Hello community,
here is the log from the commit of package perl-IO-Socket-SSL for openSUSE:Factory checked in at 2015-05-05 00:54:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old)
and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes 2015-04-22 01:12:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes 2015-05-05 00:54:35.000000000 +0200
@@ -1,0 +2,6 @@
+Sat May 2 05:55:10 UTC 2015 - coolo@suse.com
+
+- updated to 2.013
+ see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
+
+-------------------------------------------------------------------
Old:
----
IO-Socket-SSL-2.012.tar.gz
New:
----
IO-Socket-SSL-2.013.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-IO-Socket-SSL.spec ++++++
--- /var/tmp/diff_new_pack.mLsmd6/_old 2015-05-05 00:54:36.000000000 +0200
+++ /var/tmp/diff_new_pack.mLsmd6/_new 2015-05-05 00:54:36.000000000 +0200
@@ -17,16 +17,16 @@
Name: perl-IO-Socket-SSL
-Version: 2.012
+Version: 2.013
Release: 0
%define cpan_name IO-Socket-SSL
Summary: Nearly transparent SSL encapsulation for IO::Socket::INET
License: Artistic-1.0 or GPL-1.0+
Group: Development/Libraries/Perl
Url: http://search.cpan.org/dist/IO-Socket-SSL/
-Source: http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
+Source0: http://www.cpan.org/authors/id/S/SU/SULLR/%{cpan_name}-%{version}.tar.gz
Source1: cpanspec.yml
-Patch: perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
+Patch0: perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl
@@ -38,14 +38,14 @@
%description
IO::Socket::SSL makes using SSL/TLS much easier by wrapping the necessary
functionality into the familiar the IO::Socket manpage interface and
-providing secure defaults whenever possible. This way existing applications
-can be made SSL-aware without much effort, at least if you do blocking I/O
-and don't use select or poll.
-
-But, under the hood SSL is a complex beast. So there are lots of methods to
-make it do what you need if the default behavior is not adequate. Because
-it is easy to inadvertently introduce critical security bugs or just
-getting hard to debug problems, I would recommend to study the following
+providing secure defaults whenever possible. This way, existing
+applications can be made SSL-aware without much effort, at least if you do
+blocking I/O and don't use select or poll.
+
+But, under the hood, SSL is a complex beast. So there are lots of methods
+to make it do what you need if the default behavior is not adequate.
+Because it is easy to inadvertently introduce critical security bugs or
+just hard to debug problems, I would recommend studying the following
documentation carefully.
The documentation consists of the following parts:
@@ -78,7 +78,7 @@
%prep
%setup -q -n %{cpan_name}-%{version}
-%patch -p1
+%patch0 -p1
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -94,6 +94,6 @@
%files -f %{name}.files
%defattr(-,root,root,755)
-%doc BUGS Changes example README README.Win32
+%doc BUGS Changes docs example README README.Win32
%changelog
++++++ IO-Socket-SSL-2.012.tar.gz -> IO-Socket-SSL-2.013.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/Changes new/IO-Socket-SSL-2.013/Changes
--- old/IO-Socket-SSL-2.012/Changes 2015-02-02 08:44:52.000000000 +0100
+++ new/IO-Socket-SSL-2.013/Changes 2015-05-01 17:13:32.000000000 +0200
@@ -1,6 +1,13 @@
-2.012 2014/02/02
+2.013 2015/05/01
+- assign severities to internal error handling and make sure that follow-up
+ errors like "configuration failed" or "certificate verify error" don't
+ replace more specific "hostname verification failed" when reporting in
+ sub errstr/$SSL_ERROR. see also RT#103423
+- enhanced documentation thanks to Chase Whitener
+ https://github.com/noxxi/p5-io-socket-ssl/pull/26
+2.012 2015/02/02
- fix t/ocsp.t in case no HTTP::Tiny is installed
-2.011 2014/02/01
+2.011 2015/02/01
- fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling #101855
- added option 'purpose' to Utils::CERT_create to get better control of the
certificates purpose. Default is 'server,client' for non-CA (contrary to
@@ -9,12 +16,12 @@
https://github.com/noxxi/p5-io-socket-ssl/issues/22
- refactoring of some tests using Test::More thanks to Sweet-kid and the
2015 Pull Request Challenge
-2.010 2014/01/14
+2.010 2015/01/14
- new options SSL_client_ca_file and SSL_client_ca to let the server send
the list of acceptable CAs for the client certificate.
- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay.
RT#101485, thanks to TEAM.
-2.009 2014/01/12
+2.009 2015/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/META.json new/IO-Socket-SSL-2.013/META.json
--- old/IO-Socket-SSL-2.012/META.json 2015-02-02 08:46:05.000000000 +0100
+++ new/IO-Socket-SSL-2.013/META.json 2015-05-01 17:37:04.000000000 +0200
@@ -4,7 +4,7 @@
"Steffen Ullrich , Peter Behroozi, Marko Asplund"
],
"dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630",
+ "generated_by" : "ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921",
"license" : [
"perl_5"
],
@@ -50,5 +50,5 @@
"url" : "https://github.com/noxxi/p5-io-socket-ssl"
}
},
- "version" : "2.012"
+ "version" : "2.013"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/META.yml new/IO-Socket-SSL-2.013/META.yml
--- old/IO-Socket-SSL-2.012/META.yml 2015-02-02 08:46:05.000000000 +0100
+++ new/IO-Socket-SSL-2.013/META.yml 2015-05-01 17:37:04.000000000 +0200
@@ -3,26 +3,26 @@
author:
- 'Steffen Ullrich , Peter Behroozi, Marko Asplund'
build_requires:
- ExtUtils::MakeMaker: '0'
+ ExtUtils::MakeMaker: 0
configure_requires:
- ExtUtils::MakeMaker: '0'
+ ExtUtils::MakeMaker: 0
dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630'
+generated_by: 'ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921'
license: perl
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
- version: '1.4'
+ version: 1.4
name: IO-Socket-SSL
no_index:
directory:
- t
- inc
requires:
- Net::SSLeay: '1.46'
- Scalar::Util: '0'
+ Net::SSLeay: 1.46
+ Scalar::Util: 0
resources:
bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
homepage: https://github.com/noxxi/p5-io-socket-ssl
license: http://dev.perl.org/licenses/
repository: https://github.com/noxxi/p5-io-socket-ssl
-version: '2.012'
+version: 2.013
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pm new/IO-Socket-SSL-2.013/lib/IO/Socket/SSL.pm
--- old/IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pm 2015-02-02 08:44:32.000000000 +0100
+++ new/IO-Socket-SSL-2.013/lib/IO/Socket/SSL.pm 2015-05-01 17:32:36.000000000 +0200
@@ -13,7 +13,7 @@
package IO::Socket::SSL;
-our $VERSION = '2.012';
+our $VERSION = '2.013';
use IO::Socket;
use Net::SSLeay 1.46;
@@ -276,11 +276,11 @@
# try IO::Socket::IP or IO::Socket::INET6 for IPv6 support
if ( $ip6 ) {
- # if we have IO::Socket::IP >= 0.20 we will use this in preference
+ # if we have IO::Socket::IP >= 0.31 we will use this in preference
# because it can handle both IPv4 and IPv6
if ( eval {
require IO::Socket::IP;
- IO::Socket::IP->VERSION(0.20) && IO::Socket::IP->VERSION != 0.30;
+ IO::Socket::IP->VERSION(0.31)
}) {
@ISA = qw(IO::Socket::IP);
constant->import( CAN_IPV6 => "IO::Socket::IP" );
@@ -437,6 +437,13 @@
my %CREATED_IN_THIS_THREAD;
sub CLONE { %CREATED_IN_THIS_THREAD = (); }
+
+# we have callbacks associated with contexts, but have no way to access the
+# current SSL object from these callbacks. To work around this
+# CURRENT_SSL_OBJECT will be set before calling Net::SSLeay::{connect,accept}
+# and reset afterwards, so we have access to it inside _internal_error.
+my $CURRENT_SSL_OBJECT;
+
# You might be expecting to find a new() subroutine here, but that is
# not how IO::Socket::INET works. All configuration gets performed in
# the calls to configure() and either connect() or accept().
@@ -461,8 +468,8 @@
$self->configure_SSL($arg_hash) || return;
- $self->SUPER::configure($arg_hash)
- || return $self->_internal_error("@ISA configuration failed");
+ return $self->_internal_error("@ISA configuration failed",0)
+ if ! $self->SUPER::configure($arg_hash);
$self->blocking(0) if defined $blocking && !$blocking;
return $self;
@@ -523,7 +530,7 @@
return $err;
}
$! ||= EWOULDBLOCK;
- ${*$self}{'_SSL_last_err'} = $SSL_ERROR if ref($self);
+ ${*$self}{_SSL_last_err} = [$SSL_ERROR,4] if ref($self);
Net::SSLeay::ERR_clear_error();
return 0;
}
@@ -568,7 +575,7 @@
my $arg_hash = ${*$self}{'_SSL_arguments'};
my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self);
- return $self->_internal_error("Socket has no fileno")
+ return $self->_internal_error("Socket has no fileno",9)
if ! defined $fileno;
$ctx = ${*$self}{'_SSL_ctx'}; # Reference to real context
@@ -603,7 +610,7 @@
}
} elsif ( $arg_hash->{SSL_hostname} ) {
return $self->_internal_error(
- "Client side SNI not supported for this openssl");
+ "Client side SNI not supported for this openssl",9);
} else {
$DEBUG>=2 && DEBUG("not using SNI because openssl is too old");
}
@@ -663,7 +670,9 @@
{
#DEBUG( 'calling ssleay::connect' );
$SSL_ERROR = undef;
+ $CURRENT_SSL_OBJECT = $self;
my $rv = Net::SSLeay::connect($ssl);
+ $CURRENT_SSL_OBJECT = undef;
$DEBUG>=3 && DEBUG("Net::SSLeay::connect -> $rv" );
if ( $rv < 0 ) {
if ( my $err = $self->_skip_rw_error( $ssl,$rv )) {
@@ -745,11 +754,11 @@
# definitly revoked
$DEBUG>=3 && DEBUG("got OCSP revocation with stapling: %s",
$ocsp_result->[1]);
- $self->_internal_error($ocsp_result->[1]);
+ $self->_internal_error($ocsp_result->[1],5);
return $self->fatal_ssl_error();
}
} elsif ( $ctx->{ocsp_mode} & SSL_OCSP_MUST_STAPLE ) {
- $self->_internal_error("did not receive the required stapled OCSP response");
+ $self->_internal_error("did not receive the required stapled OCSP response",5);
return $self->fatal_ssl_error();
}
@@ -844,7 +853,7 @@
}
my $fileno = ${*$socket}{'_SSL_fileno'} = fileno($socket);
- return $socket->_internal_error("Socket has no fileno")
+ return $socket->_internal_error("Socket has no fileno",9)
if ! defined $fileno;
$ssl = ${*$socket}{_SSL_object} =
@@ -877,7 +886,9 @@
my $start = defined($timeout) && time();
{
$SSL_ERROR = undef;
+ $CURRENT_SSL_OBJECT = $self;
my $rv = Net::SSLeay::accept($ssl);
+ $CURRENT_SSL_OBJECT = undef;
$DEBUG>=3 && DEBUG( "Net::SSLeay::accept -> $rv" );
if ( $rv < 0 ) {
if ( my $err = $socket->_skip_rw_error( $ssl,$rv )) {
@@ -1012,7 +1023,7 @@
my $buf_len = length($$buffer);
$length ||= $buf_len;
$offset ||= 0;
- return $self->_internal_error("Invalid offset for SSL write")
+ return $self->_internal_error("Invalid offset for SSL write",9)
if $offset>$buf_len;
return 0 if ($offset == $buf_len);
@@ -1315,7 +1326,7 @@
sub _get_ssl_object {
my $self = shift;
return ${*$self}{'_SSL_object'} ||
- IO::Socket::SSL->_internal_error("Undefined SSL object");
+ IO::Socket::SSL->_internal_error("Undefined SSL object",9);
}
# _get_ctx_object is for internal use ONLY!
@@ -1327,7 +1338,7 @@
# default error for undefined arguments
sub _invalid_object {
- return IO::Socket::SSL->_internal_error("Undefined IO::Socket::SSL object");
+ return IO::Socket::SSL->_internal_error("Undefined IO::Socket::SSL object",9);
}
@@ -1338,18 +1349,18 @@
sub start_SSL {
my ($class,$socket) = (shift,shift);
- return $class->_internal_error("Not a socket") if ! ref($socket);
+ return $class->_internal_error("Not a socket",9) if ! ref($socket);
my $arg_hash = (ref($_[0]) eq 'HASH') ? $_[0] : {@_};
my %to = exists $arg_hash->{Timeout} ? ( Timeout => delete $arg_hash->{Timeout} ) :();
my $original_class = ref($socket);
if ( ! $original_class ) {
$socket = ($original_class = $ISA[0])->new_from_fd($socket,'<+')
or return $class->_internal_error(
- "creating $original_class from file handle failed");
+ "creating $original_class from file handle failed",9);
}
my $original_fileno = (UNIVERSAL::can($socket, "fileno"))
? $socket->fileno : CORE::fileno($socket);
- return $class->_internal_error("Socket has no fileno")
+ return $class->_internal_error("Socket has no fileno",9)
if ! defined $original_fileno;
bless $socket, $class;
@@ -1747,7 +1758,8 @@
sub errstr {
my $self = shift;
- return (ref($self) ? ${*$self}{'_SSL_last_err'} : $SSL_ERROR) || '';
+ my $oe = ref($self) && ${*$self}{_SSL_last_err};
+ return $oe ? $oe->[0] : $SSL_ERROR || '';
}
sub fatal_ssl_error {
@@ -1773,29 +1785,48 @@
return Net::SSLeay::print_errs('SSL error: ') || '';
}
-# internal errors, e.g unsupported features etc
+# internal errors, e.g unsupported features, hostname check failed etc
+# _SSL_last_err contains severity so that on error chains we can decide if one
+# error should replace the previous one or if this is just a less specific
+# follow-up error, e.g. configuration failed because certificate failed because
+# hostname check went wrong:
+# 0 - fallback errors
+# 4 - errors bubbled up from OpenSSL (sub error, r/w error)
+# 5 - hostname or OCSP verification failed
+# 9 - fatal problems, e.g. missing feature, no fileno...
+# _SSL_last_err and SSL_ERROR are only replaced if the error has a higher
+# severity than the previous one
+
sub _internal_error {
- my ($self, $error, $destroy_socket) = @_;
- $SSL_ERROR = dualvar( -1, $error );
- $DEBUG && DEBUG($error);
- ${*$self}{'_SSL_last_err'} = $SSL_ERROR if (ref($self));
+ my ($self, $error, $severity) = @_;
+ $error = dualvar( -1, $error );
+ $self = $CURRENT_SSL_OBJECT if !ref($self) && $CURRENT_SSL_OBJECT;
+ if (ref($self)) {
+ my $oe = ${*$self}{_SSL_last_err};
+ if (!$oe || $oe->[1] <= $severity) {
+ ${*$self}{_SSL_last_err} = [$error,$severity];
+ $SSL_ERROR = $error;
+ $DEBUG && DEBUG("local error: $error");
+ } else {
+ $DEBUG && DEBUG("ignoring less severe local error '$error', keep '$oe->[0]'");
+ }
+ } else {
+ $SSL_ERROR = $error;
+ $DEBUG && DEBUG("global error: $error");
+ }
return;
}
# OpenSSL errors
sub error {
- my ($self, $error, $destroy_socket) = @_;
+ my ($self, $error) = @_;
my @err;
while ( my $err = Net::SSLeay::ERR_get_error()) {
push @err, Net::SSLeay::ERR_error_string($err);
$DEBUG>=2 && DEBUG( $error."\n".$self->get_ssleay_error());
}
$error .= ' '.join(' ',@err) if @err;
- if ($error) {
- $SSL_ERROR = dualvar( -1, $error );
- $DEBUG && DEBUG($error);
- ${*$self}{'_SSL_last_err'} = $SSL_ERROR if (ref($self));
- }
+ return $self->_internal_error($error,4) if $error;
return;
}
@@ -1897,14 +1928,14 @@
sub next_proto_negotiated {
my $self = shift;
- return $self->_internal_error("NPN not supported in Net::SSLeay") if ! $can_npn;
+ return $self->_internal_error("NPN not supported in Net::SSLeay",9) if ! $can_npn;
my $ssl = $self->_get_ssl_object || return;
return Net::SSLeay::P_next_proto_negotiated($ssl);
}
sub alpn_selected {
my $self = shift;
- return $self->_internal_error("ALPN not supported in Net::SSLeay") if ! $can_alpn;
+ return $self->_internal_error("ALPN not supported in Net::SSLeay",9) if ! $can_alpn;
my $ssl = $self->_get_ssl_object || return;
return Net::SSLeay::P_alpn_selected($ssl);
}
@@ -2080,7 +2111,7 @@
if ( ! $host ) {
if ( $vcn_scheme ) {
IO::Socket::SSL->_internal_error(
- "Cannot determine peer hostname for verification" );
+ "Cannot determine peer hostname for verification",8);
return 0;
}
warn "Cannot determine hostname of peer for verification. ".
@@ -2116,7 +2147,7 @@
}
if ( ! $rv ) {
IO::Socket::SSL->_internal_error(
- "hostname verification failed" );
+ "hostname verification failed",5);
}
return $rv;
};
@@ -2150,7 +2181,7 @@
$ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' :
$ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' :
'CTX_new'
- ) or return IO::Socket::SSL->_internal_error("SSL Version $ver not supported");
+ ) or return IO::Socket::SSL->_internal_error("SSL Version $ver not supported",9);
# For SNI in server mode we need a separate context for each certificate.
my %ctx;
@@ -2205,7 +2236,7 @@
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE);
if ( my $proto_list = $arg_hash->{SSL_npn_protocols} ) {
- return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay")
+ return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay",9)
if ! $can_npn;
if($arg_hash->{SSL_server}) {
# on server side SSL_npn_protocols means a list of advertised protocols
@@ -2218,7 +2249,7 @@
}
if ( my $proto_list = $arg_hash->{SSL_alpn_protocols} ) {
- return IO::Socket::SSL->_internal_error("ALPN not supported in Net::SSLeay")
+ return IO::Socket::SSL->_internal_error("ALPN not supported in Net::SSLeay",9)
if ! $can_alpn;
if($arg_hash->{SSL_server}) {
Net::SSLeay::CTX_set_alpn_select_cb($ctx, $proto_list);
@@ -2394,7 +2425,7 @@
if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) {
return IO::Socket::SSL->_internal_error(
- "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0")
+ "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0",9)
if ! $can_ecdh;
if ( $curve !~ /^\d+$/ ) {
# name of curve, find NID
@@ -2419,7 +2450,7 @@
if ( my $fp = $arg_hash->{SSL_fingerprint} ) {
for( ref($fp) ? @$fp : $fp) {
my ($algo,$digest) = m{^([\w-]+)\$([a-f\d:]+)$}i;
- return IO::Socket::SSL->_internal_error("invalid fingerprint '$_'")
+ return IO::Socket::SSL->_internal_error("invalid fingerprint '$_'",9)
if ! $algo;
$algo = lc($algo);
( $digest = lc($digest) ) =~s{:}{}g;
@@ -2572,7 +2603,7 @@
my $ctx = $ctx{''} || (values %ctx)[0];
if (keys(%ctx) > 1 || ! exists $ctx{''}) {
$can_server_sni or return IO::Socket::SSL->_internal_error(
- "Server side SNI not supported for this openssl/Net::SSLeay");
+ "Server side SNI not supported for this openssl/Net::SSLeay",9);
Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub {
my $ssl = shift;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pod new/IO-Socket-SSL-2.013/lib/IO/Socket/SSL.pod
--- old/IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pod 2015-01-26 23:32:06.000000000 +0100
+++ new/IO-Socket-SSL-2.013/lib/IO/Socket/SSL.pod 2015-04-17 14:06:34.000000000 +0200
@@ -27,14 +27,14 @@
IO::Socket::SSL makes using SSL/TLS much easier by wrapping the necessary
functionality into the familiar LIO::Socket interface and providing secure
defaults whenever possible.
-This way existing applications can be made SSL-aware without much effort, at
+This way, existing applications can be made SSL-aware without much effort, at
least if you do blocking I/O and don't use select or poll.
-But, under the hood SSL is a complex beast.
+But, under the hood, SSL is a complex beast.
So there are lots of methods to make it do what you need if the default
behavior is not adequate.
Because it is easy to inadvertently introduce critical security bugs or just
-getting hard to debug problems, I would recommend to study the following
+hard to debug problems, I would recommend studying the following
documentation carefully.
The documentation consists of the following parts:
@@ -76,9 +76,9 @@
SSL (Secure Socket Layer) or its successor TLS (Transport Layer Security) are
protocols to facilitate end-to-end security. These protocols are used when
-accessing web sites (https), delivering or retrieving email and in lots of other
+accessing web sites (https), delivering or retrieving email, and in lots of other
use cases.
-In the following we will only talk use the name SSL, but means SSL and TLS.
+In the following documentation we will refer to both SSL and TLS as simply 'SSL'.
SSL enables end-to-end security by providing two essential functions:
@@ -93,7 +93,7 @@
=item Identification
This part makes sure that you talk to the right peer.
-If the identification is done wrong it is easy to mount man-in-the-middle
+If the identification is done incorrectly it is easy to mount man-in-the-middle
attacks, e.g. if Alice wants to talk to Bob it would be possible for Mallory to
put itself in the middle, so that Alice talks to Mallory and Mallory to Bob.
All the data would still be encrypted, but not end-to-end between Alice and Bob,
@@ -105,7 +105,7 @@
Identification is the part which is the hardest to understand and the easiest
to get wrong.
-With SSL the Identification is usually done with B<certificates> inside a B<PKI>
+With SSL, the Identification is usually done with B<certificates> inside a B<PKI>
(Public Key Infrastructure).
These Certificates are comparable to an identity card, which contains
information about the owner of the card. The card then is somehow B<signed> by
@@ -122,9 +122,9 @@
=item *
-Check if we trust the certificate, e.g. make sure its not a forgery.
+Check if we trust the certificate, e.g. make sure it's not a forgery.
-We believe that a certificate is not a fake, if we either know the certificate
+We believe that a certificate is not a fake if we either know the certificate
already or if we B<trust> the issuer (the CA) and can verify the issuers
signature on the certificate.
In reality there is often a hierarchy of certificate agencies and we only
@@ -133,9 +133,9 @@
B<intermediate certificates>.
Verification will be done by building a B<trust path> from the trusted root up
to the peers certificate and checking in each step if the we can verify the
-issuers signature.
+issuer's signature.
-This step often causes problems, because the client does not know the necessary
+This step often causes problems because the client does not know the necessary
trusted root certificates. These are usually stored in a system dependent
CA store, but often the browsers have their own CA store.
@@ -175,17 +175,17 @@
With OCSP (Online Certificate Status Protocol) the client can check a single
certificate directly by asking the issuer.
-Revocation is the hardest part of the verification and none of todays browsers
-gets it fully correct. But they are still better than most other implementations
+Revocation is the hardest part of the verification and none of today's browsers
+get it fully correct. But, they are still better than most other implementations
which don't implement revocation checks or leave the hard parts to the
developer.
=back
-When accessing a web site with SSL or delivering mail a secure way the
+When accessing a web site with SSL or delivering mail in a secure way the
identity is usually only checked one way, e.g. the client wants to make sure it
talks to the right server, but the server usually does not care which client it
-is.
+talks to.
But, sometimes the server wants to identify the client too and will request a
certificate from the client which the server must verify in a similar way.
@@ -199,13 +199,13 @@
This will take the OpenSSL default CA store as the store for the trusted CA.
This usually works on UNIX systems.
-If their are no certificates in the store it will try use LMozilla::CA which
+If there are no certificates in the store it will try use LMozilla::CA which
provides the default CAs of Firefox.
-In the default settings IO::Socket::SSL will use a safer cipher set and SSL
-version, do a proper hostname check against the certificate and uses SNI (server
+In the default settings, LIO::Socket::SSL will use a safer cipher set and SSL
+version, do a proper hostname check against the certificate, and use SNI (server
name indication) to send the hostname inside the SSL handshake. This is
-necessary to work with servers, which have different certificates behind the
+necessary to work with servers which have different certificates behind the
same IP address.
It will also check the revocation of the certificate with OCSP, but currently
only if the server provides OCSP stapling (for deeper checks see
@@ -260,7 +260,7 @@
print <$client>;
And to do revocation checks with OCSP (only available with OpenSSL 1.0.0 or
-higher and Net::SSLeay at least 1.59):
+higher and LNet::SSLeay 1.59 or higher):
# default will try OCSP stapling and check only leaf certificate
my $client = IO::Socket::SSL->new($dst);
@@ -322,10 +322,12 @@
This will automatically use a secure set of ciphers and SSL version and also
supports Forward Secrecy with (Elliptic-Curve) Diffie-Hellmann Key Exchange.
-If you do a forking a threading server it is recommended to do the SSL handshake
-inside the new process/thread, so that the master is free for new connections.
-Because a client with improper or slow SSL handshake could make the server
-block in the handshake which would be bad to do on the listening socket:
+If you are doing a forking or threading server, we recommend that you do the SSL
+handshake inside the new process/thread so that the master is free for new
+connections.
+We recommend this because a client with improper or slow SSL handshake could
+make the server block in the handshake which would be bad to do on the
+listening socket:
# inet server
my $server = IO::Socket::INET->new(
@@ -345,14 +347,14 @@
SSL_key_file => 'key.pem',
) or die "failed to ssl handshake: $SSL_ERROR";
-Like with normal sockets neither forking nor threading servers scale well.
+Like with normal sockets, neither forking nor threading servers scale well.
It is recommended to use non-blocking sockets instead, see
L"Using Non-Blocking Sockets">
=head1 Common Usage Errors
-This is a list of typical errors seen with the use of IO::Socket::SSL:
+This is a list of typical errors seen with the use of LIO::Socket::SSL:
=over 4
@@ -360,15 +362,15 @@
Disabling verification with C.
-As described in L"Essential Information About SSL/TLS"> a proper
+As described in L"Essential Information About SSL/TLS">, a proper
identification of the peer is essential and failing to verify makes
Man-In-The-Middle attacks possible.
Nevertheless, lots of scripts and even public modules or applications disable
-verification, because it is probably the easiest way to make the thing working
+verification, because it is probably the easiest way to make the thing work
and usually nobody notices any security problems anyway.
-If the verification does not succeed with the default settings one can do the
+If the verification does not succeed with the default settings, one can do the
following:
=over 8
@@ -394,9 +396,9 @@
A common error pattern is also to disable verification if they found no CA
store (different modules look at different "default" places).
-Because IO::Socket::SSL is now able to provide a usable CA store on most
+Because LIO::Socket::SSL is now able to provide a usable CA store on most
platforms (UNIX, Mac OSX and Windows) it is better to use the defaults provided
-by IO::Socket::SSL.
+by LIO::Socket::SSL.
If necessary these can be checked with the C method.
=item *
@@ -407,7 +409,7 @@
one byte. Thus, if more than one byte is available on the socket it will be kept
in the network stack of your OS and the next select or poll call will return the
socket as readable.
-But, with SSL you don't deliver single bytes. Multiple data bytes are packet
+But, with SSL you don't deliver single bytes. Multiple data bytes are packaged
and encrypted together in an SSL frame. Decryption can only be done on the whole
frame, so a sysread for one byte actually reads the complete SSL frame from the
socket, decrypts it and returns the first decrypted byte. Further sysreads will
@@ -420,7 +422,7 @@
socket with select or poll.
Another way might be if you try to sysread at least 16kByte all the time.
16kByte is the maximum size of an SSL frame and because sysread returns data
-from only a single SSL frame you guarantee this way, that there are no pending
+from only a single SSL frame you can guarantee that there are no pending
data.
See also L"Using Non-Blocking Sockets">.
@@ -429,25 +431,25 @@
Set 'SSL_version' or 'SSL_cipher_list' to a "better" value.
-IO::Socket::SSL tries to set these values to reasonable secure values, which
+LIO::Socket::SSL tries to set these values to reasonable, secure values which
are compatible with the rest of the world.
-But, there are some scripts or modules out there, which tried to be smart and
+But, there are some scripts or modules out there which tried to be smart and
get more secure or compatible settings.
Unfortunatly, they did this years ago and never updated these values, so they
are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11).
-Or they set 'HIGH' as the cipher list and thought they are secure, but did not
+Or they set 'HIGH' as the cipher list and thought they were secure, but did not
notice that 'HIGH' includes anonymous ciphers, e.g. without identification of
the peer.
So it is recommended to leave the settings at the secure defaults which
-IO::Socket::SSL sets and which get updated from time to time to
+LIO::Socket::SSL sets and which get updated from time to time to
better fit the real world.
=item *
Make SSL settings inacessible by the user, together with bad builtin settings.
-Some modules use IO::Socket::SSL, but don't make the SSL settings available
+Some modules use LIO::Socket::SSL, but don't make the SSL settings available
to the user. This is often combined with bad builtin settings or defaults (like
switching verification off).
@@ -468,15 +470,15 @@
=head1 Common Problems with SSL
SSL is a complex protocol with multiple implementations and each of these has
-their own quirks. While most of these implementations work together it often
-gets problems with older versions, minimal versions in load balancers or plain
+their own quirks. While most of these implementations work together, it often
+gets problematic with older versions, minimal versions in load balancers, or plain
wrong setups.
Unfortunatly these problems are hard to debug.
Helpful for debugging are a knowledge of SSL internals, wireshark and the use of
-the debug settings of IO::Socket::SSL and LNet::SSLeay, which can both be
+the debug settings of LIO::Socket::SSL and LNet::SSLeay, which can both be
set with C<$IO::Socket::SSL::DEBUG>.
-The following debugs levels are defined, but used not in a consistent way:
+The following debugs levels are defined, but used not in any consistent way:
=over 4
@@ -486,21 +488,21 @@
=item *
-1 - Print out errors from IO::Socket::SSL and ciphers from Net::SSLeay.
+1 - Print out errors from LIO::Socket::SSL and ciphers from LNet::SSLeay.
=item *
-2 - Print also information about call flow from IO::Socket::SSL and progress
-information from Net::SSLeay.
+2 - Print also information about call flow from LIO::Socket::SSL and progress
+information from LNet::SSLeay.
=item *
-3 - Print also some data dumps from IO::Socket::SSL and from Net::SSLeay.
+3 - Print also some data dumps from LIO::Socket::SSL and from LNet::SSLeay.
=back
Also, C from the ssl-tools repository at
-https://github.com/noxxi/p5-ssl-tools might be a helpful tool when debugging
+Lhttps://github.com/noxxi/p5-ssl-tools might be a helpful tool when debugging
SSL problems, as do the C<openssl> command line tool and a check with a
different SSL implementation (e.g. a web browser).
@@ -517,19 +519,19 @@
chain from the trusted root.
If they check the setup with the browser everything looks ok, because browsers
work around these problems by caching any intermediate certificates and apply
-them to new connections if there are certificates missing.
+them to new connections if certificates are missing.
-But, fresh browser profiles which never have seen these intermediates cannot
-fill in the missing certificates and fail to verify, and the same is with
-IO::Socket::SSL.
+But, fresh browser profiles which have never seen these intermediates cannot
+fill in the missing certificates and fail to verify; the same is true with
+LIO::Socket::SSL.
=item *
-Old version of server or load balancer, which do not understand specific TLS
+Old versions of servers or load balancers which do not understand specific TLS
versions or croak on specific data.
From time to time one encounters an SSL peer, which just closes the connection
-inside the SSL handshake. This can usually be workarounded by downgrading the
+inside the SSL handshake. This can usually be worked around by downgrading the
SSL version, e.g. by setting C. Modern Browsers usually deal with
such servers by automatically downgrading the SSL version and repeat the
connection attempt until they succeed.
@@ -547,13 +549,13 @@
Bad or old OpenSSL versions.
-IO::Socket::SSL uses OpenSSL with the help of the LNet::SSLeay library. It
+LIO::Socket::SSL uses OpenSSL with the help of the LNet::SSLeay library. It
is recommend to have a recent version of this library, because it has more
features and usually fewer known bugs.
=item *
-Validation of client certificates fails.
+Validation of client certificates fail.
Make sure that the purpose of the certificate allows use as ssl client (check
with C<< openssl x509 -purpose >>, that the necessary root certificate is in the
@@ -571,8 +573,8 @@
immediately. Note that EWOULDBLOCK is the same as EAGAIN on UNIX systems, but
is different on Windows.
-With SSL handshakes might occure at any time, even within an established
-connections. In this cases it is necessary to finish the handshake before
+With SSL, handshakes might occur at any time, even within an established
+connection. In these cases it is necessary to finish the handshake before
you can read or write data. This might result in situations where you want to
read but must first finish the write of a handshake or where you want to write
but must first finish a read.
@@ -588,13 +590,13 @@
instead of blocking, even if the line is not complete. If an unrecoverable error
occurs it will return nothing, even if it already received some data.
-Also, I would advise against using C<accept> with a non-blocking SSL object,
+Also, I would advise against using C<accept> with a non-blocking SSL object
because it might block and this is not what most would expect. The reason for
-this is that accept on a non-blocking TCP socket (e.g. IO::Socket::IP,
-IO::Socket::INET..) results in a new TCP socket, which does not inherit the
-non-blocking behavior of the master socket. And thus the initial SSL handshake
+this is that C<accept> on a non-blocking TCP socket (e.g. LIO::Socket::IP,
+LIO::Socket::INET..) results in a new TCP socket which does not inherit the
+non-blocking behavior of the master socket. And thus, the initial SSL handshake
on the new socket inside CIO::Socket::SSL::accept will be done in a blocking
-way. To work around this you are safer in doing a TCP accept and later upgrade the
+way. To work around this you are safer by doing a TCP accept and later upgrade the
TCP socket in a non-blocking way with C and C.
my $cl = IO::Socket::SSL->new($dst);
@@ -647,9 +649,9 @@
IP address using Server Name Indication (SNI).
Support for SNI on the client side was added somewhere in the OpenSSL 0.9.8
-series, but only with 1.0 a bug was fixed when the server could not decide about
+series, but with 1.0 a bug was fixed when the server could not decide about
its hostname. Therefore client side SNI is only supported with OpenSSL 1.0 or
-higher in IO::Socket::SSL.
+higher in LIO::Socket::SSL.
With a supported version, SNI is used automatically on the client side, if it
can determine the hostname from C<PeerAddr> or C<PeerHost> (which are synonyms
in the underlying IO::Socket:: classes and thus should never be set both or at
@@ -659,7 +661,7 @@
this case it will throw in error, if SNI is not supported.
To check for support you might call C<< IO::Socket::SSL->can_client_sni() >>.
-On the server side earlier versions of OpenSSL are supported, but only together
+On the server side, earlier versions of OpenSSL are supported, but only together
with LNet::SSLeay version >= 1.50.
To check for support you might call C<< IO::Socket::SSL->can_server_sni() >>.
If server side SNI is supported, you might specify different certificates per
@@ -672,7 +674,7 @@
socket to SSL after some kind of STARTTLS command. Protocols like FTPS even
need a way to downgrade the socket again back to plain.
-The common way to do this would be to create a normal socket and use start_SSL
+The common way to do this would be to create a normal socket and use C
to upgrade and stop_SSL to downgrade:
my $sock = IO::Socket::INET->new(...) or die $!;
@@ -683,14 +685,14 @@
$sock->stop_SSL or die $SSL_ERROR;
... now $sock is again a IO::Socket::INET object ...
-But, lots of modules just derive directly from IO::Socket::INET.
-While this base class can be replaced with IO::Socket::SSL these modules cannot
+But, lots of modules just derive directly from LIO::Socket::INET.
+While this base class can be replaced with LIO::Socket::SSL, these modules cannot
easily support different base classes for SSL and plain data and switch between
these classes on a starttls command.
-To help in this case, IO::Socket::SSL can be reduced to a plain socket on
+To help in this case, LIO::Socket::SSL can be reduced to a plain socket on
startup, and connect_SSL/accept_SSL/start_SSL can be used to enable SSL and
-stop_SSL to talk plain again:
+C to talk plain again:
my $sock = IO::Socket::SSL->new(
PeerAddr => ...
@@ -708,14 +710,14 @@
=head1 Integration Into Own Modules
-IO::Socket::SSL behaves similar to other LIO::Socket modules and thus could
+LIO::Socket::SSL behaves similarly to other LIO::Socket modules and thus could
be integrated in the same way, but you have to take special care when using
non-blocking I/O (like for handling timeouts) or using select or poll.
Please study the documentation on how to deal with these differences.
Also, it is recommended to not set or touch most of the C options, so
-that they keep there secure defaults. It is also recommended to let the user
-override this SSL specific settings without the need of global settings or hacks
+that they keep their secure defaults. It is also recommended to let the user
+override these SSL specific settings without the need of global settings or hacks
like C.
The notable exception is C.
@@ -727,79 +729,79 @@
=head1 Description Of Methods
-IO::Socket::SSL inherits from another IO::Socket module.
+LIO::Socket::SSL inherits from another LIO::Socket module.
The choice of the super class depends on the installed modules:
=over 4
=item *
-If IO::Socket::IP with at least version 0.20 is installed it will use this
+If LIO::Socket::IP with at least version 0.20 is installed it will use this
module as super class, transparently providing IPv6 and IPv4 support.
=item *
-If IO::Socket::INET6 is installed it will use this module as super class,
+If LIO::Socket::INET6 is installed it will use this module as super class,
transparently providing IPv6 and IPv4 support.
=item *
-Otherwise it will fall back to IO::Socket::INET, which is a perl core module.
-With IO::Socket::INET you only get IPv4 support.
+Otherwise it will fall back to LIO::Socket::INET, which is a perl core module.
+With LIO::Socket::INET you only get IPv4 support.
=back
-Please be aware, that with the IPv6 capable super classes, it will lookup first
+Please be aware that with the IPv6 capable super classes, it will look first
for the IPv6 address of a given hostname. If the resolver provides an IPv6
address, but the host cannot be reached by IPv6, there will be no automatic
fallback to IPv4.
To avoid these problems you can either force IPv4 by specifying and AF_INET
-as C<Domain> of the socket or globally enforce IPv4 by loading IO::Socket::SSL
+as C<Domain> of the socket or globally enforce IPv4 by loading LIO::Socket::SSL
with the option 'inet4'.
-IO::Socket::SSL will provide all of the methods of its super class, but
+LIO::Socket::SSL will provide all of the methods of its super class, but
sometimes it will override them to match the behavior expected from SSL or to
provide additional arguments.
-The new or changed methods are described below, but please read also the
+The new or changed methods are described below, but please also read the
section about SSL specific error handling.
=over 4
=item Error Handling
-If an SSL specific error occurs the global variable C<$SSL_ERROR> will be set.
-If the error occurred on an existing SSL socket the method C<errstr> will
+If an SSL specific error occurs, the global variable C<$SSL_ERROR> will be set.
+If the error occurred on an existing SSL socket, the method C<errstr> will
give access to the latest socket specific error.
-Both C<$SSL_ERROR> and C<errstr> method give a dualvar similar to C<$!>, e.g.
+Both C<$SSL_ERROR> and the C<errstr> method give a dualvar similar to C<$!>, e.g.
providing an error number in numeric context or an error description in string
context.
=item B
-Creates a new IO::Socket::SSL object. You may use all the friendly options
-that came bundled with the super class (e.g. IO::Socket::IP,
-IO::Socket::INET, ...) plus (optionally) the ones described below.
-If you don't specify any SSL related options it will do it's best in using
-secure defaults, e.g. chosing good ciphers, enabling proper verification etc.
+Creates a new LIO::Socket::SSL object. You may use all the friendly options
+that came bundled with the super class (e.g. LIO::Socket::IP,
+LIO::Socket::INET, ...) plus (optionally) the ones described below.
+If you don't specify any SSL related options it will do its best in using
+secure defaults, e.g. choosing good ciphers, enabling proper verification, etc.
=over 2
=item SSL_server
-Set this option to a true value, if the socket should be used as a server.
-If this is not explicitly set it is assumed, if the Listen parameter is given
+Set this option to a true value if the socket should be used as a server.
+If this is not explicitly set it is assumed if the C<Listen> parameter is given
when creating the socket.
=item SSL_hostname
This can be given to specify the hostname used for SNI, which is needed if you
have multiple SSL hostnames on the same IP address. If not given it will try to
-determine hostname from PeerAddr, which will fail if only IP was given or if
-this argument is used within start_SSL.
+determine the hostname from C<PeerAddr>, which will fail if only an IP was given or if
+this argument is used within C.
-If you want to disable SNI set this argument to ''.
+If you want to disable SNI, set this argument to ''.
Currently only supported for the client side and will be ignored for the server
side.
@@ -808,9 +810,9 @@
=item SSL_startHandshake
-If this option is set to false (defaults to true) it will no start the SSL
+If this option is set to false (defaults to true) it will not start the SSL
handshake yet. This has to be done later with C or C.
-Before the handshake is started read/write etc can be used to exchange plain
+Before the handshake is started read/write/etcc can be used to exchange plain
data.
=item SSL_ca | SSL_ca_file | SSL_ca_path
@@ -826,7 +828,7 @@
C to determine the user-set or system defaults.
If you really don't want to set a CA set SSL_ca_file or SSL_ca_path to
C<\undef> or SSL_ca to an empty list. (unfortunatly C<''> is used by some
-modules using IO::Socket::SSL when CA is not exlicitly given).
+modules using LIO::Socket::SSL when CA is not exlicitly given).
=item SSL_client_ca | SSL_client_ca_file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/t/alpn.t new/IO-Socket-SSL-2.013/t/alpn.t
--- old/IO-Socket-SSL-2.012/t/alpn.t 2015-01-26 23:33:57.000000000 +0100
+++ new/IO-Socket-SSL-2.013/t/alpn.t 2015-04-17 14:06:34.000000000 +0200
@@ -29,7 +29,7 @@
SSL_key_file => 'certs/server-key.pem',
SSL_alpn_protocols => [qw(one two)],
) || do {
- fail("server creation failed: $!");
+ ok(0,"server creation failed: $!");
exit;
};
ok(1,"Server Initialization at $addr");
@@ -51,7 +51,7 @@
SSL_verify_mode => 0,
SSL_alpn_protocols => [qw(two three)],
) or do {
- fail("connect failed: ".IO::Socket::SSL->errstr());
+ ok(0,"connect failed: ".IO::Socket::SSL->errstr());
exit;
};
ok(1,"client connected" );
@@ -59,6 +59,7 @@
ok($proto eq "two","negotiated $proto");
} else { ###### Server
my $to_client = $server->accept or do {
+ ok(0,"accept failed: ".$server->errstr());
kill(9,$pid);
exit;
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/t/io-socket-ip.t new/IO-Socket-SSL-2.013/t/io-socket-ip.t
--- old/IO-Socket-SSL-2.012/t/io-socket-ip.t 2014-12-31 09:34:05.000000000 +0100
+++ new/IO-Socket-SSL-2.013/t/io-socket-ip.t 2015-05-01 17:15:15.000000000 +0200
@@ -18,7 +18,7 @@
# not available or IO::Socket::SSL forgot to load it
if ( ! eval {
require IO::Socket::IP;
- IO::Socket::IP->VERSION(0.20) && IO::Socket::IP->VERSION != 0.30;
+ IO::Socket::IP->VERSION(0.31)
}) {
print "1..0 # Skipped: usuable IO::Socket::IP is not available\n";
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/t/startssl-failed.t new/IO-Socket-SSL-2.013/t/startssl-failed.t
--- old/IO-Socket-SSL-2.012/t/startssl-failed.t 2014-12-31 09:34:05.000000000 +0100
+++ new/IO-Socket-SSL-2.013/t/startssl-failed.t 2015-05-01 17:16:25.000000000 +0200
@@ -52,7 +52,6 @@
if ( $l =~m{bar\n} ) {
return ok('client receive non-ssl data');
}
- #warn "XXXXXXXX $l";
}
fail("receive non-ssl data");
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.012/t/verify_hostname.t new/IO-Socket-SSL-2.013/t/verify_hostname.t
--- old/IO-Socket-SSL-2.012/t/verify_hostname.t 2014-12-31 09:34:05.000000000 +0100
+++ new/IO-Socket-SSL-2.013/t/verify_hostname.t 2015-05-01 17:13:41.000000000 +0200
@@ -15,7 +15,7 @@
);
$|=1;
-my $max = 40;
+my $max = 42;
$max+=3 if $can_idn;
print "1..$max\n";
@@ -97,12 +97,50 @@
ok( "$want $host $typ" );
}
}
-
exit;
}
my $csock = $server->accept;
wait;
+# try with implicit checking
+# Should succeed
+defined( $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ SSL_ca_file => "certs/test-ca.pem",
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local'
+ ) || print "not ";
+ ok("implicit hostname check www.server.local");
+ exit;
+}
+$csock = $server->accept;
+wait;
+
+# Should fail
+defined( $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ if (IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ SSL_ca_file => "certs/test-ca.pem",
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'does.not.match.server.local'
+ )) {
+ print "not ";
+ } elsif ($SSL_ERROR !~ /hostname verification failed/) {
+ print "# wrong error(should be hostname verification failed): $SSL_ERROR\n";
+ print "not ";
+ }
+ ok("implicit hostname check does.not.match.server.local");
+ exit;
+}
+$csock = $server->accept;
+wait;
+
+
sub ok { print "ok #$_[0]\n"; }