1
libio-socket-ssl-perl (1.961-1) unstable; urgency=low
3
Upstream version 1.956 introduced the following major behaviour changes:
5
* BEHAVIOR CHANGE: make default cipher list more secure, especially
6
- no longer support MD5 by default (broken)
7
- no longer support anonymous authentication by default (vulnerable to man in
9
- prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
10
it uses by default forward secrecy, if underlying Net::SSLeay/openssl
12
- move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
13
been fixed and now RC4 is considered less safe than 3DES)
14
- default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
15
get the best cipher even if client preferes other ciphers
16
PLEASE NOTE that this might break connections with older, less secure
17
implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
18
* BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
19
thus gets reused if context gets reused. PLEASE NOTE that using
20
SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
21
ciphers of the context.
22
* rework hostname verification schemes
23
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
24
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
25
* BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
28
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 27 Nov 2013 15:34:34 +0100
30
libio-socket-ssl-perl (1.951-1) experimental; urgency=low
32
Upstream version 1.951 introduced the following two major behaviour changes:
34
* ssl_verify_mode now defaults to verify_peer for client.
35
Until now it used verify_none, but loudly complained since 1.79 about it.
36
It will not complain any longer, but the connection might probably fail.
37
Please don't simply disable ssl verification, but instead set SSL_ca_file
38
etc so that verification succeeds!
39
* it will now complain if the builtin defaults of certs/my-ca.pem or ca/
40
for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
41
e.g. no certificates are specified explicitly.
42
In the future these insecure (relative path!) defaults will be removed
43
and the CA replaced with the system defaults.
45
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 07 Jul 2013 22:33:29 +0200
47
libio-socket-ssl-perl (1.88-1) unstable; urgency=low
49
Upstream version 1.79 introduced the following change: IO::Socket::SSL will
50
complain if SSL_verify_mode is SSL_VERIFY_NONE for client unless it was
51
explicity set this way. In the future the default will change to verify the
52
server certificate and apps, which don't provide the necessary credentials
55
The module will carp with:
57
*******************************************************************
58
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
59
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
60
together with SSL_ca_file|SSL_ca_path for verification.
61
If you really don't want to verify the certificate and keep the
62
connection open to Man-In-The-Middle attacks please set
63
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
64
*******************************************************************
66
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 13 May 2013 21:58:44 +0200