v1.76 2012.06.18
- no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if
  no current Socket.pm is available. Thanks to paul[AT]city-fan[DOT]org
  for pointing out the problem and providing first patch
v1.75 2012.06.15
- made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
v1.74_2 2012.06.07
- fixed documentation errors, reported by MARSCHAP
  https://rt.cpan.org/Ticket/Display.html?id=77690
v1.74_1 2012.06.07
- add support for IO::Socket::IP, which supports inet6 and inet4, by
  integrating patch from PEVANS
  for https://rt.cpan.org/Ticket/Display.html?id=75218
v1.74 2012.05.13
- accept a version of SSLv2/3 as SSLv23, because older documentation
  could be interpreted like this
v1.73 2012.05.11
- make test t/dhe.t hopefully work for more versions of openssl
  Thanks to paul[AT]city-fan[DOT]org for providing bug reports and
  testing environment
v1.72 2012.05.10
- set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
  Thanks to dcostas[AT]gmail[DOT]com for problem report
v1.71 2012.05.09
- 1.70 done right. Also don't disable SSLv2 ciphers, SSLv2 support is better
  disabled by the default SSL_version of 'SSLv23:!SSLv2'
v1.70 2012.05.08
- make it possible to disable protocols using SSL_version, make SSL_version
  default to 'SSLv23:!SSLv2'
v1.69 2012.05.08
- re-added workaround in t/dhe.t
v1.68 2012.05.07
- remove SSLv2 from default cipher list, which makes failed tests after last
  change work again, fix behavior for empty cipher list (use default)
v1.67 2012.05.07
- https://rt.cpan.org/Ticket/Display.html?id=76929
  thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting
  - if no explicit cipher list is given it will now default to ALL:!LOW instead
    of the openssl default, which usually includes weak ciphers like DES.
  - new config key SSL_honor_cipher_order and documented how to use it to fight
    BEAST attack.
v1.66 2012.04.16
- make it thread safer, thanks to bug report from
  vega[DOT]james[AT]gmail[DOT]com,
  https://rt.cpan.org/Ticket/Display.html?id=76538
v1.65 2012.04.16
- added NPN (Next Protocol Negotiation) support based on patch from kmx
  https://rt.cpan.org/Ticket/Display.html?id=76223
v1.64 2012.04.06
- clarify some behavior regarding hostname verification.
  Thanks to DOHERTY for reporting.
v1.63 2012.04.06
- applied patch of DOUGDUDE to ignore die from within eval to make tests
  more stable on Win32, https://rt.cpan.org/Ticket/Display.html?id=76147
v1.62 2012.03.28
- small fix to last version
v1.61 2012.03.27
- call CTX_set_session_id_context so that server's session caching works with
  client certificates too.
  https://rt.cpan.org/Ticket/Display.html?id=76053
v1.60 2012.03.20
- don't make blocking readline if socket was set nonblocking, but return as
  soon as no more data are available
  https://rt.cpan.org/Ticket/Display.html?id=75910
- fix BUG section about threading so that it shows package as thread safe
  as long as Net::SSLeay >= 1.43 is used
  https://rt.cpan.org/Ticket/Display.html?id=75749
v1.59 2012.03.08
- if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
  message when attempting to use it.
- modify constant declarations so that 5.6.1 should work again
v1.58 2012.02.26
- fix t/dhe.t again to enable the workaround only for newer openssl
  versions, because this would cause failures on older versions
v1.57 2012.02.26
- fix t/dhe.t for openssl 1.0.1 beta by forcing tlsv1, so that it does
  not complain about the too small rsa key which it should not use anyway.
  Thanks to paul[AT]city-fan[DOT]org for reporting.
  https://rt.cpan.org/Ticket/Display.html?id=75165
v1.56 2012.02.22
- add automatic or explicit (via SSL_hostname) SNI support, needed for
  multiple SSL hostnames with same IP. Currently only supported for the
  client.
v1.55 2012.02.20
- work around IO::Socket's work around for systems returning EISCONN etc
  on connect retry for non-blocking sockets by clearing $! if SUPER::connect
  returned true.
  https://rt.cpan.org/Ticket/Display.html?id=75101
  Thanks to Manoj Kumar for reporting.
v1.54 2012.01.11
- return 0 instead of undef in SSL_verify_callback to fix uninitialized
  warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for
  reporting the bug and MIKEM for the fix.
  https://rt.cpan.org/Ticket/Display.html?id=73629
v1.53 2011.12.11
- kill child in t/memleak_bad_handshake.t if test fails
  https://rt.cpan.org/Ticket/Display.html?id=73146
  Thanks to CLEACH for reporting
v1.52 2011.12.07
- fix syntax error in t/memleak_bad_handshake.t
  thanks to cazzaniga[DOT]sandro[AT]gmail[DOT]com for reporting
v1.51 2011.12.06
- disable t/memleak_bad_handshake.t on AIX, because it might hang
  https://rt.cpan.org/Ticket/Display.html?id=72170
v1.50 2011.12.06
  Thanks to HMBRAND for reporting and Rainer Tammer tammer[AT]tammer[DOT]net for
  providing access to AIX system
v1.49 2011.10.28
- another regression for readline fix, this time it failed to return lines
  at eof which don't end with newline. Extended t/readline.t to catch this
  case and the fix for 1.48
  Thanks to christoph[DOT]mallon[AT]gmx[DOT]de for reporting
v1.48 2011.10.26
- bugfix for readline fix in 1.45. If the pending data were false
  (like '0') it failed to read rest of line.
  Thanks to Victor Popov for reporting
  https://rt.cpan.org/Ticket/Display.html?id=71953
v1.47 2011.10.21
- fix for 1.46 - check for mswin32 needs to be /i. Thanks to
  Alexandr Ciornii for reporting
v1.46 2011.10.18
- disable test t/signal-readline.t on windows, because signals are
  not relevant for this platform and test does not work.
  https://rt.cpan.org/Ticket/Display.html?id=71699
v1.45 2011.10.12
- fix readline to continue when getting interrupt waiting for more
  data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem
v1.44 2011.05.27
- fix invalid call to inet_pton in verify_hostname_of_cert when
  identity should be verified as ipv6 address, because it contains
  colon.
v1.43_1 2011.05.12
- try to make t/nonblock.t more stable, especially on Mac OS X
v1.43 2011.05.11
- fix t/nonblock.t
- stability improvements t/inet6.t
v1.42 2011.05.10
- add SSL_create_ctx_callback to have a way to adjust context on
  creation. https://rt.cpan.org/Ticket/Display.html?id=67799
- describe problem of fake memory leak because of big session cache
  and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073
v1.41 2011.05.09
- fix issue in stop_SSL where it did not issue a shutdown of the
  SSL connection if it first received the shutdown from the other
  side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
- try to make t/nonblock.t more reliable, at least report the real
  cause of ssl connection errors
v1.40 2011.05.02
- integrated patch from GAAS to get IDN support from URI.
  https://rt.cpan.org/Ticket/Display.html?id=67676
v1.39_1 2011.05.02
- fix in example/async_https_server.
  Thanks to DetlefPilzecker[AT]web[DOT]de for reporting
v1.39 2011.03.03
- fixed documentation of http verification: wildcards in cn are allowed
v1.38_1 2011.01.24
- close should undef _SSL_fileno, because the fileno is no longer
  valid (SSL connection and socket are closed)
v1.38 2011.01.18
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1
  instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for
  reporting
  https://rt.cpan.org/Ticket/Display.html?id=64864
v1.37 2010.12.09
- don't complain about invalid certificate locations if user explicitly
  set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what
  he is doing and will work around the problems by himself.
  http://rt.cpan.org/Ticket/Display.html?id=63741
v1.36 2010.12.08
- update documentation for SSL_verify_callback based on
  https://rt.cpan.org/Ticket/Display.html?id=63743
  https://rt.cpan.org/Ticket/Display.html?id=63740
v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
  verified as valid it will no longer fall back to VERIFY_NONE but throw
  an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
  pointing out the problem, see also
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
v1.34 2010.11.01
- schema http for certificate verification changed to
  wildcards_in_cn=1, because according to rfc2818 this is valid and
  also seen in the wild
- if upgrading socket from inet to ssl fails due to handshake problems
  the socket gets downgraded, but is still open.
  See https://rt.cpan.org/Ticket/Display.html?id=61466
- deprecate kill_socket, just use close()
v1.33 2010.03.17
- attempt to make t/memleak_bad_handshake.t more stable, it fails
  for unknown reason on various systems
- fix hostname checking: an IP should only be checked against
  subjectAltName GEN_IPADD, never against GEN_DNS or CN.
  Thanks to rusch[AT]genua[DOT]de for bug report
v1.32 2010.02.22
- Makefile.PL: die if Scalar::Util has no dualvar support instead of
  only complaining. Thanks to w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
  for reporting.
v1.31 2009.09.25
- add and export constants for SSL_VERIFY_*
- set SSL_use_cert if cert is given and not SSL_server
- support alternative CRL file with SSL_crl_file thanks to patch of
  w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
v1.30_3 2009.09.03
- make t/memleak_bad_handshake.t more stable (increase listen queue,
  ignore errors on connect, don't run on windows..)
v1.30_2 2009.09.01
- t/memleak_bad_handshake.t don't write errors with ps to stderr,
  -o vsize argument is not supported on all platforms, just skip
  test then
v1.30_1 2009.08.31
- make sure that idn_to_ascii gets no \0 bytes from identity, because
  it simply cuts the string there (using C semantics). Not really a
  security problem because IDN like identity is provided by user in
  hostname, not by certificate.

v1.30 2009.08.19
- fix test t/memleak_bad_handshake.t
v1.29 2009.08.19
- fixed thanks for version 1.28
v1.28 2009.08.19
- fix memleak when SSL handshake failed.
  Thanks richardhundtu[AT]gmail[DOT]com

v1.27 2009.07.24
- changed possibly locale/utf-8 dependent \w in some regexes to the more
  explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed that service
  names can't have '-' inside
- fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
  where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
  While there made it more aware of errors in Net::ssl_write_all (return
  undef not 0 in generic_write)
v1.26 2009.07.03
- SECURITY BUGFIX!
  fix Bug in verify_hostname_of_cert where it matched only the prefix for
  the hostname when no wildcard was given, e.g. www.example.org matched
  against a certificate with name www.exam in it
  Thanks to MLEHMANN for reporting

v1.25 2009.07.02
- t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5
  https://rt.cpan.org/Ticket/Display.html?id=47240

v1.24 2009.04.01
- add verify hostname scheme ftp, same as http
- renew test certificates again (root CA expired, now valid for 10 years)

v1.23 2009.02.23
- if neither SSL_ca_file nor SSL_ca_path are known (e.g. not given and the
  default values have no existing file|path) disable checking of
  certificates, but carp about the problem
- new test certificates, the old ones expired and caused tests to fail

v1.22 2009.01.24
- Net::SSLeay stores verify callbacks inside hash and never clears them, so
  set verify callback to NULL in destroy of context

v1.21 2009.01.22
- auto verification of name in certificate created circular reference between
  SSL and CTX object with the verify_callback, which caused the objects to be
  destroyed only at program end. Fix it by no longer accessing $self from
  inside the callback.
  Thanks to odenbach[AT]uni-paderborn[DOT]de for reporting

v1.20 2009.01.15
- only changes on test suite to make it ready for win32
  (tested with strawberry perl 5.8.8)

v1.19 2008.12.31
- fix verifycn_name autodetection from PeerAddr/PeerHost

v1.18 2008.11.17
- fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
  http://rt.cpan.org/Ticket/Display.html?id=40997
  thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting

v1.17 2008.10.13
- no code changes, publish v.16_3 as v.17 because it looks better
  than v.16
- document win32 behavior regarding non-blocking and timeouts

v1.16_3 2008.09.25
- fix t/nonblock.t with workaround for problems with
  IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do
  nonblocking connect and leaves socket blocked.
- make some tests less verbose by fixing diag in t/testlib.t
  (send output to STDOUT not STDERR and prefix with '#')

v1.16_2 2008.09.24
- work around Bug in IO::Socket::INET6 on BSD systems
  http://rt.cpan.org/Ticket/Display.html?id=39550
  by setting Domain based on PeerAddr
  Thanks to srezic for report and support
- remove tests of recv/send from t/core.t. Might badly interact
  with SSL handshake and cause crashes as seen on OS X 10.4

v1.16_1 2008.09.19
- better support for IPv6:
  - IPv6 is enabled by default if IO::Socket::INET6 is available
  - t/inet6.t for basic tests

v1.16 2008.09.19
- change code for SSL_check_crl to use X509_STORE_set_flags instead of
  X509_STORE_CTX_set_flags based on bug report from
  <tjtoocool[AT]phreaker[DOT]net>
- change opened() to report -1 if the IO::Handle is open, but the
  SSL connection failed, needed with HTTP::Daemon::SSL which will send
  an error message over the unencrypted socket

v1.15
- change internal behavior when SSL handshake failed (like when verify
  callback returned an error) in the hope to fix spurious errors in
  t/auto_verify_hostname.t

v1.14
- added support for verification of hostname from certificate
  including subjectAltNames, support for IDN etc based on patch and
  input from christopher[AT]odenbachs[DOT]de and
  achim[AT]grolmsnet[DOT]de.
  It is also possible to get more information from peer_certificate
  based on this patch. See documentation for peer_certificate and
  verify_hostname
- automatic verification of hostnames with SSL_verifycn_scheme and
  SSL_verifycn_name
- global setting of default context options like SSL_verifycn_scheme,
  SSL_verify_mode with set_ctx_defaults
- fix import of inet4,inet6 which got broken within 1.13_X.
  Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
- clarified and enhanced debugging support based on bugreport
  http://rt.cpan.org/Ticket/Display.html?id=32960
- put information into README regarding the supported and recommended
  version of Net::SSLeay

v1.13
- removed CLONE_SKIP which was added in 1.03 because this breaks
  windows forking. Handled threads/windows forking better by making
  sure that CTX from Net::SSLeay is not freed multiple times from
  different threads after cloning/forking
- removed setting LocalPort to 0 in tests, instead leave it undef
  if a random port should be allocated. This should fix build problems
  with 5.6.1. Thanks to <andrew[DOT]benham[AT]thus[DOT]net>

v1.12
- treat timeouts of 0 for accept_SSL and connect_SSL like no timeout,
  like IO::Socket does.

v1.11
- fixed errors in accept_SSL which would work when called from start_SSL
  but not from accept

v1.10
- start_SSL, accept_SSL and connect_SSL have argument for Timeout
  so that the SSL handshake will not block forever. Only used if the
  socket is blocking. If not set the Timeout value from the underlying
  IO::Socket is used

v1.09
- new method stop_SSL as opposite of start_SSL based on an idea
  of Bron Gondwana <brong[AT]fastmail[DOT]fm>
  To support this method the SSL_shutdown handling had to be
  fixed, e.g. in close a proper unidirectional shutdown
  should be done while in stop_SSL a bidirectional shutdown
- try to make it clearer that thread support is buggy

v1.08
- make sure that Scalar::Util has support for dualvar
  (Makefile.PL,SSL.pm) because the perl-only version
  has no dualvar

v1.07
- fix t/nonblock.t on systems which have by default a larger
  socket buffer. Set SO_SNDBUF explicitly with setsockopt
  to force smaller writes on the socket

v1.06
- instead of setting undef args to '' in configure_SSL drop
  them. This makes Net::SMTP::SSL work again because it
  does not give LocalPort of '' to IO::Socket::INET any more

v1.05
- make session cache work even if the IO::Socket::SSL object
  was not created with IO::Socket::SSL->new but with
  IO::Socket::SSL->start_SSL on an established socket

v1.04
- added way to create SSL object with predefined session
  cache, thus making it possible to share the cache between
  objects even if the rest of the context is not shared
  key SSL_session_cache
  Note that the arguments of IO::Socket::SSL::SessionCache::new
  changed (but you should never have used this class directly
  because it's internal to IO::Socket::SSL)

v1.03
- add CLONE_SKIP as proposed by
  Jarrod Johnson jbjohnso at us dot ibm dot com

v1.02
- added some info to BUGS and to BUGS section of pod
- added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even
  if they do nothing useful.
- all tests allocate now the ports dynamically, so there should
  be no longer a conflict with open ports on the system where
  the tests run

v1.01
- work around Bug in Net::HTTPS where it defines sub blocking
  as {}, e.g. force scalar context when calling sub blocking
  (in IO::Socket::SSL::write)
  see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106

v1.0
- fix deprecated and practically undocumented function
  get_peer_certificate so that LWP Net::HTTPS works again
- set arg 'Blocking' while calling SUPER::configure only
  if it was set by the caller to work around Problem in LWP
  Net::HTTPS

v0.999
- If SSL_cipher_list is not given it uses the openssl
  default instead of setting it to 'ALL:!LOW:!EXP' like
  before. The old value included ADH and this might be
  a bad idea, see BUGS why.

v0.998
- declare socket as opened before calling fatal_ssl_error
  because the SSL_error_trap set up from HTTP::Daemon
  needs this
- accept_SSL sets errors on $socket (the accepted socket)
  not $self (the listening socket if called from accept)
  so it can be queried from SSL_error_trap
- note in BUGS section that IO::Socket::SSL is not thread-safe

v0.997
- fix readline (e.g. getline,getlines,<>) so that it behaves
  regarding $/ like written in the $/ documentation.

v0.996
- removed links and comments to unofficial release of
  Net::SSLeay, because there is a newer version already

v0.995
- add support for Diffie Hellman Key Exchange.
  See parameter SSL_dh_file and SSL_dh.

v0.994
- hide DEBUG statements and remove test to load Debug.pm
  because packages like SpamAssassin cannot cope with it
  (at least the OpenBSD port)

v0.993
- added SSL_cert and SSL_key parameter which do not take
  a file name like SSL_cert_file and SSL_key_file but
  an internal X509* resp. EVP_PKEY* value. Useful for
  dynamically created certificates and keys.
- added test for sysread/syswrite behavior (which was changed
  in v0.991)

v0.992
- _set_rw_error does $!||=EAGAIN only if error is one of
  SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith
  <mike at mailchannels dot com>)
- Fix Makefile.PL to allow detection of failures in PREREQ_PM
  (http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch
  by alexchorny at gmail dot com)

v0.991
- sysread and syswrite are no longer the same as read and write,
  but can return already if only parts of the data are read
  or written (which is the usual semantic for sysread and syswrite)
  This should fix problems with HTTP::Daemon::SSL

v0.99
- just upgrade Version number because I've screwed up upload
  of v0.98 to cpan

v0.98
- Maintainer changed to <Steffen_Ullrich at genua dot de>
- Better support for nonblocking sockets:
  . exports $SSL_ERROR which contains the latest error from
    the openssl library. Exports constants SSL_WANT_READ and
    SSL_WANT_WRITE as special errors which will be set if
    openssl wants to write or read during nonblocking connects,
    accepts, reads or writes.
  . accept,accept_SSL,connect and connect_SSL don't block
    anymore if the socket is nonblocking.
    Instead $! will be set from the underlying IO::Socket::INET
    connect or accept if it failed there (usually EAGAIN or
    EINPROGRESS) or if the underlying openssl needs to read or
    write $! will be set to EAGAIN and $SSL_ERROR will be set
    to SSL_WANT_READ or SSL_WANT_WRITE
  . syswrite returns undef and sets $!,$SSL_ERROR if it fails
    to write instead of returning 0.
- Bugfixes (http://rt.cpan.org/Public/Bug/Display.html?id=Bugid)
  . Bug 18439: fileno 0 should be valid
  . Bug 15001: sysread interprets buffer "0" as ""
- peer_certificate returns X509 struct string if no field
  for extraction was specified
- get_peer_certificate returns the certificate instead of the
  IO::Socket::SSL object

v0.97
- Writes now correctly return errors. (Problem noted by
  Dominique Quatravaux <dom at idealx.com>).
- CA paths now work without passing an empty SSL_ca_file
  argument. (Problem found by Phil Pennock, <phil.pennock
  at globnix.org>).
- IO::Socket::SSL now automatically passes Proto => tcp (if
  not already specified) to IO::Socket::INET to work around
  /etc/services files with udp entries listed first. (Fix
  suggested by Phil Pennock).
- $socket->accept() now returns the peer address in array
  context for better conformance with IO::Socket::INET.
  However, if you were doing "map { $_->accept } (@sockets)",
  or similar tricks, you will need to use "scalar" to get the
  old behavior back. (Problem noted by Nils Sowen, <n.sowen
  at kon.de>).
- IO::Socket::SSL should now properly block on reads larger
  than the buffer size of Net::SSLeay. (Problem found by Eric
  Jergensen, <eric at dvns.com>).
- IO::Socket::SSL should now send CA Certs (if necessary)
  along with certificates. (Problem found by <roy at
  momentous.ca>).
- Timeouts should now work, but be aware that if multiple
  reads/writes are necessary to complete a connection, then
  each one may have a separate timeout. (Request from
  Dominique Quatravaux <dom at idealx.com>).
- In certain cases, start_SSL() would misplace a socket's
  fileno, causing problems with starting SSL. This should now
  be fixed. (Problem found by <russ at zerotech.net>).
- IO::Socket::SSL now requires a minimum of Net::SSLeay 1.21.

--- Old Versions --------------------------------------------------

v0.96 2004.4.30
- Makefile's error messages now correct if output is
  redirected (patch from Ilya Zakharevich <ilya at
  math.berkeley.edu>).
- Non-blocking connects/accepts now work (Problem found by
  Uri Guttman <uri at stemsystems.com>).
- new_from_fd() now works.
- getline() and <> in scalar context now return undef
  instead of '' if the read failed. (Problem found by
  Christian Gilmore <cag at us.ibm.com>).
- Broken pipe signals are now ignored during socket close
  to prevent a SSL shutdown message from killing the parent
  program. (Problem found by Christian Gilmore).
- Tests should proceed much more quickly, and a semi-race was
  fixed, meaning that on slow machines the tests should be
  more reliable.
- Check for Scalar::Util and Weakref now uses default
  $SIG{__DIE__} instead of a potentially user-altered one
  (suggestion from Olaf Schneider <Olaf.Schneider at
  iwr.fzk.de>). This only applies to Perl 5.6.0 & above.
- Session caching support (patch from Marko Asplund
  <marko.asplund at kronodoc.fi>).
- set_default_context() added to alter the behavior of
  modules that use IO::Socket::SSL from the main program.
- get_ssl_object() renamed to _get_ssl_object() to reflect
  the fact that it's only supposed to be used internally
  (not that you should have cared, of course).
- Added patch for Net::SSLeay to take advantage of
  client-side session caching.

v0.95 2003.8.25
- Changed PeerAddr in example/ssl_client.pl back to localhost.
- Update of examples to automatically switch to the proper
  directory if they cannot find the necessary SSL certificates.
- Minor documentation update with more INET6 info.
- Corrected some error messages for IO::Socket::INET6.
- Better opened() behavior when sockets close unexpectedly.
- Added note about random number generators for Solaris users
  (Problem found by Christian Gilmore <cag at us.ibm.com>).
- Added support for WeakRef and Scalar::Util to allow
  IO::Socket::SSL objects to auto-destroy themselves when
  they go out of scope.
- Added croak()ing for unimplemented send() and recv() methods
  so they are not accidentally used to transmit unencrypted
  data. The Perl builtin functions cannot be reliably trapped
  and are still dangerous, a fact that the POD now reflects
  (Problem noted by Michal Ludvig <michal at logix.cx>).

v0.94 2003.6.26
- Changed accept() to use inherited accept() instead of
  IO::Socket::accept, so that IPv6 inheritance is possible.
- Added options to import() so that a user could specify
  IPv6 or IPv4 mode of operation.
- Documentation fixes, esp. e-mail address.

v0.93 2003.6.24
- Fixed error-checking slip in connect_SSL() (Problem found by
  Uri Guttman <uri at stemsystems.com>).
- All functions now return the empty list () on errors.
- Added note about the above change to appease Graham Barr
  <gbarr at pobox.com>.
- Fixed Net::SSLeay giving warnings when arguments are undef;
  in all cases, undef arguments may be set to '' without any
  change in behavior except for removing the warnings.
  (Problem found by Dominique Quatravaux <dom at idealx.com>)
- If accept() or connect() fails in SSL negotiation, the user
  now has the option to print something to the failed socket
  before it is closed. (error_trap option in new())
- Added support for CRLs (SSL_check_crl option in new()) for
  versions of OpenSSL >= 0.9.7b (Original patch from
  Brian Lindauer <jbl at sysd.com>)
- Finally added decent support for certificate callbacks.
  (SSL_verify_callback option in new(), suggestion from
  Dariush Pietrzak <eyck at ghost.anime.pl>).
- accept()/connect()/socket_to_SSL() now fail immediately if
  the socket in question does not have a fileno.
- Added the kill_socket() method to guarantee that a socket dies.
- Fixed extra warning when printing errors in debug mode.
- Deprecated socket_to_SSL() in favor of the class method
  start_SSL() (Class method suggestion from Graham Barr
  <gbarr at pobox.com>).
- Added the class method start_SSL() to allow for cases when
  the desired class of the socket is not IO::Socket::SSL
  (Request from Dariush Pietrzak <eyck at ghost.anime.pl>)
- Changed socket_to_SSL to rebless socket to original class
  if SSL negotiation failed (Request from Graham Barr
  <gbarr at pobox.com>)
- Removed the daemon.pl example, as it did not work with the
  standard distribution of HTTP::Daemon (use HTTP::Daemon::SSL
  instead).

v0.92 2002.10.22
- Changed the fileno() function to support returning the fileno
  of server sockets. (Problem found by Roland Giersig
  <RGiersig at cpan.org>).
- Fixed SSL_version incorrectly defaulting to SSLv2 (patch from
  Roland Alder <roland.alder at celeris.ch>).

v0.91 2002.08.31
- Added support for SSL_peek and SSL_pending (peek() and
  pending()). Updated documentation, tests, etc. to reflect
  this.

v0.901 2002.08.19
- Fixed the warning that happens when sockets are not explicitly
  closed() before the program terminates.

v0.90 2002.08.13
- This version is a complete rewrite of IO::Socket::SSL. It now
  has about half the lines of code, twice the amount of documentation,
  and a slightly more polished interface.
- IO::Socket::SSL now works properly with mod_perl and taint mode.
- Major documentation update.
- Update of the BUGS file to reflect changes made in the rewrite.
- Update of the test suite for Perl v5.8.0 (or, more precisely,
  for Scalar::Util).
- Update of the test suite for Perl v5.00503 (or, more precisely,
  for the lack of several nice features added in v5.6.0) (Marko
  Asplund <aspa at kronodoc.fi>).
- New test suite that does not need the Internet to function.
- Update of all the files in example/ to use more current features
  of IO::Socket::SSL.
- Removal of SSL_SSL and X509_Certificate classes.
- There have been a few name changes (like socketToSSL ->
  socket_to_SSL) for better consistency.
- The functionality of get_peer_certificate() and friends is deprecated.
- The functionality of want_write() and want_read() is deprecated.
- The functionality of context_init() is deprecated for normal use.
- Support for all SSL context options in the new() call.
- SSL contexts are no longer global. The SSL_reuse_ctx option
  is provided for those who want to re-use a context.
- The default verify mode is now VERIFY_NONE.
- IO::Socket::SSL::DEBUG is now linked to Net::SSLeay::trace to
  provide different levels of debugging information.
- There is a uniform interface for error reporting, so on error
  all functions will return undef and the error will be available
  by calling errstr().
- The dump_peer_certificate() and peer_certificate() functions
  have been added.
- sysread() will now behave correctly if the offset argument is
  greater than the length of the read buffer. It also will truncate
  the read buffer properly, according to the Perl documentation for
  sysread().
- getline(), getlines(), and getc() have been added.
- syswrite() now uses references to avoid copying large amounts of data.
- readline() uses ssl_read_all in array context for improved speed.
- close() now uses SSL_shutdown() to properly close an SSL connection,
  unless you tell it not to.
- If you have Net::SSLeay version 1.18 or greater, X509 certificates
  will be properly freed.
- All other known bugs have been fixed.

v0.81a (Not publicly released)
- Added support for SSL_passwd_cb.
- Added accept() server socket support to socketToSSL().

v0.81 2002.04.10
- calling context_init twice destroyed global context. fix from
  Jason Heiss <jheiss at ofb.net>.
- file handle tying interface implementation moved to a separate
  class to prevent problems resulting from self-tying filehandles.
  Harmon S. Nine <hnine at netarx.com>.
- docs/debugging.txt file added
- require Net::SSLeay v1.08
- preliminary support for non-blocking read/write
- socketToSSL() now respects context's SSL verify setting
  reported by Uri Guttman <uri at stemsystems.com>.

v0.80 2001.08.19
- fixed startTLS support (socketToSSL) (Graham Barr <gbarr at pobox.com>)
- make accept() set fileno attribute on newly created IO::Socket::SSL
  object (Martin Oldfield <m at mail.tc>).
- certificate updates.
- use SSL_CTX_use_PrivateKey_file in SSL_Context::new.

v0.79 2001.06.04
- angle bracket readline operator support
  (David Darville <david at dark.x.dtu.dk>).
- eliminate warnings in choosing SSL protocol version.
- implement our own opened method and make length parameter optional
  in syswrite (Robert Bihlmeyer <robbe at orcus.priv.at>).

v0.78 2001.04.24
- test script targets changed, certificate setup fixed
- support for TLS in SSL_version. SSL_version parameter values
  changed from integer to string. NB: this is an incompatible change.
  all SSL_version parameter values have to be changed. valid values
  include: 'sslv2', 'sslv3', 'sslv23'. Stephen C. Koehler
  <koehler at securecomputing.com>.
- enable selecting SSL version for connections. patch from
  Takanori Ugai <ugai at jp.fujitsu.com>.
- allow setting SSL_ca_file to ''. this is needed for being
  able to use SSL_ca_path (Robert Bihlmeyer <robbe at orcus.priv.at>).
- include the Apache CA bundle file in the distribution (my-ca.pem).
- BUGS file added.

v0.77 2001.01.15
- don't setup SSL CA verification unless cert verification is
  actually used for the connections.
- default SSL protocol version selection in SSL.pm.

v0.76 2000.11.17
- patch from Kwok Chern Yue <chernyue at post1.com> for
  making IO::Socket::SSL work with HTTP::Daemon.

v0.75 2000.07.26
- IO::Socket::SSL should now work with perl v5.6.0
- demo/*.pl and t/*.t now turn module debugging on if
  DEBUG command line argument is given
- default certificates changed

v0.74 2000.07.05
- Changes file added
- bugfix in IO::Socket::SSL::sysread() (zliu2 at acsu.buffalo.edu)
- libwww-perl and IO::Socket::SSL UML models added in docs
- URL changes in test scripts
- preliminary support for startTLS in IO::Socket::SSL::socketToSSL()
- miscellaneous patches for Net::SSLeay added in diffs