2 - change code for SSL_check_crl to use X509_STORE_set_flags instead of
3 X509_STORE_CTX_set_flags based on bug report from
4 <tjtoocool[AT]phreaker[DOT]net >
5 - change opened() to report -1 if the IO::Handle is open, but the
6 SSL connection failed, needed with HTTP::Daemon::SSL which will send
7 an error mssage over the unencrypted socket
9 - change internal behavior when SSL handshake failed (like when verify
10 callback returned an error) in the hope to fix spurios errors in
11 t/auto_verify_hostname.t
13 - added support for verification of hostname from certificate
14 including subjectAltNames, support for IDN etc based on patch and
15 input from christopher[AT]odenbachs[DOT]de and
16 achim[AT]grolmsnet[DOT]de.
17 It is also possible to get more information from peer_certificate
18 based on this patch. See documentation for peer_certificate and
20 - automatic verification of hostnames with SSL_verifycn_scheme and
22 - global setting of default context options like SSL_verifycn_scheme,
23 SSL_verify_mode with set_ctx_defaults
24 - fix import of inet4,inet6 which got broken within 1.13_X.
25 Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
26 - clarified and enhanced debugging supppport based on bugreport
27 http://rt.cpan.org/Ticket/Display.html?id=32960
28 - put information into README regarding the supported and recommanded
29 version of Net::SSLeay
31 - removed CLONE_SKIP which was added in 1.03 because this breaks
32 windows forking. Handled threads/windows forking better by making
33 sure that CTX from Net::SSLeay gets not freed multiple times from
34 different threads after cloning/forking
35 - removed setting LocalPort to 0 in tests, instead leave it undef
36 if a random port should be allocated. This should fix build problems
37 with 5.6.1. Thanks to <andrew[DOT]benham[AT]thus[DOT]net>
39 - treat timeouts of 0 for accept_SSL and connect_SSL like no timeout,
42 - fixed errors in accept_SSL which would work when called from start_SSL
45 - start_SSL, accept_SSL and connect_SSL have argument for Timeout
46 so that the SSL handshake will not block forever. Only used if the
47 socket is blocking. If not set the Timeout value from the underlying
50 - new method stop_SSL as opposite of start_SSL based on a idea
51 of Bron Gondwana <brong[AT]fastmail[DOT]fm>
52 To support this method the SSL_shutdown handling had to be
53 fixed, e.g. in close a proper unidirectional shutdown
54 should be done while in stop_SSL a bidirectional shutdown
55 - try to make it clearer that thread support is buggy
57 - make sure that Scalar::Util has support for dualvar
58 (Makefile.PL,SSL.pm) because the perl-only version has
61 - fix t/nonblock.t on systems which have by default a larger
62 socket buffer. Set SO_SNDBUF explicitly with setsockopt
63 to force smaller writes on the socket
65 - instead of setting undef args to '' in configure_SSL drop
66 them. This makes Net::SMTP::SSL working again because it
67 does not give LocalPort of '' to IO::Socket::INET any more
69 - make session cache working even if the IO::Socket::SSL object
70 was not created with IO::Socket::SSL->new but with
71 IO::Socket::SSL->start_SSL on an established socket
73 - added way to create SSL object with predefined session
74 cache, thus making it possible to share the cache between
75 objects even if the rest of the context is not shared
77 Note that the arguments of IO::Socket::SSL::SessionCache::new
78 changed (but you should never have used this class directly
79 because it's internal to IO::Socket::SSL)
81 - add CLONE_SKIP as proposed by
82 Jarrod Johnson jbjohnso at us dot ibm dot com
84 - added some info to BUGS and to BUGS section of pod
85 - added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even
86 if they do nothing useful.
87 - all tests allocate now the ports dynamically, so there should
88 be no longer a conflict with open ports on the system where
91 - work around Bug in Net::HTTPS where it defines sub blocking
92 as {}, e.g. force scalar context when calling sub blocking
93 (in IO::Socket::SSL::write)
94 see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106
96 - fix depreciated and practically undocumented function
97 get_peer_certificate so that LWP Net::HTTPS works again
98 - set arg 'Blocking' while calling SUPER::configure only
99 if it was set by the caller to work around Problem in LWP
102 - If SSL_cipher_list is not given it uses the openssl
103 default instead of setting it to 'ALL:!LOW:!EXP' like
104 before. The old value included ADH and this might be
105 a bad idea, see BUGS why.
107 - declare socket as opened before calling fatal_ssl_error
108 because the SSL_error_trap set up from HTTP::Daemon
110 - accept_SSL sets errors on $socket (the accepted socket)
111 not $self (the listening socket if called from accept)
112 so it can be queried from SSL_error_trap
113 - note in BUGS section that IO::Socket::SSL is not thread-safe
115 - fix readline (e.g. getline,getlines,<>) so that it behaves
116 regarding $/ like written in the $/ dokumentation.
118 - removed links and comments to inofficial release of
119 Net::SSLeay, because there is a newer version already
121 - add support for Diffie Hellman Key Exchange.
122 See parameter SSL_dh_file and SSL_dh.
124 - hide DEBUG statements and remove test to load Debug.pm
125 because packets like Spamassisin cannot cope with it
126 (at least the OpenBSD port)
128 - added SSL_cert and SSL_key parameter which do not take
129 a file name like SSL_cert_file and SSL_key_file but
130 an internal X509* resp. EVP_PKEY* value. Useful for
131 dynamically created certificates and keys.
132 - added test for sysread/syswrite behavior (which was changed
135 - _set_rw_error does $!||=EAGAIN only if error is one of
136 SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith
137 <mike at mailchannels dot com>)
138 - Fix Makefile.PL to allow detectection of failures in PREREQ_PM
139 (http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch
140 by alexchorny at gmail dot com)
142 - sysread and syswrite ar no longer the same as read and write,
143 but can return already if only parts of the data are read
144 or written (which is the usual semantic for sysread and syswrite)
145 This should fix problems with HTTP::Daemon::SSL
147 - just upgrade Version number because I've screwed up upload
150 - Maintainer changed to <Steffen_Ullrich at genua dot de>
151 - Better support for nonblocking sockets:
152 . exports $SSL_ERROR which contains the latest error from
153 the openssl library. Exports constants SSL_WANT_READ and
154 SSL_WANT_WRITE es special errors which will be set if
155 openssl wants to write or read during nonblocking connects,
156 accepts, reads or writes.
157 . accept,accept_SSL,connect and connect_SSL don't block
158 anymore if the socket is nonblocking.
159 Instead $! will be set from the underlying IO::Socket::INET
160 connect or accept if it failed there (usually EAGAIN or
161 EINPROGRESS) or if the underlying openssl needs to read or
162 write $! will be set to EAGAIN and $SSL_ERROR will be set
163 to SSL_WANT_READ or SSL_WANT_WRITE
164 . syswrite returns undef and sets $!,$SSL_ERROR if it fails
165 to write instead of returning 0.
166 - Bugfixes (http://rt.cpan.org/Public/Bug/Display.html?id=Bugid)
167 . Bug 18439: fileno 0 should be valid
168 . Bug 15001: sysread interpretes buffer "0" as ""
169 - peer_certifcate returns X509 struct string if no field
170 for extraction was specified
171 - get_peer_certificate returns the certificate instead of the
172 IO::Socket::SSL object
176 - Writes now correctly return errors. (Problem noted by
177 Dominique Quatravaux <dom at idealx.com>).
178 - CA paths now work without passing an empty SSL_ca_file
179 argument. (Problem found by Phil Pennock, <phil.pennock
181 - IO::Socket::SSL now automatically passes Proto => tcp (if
182 not already specified) to IO::Socket::INET to work around
183 /etc/services files with udp entries listed first. (Fix
184 suggested by Phil Pennock).
185 - $socket->accept() now returns the peer address in array
186 context for better conformance with IO::Socket::INET.
187 However, if you were doing "map { $_->accept } (@sockets)",
188 or similar tricks, you will need to use "scalar" to get the
189 old behavior back. (Problem noted by Nils Sowen, <n.sowen
191 - IO::Socket::SSL should now properly block on reads larger
192 than the buffer size of Net::SSLeay. (Problem found by Eric
193 Jergensen, <eric at dvns.com>).
194 - IO::Socket::SSL should now send CA Certs (if necessary)
195 along with certificates. (Problem found by <roy at
197 - Timeouts should now work, but be aware that if multiple
198 reads/writes are necessary to complete a connection, then
199 each one may have a separate timeout. (Request from
200 Dominique Quatravaux <dom at idealx.com>).
201 - In certain cases, start_SSL() would misplace a socket's
202 fileno, causing problems with starting SSL. This should now
203 be fixed. (Problem found by <russ at zerotech.net>).
204 - IO::Socket::SSL now requires a minimum of Net::SSLeay 1.21.
206 --- Old Versions --------------------------------------------------
209 - Makefile's error messages now correct if output is
210 redirected (patch from Ilya Zakharevich <ilya at
212 - Non-blocking connects/accepts now work (Problem found by
213 Uri Guttman <uri at stemsystems.com>).
214 - new_from_fd() now works.
215 - getline() and <> in scalar context now return undef
216 instead of '' if the read failed. (Problem found by
217 Christian Gilmore <cag at us.ibm.com>).
218 - Broken pipe signals are now ignored during socket close
219 to prevent a SSL shutdown message from killing the parent
220 program. (Problem found by Christian Gilmore).
221 - Tests should proceed much more quickly, and a semi-race was
222 fixed, meaning that on slow machines the tests should be
224 - Check for Scalar::Util and Weakref now uses default
225 $SIG{__DIE__} instead of a potentially user-altered one
226 (suggestion from Olaf Schneider <Olaf.Schneider at
227 iwr.fzk.de>). This only applies to Perl 5.6.0 & above.
228 - Session caching support (patch from Marko Asplund
229 <marko.asplund at kronodoc.fi>).
230 - set_default_context() added to alter the behavior of
231 modules that use IO::Socket::SSL from the main program.
232 - get_ssl_object() renamed to _get_ssl_object() to reflect
233 the fact that it's only supposed to be used internally
234 (not that you should have cared, of course).
235 - Added patch for Net::SSLeay to take advantage of
236 client-side session caching.
239 - Changed PeerAddr in example/ssl_client.pl back to localhost.
240 - Update of examples to automatically switch to the proper
241 directory if they cannot find the necessary SSL certificates.
242 - Minor documentation update with more INET6 info.
243 - Corrected some error messages for IO::Socket::INET6.
244 - Better opened() behavior when sockets close unexpectedly.
245 - Added note about random number generators for Solaris users
246 (Problem found by Christian Gilmore <cag at us.ibm.com>).
247 - Added support for WeakRef and Scalar::Util to allow
248 IO::Socket::SSL objects to auto-destroy themselves when
249 they go out of scope.
250 - Added croak()ing for unimplemented send() and recv() methods
251 so they are not accidentally used to transmit unencrypted
252 data. The Perl builtin functions cannot be reliably trapped
253 and are still dangerous, a fact that the POD now reflects
254 (Problem noted by Michal Ludvig <michal at logix.cx>).
257 - Changed accept() to use inherited accept() instead of
258 IO::Socket::accept, so that IPv6 inheritance is possible.
259 - Added options to import() so that a user could specify
260 IPv6 or IPv4 mode of operation.
261 - Documentation fixes, esp. e-mail address.
264 - Fixed error-checking slip in connect_SSL() (Problem found by
265 Uri Guttman <uri at stemsystems.com>).
266 - All functions now return the empty list () on errors.
267 - Added note about the above change to appease Graham Barr
268 <gbarr at pobox.com>.
269 - Fixed Net::SSLeay giving warnings when arguments are undef;
270 in all cases, undef arguments may be set to '' without any
271 change in behavior except for removing the warnings.
272 (Problem found by Dominique Quatravaux <dom at idealx.com>)
273 - If accept() or connect() fails in SSL negotiation, the user
274 now has the option to print something to the failed socket
275 before it is closed. (error_trap option in new())
276 - Added support for CRLs (SSL_check_crl option in new()) for
277 versions of OpenSSL >= 0.9.7b (Original patch from
278 Brian Lindauer <jbl at sysd.com>)
279 - Finally added decent support for certificate callbacks.
280 (SSL_verify_callback option in new(), suggestion from
281 Dariush Pietrzak <eyck at ghost.anime.pl>).
282 - accept()/connect()/socket_to_SSL() now fail immediately if
283 the socket in question does not have a fileno.
284 - Added the kill_socket() method to guarantee that a socket dies.
285 - Fixed extra warning when printing errors in debug mode.
286 - Deprecated socket_to_SSL() in favor of the class method
287 start_SSL() (Class method suggestion from Graham Barr
288 <gbarr at pobox.com>).
289 - Added the class method start_SSL() to allow for cases when
290 the desired class of the socket is not IO::Socket::SSL
291 (Request from Dariush Pietrzak <eyck at ghost.anime.pl>)
292 - Changed socket_to_SSL to rebless socket to original class
293 if SSL negotiation failed (Request from Graham Barr
294 <gbarr at pobox.com>)
295 - Removed the daemon.pl example, as it did not work with the
296 standard distribution of HTTP::Daemon (use HTTP::Daemon::SSL
300 - Changed the fileno() function to support returning the fileno
301 of server sockets. (Problem found by Roland Giersig
302 <RGiersig at cpan.org>).
303 - Fixed SSL_version incorrectly defaulting to SSLv2 (patch from
304 Roland Alder <roland.alder at celeris.ch>).
307 - Added support for SSL_peek and SSL_pending (peek() and
308 pending()). Updated documentation, tests, etc. to reflect
312 - Fixed the warning that happens when sockets are not explicitly
313 closed() before the program terminates.
317 - This version is a complete rewrite of IO::Socket::SSL. It now
318 has about half the lines of code, twice the amount of documentation,
319 and a slightly more polished interface.
320 - IO::Socket::SSL now works properly with mod_perl and taint mode.
321 - Major documentation update.
322 - Update of the BUGS file to reflect changes made in the rewrite.
323 - Update of the test suite for Perl v5.8.0 (or, more precisely,
325 - Update of the test suite for Perl v5.00503 (or, more precisely,
326 for the lack of several nice features added in v5.6.0) (Marko
327 Asplund <aspa at kronodoc.fi>).
328 - New test suite that does not need the Internet to function.
329 - Update of all the files in example/ to use more current features
331 - Removal of SSL_SSL and X509_Certificate classes.
332 - There have been a few name changes (like socketToSSL ->
333 socket_to_SSL) for better consistency.
334 - The functionality of get_peer_certificate() and friends is deprecated.
335 - The functionality of want_write() and want_read() is deprecated.
336 - The functionality of context_init() is deprecated for normal use.
337 - Support for all SSL context options in the new() call.
338 - SSL contexts are no longer global. The SSL_reuse_ctx option
339 is provided for those who want to re-use a context.
340 - The default verify mode is now VERIFY_NONE.
341 - IO::Socket::SSL::DEBUG is now linked to Net::SSLeay::trace to
342 provide different levels of debugging information.
343 - There is a uniform interface for error reporting, so on error
344 all functions will return undef and the error will be available
346 - The dump_peer_certificate() and peer_certificate() functions
348 - sysread() will now behave correctly if the offset argument is
349 greater than the length of the read buffer. It also will truncate
350 the read buffer properly, according to the Perl documentation for
352 - getline(), getlines(), and getc() have been added.
353 - syswrite() now uses references to avoid copying large amounts of data.
354 - readline() uses ssl_read_all in array context for improved speed.
355 - close() now uses SSL_shutdown() to properly close an SSL connection,
356 unless you tell it not to.
357 - If you have Net::SSLeay version 1.18 or greater, X509 certificates
358 will be properly freed.
359 - All other known bugs have been fixed.
362 v0.81a (Not publically released)
363 - Added support for SSL_passwd_cb.
364 - Added accept() server socket support to socketToSSL().
367 - calling context_init twice destroyed global context. fix from
368 Jason Heiss <jheiss at ofb.net>.
369 - file handle tying interface implementation moved to a separate
370 class to prevent problems resulting from self-tying filehandles.
371 Harmon S. Nine <hnine at netarx.com>.
372 - docs/debugging.txt file added
373 - require Net::SSLeay v1.08
374 - preliminary support for non-blocking read/write
375 - socketToSSL() now respects context's SSL verify setting
376 reported by Uri Guttman <uri at stemsystems.com>.
379 - fixed startTLS support (socketToSSL) (Graham Barr <gbarr at pobox.com>)
380 - make accept() set fileno attribute on newly created IO::Socket::SSL
381 object (Martin Oldfield <m at mail.tc>).
382 - certificate updates.
383 - use SSL_CTX_use_PrivateKey_file in SSL_Context::new.
386 - angle bracket readline operator support
387 (David Darville <david at dark.x.dtu.dk>).
388 - eliminate warnings in choosing SSL protocol version.
389 - implement our own opened method and make length parameter optional
390 in syswrite (Robert Bihlmeyer <robbe at orcus.priv.at>).
393 - test script targets changed, certificate setup fixed
394 - support for TLS in SSL_version. SSL_version parameter values
395 changed from integer to string. NB: this is an incompatible change.
396 all SSL_version parameter values have to be changed. valid values
397 include: 'sslv2', 'sslv3', 'sslv23'. Stephen C. Koehler
398 <koehler at securecomputing.com>.
399 - enable selecting SSL version for connections. patch from
400 Takanori Ugai <ugai at jp.fujitsu.com>.
401 - allow setting SSL_ca_file to ''. this is needed for being
402 able to use SSL_ca_path (Robert Bihlmeyer <robbe at orcus.priv.at>).
403 - include the Apache CA bundle file in the distribution (my-ca.pem).
407 - don't setup SSL CA verification unless cert verification is
408 actually used for the connections.
409 - default SSL protocol version selection in SSL.pm.
412 - patch from Kwok Chern Yue <chernyue at post1.com> for
413 making IO::Socket::SSL work with HTTP::Daemon.
416 - IO::Socket::SSL should now work with perl v5.6.0
417 - demo/*.pl and t/*.t now turn module debugging on if
418 DEBUG command line argument is given
419 - default certificates changed
423 - bugfix in IO::Socket::SSL::sysread() (zliu2 at acsu.buffalo.edu)
424 - libwww-perl and IO::Socket::SSL UML models added in docs
425 - URL changes in test scripts
426 - preliminary support for startTLS in IO::Socket::SSL::socketToSSL()
427 - miscellanous patches for Net::SSLeay added in diffs