1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
libio-socket-ssl-perl (1.961-1) unstable; urgency=low
Upstream version 1.956 introduced the following major behaviour changes:
* BEHAVIOR CHANGE: make default cipher list more secure, especially
- no longer support MD5 by default (broken)
- no longer support anonymous authentication by default (vulnerable to man in
the middle attacks)
- prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
it uses by default forward secrecy, if underlying Net::SSLeay/openssl
supports it
- move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
been fixed and now RC4 is considered less safe than 3DES)
- default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
get the best cipher even if client preferes other ciphers
PLEASE NOTE that this might break connections with older, less secure
implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
* BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
thus gets reused if context gets reused. PLEASE NOTE that using
SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
ciphers of the context.
* rework hostname verification schemes
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
* BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
but not 'www'
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 27 Nov 2013 15:34:34 +0100
libio-socket-ssl-perl (1.951-1) experimental; urgency=low
Upstream version 1.951 introduced the following two major behaviour changes:
* ssl_verify_mode now defaults to verify_peer for client.
Until now it used verify_none, but loudly complained since 1.79 about it.
It will not complain any longer, but the connection might probably fail.
Please don't simply disable ssl verification, but instead set SSL_ca_file
etc so that verification succeeds!
* it will now complain if the builtin defaults of certs/my-ca.pem or ca/
for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
e.g. no certificates are specified explicitly.
In the future these insecure (relative path!) defaults will be removed
and the CA replaced with the system defaults.
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 07 Jul 2013 22:33:29 +0200
libio-socket-ssl-perl (1.88-1) unstable; urgency=low
Upstream version 1.79 introduced the following change: IO::Socket::SSL will
complain if SSL_verify_mode is SSL_VERIFY_NONE for client unless it was
explicity set this way. In the future the default will change to verify the
server certificate and apps, which don't provide the necessary credentials
should fail.
The module will carp with:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 13 May 2013 21:58:44 +0200
|
