From: Paul Howarth <paul@city-fan.org>
To: git-commits@fedoraproject.org
Subject: [rpms/perl-IO-Socket-SSL] rawhide: Update to 2.099
Date: Fri, 26 Jun 2026 12:45:02 GMT [thread overview]
Message-ID: <178247790294.1.6016756243266717923.rpms-perl-IO-Socket-SSL-dc374f75998c@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/perl-IO-Socket-SSL
Branch : rawhide
Commit : dc374f75998cd1a8227190049fe8d681b1c21e6e
Author : Paul Howarth <paul@city-fan.org>
Date : 2026-06-26T13:42:09+01:00
Stats : +209/-203 in 8 file(s)
URL : https://src.fedoraproject.org/rpms/perl-IO-Socket-SSL/c/dc374f75998cd1a8227190049fe8d681b1c21e6e?branch=rawhide
Log:
Update to 2.099
- New upstream release 2.099
- Close socket by default on failed SSL handshake when created with new, but
keep open when upgrading from existing socket with start_SSL; this restores
old behavior that was accidentally broken
---
diff --git a/IO-Socket-SSL-2.087-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.087-Test-client-performs-Post-Handshake-Authentication.patch
deleted file mode 100644
index e3dfedc..0000000
--- a/IO-Socket-SSL-2.087-Test-client-performs-Post-Handshake-Authentication.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Fri, 8 Feb 2019 14:50:32 +0100
-Subject: [PATCH] Test client performs Post-Handshake-Authentication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This test uses openssl tool because PHA is not yet supported by
-IO::Socket::SSL's server implementation. The openssl tool uses a fixed
-port. So the test can fail.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- MANIFEST | 1 +
- t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 91 insertions(+)
- create mode 100755 t/pha_client.t
-
-diff --git a/MANIFEST b/MANIFEST
-index 20cddb6..2b8328d 100644
---- a/MANIFEST
-+++ b/MANIFEST
-@@ -56,6 +56,7 @@ t/mitm.t
- t/multiple-cert-rsa-ecc.t
- t/nonblock.t
- t/npn.t
-+t/pha_client.t
- t/plain_upgrade_downgrade.t
- t/protocol_version.t
- t/psk.t
-diff --git a/t/pha_client.t b/t/pha_client.t
-new file mode 100755
-index 0000000..2413588
---- /dev/null
-+++ b/t/pha_client.t
-@@ -0,0 +1,90 @@
-+#!/usr/bin/perl
-+use strict;
-+use warnings;
-+use Test::More;
-+use IPC::Run ();
-+use IO::Socket::SSL ();
-+use Net::SSLeay ();
-+use IO::Select ();
-+
-+if (system('openssl', 'version')) {
-+ plan skip_all => 'openssl tool is not available';
-+} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
-+ plan skip_all => 'Net::SSLeay does not expose PHA';
-+} else {
-+ plan tests => 5;
-+}
-+
-+my $port = 2000;
-+my $ca_cert = 't/certs/test-ca.pem';
-+
-+diag 'Starting a server';
-+my ($server, $input, $stdout, $stderr);
-+eval {
-+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
-+ '-Verify', '1',
-+ '-cert', 't/certs/server-wildcard.pem',
-+ '-key', 't/certs/server-wildcard.pem', '-CAfile', $ca_cert],
-+ \$input, \$stdout, \$stderr);
-+ # subsequent \undef does not work
-+ # <https://github.com/toddr/IPC-Run/issues/124>
-+};
-+if (!$server or $@) {
-+ BAIL_OUT("Could not start a server: $@");
-+}
-+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
-+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
-+if ($stderr =~ /unable to bind socket/) {
-+ $server->kill_kill;
-+ BAIL_OUT("Could not start a server: $stderr");
-+}
-+ok($server, 'Server started');
-+
-+my $client = IO::Socket::SSL->new(
-+ PeerHost => 'localhost',
-+ PeerPort => $port,
-+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
-+ SSL_verifycn_scheme => 'www',
-+ SSL_verifycn_name => 'www.server.local',
-+ SSL_ca_file => $ca_cert,
-+ SSL_key_file => 't/certs/client-key.pem',
-+ SSL_cert_file => 't/certs/client-cert.pem'
-+);
-+ok($client, 'Client connected');
-+
-+SKIP: {
-+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
-+ unless $client;
-+ $client->blocking(0);
-+
-+ SKIP: {
-+ # Ask openssl s_server for PHA request and wait for the result.
-+ $input .= "c\n";
-+ while ($server->pumpable &&
-+ $stderr !~ /SSL_verify_client_post_handshake/ &&
-+ $stdout !~ /SSL_do_handshake -> 1/
-+ ) {
-+ # Push the PHA command to the server and read outputs.
-+ $server->pump;
-+
-+ # Client also must perform I/O to process the PHA request.
-+ my $select = IO::Select->new($client);
-+ while ($select->can_read(1)) { # 1 second time-out because of
-+ # blocking IPC::Run
-+ my $retval = $client->read(my $buf, 1);
-+ if (defined $buf and $buf eq 'c') {
-+ skip 'openssl tool does not support PHA command', 1;
-+ }
-+ }
-+ }
-+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
-+ }
-+
-+ ok($client->close, 'Client disconnected');
-+}
-+
-+eval {
-+ $server->kill_kill;
-+};
-+ok(!$@, 'Server terminated');
-+
---
-2.20.1
-
diff --git a/IO-Socket-SSL-2.096-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.096-use-system-default-cipher-list.patch
deleted file mode 100644
index a107e13..0000000
--- a/IO-Socket-SSL-2.096-use-system-default-cipher-list.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -206,8 +206,10 @@ my %DEFAULT_SSL_ARGS = (
- SSL_npn_protocols => undef, # meaning depends whether on server or client side
- SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
-
-- # rely on system default but be sure to disable some definitely bad ones
-- SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP',
-+ # Use system-wide default cipher list to support use of system-wide
-+ # crypto policy (#1076390, #1127577, CPAN RT#97816)
-+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
-+ SSL_cipher_list => 'PROFILE=SYSTEM',
- );
-
- my %DEFAULT_SSL_CLIENT_ARGS = (
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -1087,9 +1087,8 @@ ciphers for TLS 1.2 and lower. See the O
- for more details.
-
- Unless you fail to contact your peer because of no shared ciphers it is
--recommended to leave this option at the default setting, which uses the system
--default but disables some insecure ciphers which might still be enabled on older
--systems.
-+recommended to leave this option at the default setting, which honors the
-+system-wide PROFILE=SYSTEM cipher list.
-
- In case different cipher lists are needed for different SNI hosts a hash can be
- given with the host as key and the cipher suite as value, similar to
diff --git a/IO-Socket-SSL-2.098-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.098-use-system-default-SSL-version.patch
deleted file mode 100644
index e47faa1..0000000
--- a/IO-Socket-SSL-2.098-use-system-default-SSL-version.patch
+++ /dev/null
@@ -1,37 +0,0 @@
---- lib/IO/Socket/SSL.pm
-+++ lib/IO/Socket/SSL.pm
-@@ -197,8 +197,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
- # global defaults
- my %DEFAULT_SSL_ARGS = (
- SSL_check_crl => 0,
-- # TLS 1.1 and lower are deprecated with RFC 8996
-- SSL_version => 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2',
-+ SSL_version => '',
- SSL_verify_callback => undef,
- SSL_verifycn_scheme => undef, # fallback cn verification
- SSL_verifycn_publicsuffix => undef, # fallback default list verification
-@@ -2785,7 +2786,7 @@ sub new {
-
- my $ssl_op = $DEFAULT_SSL_OP;
-
-- my $ver;
-+ my $ver = '';
- for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
- m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
- or croak("invalid SSL_version specified");
---- lib/IO/Socket/SSL.pod
-+++ lib/IO/Socket/SSL.pod
-@@ -1060,11 +1060,12 @@ All values are case-insensitive. Instea
- versions are actually supported depend on the versions of OpenSSL and
- Net::SSLeay installed, but modern protocols like TLS 1.3 are supported by these
- for many years now.
-+The default SSL_version is defined by the underlying cryptographic library.
-
- Independent from the handshake format you can limit to set of accepted SSL
- versions by adding !version separated by ':'.
-
--The default SSL_version is 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2'. This means,
-+For example, 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2' means
- that the handshake format is compatible to SSL2.0 and higher, but that the
- successful handshake is limited to TLS1.2 and higher, that is no SSL2.0, SSL3.0,
- TLS 1.0 or TLS 1.1 because these versions have serious security issues and
diff --git a/IO-Socket-SSL-2.099-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.099-Test-client-performs-Post-Handshake-Authentication.patch
new file mode 100644
index 0000000..46ba4ae
--- /dev/null
+++ b/IO-Socket-SSL-2.099-Test-client-performs-Post-Handshake-Authentication.patch
@@ -0,0 +1,130 @@
+From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Feb 2019 14:50:32 +0100
+Subject: [PATCH] Test client performs Post-Handshake-Authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This test uses openssl tool because PHA is not yet supported by
+IO::Socket::SSL's server implementation. The openssl tool uses a fixed
+port. So the test can fail.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ MANIFEST | 1 +
+ t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100755 t/pha_client.t
+
+diff --git a/MANIFEST b/MANIFEST
+index 20cddb6..2b8328d 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -57,6 +57,7 @@ t/mitm.t
+ t/multiple-cert-rsa-ecc.t
+ t/nonblock.t
+ t/npn.t
++t/pha_client.t
+ t/plain_upgrade_downgrade.t
+ t/protocol_version.t
+ t/psk.t
+diff --git a/t/pha_client.t b/t/pha_client.t
+new file mode 100755
+index 0000000..2413588
+--- /dev/null
++++ b/t/pha_client.t
+@@ -0,0 +1,90 @@
++#!/usr/bin/perl
++use strict;
++use warnings;
++use Test::More;
++use IPC::Run ();
++use IO::Socket::SSL ();
++use Net::SSLeay ();
++use IO::Select ();
++
++if (system('openssl', 'version')) {
++ plan skip_all => 'openssl tool is not available';
++} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
++ plan skip_all => 'Net::SSLeay does not expose PHA';
++} else {
++ plan tests => 5;
++}
++
++my $port = 2000;
++my $ca_cert = 't/certs/test-ca.pem';
++
++diag 'Starting a server';
++my ($server, $input, $stdout, $stderr);
++eval {
++ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
++ '-Verify', '1',
++ '-cert', 't/certs/server-wildcard.pem',
++ '-key', 't/certs/server-wildcard.pem', '-CAfile', $ca_cert],
++ \$input, \$stdout, \$stderr);
++ # subsequent \undef does not work
++ # <https://github.com/toddr/IPC-Run/issues/124>
++};
++if (!$server or $@) {
++ BAIL_OUT("Could not start a server: $@");
++}
++# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
++if ($stderr =~ /unable to bind socket/) {
++ $server->kill_kill;
++ BAIL_OUT("Could not start a server: $stderr");
++}
++ok($server, 'Server started');
++
++my $client = IO::Socket::SSL->new(
++ PeerHost => 'localhost',
++ PeerPort => $port,
++ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
++ SSL_verifycn_scheme => 'www',
++ SSL_verifycn_name => 'www.server.local',
++ SSL_ca_file => $ca_cert,
++ SSL_key_file => 't/certs/client-key.pem',
++ SSL_cert_file => 't/certs/client-cert.pem'
++);
++ok($client, 'Client connected');
++
++SKIP: {
++ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
++ unless $client;
++ $client->blocking(0);
++
++ SKIP: {
++ # Ask openssl s_server for PHA request and wait for the result.
++ $input .= "c\n";
++ while ($server->pumpable &&
++ $stderr !~ /SSL_verify_client_post_handshake/ &&
++ $stdout !~ /SSL_do_handshake -> 1/
++ ) {
++ # Push the PHA command to the server and read outputs.
++ $server->pump;
++
++ # Client also must perform I/O to process the PHA request.
++ my $select = IO::Select->new($client);
++ while ($select->can_read(1)) { # 1 second time-out because of
++ # blocking IPC::Run
++ my $retval = $client->read(my $buf, 1);
++ if (defined $buf and $buf eq 'c') {
++ skip 'openssl tool does not support PHA command', 1;
++ }
++ }
++ }
++ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
++ }
++
++ ok($client->close, 'Client disconnected');
++}
++
++eval {
++ $server->kill_kill;
++};
++ok(!$@, 'Server terminated');
++
+--
+2.20.1
+
diff --git a/IO-Socket-SSL-2.099-use-system-default-SSL-version.patch b/IO-Socket-SSL-2.099-use-system-default-SSL-version.patch
new file mode 100644
index 0000000..80cadf5
--- /dev/null
+++ b/IO-Socket-SSL-2.099-use-system-default-SSL-version.patch
@@ -0,0 +1,37 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -197,8 +197,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+ SSL_check_crl => 0,
+- # TLS 1.1 and lower are deprecated with RFC 8996
+- SSL_version => 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2',
++ SSL_version => '',
+ SSL_verify_callback => undef,
+ SSL_verifycn_scheme => undef, # fallback cn verification
+ SSL_verifycn_publicsuffix => undef, # fallback default list verification
+@@ -2793,7 +2794,7 @@ sub new {
+
+ my $ssl_op = $DEFAULT_SSL_OP;
+
+- my $ver;
++ my $ver = '';
+ for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ or croak("invalid SSL_version specified");
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1068,11 +1068,12 @@ All values are case-insensitive. Instea
+ versions are actually supported depend on the versions of OpenSSL and
+ Net::SSLeay installed, but modern protocols like TLS 1.3 are supported by these
+ for many years now.
++The default SSL_version is defined by the underlying cryptographic library.
+
+ Independent from the handshake format you can limit to set of accepted SSL
+ versions by adding !version separated by ':'.
+
+-The default SSL_version is 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2'. This means,
++For example, 'SSLv23:!TLSv1:!TLSv1_1:!SSLv3:!SSLv2' means
+ that the handshake format is compatible to SSL2.0 and higher, but that the
+ successful handshake is limited to TLS1.2 and higher, that is no SSL2.0, SSL3.0,
+ TLS 1.0 or TLS 1.1 because these versions have serious security issues and
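Review bot: The new default `SSL_version => ''` in the `%DEFAULT_SSL_ARGS` hunk removes upstream's explicit `!TLSv1:!TLSv1_1:!SSLv3:!SSLv2` floor (the RFC 8996 comment goes with it) and leaves the minimum negotiable protocol entirely to the linked library's system policy, so a host switched to a permissive crypto policy can negotiate TLS 1.0/1.1 again with nothing in this code indicating that. The patch carries no comment explaining the intent, so the empty string could be mistaken for an accidental deletion on the next rebase; a one-line comment above it, e.g. `# Empty on purpose: defer the protocol floor to the system-wide crypto policy instead of the RFC 8996 list upstream hard-codes`, would record it, and the pod sentence added as `The default SSL_version is defined by the underlying cryptographic library.` could name the system crypto policy as the place where that default is actually set. The `my $ver = ''` change keeps `$ver` defined when the `split` over an empty `SSL_version` yields no iterations; the rest of `new`, where `$ver` is consumed, lies outside this hunk, so whether an empty `$ver` is treated there as "no restriction" rather than as an error is inferred, not visible.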
diff --git a/IO-Socket-SSL-2.099-use-system-default-cipher-list.patch b/IO-Socket-SSL-2.099-use-system-default-cipher-list.patch
new file mode 100644
index 0000000..a949884
--- /dev/null
+++ b/IO-Socket-SSL-2.099-use-system-default-cipher-list.patch
@@ -0,0 +1,29 @@
+--- lib/IO/Socket/SSL.pm
++++ lib/IO/Socket/SSL.pm
+@@ -206,8 +206,10 @@ my %DEFAULT_SSL_ARGS = (
+ SSL_npn_protocols => undef, # meaning depends whether on server or client side
+ SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
+
+- # rely on system default but be sure to disable some definitely bad ones
+- SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 !PSK !SRP',
++ # Use system-wide default cipher list to support use of system-wide
++ # crypto policy (#1076390, #1127577, CPAN RT#97816)
++ # https://fedoraproject.org/wiki/Changes/CryptoPolicy
++ SSL_cipher_list => 'PROFILE=SYSTEM',
+ );
+
+ my %DEFAULT_SSL_CLIENT_ARGS = (
+--- lib/IO/Socket/SSL.pod
++++ lib/IO/Socket/SSL.pod
+@@ -1095,9 +1095,8 @@ ciphers for TLS 1.2 and lower. See the O
+ for more details.
+
+ Unless you fail to contact your peer because of no shared ciphers it is
+-recommended to leave this option at the default setting, which uses the system
+-default but disables some insecure ciphers which might still be enabled on older
+-systems.
++recommended to leave this option at the default setting, which honors the
++system-wide PROFILE=SYSTEM cipher list.
+
+ In case different cipher lists are needed for different SNI hosts a hash can be
+ given with the host as key and the cipher suite as value, similar to
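Review bot: The pod text added as `recommended to leave this option at the default setting, which honors the system-wide PROFILE=SYSTEM cipher list.` does not say that this default governs only the TLS 1.2-and-lower cipher list the surrounding paragraph describes (`ciphers for TLS 1.2 and lower` on the context line above), so a reader may assume the system policy also reaches the TLS 1.3 ciphersuites through this option. Suggest appending `This default covers the TLS 1.2 and lower cipher list only; TLS 1.3 ciphersuites are not affected by it.` to that sentence. The replaced code comment could also note that upstream's explicit `!aNULL !eNULL !RC4 !DES !MD5` exclusions are intentionally dropped, so anonymous and null suites are rejected only insofar as the system policy rejects them, and that `PROFILE=SYSTEM` is presumably only meaningful on an OpenSSL that understands that keyword (the linked CryptoPolicy change); what a library without it does with the string is not visible here and deserves a sentence so the setting is not mistaken for a portable one.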
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index ad98978..b367410 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -7,17 +7,17 @@
%endif
Name: perl-IO-Socket-SSL
-Version: 2.098
-Release: 4%{?dist}
+Version: 2.099
+Release: 1%{?dist}
Summary: Perl library for transparent SSL
License: (GPL-1.0-or-later OR Artistic-1.0-Perl) AND MPL-2.0
URL: https://metacpan.org/release/IO-Socket-SSL
Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
-Patch0: IO-Socket-SSL-2.096-use-system-default-cipher-list.patch
-Patch1: IO-Socket-SSL-2.098-use-system-default-SSL-version.patch
+Patch0: IO-Socket-SSL-2.099-use-system-default-cipher-list.patch
+Patch1: IO-Socket-SSL-2.099-use-system-default-SSL-version.patch
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# bug #1632660, requires openssl tool
-Patch2: IO-Socket-SSL-2.087-Test-client-performs-Post-Handshake-Authentication.patch
+Patch2: IO-Socket-SSL-2.099-Test-client-performs-Post-Handshake-Authentication.patch
BuildArch: noarch
# Module Build
BuildRequires: coreutils
@@ -128,8 +128,14 @@ make test
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
%changelog
+* Fri Jun 26 2026 Paul Howarth <paul@city-fan.org> - 2.099-1
+- Update to 2.099
+ - Close socket by default on failed SSL handshake when created with new, but
+ keep open when upgrading from existing socket with start_SSL; this restores
+ old behavior that was accidentally broken
+
* Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 2.098-4
-- Rebuilt for openssl 4.0
+- Rebuilt for OpenSSL 4.0
* Wed Jun 03 2026 Michal Josef Špaček <mspacek@redhat.com> - 2.098-3
- Fix procps-ng usage
diff --git a/sources b/sources
index d5b4da3..59f2b68 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (IO-Socket-SSL-2.098.tar.gz) = a0bf942073cd1fd08752694629f7c5552f3b9cc6a0db3d6473da734a79b37a444236f3a2ff48c92b4186774cc83cb53a9d695c53d27eacf49ad02874fdbc2cab
+SHA512 (IO-Socket-SSL-2.099.tar.gz) = 6e83451806ffdeb843099046ff13250fb1b66f5233f74d807b1a159f2387fab577928967f320d453507821a678bb8e87762f1cdb65aecba358ffa692d8993cfe