libio-socket-ssl-perl (1.961-1) unstable; urgency=low Upstream version 1.956 introduced the following major behaviour changes: * BEHAVIOR CHANGE: make default cipher list more secure, especially - no longer support MD5 by default (broken) - no longer support anonymous authentication by default (vulnerable to man in the middle attacks) - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that it uses by default forward secrecy, if underlying Net::SSLeay/openssl supports it - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully been fixed and now RC4 is considered less safe than 3DES) - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to get the best cipher even if client preferes other ciphers PLEASE NOTE that this might break connections with older, less secure implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so. * BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and thus gets reused if context gets reused. PLEASE NOTE that using SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the ciphers of the context. * rework hostname verification schemes - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN * BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'.. but not 'www' -- Salvatore Bonaccorso Wed, 27 Nov 2013 15:34:34 +0100 libio-socket-ssl-perl (1.951-1) experimental; urgency=low Upstream version 1.951 introduced the following two major behaviour changes: * ssl_verify_mode now defaults to verify_peer for client. Until now it used verify_none, but loudly complained since 1.79 about it. It will not complain any longer, but the connection might probably fail. Please don't simply disable ssl verification, but instead set SSL_ca_file etc so that verification succeeds! * it will now complain if the builtin defaults of certs/my-ca.pem or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert and key are used, e.g. no certificates are specified explicitly. In the future these insecure (relative path!) defaults will be removed and the CA replaced with the system defaults. -- Salvatore Bonaccorso Sun, 07 Jul 2013 22:33:29 +0200 libio-socket-ssl-perl (1.88-1) unstable; urgency=low Upstream version 1.79 introduced the following change: IO::Socket::SSL will complain if SSL_verify_mode is SSL_VERIFY_NONE for client unless it was explicity set this way. In the future the default will change to verify the server certificate and apps, which don't provide the necessary credentials should fail. The module will carp with: ******************************************************************* Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application. ******************************************************************* -- Salvatore Bonaccorso Mon, 13 May 2013 21:58:44 +0200