From 90171d5ffcaf28d7bf27b0b364b442861a6b0f34 Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Nov 11 2013 20:24:58 +0000
Subject: Update to 1.958


- New upstream release 1.958
  Lots of behavior changes for more secure defaults:
  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
    - No longer support MD5 by default (broken)
    - No longer support anonymous authentication by default (vulnerable to
      man in the middle attacks)
    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
      that it uses by default forward secrecy, if underlying
      Net::SSLeay/openssl supports it
    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
      hopefully have been fixed and now RC4 is considered less safe than 3DES)
    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
      to get the best cipher even if the client prefers other ciphers; PLEASE
      NOTE that this might break connections with older, less secure
      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
    and thus gets reused if context gets reused; PLEASE NOTE that using
    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
    the ciphers of the context
  - Rework hostname verification schemes:
    - Add RFC names as scheme (e.g. 'rfc2818', ...)
    - Add SIP, SNMP, syslog, netconf, GIST
    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
    'www2' etc.  but not 'www'
  - Anywhere wildcards like x* are no longer applied to IDNA names (which start
    with 'xn--')
  - Fix crash of Utils::CERT_free
  - Support TLSv11, TLSv12 as handshake protocols
  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
    authorization; with the DH param given by default since 1.956, old versions
    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
    authorization) instead of AES256-SHA and thus the check for the peer
    certificate failed (because ADH does not exchange certificates) - fixed by
    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
  - Cleaned up tests:
    - Remove ssl_settings.req and 02settings.t, because all tests now create a
      simple socket at 127.0.0.1 and thus global settings are no longer needed
    - Some tests did not have use strict(!); fixed it
    - Removed special handling for older Net::SSLeay versions that are less
      than our minimum requirement
    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
      options where they were not really needed
  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
    least version 2.55 which is now 5 years old
  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)

---

diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index f2e843b..e9c1af7 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,6 +1,6 @@
 # Work around Perl/RPM versioning inconsistencies
-%global rpmversion 1.95.5
-%global cpanversion 1.955
+%global rpmversion 1.95.8
+%global cpanversion 1.958
 
 Name:		perl-IO-Socket-SSL
 Version:	%{rpmversion}
@@ -20,7 +20,7 @@ BuildRequires:	perl(ExtUtils::MakeMaker) >= 6.46
 BuildRequires:	perl(IO::Select)
 BuildRequires:	perl(IO::Socket)
 BuildRequires:	perl(IO::Socket::INET)
-BuildRequires:	perl(IO::Socket::INET6)
+BuildRequires:	perl(IO::Socket::INET6) >= 2.55
 BuildRequires:	perl(Net::LibIDN)
 BuildRequires:	perl(Net::SSLeay) >= 1.46
 BuildRequires:	perl(Scalar::Util)
@@ -32,7 +32,7 @@ BuildRequires:	procps
 BuildRequires:	perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
 Requires:	perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
 %else
-Requires:	perl(IO::Socket::INET6), perl(Socket6)
+Requires:	perl(IO::Socket::INET6) >= 2.55, perl(Socket6)
 %endif
 Requires:	perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:	perl(Net::LibIDN)
@@ -74,6 +74,55 @@ rm -rf %{buildroot}
 %{_mandir}/man3/IO::Socket::SSL::Utils.3pm*
 
 %changelog
+* Mon Nov 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.8-1
+- Update to 1.958
+  Lots of behavior changes for more secure defaults:
+  - BEHAVIOR CHANGE: make default cipher list more secure, especially:
+    - No longer support MD5 by default (broken)
+    - No longer support anonymous authentication by default (vulnerable to
+      man in the middle attacks)
+    - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
+      that it uses by default forward secrecy, if underlying
+      Net::SSLeay/openssl supports it
+    - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
+      hopefully have been fixed and now RC4 is considered less safe than 3DES)
+    - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
+      to get the best cipher even if the client prefers other ciphers; PLEASE
+      NOTE that this might break connections with older, less secure
+      implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
+  - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
+    and thus gets reused if context gets reused; PLEASE NOTE that using
+    SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
+    the ciphers of the context
+  - Rework hostname verification schemes:
+    - Add RFC names as scheme (e.g. 'rfc2818', ...)
+    - Add SIP, SNMP, syslog, netconf, GIST
+    - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
+    - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
+  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
+    'www2' etc.  but not 'www'
+  - Anywhere wildcards like x* are no longer applied to IDNA names (which start
+    with 'xn--')
+  - Fix crash of Utils::CERT_free
+  - Support TLSv11, TLSv12 as handshake protocols
+  - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
+    authorization; with the DH param given by default since 1.956, old versions
+    of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
+    authorization) instead of AES256-SHA and thus the check for the peer
+    certificate failed (because ADH does not exchange certificates) - fixed by
+    explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
+  - Cleaned up tests:
+    - Remove ssl_settings.req and 02settings.t, because all tests now create a
+      simple socket at 127.0.0.1 and thus global settings are no longer needed
+    - Some tests did not have use strict(!); fixed it
+    - Removed special handling for older Net::SSLeay versions that are less
+      than our minimum requirement
+    - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
+      options where they were not really needed
+  - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
+    least version 2.55 which is now 5 years old
+  - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
+
 * Fri Oct 11 2013 Paul Howarth <paul@city-fan.org> - 1.95.5-1
 - Update to 1.955
   - Support for perfect forward secrecy using ECDH, if the Net::SSLeay version
diff --git a/sources b/sources
index fffa9cd..75dd8ce 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-4f975bc3932a273c46206fa926f20b08  IO-Socket-SSL-1.955.tar.gz
+d1960d7324a26d72c2d055db79a59c5d  IO-Socket-SSL-1.958.tar.gz