.gitignore vendored

@ -1 +1 @@
SOURCES/IO-Socket-SSL-2.060.tar.gz SOURCES/IO-Socket-SSL-2.073.tar.gz

@ -1 +1 @@
d00985ca87425ab5860bc38e59bcb9d39b372508 SOURCES/IO-Socket-SSL-2.060.tar.gz 442c23ee1d0476df788f8b0b0f5fe174f871d792 SOURCES/IO-Socket-SSL-2.073.tar.gz

@ -1,121 +0,0 @@
From e96b1c9e394011de4ee181cfa42b8021796bf7d4 Mon Sep 17 00:00:00 2001
From: Steffen Ullrich <Steffen_Ullrich@genua.de>
Date: Mon, 17 Sep 2018 14:09:48 +0200
Subject: [PATCH] make all tests which use fork also ignore signal PIPE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/nonblock.t | 4 +---
t/protocol_version.t | 2 --
t/session_ticket.t | 2 --
t/signal-readline.t | 1 -
t/sni.t | 2 --
t/sni_verify.t | 2 --
t/testlib.pl | 2 ++
7 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/t/nonblock.t b/t/nonblock.t
index 6c1bc38..ad62799 100644
--- a/t/nonblock.t
+++ b/t/nonblock.t
@@ -9,7 +9,7 @@ use Net::SSLeay;
use Socket;
use IO::Socket::SSL;
use IO::Select;
-use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS EPIPE ECONNRESET );
+use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS);
do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
if ( ! eval "use 5.006; use IO::Select; return 1" ) {
@@ -17,8 +17,6 @@ if ( ! eval "use 5.006; use IO::Select; return 1" ) {
exit;
}
-$SIG{PIPE} = 'IGNORE'; # use EPIPE not signal handler
-
$|=1;
print "1..27\n";
diff --git a/t/protocol_version.t b/t/protocol_version.t
index 2e5cc6f..3577720 100644
--- a/t/protocol_version.t
+++ b/t/protocol_version.t
@@ -7,8 +7,6 @@ use Socket;
use IO::Socket::SSL;
do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
-$SIG{PIPE} = 'IGNORE';
-
plan skip_all => "Test::More has no done_testing"
if !defined &done_testing;
diff --git a/t/session_ticket.t b/t/session_ticket.t
index ca70b80..4071b8a 100644
--- a/t/session_ticket.t
+++ b/t/session_ticket.t
@@ -27,8 +27,6 @@ my ($server_cert,$server_key) = CERT_create(
purpose => { server => 1 }
);
-$SIG{PIPE} = 'IGNORE';
-
# create two servers with the same session ticket callback
my (@server,@saddr);
for (1,2) {
diff --git a/t/signal-readline.t b/t/signal-readline.t
index 6dcd4ae..3e226c0 100644
--- a/t/signal-readline.t
+++ b/t/signal-readline.t
@@ -50,7 +50,6 @@ if ( $pid == 0 ) {
my $csock = $server->accept;
ok("accept");
-$SIG{PIPE} = 'IGNORE';
syswrite($csock,"foo") or print "not ";
ok("wrote foo");
diff --git a/t/sni.t b/t/sni.t
index c6e6510..de0f06e 100644
--- a/t/sni.t
+++ b/t/sni.t
@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) {
exit;
}
-$SIG{PIPE} = 'IGNORE';
-
print "1..17\n";
my $server = IO::Socket::SSL->new(
LocalAddr => '127.0.0.1',
diff --git a/t/sni_verify.t b/t/sni_verify.t
index 86b5dca..b3b299b 100644
--- a/t/sni_verify.t
+++ b/t/sni_verify.t
@@ -17,8 +17,6 @@ if ( ! IO::Socket::SSL->can_client_sni() ) {
exit;
}
-$SIG{PIPE} = 'IGNORE';
-
print "1..17\n";
my $server = IO::Socket::SSL->new(
LocalAddr => '127.0.0.1',
diff --git a/t/testlib.pl b/t/testlib.pl
index 5a99e49..b3f342c 100644
--- a/t/testlib.pl
+++ b/t/testlib.pl
@@ -19,6 +19,8 @@ unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} ||
exit
}
+# let IO errors result in EPIPE instead of crashing the test
+$SIG{PIPE} = 'IGNORE';
# small implementations if not used from Test::More (09_fdleak.t)
if ( ! defined &ok ) {
--
2.17.1

@ -0,0 +1,130 @@
From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 8 Feb 2019 14:50:32 +0100
Subject: [PATCH] Test client performs Post-Handshake-Authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This test uses openssl tool because PHA is not yet supported by
IO::Socket::SSL's server implementation. The openssl tool uses a fixed
port. So the test can fail.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
MANIFEST | 1 +
t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
create mode 100755 t/pha_client.t
diff --git a/MANIFEST b/MANIFEST
index 20cddb6..2b8328d 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -57,6 +57,7 @@ t/mitm.t
t/multiple-cert-rsa-ecc.t
t/nonblock.t
t/npn.t
+t/pha_client.t
t/plain_upgrade_downgrade.t
t/protocol_version.t
t/public_suffix_lib_encode_idn.t
diff --git a/t/pha_client.t b/t/pha_client.t
new file mode 100755
index 0000000..2413588
--- /dev/null
+++ b/t/pha_client.t
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run ();
+use IO::Socket::SSL ();
+use Net::SSLeay ();
+use IO::Select ();
+
+if (system('openssl', 'version')) {
+ plan skip_all => 'openssl tool is not available';
+} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) {
+ plan skip_all => 'Net::SSLeay does not expose PHA';
+} else {
+ plan tests => 5;
+}
+
+my $port = 2000;
+my $ca_cert = 'certs/test-ca.pem';
+
+diag 'Starting a server';
+my ($server, $input, $stdout, $stderr);
+eval {
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
+ '-Verify', '1',
+ '-cert', 'certs/server-wildcard.pem',
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
+ \$input, \$stdout, \$stderr);
+ # subsequent \undef does not work
+ # <https://github.com/toddr/IPC-Run/issues/124>
+};
+if (!$server or $@) {
+ BAIL_OUT("Could not start a server: $@");
+}
+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
+if ($stderr =~ /unable to bind socket/) {
+ $server->kill_kill;
+ BAIL_OUT("Could not start a server: $stderr");
+}
+ok($server, 'Server started');
+
+my $client = IO::Socket::SSL->new(
+ PeerHost => 'localhost',
+ PeerPort => $port,
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local',
+ SSL_ca_file => $ca_cert,
+ SSL_key_file => 'certs/client-key.pem',
+ SSL_cert_file => 'certs/client-cert.pem'
+);
+ok($client, 'Client connected');
+
+SKIP: {
+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
+ unless $client;
+ $client->blocking(0);
+
+ SKIP: {
+ # Ask openssl s_server for PHA request and wait for the result.
+ $input .= "c\n";
+ while ($server->pumpable &&
+ $stderr !~ /SSL_verify_client_post_handshake/ &&
+ $stdout !~ /SSL_do_handshake -> 1/
+ ) {
+ # Push the PHA command to the server and read outputs.
+ $server->pump;
+
+ # Client also must perform I/O to process the PHA request.
+ my $select = IO::Select->new($client);
+ while ($select->can_read(1)) { # 1 second time-out because of
+ # blocking IPC::Run
+ my $retval = $client->read(my $buf, 1);
+ if (defined $buf and $buf eq 'c') {
+ skip 'openssl tool does not support PHA command', 1;
+ }
+ }
+ }
+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
+ }
+
+ ok($client->close, 'Client disconnected');
+}
+
+eval {
+ $server->kill_kill;
+};
+ok(!$@, 'Server terminated');
+
--
2.20.1
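Review bot: The inner loop `while ($select->can_read(1))` in t/pha_client.t has no exit on EOF: if `openssl s_server` drops the connection, `can_read` keeps reporting the socket readable and `$client->read` returns 0 at EOF (or undef on an SSL error) every pass, so the loop spins until the harness times out; `$retval` is captured but never inspected. Adding `last unless $retval;` directly after the read hands control back to the outer `pumpable` loop, which already decides whether to keep going. Separately, a bind failure on the fixed `$port = 2000` (the patch description itself says the test can fail for this reason) ends in `BAIL_OUT`, which aborts the whole `make test` run instead of just this test; allocating the port at run time before any `plan` call (plus `use IO::Socket::INET ();`) turns that case into a clean skip, as sketched below, and the `my $port = 2000;` line goes away. Both `SKIP:` blocks are entirely within the hunk.
```perl
# … unchanged: module loads …
# Pick a free port instead of the fixed 2000, so a busy port becomes a
# skip rather than a suite-wide BAIL_OUT.  Must run before plan() is
# called; a small close-to-bind race remains, which is acceptable here.
my $probe = IO::Socket::INET->new(Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0)
    or plan skip_all => "cannot allocate a local port: $!";
my $port = $probe->sockport;
close $probe;
# … unchanged: openssl / Net::SSLeay availability checks and plan …
```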

@ -0,0 +1,15 @@
--- Makefile.PL
+++ Makefile.PL
@@ -68,12 +68,6 @@ if (my $compiled = eval {
die sprintf("API-different OpenSSL versions compiled in (0x%08x) vs linked (0x%08x)",
$compiled,$linked);
}
-
- # OpenSSL 1.1.1e introduced behavior changes breaking various code
- # will likely be reverted in 1.1.1f - enforce to not use this version
- if ($linked == 0x1010105f) {
- die "detected OpenSSL 1.1.1e - please use a different version\n";
- }
}
# make sure that we have dualvar from the XS Version of Scalar::Util
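Review bot: The new patch file carries no header saying why the OpenSSL 1.1.1e refusal in Makefile.PL is safe to drop; the only rationale is the spec comment, which cites Fedora's revert of the 1.1.1e EOF-handling change. The changelog on this branch shows it being rebuilt against OpenSSL 3.0, where `$linked == 0x1010105f` can never match, so on c9 the removed guard would be dead code anyway; either drop the patch or prefix it with a short description such as `Drop the hard refusal to build with OpenSSL 1.1.1e: the distribution's OpenSSL carries the EOF-handling fix, and on OpenSSL 3.x the version test cannot match.` Worth stating too that the hunk removes only the fixed-version check and keeps the compiled-vs-linked API mismatch `die` above it, which is the check that still matters.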

@ -1,6 +1,6 @@
--- lib/IO/Socket/SSL.pm --- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm
@@ -130,7 +130,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p @@ -194,7 +194,7 @@ if ( defined &Net::SSLeay::CTX_set_min_p
# global defaults # global defaults
my %DEFAULT_SSL_ARGS = ( my %DEFAULT_SSL_ARGS = (
SSL_check_crl => 0, SSL_check_crl => 0,
@ -9,7 +9,7 @@
SSL_verify_callback => undef, SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # fallback cn verification SSL_verifycn_scheme => undef, # fallback cn verification
SSL_verifycn_publicsuffix => undef, # fallback default list verification SSL_verifycn_publicsuffix => undef, # fallback default list verification
@@ -2295,7 +2295,7 @@ sub new { @@ -2383,7 +2383,7 @@ sub new {
my $ssl_op = $DEFAULT_SSL_OP; my $ssl_op = $DEFAULT_SSL_OP;
@ -20,10 +20,10 @@
or croak("invalid SSL_version specified"); or croak("invalid SSL_version specified");
--- lib/IO/Socket/SSL.pod --- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod
@@ -1010,11 +1010,12 @@ protocol to the specified version. @@ -1043,11 +1043,12 @@ All values are case-insensitive. Instea
All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for
also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay
recent versions of Net::SSLeay and openssl. and openssl.
+The default SSL_version is defined by the underlying cryptographic library. +The default SSL_version is defined by the underlying cryptographic library.
Independent from the handshake format you can limit to set of accepted SSL Independent from the handshake format you can limit to set of accepted SSL

@ -1,24 +1,27 @@
--- lib/IO/Socket/SSL.pm --- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm +++ lib/IO/Socket/SSL.pm
@@ -138,10 +138,10 @@ my %DEFAULT_SSL_ARGS = ( @@ -202,77 +202,17 @@ my %DEFAULT_SSL_ARGS = (
SSL_npn_protocols => undef, # meaning depends whether on server or client side SSL_npn_protocols => undef, # meaning depends whether on server or client side
SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1']
- # https://wiki.mozilla.org/Security/Server_Side_TLS, 2016/04/20 - # https://wiki.mozilla.org/Security/Server_Side_TLS, 2019/03/05
- # "Old backward compatibility" for best compatibility - # "Old backward compatibility" for best compatibility
- # .. "Most ciphers that are not clearly broken and dangerous to use are supported" - # .. "Most ciphers that are not clearly broken and dangerous to use are supported"
- SSL_cipher_list => 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP', - # slightly reordered to prefer AES since it is cheaper when hardware accelerated
- SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
+ # Use system-wide default cipher list to support use of system-wide + # Use system-wide default cipher list to support use of system-wide
+ # crypto policy (#1076390, #1127577, CPAN RT#97816) + # crypto policy (#1076390, #1127577, CPAN RT#97816)
+ # https://fedoraproject.org/wiki/Changes/CryptoPolicy + # https://fedoraproject.org/wiki/Changes/CryptoPolicy
+ SSL_cipher_list => 'DEFAULT', + SSL_cipher_list => 'PROFILE=SYSTEM',
); );
my %DEFAULT_SSL_CLIENT_ARGS = ( my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -151,63 +151,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = ( %DEFAULT_SSL_ARGS,
SSL_verify_mode => SSL_VERIFY_PEER,
-
SSL_ca_file => undef, SSL_ca_file => undef,
SSL_ca_path => undef, SSL_ca_path => undef,
-
- # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes - # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
- # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html - # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
- # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 - # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
@ -81,7 +84,7 @@
# set values inside _init to work with perlcc, RT#95452 # set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod --- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod +++ lib/IO/Socket/SSL.pod
@@ -1036,12 +1036,8 @@ documentation (L<http://www.openssl.org/ @@ -1069,12 +1069,8 @@ documentation (L<https://www.openssl.org
for more details. for more details.
Unless you fail to contact your peer because of no shared ciphers it is Unless you fail to contact your peer because of no shared ciphers it is
@ -92,7 +95,7 @@
-To use the less secure OpenSSL builtin default (whatever this is) set -To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''. -SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the +recommended to leave this option at the default setting, which honors the
+system-wide DEFAULT cipher list. +system-wide PROFILE=SYSTEM cipher list.
In case different cipher lists are needed for different SNI hosts a hash can be In case different cipher lists are needed for different SNI hosts a hash can be
given with the host as key and the cipher suite as value, similar to given with the host as key and the cipher suite as value, similar to
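Review bot: The comment above `SSL_cipher_list => 'PROFILE=SYSTEM'` in lib/IO/Socket/SSL.pm gives the crypto-policy motivation but not that `PROFILE=SYSTEM` is a cipher-string keyword understood only by OpenSSL builds carrying the distribution's crypto-policies patch; on an unpatched OpenSSL the string does not parse (no cipher match), so as far as I can tell context setup fails outright, a sharper failure mode than the previous `'DEFAULT'`. That belongs in the comment so the patch is not lifted into a build against vanilla OpenSSL, e.g. `# PROFILE=SYSTEM is a Fedora/RHEL-specific cipher-string keyword; an unpatched OpenSSL rejects it.` The POD change ("honors the system-wide PROFILE=SYSTEM cipher list") is consistent with the new default; the `%DEFAULT_SSL_ARGS` hash this hunk edits starts and ends outside the hunk.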

@ -1,25 +1,32 @@
%if 0%{?rhel} >= 9
%bcond_with perl_IO_Socket_SSL_test_unused_idn
%else
%bcond_without perl_IO_Socket_SSL_test_unused_idn
%endif
%bcond_without perl_IO_Socket_SSL_test_IO_Socket_INET6
Name: perl-IO-Socket-SSL Name: perl-IO-Socket-SSL
Version: 2.060 Version: 2.073
Release: 2%{?dist} Release: 1%{?dist}
Summary: Perl library for transparent SSL Summary: Perl library for transparent SSL
License: GPL+ or Artistic License: (GPL+ or Artistic) and MPLv2.0
URL: https://metacpan.org/release/IO-Socket-SSL URL: https://metacpan.org/release/IO-Socket-SSL
Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Socket-SSL-%{version}.tar.gz
Patch0: IO-Socket-SSL-2.060-use-system-default-cipher-list.patch Patch0: IO-Socket-SSL-2.068-use-system-default-cipher-list.patch
Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch Patch1: IO-Socket-SSL-2.068-use-system-default-SSL-version.patch
# Prevent tests from dying on SIGPIPE, bug #1610017, CPAN RT#126899, # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# in upstream after 2.060 # bug #1632660, requires openssl tool
Patch2: IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch Patch2: IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch
Patch3: IO-Socket-SSL-2.068-openssl-1.1.1e.patch
BuildArch: noarch BuildArch: noarch
# Module Build # Module Build
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: make BuildRequires: make
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
# Module Runtime # Module Runtime
BuildRequires: openssl >= 0.9.8 BuildRequires: openssl-libs >= 0.9.8
BuildRequires: perl(Carp) BuildRequires: perl(Carp)
BuildRequires: perl(Config) BuildRequires: perl(Config)
BuildRequires: perl(constant) BuildRequires: perl(constant)
@ -27,47 +34,43 @@ BuildRequires: perl(Errno)
BuildRequires: perl(Exporter) BuildRequires: perl(Exporter)
BuildRequires: perl(HTTP::Tiny) BuildRequires: perl(HTTP::Tiny)
BuildRequires: perl(IO::Socket) BuildRequires: perl(IO::Socket)
BuildRequires: perl(IO::Socket::INET6) >= 2.62 BuildRequires: perl(IO::Socket::INET)
BuildRequires: perl(IO::Socket::IP) >= 0.31
BuildRequires: perl(Net::SSLeay) >= 1.46 BuildRequires: perl(Net::SSLeay) >= 1.46
BuildRequires: perl(Scalar::Util) BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Socket) BuildRequires: perl(Socket) >= 1.95
BuildRequires: perl(Socket6)
BuildRequires: perl(strict) BuildRequires: perl(strict)
BuildRequires: perl(URI::_idna)
BuildRequires: perl(vars) BuildRequires: perl(vars)
BuildRequires: perl(warnings) BuildRequires: perl(warnings)
# Test Suite # Test Suite
# openssl tool required for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: openssl
BuildRequires: perl(Data::Dumper) BuildRequires: perl(Data::Dumper)
BuildRequires: perl(File::Temp) BuildRequires: perl(File::Temp)
BuildRequires: perl(FindBin) BuildRequires: perl(FindBin)
BuildRequires: perl(IO::Select) BuildRequires: perl(IO::Select)
BuildRequires: perl(IO::Socket::INET) %if %{with perl_IO_Socket_SSL_test_IO_Socket_INET6}
BuildRequires: perl(IO::Socket::INET6) >= 2.62
%endif
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: perl(IPC::Run)
%if %{with perl_IO_Socket_SSL_test_unused_idn}
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%endif
BuildRequires: perl(Test::More) >= 0.88 BuildRequires: perl(Test::More) >= 0.88
BuildRequires: perl(utf8) BuildRequires: perl(utf8)
BuildRequires: procps BuildRequires: procps
# Runtime # Runtime
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: openssl >= 0.9.8 Requires: openssl-libs >= 0.9.8
Requires: perl(Config) Requires: perl(Config)
Requires: perl(HTTP::Tiny) Requires: perl(HTTP::Tiny)
Requires: perl(IO::Socket::INET)
# Use IO::Socket::IP for IPv6 support where available, else IO::Socket::INET6 Requires: perl(IO::Socket::IP) >= 0.31
%if 0%{?fedora} > 15 || 0%{?rhel} > 6 Requires: perl(Socket) >= 1.95
BuildRequires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
Requires: perl(IO::Socket::IP) >= 0.20, perl(Socket) >= 1.95
%else
Requires: perl(IO::Socket::INET6) >= 2.62, perl(Socket6)
%endif
# IDN back-ends: URI::_idna (from URI ≥ 1.50) is preferred
# but Net::IDN::Encode (next pref) and Net::LibIDN are also tested
BuildRequires: perl(Net::IDN::Encode)
BuildRequires: perl(Net::LibIDN)
%if 0%{?fedora:1} || 0%{?rhel} > 6
BuildRequires: perl(URI::_idna)
Requires: perl(URI::_idna) Requires: perl(URI::_idna)
%else
Requires: perl(Net::IDN::Encode)
%endif
%description %description
This module is a true drop-in replacement for IO::Socket::INET that This module is a true drop-in replacement for IO::Socket::INET that
@ -81,6 +84,10 @@ mod_perl.
%prep %prep
%setup -q -n IO-Socket-SSL-%{version} %setup -q -n IO-Socket-SSL-%{version}
# Allow building with OpenSSL 1.1.1e as the Fedora package has the
# problematic EOF handling change reverted
%patch3
# Use system-wide default cipher list to support use of system-wide # Use system-wide default cipher list to support use of system-wide
# crypto policy (#1076390, #1127577, CPAN RT#97816) # crypto policy (#1076390, #1127577, CPAN RT#97816)
# https://fedoraproject.org/wiki/Changes/CryptoPolicy # https://fedoraproject.org/wiki/Changes/CryptoPolicy
@ -89,57 +96,202 @@ mod_perl.
# Use system-default SSL version too # Use system-default SSL version too
%patch1 %patch1
# Prevent tests from dying on SIGPIPE (CPAN RT#126899) # Add a test for PHA
%patch2 -p1 %patch2 -p1
%build %build
NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor NO_NETWORK_TESTING=1 perl Makefile.PL \
make %{?_smp_mflags} INSTALLDIRS=vendor \
NO_PACKLIST=1 \
NO_PERLLOCAL=1
%{make_build}
%install %install
make pure_install DESTDIR=%{buildroot} %{make_install}
find %{buildroot} -type f -name .packlist -delete
%{_fixperms} -c %{buildroot} %{_fixperms} -c %{buildroot}
%check %check
make test make test
%files %files
%doc BUGS Changes README docs/ certs/ example/ # GPL+ or Artistic
%doc BUGS Changes README docs/ example/
%dir %{perl_vendorlib}/IO/ %dir %{perl_vendorlib}/IO/
%dir %{perl_vendorlib}/IO/Socket/ %dir %{perl_vendorlib}/IO/Socket/
%dir %{perl_vendorlib}/IO/Socket/SSL/
%doc %{perl_vendorlib}/IO/Socket/SSL.pod %doc %{perl_vendorlib}/IO/Socket/SSL.pod
%{perl_vendorlib}/IO/Socket/SSL.pm %{perl_vendorlib}/IO/Socket/SSL.pm
%{perl_vendorlib}/IO/Socket/SSL/ %{perl_vendorlib}/IO/Socket/SSL/Intercept.pm
%{perl_vendorlib}/IO/Socket/SSL/Utils.pm
%{_mandir}/man3/IO::Socket::SSL.3* %{_mandir}/man3/IO::Socket::SSL.3*
%{_mandir}/man3/IO::Socket::SSL::Intercept.3* %{_mandir}/man3/IO::Socket::SSL::Intercept.3*
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
%{_mandir}/man3/IO::Socket::SSL::Utils.3* %{_mandir}/man3/IO::Socket::SSL::Utils.3*
# MPLv2.0
%{perl_vendorlib}/IO/Socket/SSL/PublicSuffix.pm
%{_mandir}/man3/IO::Socket::SSL::PublicSuffix.3*
%changelog %changelog
* Tue Jan 04 2022 Michal Josef Špaček <mspacek@redhat.com> - 2.073-1
- Update to 2.073, which has official support for OpenSSL 3.0.0
Related: rhbz#1968046
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 08 2021 Michal Josef Špaček <mspacek@redhat.com> - 2.070-4
- Remove failing tests in openssl 3.0.0-alpha16. Related: rhbz#1968046
- Provisional for mass rebuild of openssl3.
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.070-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Mar 19 2021 Petr Pisar <ppisar@redhat.com> - 2.070-2
- Disable optional libidn tests on ELN
* Fri Feb 26 2021 Paul Howarth <paul@city-fan.org> - 2.070-1
- Update to 2.070
- Changed bugtracker in Makefile.PL to GitHub, away from obsolete rt.cpan.org
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.069-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 23 2021 Paul Howarth <paul@city-fan.org> - 2.069-1
- Update to 2.069
- IO::Socket::Utils CERT_asHash and CERT_create now support subject and
issuer with multiple same parts (like multiple OU); in this case an array
ref instead of a scalar is used as hash value (GH#95)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.068-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.068-2
- Perl 5.32 rebuild
* Tue Mar 31 2020 Paul Howarth <paul@city-fan.org> - 2.068-1
- Update to 2.068
- Treat OpenSSL 1.1.1e as broken and refuse to build with it in order to
prevent follow-up problems in tests and user code
https://github.com/noxxi/p5-io-socket-ssl/issues/93
https://github.com/openssl/openssl/issues/11388
https://github.com/openssl/openssl/issues/11378
- Update PublicSuffix with latest data from publicsuffix.org
- Patch out the refusal to build with OpenSSL 1.1.1e as the OpenSSL package in
Fedora has had the problematic EOF-handling change reverted
* Sat Mar 21 2020 Paul Howarth <paul@city-fan.org> - 2.067-2
- Fix FTBFS with OpenSSL 1.1.1e
https://github.com/noxxi/p5-io-socket-ssl/issues/93
* Sat Feb 15 2020 Paul Howarth <paul@city-fan.org> - 2.067-1
- Update to 2.067
- Fix memory leak on incomplete handshake (GH#92)
- Add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers; this
can decrease memory usage at the costs of more allocations (CPAN RT#129463)
- More detailed error messages when loading of certificate file failed (GH#89)
- Fix for ip_in_cn == 6 in verify_hostname scheme (CPAN RT#131384)
- Deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- Fix warning when no ecdh support is available
- Documentation update regarding use of select and TLS 1.3
- Various fixes in documentation (GH#81, GH#87, GH#90, GH#91)
- Stability fix for t/core.t
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 2.066-7
- Default to PROFILE=SYSTEM cipher list (bug #1775167)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.066-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 27 2019 Paul Howarth <paul@city-fan.org> - 2.066-5
- Runtime openssl dependency should be on openssl-libs
- Always require preferred IPv6 back-end: IO::Socket::IP ≥ 0.31
- Always require preferred IDN back-end: URI::_idna
- Modernize spec using %%{make_build} and %%{make_install}
* Wed Jun 26 2019 Paul Howarth <paul@city-fan.org> - 2.066-4
- PublicSuffix.pm is licensed MPLv2.0 (#1724169)
* Mon Jun 17 2019 Petr Pisar <ppisar@redhat.com> - 2.066-3
- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660)
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.066-2
- Perl 5.30 rebuild
* Wed Mar 6 2019 Paul Howarth <paul@city-fan.org> - 2.066-1
- Update to 2.066
- Make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN; Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first (CPAN RT#128716)
- Prefer AES for server side cipher default since it is usually
hardware-accelerated
- Fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
* Mon Mar 4 2019 Paul Howarth <paul@city-fan.org> - 2.064-1
- Update to 2.064
- Make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint (CPAN RT#127773)
- Fix t/sessions.t and improve stability of t/verify_hostname.t on Windows
- Use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are
set
- Update fingerprints for live tests
* Sat Mar 2 2019 Paul Howarth <paul@city-fan.org> - 2.063-1
- Update to 2.063
- Support for both RSA and ECDSA certificate on same domain
- Update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (i.e. more than just
the patchlevel differs)
* Mon Feb 25 2019 Paul Howarth <paul@city-fan.org> - 2.062-1
- Update to 2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+); this makes leaf certificates or intermediate certificates
in the trust store be usable as full trust anchors too
* Sat Feb 23 2019 Paul Howarth <paul@city-fan.org> - 2.061-1
- Update to 2.061
- Support for TLS 1.3 session reuse (needs Net::SSLeay ≥ 1.86); note that
the previous (and undocumented) API for the session cache has been changed
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client (needs Net::SSLeay ≥ 1.86)
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided (needs Net::SSLeay ≥ 1.86)
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
- Client sends a post-handshake-authentication extension if a client key and
a certificate are available (bug #1632660)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2 * Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 2.060-2
- Prevent tests from dying on SIGPIPE (bug #1610017) - Prevent tests from dying on SIGPIPE (CPAN RT#126899)
* Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1 * Mon Sep 17 2018 Paul Howarth <paul@city-fan.org> - 2.060-1
- Update to 2.060 (bug #1610017) - Update to 2.060
- Support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too); - Support for TLS 1.3 with OpenSSL 1.1.1 (needs Net::SSLeay ≥ 1.86); see
see also CPAN RT#126899 also CPAN RT#126899
- TLS 1.3 support is not complete yet for session resume - TLS 1.3 support is not complete yet for session reuse
* Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2 * Tue Aug 21 2018 Petr Pisar <ppisar@redhat.com> - 2.059-2
- Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1610017) - Adapt to OpenSSL 1.1.1, it requires patched Net-SSLeay (bug #1616198)
- Enable tests (bug #1610017)
* Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1 * Thu Aug 16 2018 Paul Howarth <paul@city-fan.org> - 2.059-1
- Update to 2.059 (bug #1610017) - Update to 2.059
- Fix memory leak when CRLs are used (CPAN RT#125867) - Fix memory leak when CRLs are used (CPAN RT#125867)
- Fix memory leak when using stop_SSL and threads - Fix memory leak when using stop_SSL and threads
(https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132) (https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132)
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
- Disable %%check so package will build for Mass Rebuild
- Related: bug#1614611
* Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1 * Thu Jul 19 2018 Paul Howarth <paul@city-fan.org> - 2.058-1
- Update to 2.058 - Update to 2.058
- Fix memory leak that occurred with explicit stop_SSL in connection with - Fix memory leak that occurred with explicit stop_SSL in connection with
