(3) man page. Partially fixes
RT#128025. Thanks to Slaven Rezić and Dmytro Zagashev for the
downstream reports.
- Move from 1024-bit keys/certificates to 2048-bit keys/certificates
across the entire test suite. This removes the need to manually
set the security level to 1 in tests that used the old keys, and
fixes large numbers of test failures on modern Linux distributions
that set the minimum OpenSSL security level to 2. Fixes RT#126270
and the remainder of RT#128025. Thanks to Petr Písař and Slaven
Rezić for the downstream reports.
- In t/local/06_tcpecho.t and t/local/07_sslecho.t, connect to
127.0.0.1 instead of localhost. This fixes these tests when
executed inside a network sandbox that disrupts the behaviour of
gethostbyname(). Fixes RT#128207. Thanks to Kent Fredric for the
downstream report.
1.86_09 2019-03-12
- Add missing files to MANIFEST that prevented tests from passing
when installing from the 1.86_08 release tarball.
1.86_08 2019-03-12
- Add and fix functions needed to properly implement client
side session reuse for TLS 1.3 with using
CTX_sess_set_new_cb. Newly exposed functions:
SSL_SESSION_dup and SSL_SESSION_up_ref.
Fixed functions: i2d_SSL_SESSION and d2i_SSL_SESSION.
Thanks to Steffen Ullrich.
- Add functions functions to allow reading multiple pems from
file and creating untrusted chain: These functions allow you
to:
- Read in a PEM file with multiple certificates as a
STACK_OF(X509_INFO)
- Determine the size of the STACK_OF(X509_INFO) and value at
an index, which allows you to loop over the stack.
- Retrieve the X509 structure from each X509_INFO structure
in the stack.
Then you can create a new STACK_OF(X509) and push the X509
structures onto the new stack. You can then pass this
STACK_OF(X509) to X509_STORE_CTX_init which will allow you
to add additional untrusted certificates to the chain for
verification. Exposed functions are:
PEM_X509_INFO_read_bio
sk_X509_INFO_num
sk_X509_INFO_value
sk_X509_INFO_free
sk_X509_new_null
sk_X509_free
sk_X509_push
New function implemented by Net::SSLeay:
P_X509_INFO_get_x509
Thanks to Marc Reisner.
- Add functions and constants that are necessary to verify a
certificate using a hash directory outside of an SSL/TLS
connection. Newly exposed functions:
X509_STORE_CTX_init
X509_STORE_CTX_free
X509_STORE_new
X509_STORE_free
X509_STORE_add_lookup
X509_LOOKUP_hash_dir
X509_LOOKUP_add_dir
Newly exposed constants:
X509_FILETYPE_ASN1
X509_FILETYPE_DEFAULT
X509_FILETYPE_PEM
Thanks to Marc Reisner.
- Declare n_a in ssleay_set_psk_client_callback_invoke and
ssleay_ctx_set_psk_client_callback_invoke to avoid a compilation
error with Perl versions below 5.8.8. Fixes RT#128030. Thanks to
Graham Ollis for the report.
- Add X509_get0_serialNumber. Thanks to Marc Reisner.
- Enable Travis CI for LibreSSL 2.2.1, 2.7.5, 2.8.3 and 2.9.0
on Perl 5.20 and more recent.
- Expose the following functions for curve and group selection:
- CTX_set_ecdh_auto, set_ecdh_auto
- CTX_set1_curves_list, set1_curves_list
- CTX_set1_groups_list, set1_groups_list
Thanks to Steffen Ullrich.
1.86_07 2018-12-13
- Net::SSLeay::RSA_generate_key() now prefers using
RSA_generate_key_ex. This avois deprecated RSA_generate_key
and allows removing the only Android specific code in
SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler.
- SSL_CTX_get0_param, SSL_CTX_get0_param,
X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
X509_VERIFY_PARAM_set_hostflags,
X509_VERIFY_PARAM_get0_peername,
X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip and
X509_VERIFY_PARAM_set1_ip_asc added in 1.83 for OpenSSL
1.0.2 and later are now available with LibreSSL 2.7.0 and
later.
- get_keyblock_size() now gets the MAC secret size from the
cipher on LibreSSL 2.7.0 and later, rather than reaching
into libssl internals. This effectively takes the OpenSSL
1.1 code path for LibreSSL 2.7.0 instead of the OpenSSL 1.0
code path. Thanks to Alexander Bluhm.
- get_client_random and get_server_random now use API
functions supported by LibreSSL 2.7.0 and later. Thanks to
Alexander Bluhm.
- Add X509_check_host(), X509_check_email(), X509_check_ip(),
and X509_check_ip_asc() for LibreSSL 2.5.0 and later. Thanks
to Alexander Bluhm.
- OpenSSL_version() and OpenSSL_version_num() are available
with LibreSSL 2.7.0 and later. Thanks to Alexander Bluhm.
- Use OPENSSL_cleanse() instead of memset(). Fixes
RT#116599. Thanks to A. Sinan Unur.
1.86_06 2018-09-29
- Net::SSLeay::read() and SSL_peek() now check SSL_get_error()
for SSL_ERROR_ZERO_RETURN for return values <= 0 to make
Net::SSLeay::read() behave more like underlying OpenSSL
function SSL_read().
Convenience function ssl_read_all() now does an automatic
retry when ERROR_WANT_READ or ERROR_WANT_WRITE is returned
with Net::SSLeay::read().
Convenience function ssl_read_until() now uses
Net::SSLeay::ssl_read_all() instead of
Net::SSLeay::read(). Tests 07_sslecho.t and 36_verify.t were
also updated to use ssl_read_all() and ssl_write_all(). The
tests now also disable TLSv1.3 session tickets and ignore
SIGPIPE to avoid this signal when the client has finished
before server has sent session tickets and called
Net::SSLeay::accept().
Thanks to Petr Pisar and Sebastian Andrzej Siewior for the
patches (in #RT125218).
- Fix a memory leak in cb_data_advanced_put. Fixes
RT#127131. Noticed, investigated and patched by Paul
Evans. Thanks!
- Enable OpenSSL 1.1.1-pre9 with Travis CI.
- Add SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets,
SSL_set_num_ticket and SSL_get_num_tickets for controlling
the number of TLSv1.3 session tickets that are issued. Add
tests in 44_sess.t. Parts taken from a larger patch by Petr
Pisar of RedHat.
- Add SSL_CTX_set_ciphersuites and SSL_set_ciphersuites for
configuring the available TLSv1.3 ciphersuites. Add tests in
43_misc_functions.t and clarify SSL_client_version tests.
- Add SSL_CTX_set_security_level, SSL_CTX_get_security_level,
SSL_set_security_level and SSL_get_security_level.
Add new test file 65_security_level.t.
All courtesy of Damyan Ivanov of Debian project.
- Fix export_keying_material return value check and context
handling. SSL_export_keying_material use_context is now
correctly set to non-zero value when context is an empty
string. This affects values exported with TLSv1.2 and earlier.
Update documentation in NetSSLeay.pod and add tests
in t/local/45_export.t.
- Add RAND_priv_bytes. Add new test file t/local/10_rand.t for
RAND_bytes, RAND_pseudo_bytes, RAND_priv_bytes, RAND_status,
RAND_poll, RAND_file_name and RAND_load_file.
- Update documentation for RAND_*bytes return values and
RAND_file_name behaviour with LibreSSL.
- Add SSL_SESSION_is_resumable. Add and update tests in 44_sess.t.
- Set OpenSSL security level to 1 in tests that use the test suite's
(1024-bit) RSA keys, which allows the test suite to pass when
Net-SSLeay is built against an OpenSSL with a higher default
security level. Fixes RT#126987. Thanks to Petr Pisar (in
RT#126270) and Damyan Ivanov (in RT#126987) for the reports and
patches, and to Damyan Ivanov for the preferred patch.
- Add SSL_CTX_sess_set_new_cb and SSL_CTX_sess_set_remove_cb.
Add new test file 44_sess.t for these and future session
related tests for which no specific test file is needed.
- Add SSL_get_version, SSL_client_version and SSL_is_dtls.
- Add SSL_peek_ex, SSL_read_ex, SSL_write_ex and SSL_has_pending.
Add tests in t/local/11_read.t
- Add SSL_CTX_set_post_handshake_auth contributed by Paul
Howarth. Add SSL_set_post_handshake_auth,
SSL_verify_client_post_handshake and constant
SSL_VERIFY_POST_HANDSHAKE.
- Applied a patch to set_cert_and_key() from Damyan Ivanov,
Debian Perl Group. This function now returns errors from
library's error stack only when an underlying routine
fails. Unrelated errors are now skipped. Fixes RT#126988.
- Add support for TLSv1.3 via $Net::SSLeay::ssl_version.
- Enhance t/local/43_misc_functions.t get_keyblock_size test
to work better with AEAD ciphers.
- Add constants SSL_OP_ENABLE_MIDDLEBOX_COMPAT and
SSL_OP_NO_ANTI_REPLAY for TLSv1.3
- Fix compile time DEFINE=-DSHOW_XS_DEBUG to work with
non-threaded Perls. Fixes RT#127027. Thanks to SREZIC for
the report. Also fix other minor compile warnings.
1.86_05 2018-08-22
- Net-SSLeay now requires at least Perl 5.8.1. This is a
formalisation of what has been the de facto case for some time,
as the distribution hasn't compiled and passed its tests on Perl
5.005 for several years.
- Increment Net::SSLeay::Handle's version number to keep it in sync
with Net::SSLeay's, thus satisfying Kwalitee's consistent_version
metric.
- Re-enable the d2i_X509_bio() test in t/local/33_x509_create_cert.t
for LibreSSL. Thanks to Alexander Bluhm.
- Automatically detect new library names on Windows for OpenSSL
1.1.0 onwards (libcrypto, libssl). Fixes part of RT#121084. Thanks
to Jean-Damien Durand.
- Fix a typo preventing OpenSSL libraries built with the VC compiler
(i.e. ones with a ".lib" suffix) from being automatically detected
on Windows. Fixes part of RT#121084. Thanks to Jean-Damien Durand.
- Add missing call to va_end() following va_start() in TRACE().
Fixes RT#126028. Thanks to Jitka Plesnikova.
- Added SSL_in_init() and the related functions for all
libraries and their versions. All return 0 or 1 as
documented by OpenSSL 1.1.1. Use of these functions is
recommended over using constants returned by get_state() and
state(). New constants TLS_ST_*, used by OpenSSL 1.1.0 and
later, will not be made available by Net::SSLeay.
1.86_04 2018-07-30
- Re-add SSLv3_method() for OpenSSL 1.0.2 and above. Fixes
RT#101484.
- Don't expose ENGINE-related functions when building against
OpenSSL builds without ENGINE support. Fixes RT#121538. Thanks to
Paul Green.
- Automatically detect OpenSSL 1.0.x on VMS, and update VMS
installation instructions to reflect removal of Module::Install
from the build system. Fixes RT#124388. Thanks to Craig A. Berry.
- Prevent memory leak in OCSP_cert2ids() and OCSP_response_verify().
Fixes RT#125273. Thanks to Steffen Ullrich.
1.86_03 2018-07-19
- Convert packaging to ExtUtils::MakeMaker. Thanks to mohawk2.
- Module::Install is no longer a prerequisite when building
from the reposistory.
- Re-apply patch from ETJ permitting configure and build in
places with a space in the name.
1.86_02 2018-07-06
- Removed inc/ from repository. Module::Install is now a
prerequisite when building from the repository. This allowed
also removing "." from Makefile.PL lib path which was added
in version 1.81. These updates require no changes when
building from release packages. They also help AppVeyor
builds to work better with old Perls.
- Added CONTRIBUTING.md, reformatted the previous Changes
entry to use CPAN::Changes::Spec guidelines and removed
unused version control tags from comments.
1.86_01 2018-07-04
- Net::SSLeay functionality was not changed in this release.
- Maintainer changes:
- Mike McCauley, maintainer of Net-SSLeay since November 2005,
has stepped down. Thanks to Mike for his 13 years of
stewardship.
- Net-SSLeay is now maintained by Chris Novakovic, Heikki
Vatiainen and Tuure Vartiainen.
- Version control system changes:
- The previous Debian-hosted SVN repository has been imported
into Git. The source code is now maintained on GitHub, at
https://github.com/radiator-software/p5-net-ssleay.
- Fixes to commit metadata, branches and tags that git-svn
couldn't handle or had no way of handling, were done
manually or semi-automatically afterwards. For instance, the
"git-svn-id:" lines that git-svn appends to commit messages
were kept because Mike used SVN revision numbers in RT
replies to indicate when bugs had been fixed/patches applied
(which may be useful for future reference).
- All commits were replayed onto a single master branch rather
than having separate dead-end branches for the old SVN
version tags (as this seems more "git-like").
- New lightweight tags were created for each public release
going back as far as the start of the SVN repository using
data from MetaCPAN (cross-referencing with the changelog
when it wasn't clear when a release was cut from the SVN
repo).
- Florian's and Mike's email addresses were mapped to git
author/committer IDs
- Continuous integration:
- Travis CI configuration was added for automated testing on
Linux using 64 bit Ubuntu Trusty. Build matrix dimensions
are: Perl 5.8 - 5.26 x OpenSSL 0.9.8zh - 1.1.0h. Only the
currently latest version for each major Perl and OpenSSL
release is chosen.
- AppVeyor configuration was added for automated testing on
Windows. Build matrix dimensions are: Perl 5.8 - 5.26 x
32bit and 64bit Perl environment x Windows Server 2012R2 and
Windows Server 2016. The Perl environment is Strawberry Perl