rpms / perl-IO-Socket-SSL

Clone
Source Code
GIT

90171d5 Update to 1.958

Authored and Committed by pghmcfc 10 years ago
raw patch tree parent
2 files changed. 54 lines added. 5 lines removed.
perl-IO-Socket-SSL.spec
file modified
+53 -4
sources
file modified
+1 -1 
    Update to 1.958
    
    - New upstream release 1.958
      Lots of behavior changes for more secure defaults:
      - BEHAVIOR CHANGE: make default cipher list more secure, especially:
        - No longer support MD5 by default (broken)
        - No longer support anonymous authentication by default (vulnerable to
          man in the middle attacks)
        - Prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so
          that it uses by default forward secrecy, if underlying
          Net::SSLeay/openssl supports it
        - Move RC4 to the end, i.e. 3DES is preferred (BEAST attack should
          hopefully have been fixed and now RC4 is considered less safe than 3DES)
        - Default SSL_honor_cipher_order to 1, e.g. when used as server it tries
          to get the best cipher even if the client prefers other ciphers; PLEASE
          NOTE that this might break connections with older, less secure
          implementations, in which case revert to 'ALL:!LOW:!EXP:!aNULL' or so
      - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context, not SSL object,
        and thus gets reused if context gets reused; PLEASE NOTE that using
        SSL_cipher_list together with SSL_reuse_ctx no longer has any effect on
        the ciphers of the context
      - Rework hostname verification schemes:
        - Add RFC names as scheme (e.g. 'rfc2818', ...)
        - Add SIP, SNMP, syslog, netconf, GIST
        - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
        - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
      - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1',
        'www2' etc.  but not 'www'
      - Anywhere wildcards like x* are no longer applied to IDNA names (which start
        with 'xn--')
      - Fix crash of Utils::CERT_free
      - Support TLSv11, TLSv12 as handshake protocols
      - Fixed t/core.t: test used cipher_list of HIGH, which includes anonymous
        authorization; with the DH param given by default since 1.956, old versions
        of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
        authorization) instead of AES256-SHA and thus the check for the peer
        certificate failed (because ADH does not exchange certificates) - fixed by
        explicitly specifying HIGH:!aNULL as cipher (CPAN RT#90221)
      - Cleaned up tests:
        - Remove ssl_settings.req and 02settings.t, because all tests now create a
          simple socket at 127.0.0.1 and thus global settings are no longer needed
        - Some tests did not have use strict(!); fixed it
        - Removed special handling for older Net::SSLeay versions that are less
          than our minimum requirement
        - Some syntax enhancements: removed some SSL_version and SSL_cipher_list
          options where they were not really needed
      - Cleanup: remove workaround for old IO::Socket::INET6 but instead require at
        least version 2.55 which is now 5 years old
      - Fix t/session.t to work with older openssl versions (CPAN RT#90240)
file modified
+53 -4
file modified
+1 -1
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.