@@ -1,3 +1,8 @@
+2.008 2014/12/16
+- work around recent OCSP verification errors for revoked.grc.com (badly signed
+ OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
+- util/analyze.pl - report more details about preferred cipher for specific TLS
+ versions
2.007 2014/11/26
- make getline/readline fall back to super class if class is not sslified yet,
i.e. behave the same as sysread, syswrite etc.
@@ -4,7 +4,7 @@
"Steffen Ullrich <sullr@cpan.org>, Peter Behroozi, Marko Asplund"
],
"dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921",
+ "generated_by" : "ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630",
"license" : [
"perl_5"
],
@@ -50,5 +50,5 @@
"url" : "https://github.com/noxxi/p5-io-socket-ssl"
}
},
- "version" : "2.007"
+ "version" : "2.008"
}
@@ -3,26 +3,26 @@ abstract: 'Nearly transparent SSL encapsulation for IO::Socket::INET.'
author:
- 'Steffen Ullrich <sullr@cpan.org>, Peter Behroozi, Marko Asplund'
build_requires:
- ExtUtils::MakeMaker: 0
+ ExtUtils::MakeMaker: '0'
configure_requires:
- ExtUtils::MakeMaker: 0
+ ExtUtils::MakeMaker: '0'
dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921'
+generated_by: 'ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630'
license: perl
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
- version: 1.4
+ version: '1.4'
name: IO-Socket-SSL
no_index:
directory:
- t
- inc
requires:
- Net::SSLeay: 1.46
- Scalar::Util: 0
+ Net::SSLeay: '1.46'
+ Scalar::Util: '0'
resources:
bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
homepage: https://github.com/noxxi/p5-io-socket-ssl
license: http://dev.perl.org/licenses/
repository: https://github.com/noxxi/p5-io-socket-ssl
-version: 2.007
+version: '2.008'
@@ -13,7 +13,7 @@
package IO::Socket::SSL;
-our $VERSION = '2.007';
+our $VERSION = '2.008';
use IO::Socket;
use Net::SSLeay 1.46;
@@ -911,7 +911,7 @@ sub accept_SSL {
redo;
} elsif ( $rv == 0 ) {
- $socket->error("SSL connect accept failed because of handshake problems" );
+ $socket->error("SSL accept attempt failed because of handshake problems" );
delete ${*$self}{'_SSL_opening'};
${*$socket}{'_SSL_opened'} = -1;
return $socket->fatal_ssl_error();
@@ -104,6 +104,10 @@ for my $test (@tests) {
if (!$ok && $SSL_ERROR =~m/revoked/) {
pass("revoked within stapling as expected");
next TEST;
+ } elsif (!$ok && $SSL_ERROR =~m/OCSP_basic_verify:certificate verify error/) {
+ # badly signed OCSP record
+ pass("maybe revoked, but got OCSP verification error: $SSL_ERROR");
+ next TEST;
} else {
fail( $ok ? "expected revoked but connection ok" :
"expected revoked, but $SSL_ERROR");
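Review bot: The new `elsif` branch matching `OCSP_basic_verify:certificate verify error` records a `pass` whenever verification of the OCSP response fails, so a real regression in OCSP signature checking would be counted as success on any entry in `@tests` that expects revocation. The outcome here is "revocation not confirmed", so it should not look like a confirmed result. Consider `diag("OCSP response could not be verified, revocation not confirmed: $SSL_ERROR");` before the `pass`, and restrict the branch to the host named in the changelog (revoked.grc.com) if the test entry exposes the host name. The pattern also depends on OpenSSL's error wording, which may differ between library versions. The enclosing `for my $test (@tests)` loop starts and ends outside the hunk.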
@@ -151,6 +151,7 @@ for my $test (@tests) {
};
my @problems;
+ my @protocols;
# basic connects without verification or any TLS extensions (OCSP)
# find out usable version and ciphers. Because some hosts (like cloudflare)
@@ -177,6 +178,11 @@ for my $test (@tests) {
$version = $cl->get_sslversion();
$cipher = $cl->get_cipher();
VERBOSE(2,"version $v no verification, ciphers=$ciphers, no TLS extensions -> $version,$cipher");
+ if (@protocols && $protocols[-1][0] eq $version) {
+ push @{$protocols[-1]},$cipher if $protocols[-1][-1] ne $cipher;
+ } else {
+ push @protocols, [ $version, $cipher ];
+ }
} else {
VERBOSE(2,"version $v, no verification, ciphers=$ciphers, no TLS extensions -> FAIL! $SSL_ERROR");
if ( ! $ciphers && $v eq 'SSLv23' ) {
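Review bot: The duplicate check `$protocols[-1][-1] ne $cipher` compares only against the most recently stored cipher. If the surrounding probe loop (outside this hunk) yields cipher A, then B, then A again for the same version, A is listed twice. The version is likewise matched only against the last row, so non-adjacent results for one version would start a second row. If the probe order is not guaranteed to be grouped, check the whole row instead: `push @{$protocols[-1]}, $cipher unless grep { $_ eq $cipher } @{$protocols[-1]}[1..$#{$protocols[-1]}];`. A one-line comment on the row layout, `# @protocols rows: [ version, cipher, cipher, ... ] in probe order`, would also help readers of the print loop later in the file.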
@@ -405,7 +411,10 @@ for my $test (@tests) {
print "-- $host port $port".($stls? " starttls $stls":"")."\n";
print " ! $_\n" for(@problems);
print " * maximum SSL version : $version ($use_version)\n";
- print " * preferred cipher : $cipher\n";
+ print " * supported SSL versions with preferred cipher:\n";
+ for(@protocols) {
+ printf " * %7s %s\n",$_->[0], join(" ",@{$_}[1..$#$_]);
+ }
print " * cipher order by : ".(
! defined $server_cipher_order ? "unknown\n" :
$server_cipher_order ? "server\n" : "client\n"
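Review bot: The slice `@{$_}[1..$#$_]` in the new print loop is hard to read and relies on the implicit `$_`. Unpacking the row names its parts: `for my $row (@protocols) { my ($ver,@ciphers) = @$row; printf " * %7s %s\n", $ver, join(" ",@ciphers); }`. If no probe succeeded, `@protocols` is empty and the heading is printed with nothing under it. Whether that state can reach this point is not visible in the hunk.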