Mega:23.09
perl-IO-Socket-SSL
Changes of Revision 3
_service:tar_scm:perl-IO-Socket-SSL.spec
Changed
@@ -1,10 +1,10 @@ Name: perl-IO-Socket-SSL -Version: 2.083 +Version: 2.084 Release: 1 Summary: Perl library for transparent SSL License: GPL+ or Artistic URL: https://metacpan.org/release/IO-Socket-SSL -Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz +Source0: https://cpan.metacpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz BuildArch: noarch #For Build @@ -61,6 +61,11 @@ %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Mon Jan 29 2024 dongyuzhen <dongyuzhen@h-partners.com> - 2.084-1 +- upgrade version to 2.084: + - various fixes for edge cases + - update documentation to reflect default SSL_version + * Wed Jul 19 2023 dongyuzhen <dongyuzhen@h-partners.com> - 2.083-1 - upgrade version to 2.083
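Review bot: Source0 in the first hunk now hard-codes the uploader directory authors/id/S/SU/SULLR, so a later release published from a different account will not resolve after a plain Version bump. Add a spec comment saying the path has to be rechecked on each upgrade, or note why the by-module URL was dropped. The new %changelog entry also leaves out the upstream issue numbers that the Changes file lists for 2.084, which makes it harder to map this rebuild to specific fixes.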
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/perl-IO-Socket-SSL.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
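Review bot: the revision parameter moves from the openEuler-23.09 branch to master, a floating ref, so each service run can fetch a different spec and tarball without any change to this file. For a package that lives in a 23.09 project, pin the revision to the release branch or to a specific commit, or record in the commit message why tracking master is required here.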
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/Changes -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/Changes
Changed
@@ -1,3 +1,6 @@ +2.084 2023/11/06 +- various fixes for edge cases and build: #136, #141, #142, #143, #145 +- update documentation to reflect default SSL_version 2.083 2023/05/18 - fix t/protocol_version.t for OpenSSL versions which don't support SECLEVEL (regression from #122)
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/META.json -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/META.json
Changed
@@ -52,6 +52,6 @@ "url" : "https://github.com/noxxi/p5-io-socket-ssl" } }, - "version" : "2.083", + "version" : "2.084", "x_serialization_backend" : "JSON::PP version 4.06" }
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/META.yml -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/META.yml
Changed
@@ -27,5 +27,5 @@ homepage: https://github.com/noxxi/p5-io-socket-ssl license: http://dev.perl.org/licenses/ repository: https://github.com/noxxi/p5-io-socket-ssl -version: '2.083' +version: '2.084' x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/Makefile.PL -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/Makefile.PL
Changed
@@ -64,16 +64,27 @@ $compiled) if $compiled < 0x00908000; my $linked = Net::SSLeay::SSLeay(); - if (($compiled ^ $linked) >= 0x00001000) { - die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)", - $compiled,$linked); - } # OpenSSL 1.1.1e introduced behavior changes breaking various code # will likely be reverted in 1.1.1f - enforce to not use this version if ($linked == 0x1010105f) { die "detected OpenSSL 1.1.1e - please use a different version\n"; } + + # For old versions we need to be rather strict, however OpenSSL explicitly + # declares that from 3.0 on x.y versions are for all y ABI-compatible. + # https://www.openssl.org/policies/releasestrat.html + if ($linked < 0x30000000) { + if (($compiled ^ $linked) >= 0x00001000) { + die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)", + $compiled,$linked); + } + } else { + if (($compiled ^ $linked) >= 0x10000000) { + die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)", + $compiled,$linked); + } + } } # make sure that we have dualvar from the XS Version of Scalar::Util
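Review bot: in the new else branch, "($compiled ^ $linked) >= 0x10000000" only checks that the major version matches, so a Net::SSLeay compiled against a newer 3.x minor than the library it is linked to at runtime also passes. If the compatibility promise cited in the comment only covers running against the same or a newer minor, add a check that $linked is not below $compiled at major.minor granularity. The two die sprintf calls are identical; choosing the mask first (0x00001000 or 0x10000000) and keeping a single comparison and die would remove the duplication.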
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/lib/IO/Socket/SSL.pm -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/lib/IO/Socket/SSL.pm
Changed
@@ -13,7 +13,7 @@ package IO::Socket::SSL; -our $VERSION = '2.083'; +our $VERSION = '2.084'; use IO::Socket; use Net::SSLeay 1.46; @@ -1182,6 +1182,8 @@ if (not $! and $err == $Net_SSLeay_ERROR_SSL || $err == $Net_SSLeay_ERROR_SYSCALL) { # treat as EOF $data = ''; + # clear the "unexpected eof while reading" error (OpenSSL 3.0+) + Net::SSLeay::ERR_clear_error(); last; } $self->error("SSL read error"); @@ -1501,9 +1503,14 @@ my $err = Net::SSLeay::get_error($ssl,$rv); if ( $err == $Net_SSLeay_ERROR_WANT_READ) { select($vec,undef,undef,$wait) - } elsif ( $err == $Net_SSLeay_ERROR_WANT_READ) { + } elsif ( $err == $Net_SSLeay_ERROR_WANT_WRITE) { select(undef,$vec,undef,$wait) } else { + if ($err) { + # if $! is not set with ERROR_SYSCALL then report as EPIPE + $! ||= EPIPE if $err == $Net_SSLeay_ERROR_SYSCALL; + $self->error("SSL shutdown error ($err)"); + } last; } } @@ -1959,7 +1966,7 @@ sub get_fingerprint_bin { my ($self,$algo,$cert,$key_only) = @_; - $cert ||= $self->peer_certificate; + $cert ||= $self->peer_certificate or return; return $key_only ? Net::SSLeay::X509_pubkey_digest($cert, $algo2digest->($algo || 'sha256')) : Net::SSLeay::X509_digest($cert, $algo2digest->($algo || 'sha256')); @@ -3652,6 +3659,9 @@ $DEBUG>=2 or return; my ($direction, $ssl_ver, $content_type, $buf, $len, $ssl) = @_; + # Restore original $! value on return + local $!; + my $verstr = $tc_ver2s{$ssl_ver} || "(version=$ssl_ver)"; # Log progress for interesting records only (like Handshake or Alert), skip
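Review bot: in the read hunk at -1182, Net::SSLeay::ERR_clear_error() empties the whole error queue on the path that already treats ERROR_SSL and ERROR_SYSCALL with $! unset as a plain EOF, so after this change nothing remains to distinguish a connection cut without a clean TLS shutdown from a normal end of data. Consider logging the queued error through the existing debug facility before clearing it. In the shutdown hunk at -1501, "$! ||= EPIPE" relies on the EPIPE constant being imported in this file, which the visible lines do not show, so please confirm. In get_fingerprint_bin the added "or return" makes the sub return nothing when there is no peer certificate; callers that format the digest should be checked for handling an undefined value, and a test for that case would be welcome.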
_service:tar_scm:IO-Socket-SSL-2.083.tar.gz/lib/IO/Socket/SSL.pod -> _service:tar_scm:IO-Socket-SSL-2.084.tar.gz/lib/IO/Socket/SSL.pod
Changed
@@ -1040,25 +1040,26 @@ 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1', 'TLSv1_2', or 'TLSv1_3' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1', 'TLSv1_2', and -'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for -'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay -and openssl. +'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Which protocol +versions are actually supported depend on the versions of OpenSSL and +Net::SSLeay installed, but modern protocols like TLS 1.3 are supported by these +for many years now. Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'. -The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the -handshake format is compatible to SSL2.0 and higher, but that the successful -handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because -both of these versions have serious security issues and should not be used -anymore. +The default SSL_version is 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2'. This means, +that the handshake format is compatible to SSL2.0 and higher, but that the +successful handshake is limited to TLS1.2 and higher, that is no SSL2.0, SSL3.0, +TLS 1.0 or TLS 1.1 because these versions have serious security issues and +should not be used anymore. + You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0. - -Setting the version instead to 'TLSv1' might break interaction with older -clients, which need and SSL2.0 compatible handshake. On the other -side some clients just close the connection when they receive a TLS version 1.1 -request. In this case setting the version to +Setting the version instead to 'TLSv1' might break interaction with very old or +broken clients, which expect a SSL2.0 compatible handshake. 
On the other +side some broken clients just close the connection when they receive a TLS +version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help. =item SSL_cipher_list @@ -1082,7 +1083,7 @@ If this option is set the TLS 1.3 ciphersuites for the connection will be set to the given value. This is similar to SSL_cipher_list, but only for TLS 1.3 -ciphers. See argument C<-ciphersuits> in the OpenSSL documentation +ciphers. See argument C<-ciphersuites> in the OpenSSL documentation (L<https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html>) for details. @@ -1756,7 +1757,7 @@ =item gist (rfc5971) Simple wildcards are allowed in subjectAltNames and common name, but common name -will only be checked if their are no DNS names in subjectAltNames. +will only be checked if there are no DNS names in subjectAltNames. =item default
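Review bot: the first hunk changes the documented default to 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2' and says TLS 1.0 and 1.1 "should not be used anymore", but the retained paragraph still suggests "!TLSv1_1 and !TLSv1_2 ... while still allowing TLS version 1.0" and ends by recommending 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2', which re-enables TLS 1.0. Mark that workaround as a compatibility fallback that weakens the default, or drop it. Wording in the added lines: "depend on the versions" should be "depends on the versions", and "are supported by these for many years now" should be "have been supported by these for many years".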