IO-Socket-SSL-2.024/0000755000175100017510000000000012655445521012456 5ustar workworkIO-Socket-SSL-2.024/BUGS0000644000175100017510000000331112622126027013126 0ustar workworkSee documentation. Following are some common errors to watch out for: It doesn't work together with Storable::fd_retrieve|fd_store, see https://rt.cpan.org/Ticket/Display.html?id=23419. You need to use freeze/nfreeze/thaw and syswrite/sysread the data yourself. See the bug for examples how to do it. --------------------- Note that a random number generator is required for the proper operation of this module. Systems that have /dev/random or /dev/urandom are fine, but those that do not, like most versions of Solaris, will need to fetch one before installing IO::Socket::SSL. If you don't already have a favorite, try EGD (egd.sourceforge.net). --------------------- Versions of perl-ldap below v0.26 do not work with this version of IO::Socket::SSL because they contain a workaround for old versions of IO::Socket::SSL that breaks new versions. --------------------- One user mentioned that the following did not work as it should in IO::Socket::SSL, but worked in IO::Socket::INET: chomp($var = <$socket>); print ord(chop($var)); # Prints "10" for people using ASCII This is due to a bug in Perl that is fixed in 5.8.1. If you need a workaround, try one of the following: chomp($var = $socket->getline()); chomp($var = scalar <$socket>); chomp($var = $var = <$socket>); Any function that returns the value of <$socket> (in scalar context) unchanged will work. --------------------- If you have 384-bit RSA keys you need to use Diffie Hellman Key Exchange. See the parameter SSL_dh_file or SSL_dh for how to use it and http://groups.google.de/group/mailing.openssl.users/msg/d60330cfa7a6034b for an explanation why you need it. -- Steffen Ullrich (sullr at cpan.org) Peter Behroozi (behrooz at fas.harvard.edu) IO-Socket-SSL-2.024/README.Win320000644000175100017510000000042512321415553014230 0ustar workworkThe underlying IO::Socket::INET does not support non-blocking sockets on Win32, thus non-blocking IO::Socket::SSL is not supported on Win32, which means also, that timeouts don't work (because they are based on non-blocking). See also http://www.perlmonks.org/?node_id=378675 IO-Socket-SSL-2.024/docs/0000755000175100017510000000000012655445521013406 5ustar workworkIO-Socket-SSL-2.024/docs/debugging.txt0000644000175100017510000000163411136164317016100 0ustar workwork - check that IO::Socket::SSL and Net::SSLeay are properly installed, and that the versions are recently new: perl -MIO::Socket::SSL -e 'print "$IO::Socket::SSL::VERSION\n"' perl -MNet::SSLeay -e 'print "$Net::SSLeay::VERSION\n"' - run the tests in IO::Socket::SSL directory try running the tests with 'make test'. if some of the tests fail run the scripts one by one e.g.: perl -Ilib t/core.t - try running the demos using the DEBUG option - use the OpenSSL client and server for debugging the demo client and server. 'openssl s_client' and 'openssl s_server' against tests/demos testing the demo server: openssl s_client -connect localhost:9000 \ -key certs/client-key.pem -cert certs/client-cert.pem -verify 1 testing the demo client: openssl s_server -accept 9000 \ -key certs/server-key.pem -cert certs/server-cert.pem -verify 1 also, try these commands without the verify argument. IO-Socket-SSL-2.024/META.json0000664000175100017510000000247112655445521014105 0ustar workwork{ "abstract" : "Nearly transparent SSL encapsulation for IO::Socket::INET.", "author" : [ "Steffen Ullrich , Peter Behroozi, Marko Asplund" ], "dynamic_config" : 1, "generated_by" : "ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630", "license" : [ "perl_5" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : "2" }, "name" : "IO-Socket-SSL", "no_index" : { "directory" : [ "t", "inc" ] }, "prereqs" : { "build" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "configure" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "runtime" : { "requires" : { "Net::SSLeay" : "1.46", "Scalar::Util" : "0" } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "web" : "https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL" }, "homepage" : "https://github.com/noxxi/p5-io-socket-ssl", "license" : [ "http://dev.perl.org/licenses/" ], "repository" : { "url" : "https://github.com/noxxi/p5-io-socket-ssl" } }, "version" : "2.024" } IO-Socket-SSL-2.024/example/0000755000175100017510000000000012655445521014111 5ustar workworkIO-Socket-SSL-2.024/example/async_https_server.pl0000644000175100017510000001117012622126027020362 0ustar workwork########################################################## # example HTTPS server using nonblocking sockets # requires Event::Lib # at the moment the response consists only of the HTTP # request, send back as text/plain ########################################################## use strict; use IO::Socket; use IO::Socket::SSL; use Event::Lib; use Errno ':POSIX'; #$Net::SSLeay::trace=3; eval 'use Debug'; *{DEBUG} = sub {} if !defined(&DEBUG); # create server socket my $server = IO::Socket::INET->new( LocalAddr => '0.0.0.0:9000', Listen => 10, Reuse => 1, Blocking => 0, ) || die $!; event_new( $server, EV_READ|EV_PERSIST, \&_s_accept )->add(); event_mainloop; ########################################################## ### accept new client on server socket ########################################################## sub _s_accept { my $fds = shift->fh; my $fdc = $fds->accept || return; DEBUG( "new client" ); $fdc = IO::Socket::SSL->start_SSL( $fdc, SSL_startHandshake => 0, SSL_server => 1, ) || die $!; $fdc->blocking(0); _ssl_accept( undef,$fdc ); } ########################################################## ### ssl handshake with client ### called again and again until the handshake is done ### this is called first from _s_accept w/o an event ### and later enters itself as new event until the ### handshake is done ### if the handshake is done it inits the buffers for the ### client socket and adds an event for reading the HTTP header ########################################################## sub _ssl_accept { my ($event,$fdc) = @_; $fdc ||= $event->fh; if ( $fdc->accept_SSL ) { DEBUG( "new client ssl handshake done" ); # setup the client ${*$fdc}{rbuf} = ${*$fdc}{wbuf} = ''; event_new( $fdc, EV_READ, \&_client_read_header )->add; } elsif ( $! != EWOULDBLOCK && $! != EAGAIN ) { die "new client failed: $!|$SSL_ERROR"; } else { DEBUG( "new client need to retry accept: $SSL_ERROR" ); my $what = $SSL_ERROR == SSL_WANT_READ ? EV_READ : $SSL_ERROR == SSL_WANT_WRITE ? EV_WRITE : die "unknown error"; event_new( $fdc, $what, \&_ssl_accept )->add; } } ########################################################## ### read http header ### this will re-add itself as an event until the full ### http header was read ### after reading the header it will setup the response ### which will for now just send the header back as text/plain ########################################################## sub _client_read_header { my $event = shift; my $fdc = $event->fh; DEBUG( "reading header" ); my $rbuf_ref = \${*$fdc}{rbuf}; my $n = sysread( $fdc,$$rbuf_ref,16384,length($$rbuf_ref)); if ( !defined($n)) { die $! if $! != EWOULDBLOCK && $! != EAGAIN; DEBUG( $SSL_ERROR ); if ( $SSL_ERROR == SSL_WANT_WRITE ) { # retry read once I can write event_new( $fdc, EV_WRITE, \&_client_read_header )->add; } else { $event->add; # retry } } elsif ( $n == 0 ) { DEBUG( "connection closed" ); close($fdc); } else { # check if we have the whole http header my $i = index( $$rbuf_ref,"\r\n\r\n" ); # check \r\n\r\n $i = index( $$rbuf_ref,"\n\n" ) if $i<0; # bad clients send \n\n only if ( $i<0 ) { $event->add; # read more from header return; } # got full header, send request back (we don't serve real pages yet) my $header = substr( $$rbuf_ref,0,$i,'' ); DEBUG( "got header:\n$header" ); my $wbuf_ref = \${*$fdc}{wbuf}; $$wbuf_ref = "HTTP/1.0 200 Ok\r\nContent-type: text/plain\r\n\r\n".$header; DEBUG( "will send $$wbuf_ref" ); event_new( $fdc, EV_WRITE, \&_client_write_response )->add; } } ########################################################## ### this is called to write the response to the client ### this will re-add itself as an event as until the full ### response was send ### if it's done it will just close the socket ########################################################## sub _client_write_response { my $event = shift; DEBUG( "writing response" ); my $fdc = $event->fh; my $wbuf_ref = \${*$fdc}{wbuf}; my $n = syswrite( $fdc,$$wbuf_ref ); if ( !defined($n) && ( $! == EWOULDBLOCK || $! == EAGAIN ) ) { # retry DEBUG( $SSL_ERROR ); if ( $SSL_ERROR == SSL_WANT_READ ) { # retry write once we can read event_new( $fdc, EV_READ, \&_client_write_response )->add; } else { $event->add; # retry again } } elsif ( $n == 0 ) { DEBUG( "connection closed: $!" ); close($fdc); } else { DEBUG( "wrote $n bytes" ); substr($$wbuf_ref,0,$n,'' ); if ($$wbuf_ref eq '') { DEBUG( "done" ); close($fdc); } else { # send more $event->add } } } IO-Socket-SSL-2.024/example/ssl_mitm.pl0000644000175100017510000000341612622126027016270 0ustar workwork#!/usr/bin/perl # simple HTTPS proxy with SSL bridging, uses Net::PcapWriter to # to log unencrypted traffic my $listen = '127.0.0.1:8443'; # where to listen my $connect = 'www.google.com:443'; # where to connect use strict; use warnings; use IO::Socket::SSL; use IO::Socket::SSL::Intercept; use IO::Socket::SSL::Utils; my ($proxy_cert,$proxy_key) = CERT_create( CA => 1, subject => { commonName => 'foobar' } ); my $mitm = IO::Socket::SSL::Intercept->new( proxy_cert => $proxy_cert, proxy_key => $proxy_key, ); my $listener = IO::Socket::INET->new( LocalAddr => $listen, Listen => 10, Reuse => 1, ) or die "failed to create listener: $!"; while (1) { # get connection from client my $toc = $listener->accept or next; # create new connection to server my $tos = IO::Socket::SSL->new( PeerAddr => $connect, SSL_verify_mode => 1, SSL_ca_path => '/etc/ssl/certs', ) or die "ssl connect to $connect failed: $!,$SSL_ERROR"; # clone cert from server my ($cert,$key) = $mitm->clone_cert( $tos->peer_certificate ); # and upgrade connection to client to SSL with cloned cert IO::Socket::SSL->start_SSL($toc, SSL_server => 1, SSL_cert => $cert, SSL_key => $key, ) or die "failed to ssl upgrade: $SSL_ERROR"; # transfer data my $readmask = ''; vec($readmask,fileno($tos),1) = 1; vec($readmask,fileno($toc),1) = 1; while (1) { select( my $can_read = $readmask,undef,undef,undef ) >0 or die $!; # try to read the maximum frame size of SSL to avoid issues # with pending data if ( vec($can_read,fileno($tos),1)) { sysread($tos,my $buf,16384) or last; print $toc $buf; } if ( vec($can_read,fileno($toc),1)) { sysread($toc,my $buf,16384) or last; print $tos $buf; } } } IO-Socket-SSL-2.024/example/simulate_proxy.pl0000644000175100017510000002164212622126027017526 0ustar workworkuse strict; use warnings; use IO::Socket::SSL; use IO::Socket::SSL::Utils; use IO::Select; use Socket 'MSG_PEEK'; use Getopt::Long qw(:config posix_default bundling); my $DEBUG; { my $addr = '0.0.0.0:8080'; my $ciphers; my $version; my $deny_tls12 = my $deny_tls11 = 0; my $issuer; my $wildcards = 0; GetOptions( 'h|help' => sub { usage() }, 'd|debug' => \$DEBUG, 'C|ciphers=s' => \$ciphers, 'V|version=s' => \$version, 'deny-tls12' => \$deny_tls12, 'deny-tls11' => \$deny_tls11, 'wildcards=i' => \$wildcards, 'issuer=s' => \$issuer, ); sub usage { print STDERR < } : do { local $/; }; my $issuer_cert = PEM_string2cert($data) or die "no issuer cert found"; my $issuer_key = PEM_string2key($data) or die "no issuer key found"; proxy_server( $addr, deny_tls12 => $deny_tls12, deny_tls11 => $deny_tls11, $ciphers ? ( SSL_cipher_list => $ciphers ):(), $version ? ( SSL_version => $version ):(), issuer_cert => $issuer_cert, issuer_key => $issuer_key, wildcards => $wildcards, ); } # ---------------------------------------------------------------------------- # simulate Proxy # ---------------------------------------------------------------------------- sub proxy_server { my ($addr,%args) = @_; my %sslargs; $sslargs{$_} = delete $args{$_} for grep { m{^SSL_} } keys %args; # dynamically create server certs my $wildcards = delete $args{wildcards} || 0; my $issuer_cert = delete $args{issuer_cert}; my $issuer_key = delete $args{issuer_key}; my $get_cert = do { my %cache; sub { my $host = my $cn = shift; $cn =~s{(^|\.)([\w\-]+)}{$1*} for(1..$wildcards); if ( $cache{$cn} ) { debug("reusing cert for $cn ($host) wildcards=$wildcards"); } else { debug("creating cert for $cn ($host) wildcards=$wildcards"); $cache{$cn} = [ CERT_create( subject => { commonName => $cn }, issuer_cert => $issuer_cert, issuer_key => $issuer_key, )]; } return @{ $cache{$cn} }; } }; debug("listen on $addr"); my $srv = IO::Socket::INET->new( LocalAddr => $addr, Listen => 1, Reuse => 1 ) or die $!; my $cl; while (1) { ACCEPT: $cl = undef; debug("waiting for request..."); $cl = $srv->accept or next; # peek into socket to determine if this is SSL or not # minimal request is "GET / HTTP/1.1\n\n" my $buf = ''; _peek($cl,\$buf,15) or do { debug("failed to get data from client"); goto ACCEPT; }; my $ssl_host = undef; if ( $buf =~m{\A[A-Z]{3,} } ) { # looks like HTTP $buf = ''; } else { # does not look like HTTP, assume direct SSL $ssl_host = "direct.ssl.access"; } SSL_UPGRADE: my $got_ciphers = ''; if ( $ssl_host ) { if ( $args{deny_tls12} || $args{deny_tls11} ) { _peek($cl,\$buf,11) or do { debug("failed to get client hello"); goto ACCEPT; }; if ( $args{deny_tls12} && $buf =~m{^.{9}\x03\x03}s ) { debug("got TLSv1.2 handshake - cut!"); goto ACCEPT; } elsif ( $args{deny_tls11} && $buf =~m{^.{9}\x03\x02}s ) { debug("got TLSv1.1 handshake - cut!"); goto ACCEPT; } } my ($cert,$key) = $get_cert->($ssl_host); debug("upgrade to SSL with certificate for $ssl_host"); IO::Socket::SSL->start_SSL( $cl, SSL_server => 1, SSL_cert => $cert, SSL_key => $key, %sslargs, ) or do { debug("SSL handshake failed: $SSL_ERROR"); goto ACCEPT; }; $got_ciphers = $cl->get_cipher; } REQUEST: # read header my $req = ''; while (<$cl>) { $_ eq "\r\n" and last; $req .= $_; } if ( $req =~m{\ACONNECT ([^\s:]+)} ) { if ( $ssl_host ) { debug("CONNECT inside SSL tunnel - cut"); next ACCEPT; } $ssl_host = $1; # simulate proxy print $cl "HTTP/1.0 200 ok\r\n\r\n"; debug("got proxy request to establish tunnel: CONNECT $ssl_host"); goto SSL_UPGRADE; } my ($met,$ver,$hdr) = $req =~m{\A([A-Z]+) \S+ HTTP/(1\.[01])\r?\n(.*)\Z}s or do { debug("bad request $req"); goto ACCEPT; }; $hdr =~s{\r?\n([ \t])}{$1}g; # continuation lines my $rqbody = ''; my $rqchunked; if ( $ver eq '1.1' and $hdr =~m{^Transfer-Encoding: *chunked}mi ) { $rqchunked = 1; debug("chunked request body"); while (1) { my $h = <$cl>; my $len = $h =~m{\A([\da-fA-F]+)\s*(?:;.*)?\r?\n\Z} && hex($1) // do { debug("bad chunking header in request body"); goto ACCEPT }; if ($len) { my $n = read($cl,$rqbody,$len,length($rqbody)); if ( $n != $len ) { debug("eof inside chunk in request body"); goto ACCEPT; } } $h = <$cl>; $h =~m{\A\r?\n\Z} or do { debug("expected newline after chunk, got '$h'"); goto ACCEPT; }; last if ! $len; } } elsif ( my $len = $hdr=~m{^Content-length: *(\d+)}mi && $1 ) { debug("request body with content-length=$len"); my $n = read($cl,$rqbody,$len); if ( $n != $len ) { debug("eof while reading request body, got $n of $len bytes"); goto ACCEPT; } } my $body = ( $ssl_host ? "SSL_HOST: $ssl_host\nCIPHERS: $got_ciphers\n": "NO SSL\n" ) . "---------\n" . $req; if ( $rqchunked ) { $body .= "--------- (chunked) body size=".(length($rqbody))."------\n$rqbody\n"; } elsif ( $rqbody ne '' ) { $body .= "--------- body size=".(length($rqbody))." ------\n$rqbody\n"; } print $cl "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n". "Content-length: ".length($body)."\r\n". "\r\n". $body; } } sub debug { $DEBUG or return; my $msg = shift; $msg = sprintf($msg,@_) if @_; print STDERR "DEBUG: $msg\n"; } sub _peek { my ($cl,$rbuf,$len) = @_; while (length($$rbuf)<$len) { my $lbuf; if ( ! IO::Select->new($cl)->can_read(30) or ! defined recv($cl,$lbuf,20,MSG_PEEK)) { return; } $$rbuf .= $lbuf; } return 1; } # ---------------------------------------------------------------------------- # this was used to create CA cert # ---------------------------------------------------------------------------- #| use IO::Socket::SSL::Utils; #| my ($cacert,$key) = CERT_create( CA => 1, #| subject => { organizationName => 'genua mbh', commonName => 'Test CA' } #| ); #| print PEM_cert2string($cacert).PEM_key2string($key); __DATA__ -----BEGIN CERTIFICATE----- MIICVjCCAb+gAwIBAgIFAIbQ7t4wDQYJKoZIhvcNAQEFBQAwJjEQMA4GA1UEAxMH VGVzdCBDQTESMBAGA1UEChMJZ2VudWEgbWJoMB4XDTEzMTAyMzA4MjI0MFoXDTE0 MTAyMzA4MjI0MFowJjEQMA4GA1UEAxMHVGVzdCBDQTESMBAGA1UEChMJZ2VudWEg bWJoMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBD9oBSf8pueg3BxNdf6Mm PKGmh46R0O3xNOE/HfXc9Z2WxgLEX4PaYMwdzgFuPcVTZycI5NdhM53yydnTilsX eFct5D2Bz3faiIOB2WnoiNft15YGCdyeue9kf2NkYRLs3eBQDPeU/cXKyfcHb1dS QpQNKiyL/ono1c0kZRoP3wIDAQABo4GPMIGMMB0GA1UdDgQWBBReUpKjaiNSYfZT X2+XsfQsYZef0zAfBgNVHSMEGDAWgBReUpKjaiNSYfZTX2+XsfQsYZef0zA8BgNV HSMENTAzoSqkKDAmMRAwDgYDVQQDEwdUZXN0IENBMRIwEAYDVQQKEwlnZW51YSBt YmiCBQCG0O7eMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAg9H/7umS 4bKSEyyCzzqyR1vf735wPnUmTL7NrduPCaT/bLVRPmDwhyRrpNVedICxyU3NK9fc r0Fj12oBBbvLACm8Xfnt23x8IbnGXIz7n5aTFvrv2l3rVMkZOFqo/DFtFnfYGuY8 /N4DtEHG21dwpMrDxXE1pAE5IY+vRMlNEtA= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMEP2gFJ/ym56DcH E11/oyY8oaaHjpHQ7fE04T8d9dz1nZbGAsRfg9pgzB3OAW49xVNnJwjk12EznfLJ 2dOKWxd4Vy3kPYHPd9qIg4HZaeiI1+3XlgYJ3J6572R/Y2RhEuzd4FAM95T9xcrJ 9wdvV1JClA0qLIv+iejVzSRlGg/fAgMBAAECgYBK8Hs/6tg3+yjPS1jR/zx2GCzr Nk05/q6N5WfVlyybg1+TafMjBKxqtQ4mN5PIlgOldzHouuN7oIyb9IwwF9F5YeUb 8WTK1iLzTmrcfFJmtRyj0ITF5gb+r6PhPxGr4yt8f9bzaIj7G57a+QT9gXKnLKao AN4Vxx51MAPvMeREYQJBAPstPjOyWxLsT8yBphlok2w4MnWQASsrflrL6MzuJYOq zpVxQF3lwSHukhoUhDoyee9miY2kcB9H9PoXWbq4io8CQQDExOwxTlYnyqyvKjFq vXchcNZ4wCU5sf6pzXF2l6Hb6eCuqYlarMu2JN0h7CC0Jq4qr1BalgesS3WUT1M8 dw2xAkB6Kfgd5rp7CqqJOemSZBWHxhFssnyPBZlwCcsRmSZv0qylbK60vKFhooo2 2xGwyIob0RBH7tmFrVbOKHtA4K6rAkA3sRi8t9RQvN91UHbeJDP0phA96vxeQQ+4 Faq4iyBHswFhziBPJrsdmX9xG3kCJDSFZktS6EXRsSXdTTpc0cFxAkEAo5GS9dAY 7WLAcqNDUorHhFOcZouCYX3LRssikmwc0/dvc9DjwqpNqF1BHT6ucX0pqdQI+fp1 VHJ5f4e/SUTV3g== -----END PRIVATE KEY----- ; IO-Socket-SSL-2.024/example/lwp-with-verifycn.pl0000644000175100017510000000057612321415553020044 0ustar workworkuse strict; use warnings; ## !!! make sure that Net::SSL never gets loaded, otherwise it will ## be used instead of IO::Socket::SSL from LWP use IO::Socket::SSL 'debug0'; use LWP::Simple; IO::Socket::SSL::set_ctx_defaults( SSL_verifycn_scheme => 'www', SSL_verify_mode => 1, SSL_ca_file => 'verisign.pem', # root CA of verisign ); print get( 'https://signin.ebay.com' ); IO-Socket-SSL-2.024/example/ssl_client.pl0000644000175100017510000000365512622126027016605 0ustar workwork# # a test client for testing IO::Socket::SSL-class's behavior use strict; use warnings; use IO::Socket::SSL; use Getopt::Long qw(:config posix_default bundling); my ($cert_file,$key_file,$key_pass,$ca,$name,$no_verify); GetOptions( 'd|debug:i' => \$IO::Socket::SSL::DEBUG, 'h|help' => sub { usage() }, 'C|cert=s' => \$cert_file, 'K|key=s' => \$key_file, 'P|pass=s' => \$key_pass, 'ca=s' => \$ca, 'name=s' => \$name, 'no-verify' => \$no_verify, ) or usage("bad option"); sub usage { print STDERR "Error: @_\n" if @_; print STDERR <new( PeerAddr => $addr, $ca ? ( -d $ca ? ( SSL_ca_path => $ca ):( SSL_ca_file => $ca ) ):(), $name ? ( SSL_hostname => $name ):(), $no_verify ? ( SSL_verify_mode => 0 ):(), $cert_file ? ( SSL_cert_file => $cert_file, SSL_key_file => $key_file, defined($key_pass) ? ( SSL_passwd_cb => sub { $key_pass } ):(), ):() ) or die "failed to connect to $addr: $!,$SSL_ERROR"; warn "new SSL connection with cipher=".$cl->get_cipher." version=".$cl->get_sslversion." certificate:\n". "\tsubject=".$cl->peer_certificate('subject')."\n". "\tissuer=".$cl->peer_certificate('issuer')."\n" IO-Socket-SSL-2.024/example/ssl_server.pl0000644000175100017510000000452312622126027016630 0ustar workwork# # a test server for testing IO::Socket::SSL-class's behavior use strict; use warnings; use IO::Socket::SSL; use Getopt::Long qw(:config posix_default bundling); my ($cert_file,$key_file,$key_pass,$ca); GetOptions( 'd|debug:i' => \$IO::Socket::SSL::DEBUG, 'h|help' => sub { usage() }, 'C|cert=s' => \$cert_file, 'K|key=s' => \$key_file, 'P|pass=s' => \$key_pass, 'ca=s' => \$ca, ) or usage("bad option"); sub usage { print STDERR "Error: @_\n" if @_; print STDERR <can_ipv6 || 'IO::Socket::INET'; my $server = $ioclass->new( Listen => 5, LocalAddr => $addr, Reuse => 1, ) or die "failed to create SSL server at $addr: $!"; my $ctx = IO::Socket::SSL::SSL_Context->new( SSL_server => 1, SSL_cert_file => $cert_file, SSL_key_file => $key_file, defined($key_pass) ? ( SSL_passwd_cb => sub { $key_pass } ):(), $ca ? ( SSL_verify_mode => SSL_VERIFY_PEER, -d $ca ? ( SSL_ca_path => $ca ):( SSL_ca_file => $ca ) ):(), ) or die "cannot create context: $SSL_ERROR"; while (1) { warn "waiting for next connection.\n"; my $cl = $server->accept or do { warn "failed to accept: $!\n"; next; }; IO::Socket::SSL->start_SSL($cl, SSL_server => 1, SSL_reuse_ctx => $ctx) or do { warn "ssl handshake failed: $SSL_ERROR\n"; next; }; if ( $cl->peer_certificate ) { warn "new SSL connection with client certificate\n". "\tsubject=".$cl->peer_certificate('subject')."\n". "\tissuer=".$cl->peer_certificate('issuer')."\n" } else { warn "new SSL connection without client certificate\n" } print $cl "connected with cipher=".$cl->get_cipher." version=".$cl->get_sslversion."\n"; } IO-Socket-SSL-2.024/README0000644000175100017510000000222212622126027013323 0ustar workwork IO::Socket::SSL is a class implementing an object oriented interface to SSL sockets. The class is a descendent of IO::Socket::INET. In order to use IO::Socket::SSL you need to have Net::SSLeay v1.46 or newer installed. To use ECDH curves (needed for perfect forward secrecy) you need to use Net::SSLeay >= 1.56. To use OCSP to check for certificate revocations you need OpenSSL 1.0.0 or better and Net::SSLeay>=1.59. For those who do not have a built-in random number generator (including most users of Solaris), you should install one before attempting to install IO::Socket::SSL. If you don't already have a favorite, try "egd" (egd.sourceforge.net) or one of the other "Related Projects" listed on its home page. If you want to bypass the test for existence of the RNG, then set the "SKIP_RNG_TEST" environment variable to a true value. In addition to providing a general OO interface to SSL sockets, this package can be used with libwww-perl. installation: perl Makefile.PL make make test make install -- Steffen Ullrich, Steffen_Ullrich at genua.de Peter Behroozi, behrooz at fas.harvard.edu (Originally by Marko Asplund, marko.asplund at kronodoc.fi) IO-Socket-SSL-2.024/MANIFEST0000644000175100017510000000305012655445521013605 0ustar workworkBUGS certs/client-cert.pem certs/client-key.enc certs/client-key.pem certs/my-ca.pem certs/proxyca.pem certs/server-cert.der certs/server-cert.pem certs/server_enc.p12 certs/server-key.der certs/server-key.enc certs/server-key.pem certs/server.p12 certs/server-rsa384-dh.pem certs/server-wildcard.pem certs/test-ca.pem Changes docs/debugging.txt example/async_https_server.pl example/lwp-with-verifycn.pl example/simulate_proxy.pl example/ssl_client.pl example/ssl_mitm.pl example/ssl_server.pl lib/IO/Socket/SSL/Intercept.pm lib/IO/Socket/SSL.pm lib/IO/Socket/SSL.pod lib/IO/Socket/SSL/PublicSuffix.pm lib/IO/Socket/SSL/Utils.pm Makefile.PL MANIFEST This list of files README README.Win32 t/01loadmodule.t t/acceptSSL-timeout.t t/alpn.t t/auto_verify_hostname.t t/cert_formats.t t/cert_no_file.t t/compatibility.t t/connectSSL-timeout.t t/core.t t/dhe.t t/ecdhe.t t/external/ocsp.t t/external/usable_ca.t t/io-socket-inet6.t t/io-socket-ip.t t/memleak_bad_handshake.t t/mitm.t t/nonblock.t t/npn.t t/plain_upgrade_downgrade.t t/protocol_version.t t/public_suffix_lib_encode_idn.t t/public_suffix_lib_libidn.t t/public_suffix_lib.pl t/public_suffix_lib_uri.t t/public_suffix_ssl.t t/readline.t t/sessions.t t/signal-readline.t t/sni.t t/sni_verify.t t/startssl-failed.t t/startssl.t t/start-stopssl.t t/sysread_write.t t/testlib.pl t/verify_fingerprint.t t/verify_hostname_standalone.t t/verify_hostname.t META.yml Module YAML meta-data (added by MakeMaker) META.json Module JSON meta-data (added by MakeMaker) IO-Socket-SSL-2.024/Changes0000644000175100017510000017354512655445276013777 0ustar workwork2.024 2016/02/06 - Work around issue where the connect fails on systems having only a loopback interface and where IO::Socket::IP is used as super class (default when available). Since IO::Socket::IP sets AI_ADDRCONFIG by default connect to localhost would fail on this systems. This happened at least for the tests, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796 Workaround is to explicitely set GetAddrInfoFlags to 0 if no GetAddrInfoFlags is set but the Family/Domain is given. In this case AI_ADDRCONFIG would not be useful anyway but would cause at most harm. 2.023 2016/01/30 - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9). This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying) which caused an endless loop. It will now ignore this result in case the TLS connection was not yet established and consider the TLS connection closed instead. 2.022 2015/12/10 - fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash. Thanks to Mark.Martinec[AT]ijs[DOT]si for reporting in #110253 2.021 2015/12/02 - Fixes for documentation and typos thanks to DavsX and jwilk. - Update PublicSuffx with latest version from publicsuffix.org 2.020 2015/09/20 - support multiple directories in SSL_ca_path as proposed in RT#106711 by dr1027[AT]evocat[DOT]ne. Directories can be given as array or as string with a path separator, see documentation. - typos fixed thanks to jwilk https://github.com/noxxi/p5-io-socket-ssl/pull/34 2.019 2015/09/01 - work around different behavior of getnameinfo from Socket and Socket6 by using a different wrapper depending on which module I use for IPv6. Thanks to bluhm for reporting. 2.018 2015/08/27 - RT#106687 - startssl.t failed on darwin with old openssl since server requested client certificate but offered also anon ciphers 2.017 2015/08/24 - checks for readability of files/dirs for certificates and CA no longer use -r because this is not safe when ACLs are used. Thanks to BBYRD, RT#106295 - new method sock_certificate similar to peer_certificate based on idea of Paul Evans, RT#105733 - get_fingerprint can now take optional certificate as argument and compute the fingerprint of it. Useful in connection with sock_certificate. - check for both EWOULDBLOCK and EAGAIN since these codes are different on some platforms. Thanks to Andy Grundman, RT#106573 - enforce default verification scheme if none was specified, i.e. no longer just warn but accept. If really no verification is wanted a scheme of 'none' must be explicitly specified. - support different cipher suites per SNI hosts 2.016 2015/06/02 - add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL (since 1.02) and available with Net::SSLeay. RT#104759 (thanks GAAS) - work around hanging prompt() with older perl in Makefile.PL RT#104731 - make t/memleak_bad_handshake.t work on cygwin and other systems having /proc/pid/statm, see RT#104659 - add better debugging based on patch from H.Merijn Brand 2.015 2015/05/13 - work around problem with IO::Socket::INET6 on windows, by explicitly using Domain AF_INET in the tests. Fixes RT#104226 reported by CHORNY 2.014 2015/05/05 - Utils::CERT_create - work around problems with authorityInfoAccess, where OpenSSL i2v does not create the same string as v2i expects - Intercept - don't clone some specific extensions which make only sense with the original certificate 2.013 2015/05/01 - assign severities to internal error handling and make sure that follow-up errors like "configuration failed" or "certificate verify error" don't replace more specific "hostname verification failed" when reporting in sub errstr/$SSL_ERROR. see also RT#103423 - enhanced documentation thanks to Chase Whitener https://github.com/noxxi/p5-io-socket-ssl/pull/26 2.012 2015/02/02 - fix t/ocsp.t in case no HTTP::Tiny is installed 2.011 2015/02/01 - fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling #101855 - added option 'purpose' to Utils::CERT_create to get better control of the certificates purpose. Default is 'server,client' for non-CA (contrary to only 'server' before) - removed RC4 from default cipher suites on the server site https://github.com/noxxi/p5-io-socket-ssl/issues/22 - refactoring of some tests using Test::More thanks to Sweet-kid and the 2015 Pull Request Challenge 2.010 2015/01/14 - new options SSL_client_ca_file and SSL_client_ca to let the server send the list of acceptable CAs for the client certificate. - t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay. RT#101485, thanks to TEAM. 2.009 2015/01/12 - remove util/analyze.pl. This tool is now together with other SSL tools in https://github.com/noxxi/p5-ssl-tools - added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM, RT#101452 2.008 2014/12/16 - work around recent OCSP verification errors for revoked.grc.com (badly signed OCSP response, Firefox also complains about it) in test t/external/ocsp.t. - util/analyze.pl - report more details about preferred cipher for specific TLS versions 2.007 2014/11/26 - make getline/readline fall back to super class if class is not sslified yet, i.e. behave the same as sysread, syswrite etc. This fixes RT#100529 2.006 2014/11/22 - Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of EAGAIN. While this is the same on UNIX it is different on Windows and socket operations return there (WSA)EWOULDBLOCK and not EAGAIN. Enable non-blocking tests on Windows too. - make PublicSuffix::_default_data thread safe - update PublicSuffix with latest list from publicsuffix.org 2.005 2014/11/15 - next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support 2.004 2014/11/15 - only test fix: fix t/protocol_version.t to deal with OpenSSL installations which are compiled without SSLv3 support. 2.003 2014/11/14 - make SSLv3 available even if the SSL library disables it by default in SSL_CTX_new (like done in LibreSSL). Default will stay to disable SSLv3, so this will be only done when setting SSL_version explicitly. - fix possible segmentation fault when trying to use an invalid certificate, reported by Nick Andrew. - Use only the ICANN part of the default public suffix list and not the private domains. This makes existing exceptions for s3.amazonaws.com and googleapis.com obsolete. Thanks to Gervase Markham from mozilla.org. 2.002 2014/10/21 - fix check for (invalid) IPv4 when validating hostname against certificate. Do not use inet_aton any longer because it can cause DNS lookups for malformed IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com. - Update PublicSuffix with latest version from publicsuffix.org - lots of new top level domains. - Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to cpan[AT]cpanel[DOT]net. 2.001 2014/10/21 - Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security. Thanks to Heikki Vatiainen for suggesting. - Update external tests with currently expected fingerprints of hosts. - Some fixes to make it still work on 5.8.1. 2.000 2014/10/15 - consider SSL3.0 as broken because of POODLE and disable it by default. - Skip live tests without asking if environment NO_NETWORK_TESTING is set. Thanks to ntyni[AT]debian[DOT]org for suggestion. - skip tests which require fork on non-default windows setups without proper fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18 1.999 2014/10/09 - make sure we don't use version 0.30 of IO::Socket::IP - make sure that PeerHost is checked on all places where PeerAddr is checked, because these are synonyms and IO::Socket::IP prefers PeerHost while others prefer PeerAddr. Also accept PeerService additionally to PeerPort. See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details. - add ability to use client certificates and to overwrite hostname with util/analyze-ssl.pl. 1.998 2014/09/07 - make client authentication work at the server side when SNI is in by use having CA path and other settings in all SSL contexts instead of only the main one. Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com, https://github.com/noxxi/p5-io-socket-ssl/pull/15 1.997 2014/07/12 - thanks to return code 1 from Net::SSLeay::library_init if the library needed initialization and 0 if not we can now clearly distinguish if initialization was needed and do not need any work-arounds for perlcc by the user. 1.996 2014/07/12 - move initialization of OpenSSL-internals out of INIT again because this breaks if module is used with require. Since there is no right place to work in all circumstances just document the work-arounds needed for perlcc. RT#97166 1.995 2014/07/11 - RT#95452 - move initialization and creation of OpenSSL-internals into INIT section, so they get executed after compilation and perlcc is happy. - refresh option for peer_certificate, so that it checks if the certificate changed in the mean time (on renegotiation) - fix fingerprint checking - now applies only to topmost certificate - IO::Socket::SSL::Utils - accept extensions within CERT_create - documentations fixes thanks to frioux - fix documentation bug RT#96765, thanks to Salvatore Bonaccorso. 1.994 2014/06/22 - IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade to SSL and downgrade again all with the same object. See documentation of SSL_startHandshake and chapter Advanced Usage. - try to apply SSL_ca* even if verify_mode is 0, but don't complain if this fails. This is needed if one wants to explicitly verify OCSP lookups even if verification is otherwise off, because otherwise the signature check would fail. This is mostly useful for testing. - reorder documentation of attributes for new, so that the more important ones are at the top. 1.993 2014/06/13 - major rewrite of documentation, now in separate file - rework error handling to distinguish between SSL errors and internal errors (like missing capabilities). - fix handling of default_ca if given during the run of the program (Debian#750646) - util/analyze-ssl.pl - fix hostname check if SNI does not work 1.992 2014/06/01 - set $! to undef before doing IO (accept, read..). On Windows a connection reset could cause SSL read error without setting $!, so make sure we don't keep the old value and maybe thus run into endless loop. 1.991 2014/05/27 - new option SSL_OCSP_TRY_STAPLE to enforce staple request even if VERIFY_NONE - work around for RT#96013 in peer_certificates 1.990 2014/05/27 - added option SSL_ocsp_staple_callback to get the stapled OCSP response and verify it somewhere else - try to fix warnings on Windows again (#95967) - work around temporary OCSP error in t/external/ocsp.t 1.989 2014/05/24 - fix #95881 (warnings on windows), thanks to TMHALL 1.988 2014/05/17 - add transparent support for DER and PKCS#12 files to specify cert and key, e.g. it will autodetect the format - if SSL_cert_file is PEM and no SSL_key_file is given it will check if the key is in SSL_cert_file too 1.987 2014/05/17 - fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6 #95719, thanks srchulo - enable IPv6 support only if we have a usable inet_pton - remove stale entries from MANIFEST (thanks seen[AT]myfairpoint[DOT]net) 1.986 2014/05/16 - allow IPv4 in common name, because browsers allow this too. But only for scheme www/http, not for rfc2818 (because RC2818 does not allow this). In default scheme IPv6 and IPv4 are allowed in CN. Thanks to heiko[DOT]hund[AT]sophos[DOT]com for reporting the problem. - Fix handling of public suffix. Add exemption for *.googleapis.com wildcard, which should be better not allowed according to public suffix list but actually is used. - Add hostname verification test based on older test of chromium. But change some of the test expectations because we don't want to support IP as SAN DNS and because we enforce a public suffix list (and thus *.co.uk should not be allowed) 1.985 2014/05/15 - make OCSP callback return 1 even if it was called on the server side because of bad setup of the socket. Otherwise we get an endless calling of the OCSP callback. - consider an OCSP response which is not yet or no longer valid a soft error instead of an hard error - fix skip in t/external/ocsp.t in case fingerprint does not match - RT#95633 call EVP_PKEY_free not EVP_KEY_free in IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org - util/analyze.pl - with --show-chain check if chain with SNI is different from chain w/o SNI. 1.984 2014/05/10 - added OCSP support: - needs Net::SSLeay >=1.59 - for usage see documentation of IO::Socket::SSL (examples and anything with OCSP in the name) - new tool util/analyze-ssl.pl which is intended to help in debugging of SSL problems and to get information about capabilities of server. Works also as en example of how to use various features (like OCSP, SNI..) - fix peer_certificates (returns leaf certificate only once on client side) - added timeout for stop_SSL (either with Timeout or with the default timeout for IO::Socket) - fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local time is not GMT. Use Net::SSLeay::ASN1_TIME_timet if available. - fix t/external/usable_ca.t for system with junk in CA files 1.983 2014/05/03 - fix public suffix handling: ajax.googleapis.com should be ok even if googleapis.com is in public suffix list (e.g. check one level less) #95317, thanks to purification[AT]ukr[DOT]net - usable_ca.t - update fingerprints after heartbleed attack - usable_ca.t - make sure we have usable CA for tested hosts in CA store 1.982 2014/04/24 - fix for using subroutine as argument to set_args_filter_hack 1.981 2014/04/08 - #95432 fix ecdhe Test for openssl1.0.1d, thanks to paul[AT]city-fan[DOT]org - fix detection of openssl1.0.1d (detected 1.0.1e instead) - new function can_ecdh in IO::Socket::SSL 1.980 2014/04/08 - fixed incorrect calculation of certificate fingerprint in get_fingerprint* and comparison in SSL_fingerprint. Thanks to david[DT]palmer[AT]gradwell[DOT]com for reporting. - disable elliptic curve support for openssl 1.0.1d on 64bit because of openssl rt#2975 1.979 2014/04/06 - hostname checking: - configuration of 'leftmost' is renamed to 'full_label', but the old version is kept for compatibility reasons. - documentation of predefined schemes fixed to match reality 1.978 2014/04/04 - RT#94424 again, fix test on older openssl version with no SNI support 1.977 2014/04/04 - fix publicsuffix for IDNA, more tests with various IDNA libs RT#94424. Thanks to paul[AT]city-fan[DOT]org - reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm - add more checks to external/usable_ca.t. Now it is enough that at least one of the hosts verifies against the builtin CA store - add openssl and Net::SSleay version to diagnostics in load test 1.976 2014/04/03 - added public prefix checking to verification of wildcard certificates, e.g. accept *.foo.com but not *.co.uk. See documentation of SSL_verifycn_publicsuffix and IO::Socket::SSL::PublicSuffix Thanks to noloader for pointing out the problem. 1.975 2014/04/02 - BEHAVIOR CHANGE: work around TEA misfeature on OS X builtin openssl, e.g. guarantee that only the explicitly given CA or the openssl default CA will be used. This means that certificates inside the OS X keyring will no longer be used, because there is no way to control the use by openssl (e.g. certificate pinning etc) - make external tests run by default to make sure default CA works on all platforms, it skips automatically on network problems like timeouts or ssl interception, can also use http(s)_proxy environment variables 1.974 2014/04/02 - new function peer_certificates to get the whole certificate chain, needs Net::SSLeay>=1.58 - extended IO::Socket::Utils::CERT_asHash to provide way more information, like issuer information, cert and pubkey digests, all extensions, CRL distributions points and OCSP uri 1.973 2014/03/25 - with SSL_ca certificate handles can now be used additionally to SSL_ca_file and SSL_ca_path - do not complain longer if SSL_ca_file and SSL_ca_path are both given, instead add both as options to the CA store - Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create. 1.972 2014/03/23 - make sure t/external/usable_ca.t works also with older openssl without support for SNI. RT#94117. Thanks to paul[AT]city-fan[DOT]org 1.971 2014/03/22 - try to use SSL_hostname for hostname verification if no SSL_verifycn_name is given. This way hostname for SNI and verification can be specified in one step. - new test program example/simulate_proxy.pl 1.970 2014/03/19 - fix rt#93987 by making sure sub default_ca does use a local $_ and not a version of an outer scope which might be read-only. Thanks to gshank 1.969 2014/03/13 - fix set_defaults to match documentation regarding short names - new function set_args_filter_hack to make it possible to override bad SSL settings from other code at the last moment. - determine default_ca on module load (and not on first use in each thread) - don't try default hostname verification if verify_mode 0 - fix hostname verification when reusing context 1.968 2014/03/13 - BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file. These defaults were depreceated since 1.951 (2013/7/3). - Usable CA verification path on Windows etc: Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set system/build dependent default verification path, because there was no way to retrieve these default values and check if they contained usable CA. Instead re-implement the same algorithm and export the results with public function default_ca() and make it possible to overwrite it. Also check for usable verification path during build. If no usable path are detected require Mozilla::CA at build and try to use it at runtime. 1.967 2014/02/06 - verify the hostname inside a certificate by default with a superset of common verification schemes instead of not verifying identity at all. For now it will only complain if name verification failed, in the future it will fail certificate verification, forcing you to set the expected SSL_verifycn_name if you want to accept the certificate. - new option SSL_fingerprint and new methods get_fingerprint and get_fingerprint_bin. Together they can be used to selectively accept specific certificates which would otherwise fail verification, like self-signed, outdated or from unknown CAs. This makes another reason to disable verification obsolete. - Utils: - default RSA key length 2048 - digest algorithm to sign certificate in CERT_create can be given, defaults to SHA-256 - CERT_create can now issue non-CA selfsigned certificate - CERT_create add some more useful constraints to certificate - spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi 1.966 2014/01/21 - fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with specifying !TLSv12, only !TLSv1_2 worked - fixed leak of session objects in SessionCache, if another session replaced an existing session (introduced in 1.965) 1.965 2014/01/16 - new key SSL_session_key to influence how sessions are inserted and looked up in the clients session cache. This makes it possible to share sessions over different ip:host (like required with some FTPS servers) - t/core.t - handle case, were default loopback source is not 127.0.0.1, like in FreeBSD jails 1.964 2014/01/15 - Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc - The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches the syntax from OpenSSL. The old syntax continues to work in SSL_version. - New functions get_sslversion and get_sslversion_int which get the SSL version of the establish session as string or int. - disable t/io-socket-inet6.t if Acme::Override::INET is installed 1.963 2014/01/13 - fix behavior of stop_SSL: for blocking sockets it now enough to call it once, for non-blocking it should be called again as long as EAGAIN and SSL_ERROR is set to SSL_WANT_(READ|WRITE). - don't call blocking if start_SSL failed and downgraded socket has no blocking method, thanks to tokuhirom - documentation enhancements: - special section for differences to IO::Socket - describe problem with blocking accept on non-blocking socket - describe arguments to new_from_fd and make clear, that for upgrading an existing IO::Socket start_SSL should be used directly 1.962 2013/11/27 - work around problems with older F5 BIG-IP by offering fewer ciphers on the client side by default, so that the client hello stays below 255 byte 1.961 2013/11/26 - IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which are not self-signed (by giving issuer_*) 1.960 2013/11/12 only documentation enhancements: - clarify with text and example code, that within event loops not only select/poll should be used, but also pending has to be called. - better introduction into SSL, at least mention anonymous authentication as something you don't want and should take care with the right cipher - make it more clear, that user better does not change the cipher list, unless he really know what he is doing 1.959 2013/11/12 - bugfix test core.t windows only 1.958 2013/11/11 - cleanup: remove workaround for old IO::Socket::INET6 but instead require at least version 2.55 which is now 5 years old - fix t/session.t #RT90240, thanks to paul[AT]city-fan[DOT]org 1.957 2013/11/11 - fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous authorization. With the DH param given by default since 1.956 old versions of openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous authorization) instead of AES256-SHA and thus the check for the peer certificate failed (because ADH does not exchanges certificates). Fixed by explicitly specifying HIGH:!aNULL as cipher RT#90221, thanks to paul[AT]city-fan[DOT]org - cleaned up tests: - remove ssl_settings.req and 02settings.t, because all tests now create a simple socket at 127.0.0.1 and thus global settings are no longer needed. - some tests did not have use strict(!), fixed it. - removed special handling for older Net::SSLeay versions, which are less than our minimum requirement - some syntax enhancements, removed some SSL_version and SSL_cipher_list options where they were not really needed 1.956 2013/11/10 lots of behavior changes for more secure defaults: - BEHAVIOR CHANGE: make default cipher list more secure, especially - no longer support MD5 by default (broken) - no longer support anonymous authentication by default (vulnerable to man in the middle attacks) - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that it uses by default forward secrecy, if underlying Net::SSLeay/openssl supports it - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully been fixed and now RC4 is considered less safe than 3DES) - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to get the best cipher even if client prefers other ciphers PLEASE NOTE that this might break connections with older, less secure implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so. - BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and thus gets reused if context gets reused. PLEASE NOTE that using SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the ciphers of the context. - rework hostname verification schemes - add rfc names as scheme (e.g. 'rfc2818',...) - add SIP, SNMP, syslog, netconf, GIST - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'.. but not 'www' - anywhere wildcards like x* are no longer applied to IDNA names (which start with 'xn--') - fix crash of Utils::CERT_free - support TLSv11, TLSv12 as handshake protocols 1.955 2013/10/11 - support for forward secrecy using ECDH, if the Net::SSLeay/openssl version supports it. 1.954 2013/9/15 - accept older versions of ExtUtils::MakeMaker and add meta information like link to repository only for newer versions. 1.953 2013/7/22 - fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at, RT#87052 1.952 2013/7/11 - fix t/acceptSSL-timeout.t on Win32, RT#86862 1.951 2013/7/3 - better document builtin defaults for key,cert,CA and how they are depreceated - use Net::SSLeay::CTX_set_default_verify_paths to use openssl's builtin defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins used) 1.950 2013/7/3 - MAJOR BEHAVIOR CHANGE: ssl_verify_mode now defaults to verify_peer for client. Until now it used verify_none, but loudly complained since 1.79 about it. It will not complain any longer, but the connection might probably fail. Please don't simply disable ssl verification, but instead set SSL_ca_file etc so that verification succeeds! - MAJOR BEHAVIOR CHANGE: it will now complain if the builtin defaults of certs/my-ca.pem or ca/ for CA and certs/{server,client}-{key,cert}.pem for cert and key are used, e.g. no certificates are specified explicitly. In the future these insecure (relative path!) defaults will be removed and the CA replaced with the system defaults. v1.94 2013.06.01 - Makefile.PL reported wrong version of openssl, if Net::SSLeay was not installed instead of reporting missing dependency to Net::SSLeay. v1.93 2013.05.31 - need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6 years ago. Remove code to work around older releases. - changed AUTHOR in Makefile.PL from array back to string, because the array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739) v1.92 2013.05.30 - Intercept: use sha1-fingerprint of original cert for id into cache unless otherwise given - Fix pod error in IO::Socket::SSL::Utils RT#85733 v1.91 2013.05.30 - added IO::Socket::SSL::Utils for easier manipulation of certificates and keys - moved SSL interception into IO::Socket::SSL::Intercept and simplified it using IO::Socket::SSL::Utils - enhance meta information in Makefile.PL v1.90 2013.05.27 - RT#85290, support more digest, especially SHA-2. Thanks to ujvari[AT]microsec[DOT]hu - added support for easy SSL interception (man in the middle) based on ideas found in mojo-mitm proxy (which was written by Karel Miko) - make 1.46 the minimal required version for Net::SSLeay, because it introduced lots of useful functions. v1.89 2013.05.14 - if IO::Socket::IP is used it should be at least version 0.20, otherwise we get problems with HTTP::Daemon::SSL and maybe others (RT#81932) - Spelling corrections, thanks to dsteinbrunner v1.88 2013.05.02 - consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key* and SSL_cert* - some apps like Net::LDAP use it that way. Thanks to alexander[AT]kuehn[AT]nagilum[DOT]de for reporting the problem. v1.87 2013.04.24 - RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or if they are not readable. Thanks to perl[AT]minty[DOT]org - fix use of SSL_key|SSL_file objects instead of files, broken with 1.83 v1.86 2013.04.17 - RT#84686 - don't complain about SSL_verify_mode is SSL_reuse_ctx, thanks to CLEACH v1.85 2013.04.14 - probe for available modules with local __DIE__ and __WARN__handlers. fixes RT#84574, thanks to FRAZER - fix warning, when IO::Socket::IP is installed and inet6 support gets explicitly requested. RT#84619, thanks to Prashant[DOT]Tekriwal[AT]netapp[DOT]com v1.84 2013.02.15 - disabled client side SNI for openssl version < 1.0.0 because of RT#83289 - added functions can_client_sni, can_server_sni, can_npn to check availability of SNI and NPN features. Added more documentation for SNI and NPN. v1.83_1 2013.02.14 - separated documentation of non-blocking I/O from error handling - changed and documented behavior of readline to return the read data on EAGAIN/EWOULDBLOCK in case of non-blocking socket. See https://github.com/noxxi/p5-io-socket-ssl/issues/1, thanks to mytram v1.83 2013.02.03 - Server Name Indication (SNI) support on the server side, inspired by patch provided by karel[DOT]miko[AT]gmail[DOT]com. https://rt.cpan.org/Ticket/Display.html?id=82761 - reworked part of the documentation, like providing better examples. v1.82 2013.01.28 - sub error sets $SSL_ERROR etc only if there really is an error, otherwise it will keep the latest error. This causes IO::Socket::SSL->new.. to report the correct problem, even if the problem is deeper in the code (like in connect) - correct spelling, rt#8270. Thanks to ETHER v1.81 2012.12.06 - deprecated set_ctx_defaults, new name ist set_defaults (but old name still available) - changed handling of default path for SSL_(ca|cert|key)* keys: either if one of these keys is user defined don't add defaults for the others, e.g. don't mix user settings and defaults - cleaner handling of module defaults vs. global settings vs. socket specific settings. Global and socket specific settings are both provided by the user, while module defaults not. - make IO::Socket::INET6 and IO::Socket::IP specific tests run both, even if both modules are installed by faking a failed load of the other module. v1.80 2012.11.30 - removed some warnings in test (missing SSL_verify_mode => 0) which caused tests to hang on Windows. https://rt.cpan.org/Ticket/Display.html?id=81493 v1.79 2012.11.25 - prepare transition to a more secure default for SSL_verify_mode. The use of the current default SSL_VERIFY_NONE will cause a big warning for clients, unless SSL_verify_mode was explicitly set inside the application to this insecure value. In the near future the default will be SSL_VERIFY_PEER, and thus causing verification failures in unchanged applications. v1.78 2012.11.25 - use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and PeerPort from sockaddr in _update_peer, because this provides scope too. Thanks to bluhm[AT]genua[DOT]de. - work around systems which don't defined AF_INET6 https://rt.cpan.org/Ticket/Display.html?id=81216 Thanks to GAAS for reporting v1.77 2012.10.05 - update_peer for IPv6 also, applied fix to https://rt.cpan.org/Ticket/Display.html?id=79916 by tlhackque[AT]yahoo[DOT]com v1.76 2012.06.18 - no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if no current Socket.pm is available. Thanks to paul[AT]city-fan[DOT]org for pointing out the problem and providing first patch v1.75 2012.06.15 - made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version v1.74_2 2012.06.07 - fixed documentation errors, reported by MARSCHAP https://rt.cpan.org/Ticket/Display.html?id=77690 v1.74_1 2012.06.07 - add support to IO::Socket::IP which support inet6 and inet4 by integrating patch from PEVANS for https://rt.cpan.org/Ticket/Display.html?id=75218 v1.74 2012.05.13 - accept a version of SSLv2/3 as SSLv23, because older documentation could be interpreted like this v1.73 2012.05.11 - make test t/dhe.t hopefully work for more version of openssl Thanks to paul[AT]city-fan[DOT]org for providing bug reports and testing environment v1.72 2012.05.10 - set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW Thanks to dcostas[AT]gmail[DOT]com for problem report v1.71 2012.05.09 - 1.70 done right. Also don't disable SSLv2 ciphers, SSLv2 support is better disabled by the default SSL_version of 'SSLv23:!SSLv2' v1.70 2012.05.08 - make it possible to disable protocols using SSL_version, make SSL_version default to 'SSLv23:!SSLv2' v1.69 2012.05.08 - re-added workaround in t/dhe.t v1.68 2012.05.07 - remove SSLv2 from default cipher list, which makes failed tests after last change work again, fix behavior for empty cipher list (use default) v1.67 2012.05.07 - https://rt.cpan.org/Ticket/Display.html?id=76929 thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting - if no explicit cipher list is given it will now default to ALL:!LOW instead of the openssl default, which usually includes weak ciphers like DES. - new config key SSL_honor_cipher_order and documented how to use it to fight BEAST attack. v1.66 2012.04.16 - make it thread safer, thanks to bug report from vega[DOT]james[AT]gmail [DOT]com, https://rt.cpan.org/Ticket/Display.html?id=76538 v1.65 2012.04.16 - added NPN (Next Protocol Negotiation) support based on patch from kmx https://rt.cpan.org/Ticket/Display.html?id=76223 v1.64 2012.04.06 - clarify some behavior regarding hostname verification. Thanks to DOHERTY for reporting. v1.63 2012.04.06 - applied patch of DOUGDUDE to ignore die from within eval to make tests more stable on Win32, https://rt.cpan.org/Ticket/Display.html?id=76147 v1.62 2012.03.28 - small fix to last version v1.61 2012.03.27 - call CTX_set_session_id_context so that servers session caching works with client certificates too. https://rt.cpan.org/Ticket/Display.html?id=76053 v1.60 2012.03.20 - don't make blocking readline if socket was set nonblocking, but return as soon no more data are available https://rt.cpan.org/Ticket/Display.html?id=75910 - fix BUG section about threading so that it shows package as thread safe as long as Net::SSLeay >= 1.43 is used https://rt.cpan.org/Ticket/Display.html?id=75749 v1.59 2012.03.08 - if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful message when attempting to use it. - modify constant declarations so that 5.6.1 should work again v1.58 2012.02.26 - fix t/dhe.t again to enable the workaround only for newer openssl versions, because this would cause failures on older versions v1.57 2012.02.26 - fix t/dhe.t for openssl 1.0.1 beta by forcing tlsv1, so that it does not complain about the too small rsa key which it should not use anyway. Thanks to paul[AT]city-fan[DOT]org for reporting. https://rt.cpan.org/Ticket/Display.html?id=75165 v1.56 2012.02.22 - add automatic or explicit (via SSL_hostname) SNI support, needed for multiple SSL hostnames with same IP. Currently only supported for the client. v1.55 2012.02.20 - work around IO::Sockets work around for systems returning EISCONN etc on connect retry for non-blocking sockets by clearing $! if SUPER::connect returned true. https://rt.cpan.org/Ticket/Display.html?id=75101 Thanks for Manoj Kumar for reporting. v1.54 2012.01.11 - return 0 instead of undef in SSL_verify_callback to fix uninitialized warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting the bug and MIKEM for the fix. https://rt.cpan.org/Ticket/Display.html?id=73629 v1.53 2011.12.11 - kill child in t/memleak_bad_handshake.t if test fails https://rt.cpan.org/Ticket/Display.html?id=73146 Thanks to CLEACH ofr reporting v1.52 2011.12.07 - fix syntax error in t/memleak_bad_handshake.t thanks to cazzaniga[DOT]sandro[AT]gmail[DOT]com for reporting v1.51 2011.12.06 - disable t/memleak_bad_handshake.t on AIX, because it might hang https://rt.cpan.org/Ticket/Display.html?id=72170 v1.50 2011.12.06 Thanks to HMBRAND for reporting and Rainer Tammer tammer[AT]tammer[DOT]net for providing access to AIX system v1.49 2011.10.28 - another regression for readline fix, this time it failed to return lines at eof which don't end with newline. Extended t/readline.t to catch this case and the fix for 1.48 Thanks to christoph[DOT]mallon[AT]gmx[DOT]de for reporting v1.48 2011.10.26 - bugfix for readline fix in 1.45. If the pending data where false (like '0') it failed to read rest of line. Thanks to Victor Popov for reporting https://rt.cpan.org/Ticket/Display.html?id=71953 v1.47 2011.10.21 - fix for 1.46 - check for mswin32 needs to be /i. Thanks to Alexandr Ciornii for reporting v1.46 2011.10.18 - disable test t/signal-readline.t on windows, because signals are not relevant for this platform and test does not work. https://rt.cpan.org/Ticket/Display.html?id=71699 v1.45 2011.10.12 - fix readline to continue when getting interrupt waiting for more data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem v1.44 2011.05.27 - fix invalid call to inet_pton in verify_hostname_of_cert when identity should be verified as ipv6 address, because it contains colon. v1.43_1 2011.05.12 - try to make t/nonblock.t more stable, especially on Mac OS X v1.43 2011.05.11 - fix t/nonblock.t - stability improvements t/inet6.t v1.42 2011.05.10 - add SSL_create_ctx_callback to have a way to adjust context on creation. https://rt.cpan.org/Ticket/Display.html?id=67799 - describe problem of fake memory leak because of big session cache and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073 v1.41 2011.05.09 - fix issue in stop_SSL where it did not issue a shutdown of the SSL connection if it first received the shutdown from the other side. Thanks to fencingleo[AT]gmail[DOT]com for reporting - try to make t/nonblock.t more reliable, at least report the real cause of ssl connection errors v1.40 2011.05.02 - integrated patch from GAAS to get IDN support from URI. https://rt.cpan.org/Ticket/Display.html?id=67676 v1.39_1 2011.05.02 - fix in exampel/async_https_server. Thanks to DetlefPilzecker[AT]web[DOT]de for reporting v1.39 2011.03.03 - fixed documentation of http verification: wildcards in cn is allowed v1.38_1 2011.01.24 - close should undef _SSL_fileno, because the fileno is no longer valid (SSL connection and socket are closed) v1.38 2011.01.18 - fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1 instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for reporting https://rt.cpan.org/Ticket/Display.html?id=64864 v1.37 2010.12.09 - don't complain about invalid certificate locations if user explicitly set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what he is doing and will work around the problems by itself. http://rt.cpan.org/Ticket/Display.html?id=63741 v1.36 2010.12.08 - update documentation for SSL_verify_callback based on https://rt.cpan.org/Ticket/Display.html?id=63743 https://rt.cpan.org/Ticket/Display.html?id=63740 v1.35 2010.12.06 - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid it will no longer fall back to VERIFY_NONE but throw an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for pointing out the problem, see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 v1.34 2010.11.01 - scheme http for certificate verification changed to wildcards_in_cn=1, because according to rfc2818 this is valid and also seen in the wild - if upgrading socket from inet to ssl fails due to handshake problems the socket gets downgraded, but is still open. See https://rt.cpan.org/Ticket/Display.html?id=61466 - deprecate kill_socket, just use close() v1.33 2010.03.17 - attempt to make t/memleak_bad_handshake.t more stable, it fails for unknown reason on various systems - fix hostname checking: an IP should only be checked against subjectAltName GEN_IPADD, never against GEN_DNS or CN. Thanks to rusch[AT]genua[DOT]de for bug report v1.32 2010.02.22 - Makefile.PL: die if Scalar::Util has no dualvar support instead of only complaining. Thanks to w[DOT]phillip[DOT]moore[AT]gmail[DOT]com for reporting. v1.31 2009.09.25 - add and export constants for SSL_VERIFY_* - set SSL_use_cert if cert is given and not SSL_server - support alternative CRL file with SSL_crl_file thanks to patch of w[DOT]phillip[DOT]moore[AT]gmail[DOT]com v1.30_3 2009.09.03 - make t/memleak_bad_handshake.t more stable (increase listen queue, ignore errors on connect, don't run on windows..) v1.30_2 2009.09.01 - t/memleak_bad_handshake.t don't write errors with ps to stderr, -o vsize argument is not supported on all platforms, just skip test then v1.30_1 2009.08.31 - make sure that idn_to_ascii gets no \0 bytes from identity, because it simply cuts the string their (using C semantics). Not really a security problem because IDN like identity is provided by user in hostname, not by certificate. v1.30 2009.08.19 - fix test t/memleak_bad_handshake.t v1.29 2009.08.19 - fixed thanks for version 1.28 v1.28 2009.08.19 - fix memleak when SSL handshake failed. Thanks richardhundtu[AT]gmail[DOT]com v1.27 2009.07.24 - changed possible local/utf-8 depended \w in some regex against more explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service names can't have '-' inside - fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131 where eli[AT]dvns[DOT]com reported warnings when perl -w was used. While there made it more aware of errors in Net::ssl_write_all (return undef not 0 in generic_write) v1.26 2009.07.03 - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched only the prefix for the hostname when no wildcard was given, e.g. www.example.org matched against a certificate with name www.exam in it Thanks to MLEHMANN for reporting v1.25 2009.07.02 - t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5 https://rt.cpan.org/Ticket/Display.html?id=47240 v1.24 2009.04.01 - add verify hostname scheme ftp, same as http - renew test certificates again (root CA expired, now valid for 10 years) v1.23 2009.02.23 - if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the default values have no existing file|path) disable checking of certificates, but carp about the problem - new test certificates, the old ones expired and caused tests to fail v1.22 2009.01.24 - Net::SSLeay stores verify callbacks inside hash and never clears them, so set verify callback to NULL in destroy of context v1.21 2009.01.22 - auto verification of name in certificate created circular reference between SSL and CTX object with the verify_callback, which caused the objects to be destroyed only at program end. Fix it be no longer access $self from inside the callback. Thanks to odenbach[AT]uni-paderborn[DOT]de for reporting v1.20 2009.01.15 - only changes on test suite to make it ready for win32 (tested with strawberry perl 5.8.8) v1.19 2008.12.31 - fix verifycn_name autodetection from PeerAddr/PeerHost v1.18 2008.11.17 - fixed typo in argument: wildcars_in_cn -> wildcards_in_cn http://rt.cpan.org/Ticket/Display.html?id=40997 thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting v1.17 2008.10.13 - no code changes, publish v.16_3 as v.17 because it looks better than v.16 - document win32 behavior regarding non-blocking and timeouts v1.16_3 2008.09.25 - fix t/nonblock.t with workaround for problems with IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do nonblocking connect and leaves socket blocked. - make some tests less verbose by fixing diag in t/testlib.t (send output to STDOUT not STDERR and prefix with '#') v1.16_2 2008.09.24 - work around Bug in IO::Socket::INET6 on BSD systems http://rt.cpan.org/Ticket/Display.html?id=39550 by setting Domain based on PeerAddr Thanks to srezic for report and support - remove tests of recv/send from t/core.t. Might badly interact with SSL handshake and cause crashes as seen on OS X 10.4 v1.16_1 2008.09.19 - better support for IPv6: - IPv6 is enabled by default if IO::Socket::INET6 is available - t/inet6.t for basic tests v1.16 2008.09.19 - change code for SSL_check_crl to use X509_STORE_set_flags instead of X509_STORE_CTX_set_flags based on bug report from - change opened() to report -1 if the IO::Handle is open, but the SSL connection failed, needed with HTTP::Daemon::SSL which will send an error message over the unencrypted socket v1.15 - change internal behavior when SSL handshake failed (like when verify callback returned an error) in the hope to fix spurious errors in t/auto_verify_hostname.t v1.14 - added support for verification of hostname from certificate including subjectAltNames, support for IDN etc based on patch and input from christopher[AT]odenbachs[DOT]de and achim[AT]grolmsnet[DOT]de. It is also possible to get more information from peer_certificate based on this patch. See documentation for peer_certificate and verify_hostname - automatic verification of hostnames with SSL_verifycn_scheme and SSL_verifycn_name - global setting of default context options like SSL_verifycn_scheme, SSL_verify_mode with set_ctx_defaults - fix import of inet4,inet6 which got broken within 1.13_X. Thanks to for bugreport and patch - clarified and enhanced debugging support based on bugreport http://rt.cpan.org/Ticket/Display.html?id=32960 - put information into README regarding the supported and recommended version of Net::SSLeay v1.13 - removed CLONE_SKIP which was added in 1.03 because this breaks windows forking. Handled threads/windows forking better by making sure that CTX from Net::SSLeay gets not freed multiple times from different threads after cloning/forking - removed setting LocalPort to 0 in tests, instead leave it undef if a random port should be allocated. This should fix build problems with 5.6.1. Thanks to v1.12 - treat timeouts of 0 for accept_SSL and connect_SSL like no timeout, like IO::Socket does. v1.11 - fixed errors in accept_SSL which would work when called from start_SSL but not from accept v1.10 - start_SSL, accept_SSL and connect_SSL have argument for Timeout so that the SSL handshake will not block forever. Only used if the socket is blocking. If not set the Timeout value from the underlying IO::Socket is used v1.09 - new method stop_SSL as opposite of start_SSL based on a idea of Bron Gondwana To support this method the SSL_shutdown handling had to be fixed, e.g. in close a proper unidirectional shutdown should be done while in stop_SSL a bidirectional shutdown - try to make it clearer that thread support is buggy v1.08 - make sure that Scalar::Util has support for dualvar (Makefile.PL,SSL.pm) because the perl-only version has has no dualvar v1.07 - fix t/nonblock.t on systems which have by default a larger socket buffer. Set SO_SNDBUF explicitly with setsockopt to force smaller writes on the socket v1.06 - instead of setting undef args to '' in configure_SSL drop them. This makes Net::SMTP::SSL working again because it does not give LocalPort of '' to IO::Socket::INET any more v1.05 - make session cache working even if the IO::Socket::SSL object was not created with IO::Socket::SSL->new but with IO::Socket::SSL->start_SSL on an established socket v1.04 - added way to create SSL object with predefined session cache, thus making it possible to share the cache between objects even if the rest of the context is not shared key SSL_session_cache Note that the arguments of IO::Socket::SSL::SessionCache::new changed (but you should never have used this class directly because it's internal to IO::Socket::SSL) v1.03 - add CLONE_SKIP as proposed by Jarrod Johnson jbjohnso at us dot ibm dot com v1.02 - added some info to BUGS and to BUGS section of pod - added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even if they do nothing useful. - all tests allocate now the ports dynamically, so there should be no longer a conflict with open ports on the system where the tests run v1.01 - work around Bug in Net::HTTPS where it defines sub blocking as {}, e.g. force scalar context when calling sub blocking (in IO::Socket::SSL::write) see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106 v1.0 - fix deprecated and practically undocumented function get_peer_certificate so that LWP Net::HTTPS works again - set arg 'Blocking' while calling SUPER::configure only if it was set by the caller to work around Problem in LWP Net::HTTPS v0.999 - If SSL_cipher_list is not given it uses the openssl default instead of setting it to 'ALL:!LOW:!EXP' like before. The old value included ADH and this might be a bad idea, see BUGS why. v0.998 - declare socket as opened before calling fatal_ssl_error because the SSL_error_trap set up from HTTP::Daemon needs this - accept_SSL sets errors on $socket (the accepted socket) not $self (the listening socket if called from accept) so it can be queried from SSL_error_trap - note in BUGS section that IO::Socket::SSL is not thread-safe v0.997 - fix readline (e.g. getline,getlines,<>) so that it behaves regarding $/ like written in the $/ documentation. v0.996 - removed links and comments to unofficial release of Net::SSLeay, because there is a newer version already v0.995 - add support for Diffie Hellman Key Exchange. See parameter SSL_dh_file and SSL_dh. v0.994 - hide DEBUG statements and remove test to load Debug.pm because packages like SpamAssassin cannot cope with it (at least the OpenBSD port) v0.993 - added SSL_cert and SSL_key parameter which do not take a file name like SSL_cert_file and SSL_key_file but an internal X509* resp. EVP_PKEY* value. Useful for dynamically created certificates and keys. - added test for sysread/syswrite behavior (which was changed in v0.991) v0.992 - _set_rw_error does $!||=EAGAIN only if error is one of SSL_WANT_READ|SSL_WANT_WRITE (patch from Mike Smith ) - Fix Makefile.PL to allow detection of failures in PREREQ_PM (http://rt.cpan.org/Public/Bug/Display.html?id=20563, patch by alexchorny at gmail dot com) v0.991 - sysread and syswrite ar no longer the same as read and write, but can return already if only parts of the data are read or written (which is the usual semantic for sysread and syswrite) This should fix problems with HTTP::Daemon::SSL v0.99 - just upgrade Version number because I've screwed up upload of v0.98 to cpan v0.98 - Maintainer changed to - Better support for nonblocking sockets: . exports $SSL_ERROR which contains the latest error from the openssl library. Exports constants SSL_WANT_READ and SSL_WANT_WRITE es special errors which will be set if openssl wants to write or read during nonblocking connects, accepts, reads or writes. . accept,accept_SSL,connect and connect_SSL don't block anymore if the socket is nonblocking. Instead $! will be set from the underlying IO::Socket::INET connect or accept if it failed there (usually EAGAIN or EINPROGRESS) or if the underlying openssl needs to read or write $! will be set to EAGAIN and $SSL_ERROR will be set to SSL_WANT_READ or SSL_WANT_WRITE . syswrite returns undef and sets $!,$SSL_ERROR if it fails to write instead of returning 0. - Bugfixes (http://rt.cpan.org/Public/Bug/Display.html?id=Bugid) . Bug 18439: fileno 0 should be valid . Bug 15001: sysread interprets buffer "0" as "" - peer_certificate returns X509 struct string if no field for extraction was specified - get_peer_certificate returns the certificate instead of the IO::Socket::SSL object v0.97 - Writes now correctly return errors. (Problem noted by Dominique Quatravaux ). - CA paths now work without passing an empty SSL_ca_file argument. (Problem found by Phil Pennock, ). - IO::Socket::SSL now automatically passes Proto => tcp (if not already specified) to IO::Socket::INET to work around /etc/services files with udp entries listed first. (Fix suggested by Phil Pennock). - $socket->accept() now returns the peer address in array context for better conformance with IO::Socket::INET. However, if you were doing "map { $_->accept } (@sockets)", or similar tricks, you will need to use "scalar" to get the old behavior back. (Problem noted by Nils Sowen, ). - IO::Socket::SSL should now properly block on reads larger than the buffer size of Net::SSLeay. (Problem found by Eric Jergensen, ). - IO::Socket::SSL should now send CA Certs (if necessary) along with certificates. (Problem found by ). - Timeouts should now work, but be aware that if multiple reads/writes are necessary to complete a connection, then each one may have a separate timeout. (Request from Dominique Quatravaux ). - In certain cases, start_SSL() would misplace a socket's fileno, causing problems with starting SSL. This should now be fixed. (Problem found by ). - IO::Socket::SSL now requires a minimum of Net::SSLeay 1.21. --- Old Versions -------------------------------------------------- v0.96 2004.4.30 - Makefile's error messages now correct if output is redirected (patch from Ilya Zakharevich ). - Non-blocking connects/accepts now work (Problem found by Uri Guttman ). - new_from_fd() now works. - getline() and <> in scalar context now return undef instead of '' if the read failed. (Problem found by Christian Gilmore ). - Broken pipe signals are now ignored during socket close to prevent a SSL shutdown message from killing the parent program. (Problem found by Christian Gilmore). - Tests should proceed much more quickly, and a semi-race was fixed, meaning that on slow machines the tests should be more reliable. - Check for Scalar::Util and Weakref now uses default $SIG{__DIE__} instead of a potentially user-altered one (suggestion from Olaf Schneider ). This only applies to Perl 5.6.0 & above. - Session caching support (patch from Marko Asplund ). - set_default_context() added to alter the behavior of modules that use IO::Socket::SSL from the main program. - get_ssl_object() renamed to _get_ssl_object() to reflect the fact that it's only supposed to be used internally (not that you should have cared, of course). - Added patch for Net::SSLeay to take advantage of client-side session caching. v0.95 2003.8.25 - Changed PeerAddr in example/ssl_client.pl back to localhost. - Update of examples to automatically switch to the proper directory if they cannot find the necessary SSL certificates. - Minor documentation update with more INET6 info. - Corrected some error messages for IO::Socket::INET6. - Better opened() behavior when sockets close unexpectedly. - Added note about random number generators for Solaris users (Problem found by Christian Gilmore ). - Added support for WeakRef and Scalar::Util to allow IO::Socket::SSL objects to auto-destroy themselves when they go out of scope. - Added croak()ing for unimplemented send() and recv() methods so they are not accidentally used to transmit unencrypted data. The Perl builtin functions cannot be reliably trapped and are still dangerous, a fact that the POD now reflects (Problem noted by Michal Ludvig ). v0.94 2003.6.26 - Changed accept() to use inherited accept() instead of IO::Socket::accept, so that IPv6 inheritance is possible. - Added options to import() so that a user could specify IPv6 or IPv4 mode of operation. - Documentation fixes, esp. e-mail address. v0.93 2003.6.24 - Fixed error-checking slip in connect_SSL() (Problem found by Uri Guttman ). - All functions now return the empty list () on errors. - Added note about the above change to appease Graham Barr . - Fixed Net::SSLeay giving warnings when arguments are undef; in all cases, undef arguments may be set to '' without any change in behavior except for removing the warnings. (Problem found by Dominique Quatravaux ) - If accept() or connect() fails in SSL negotiation, the user now has the option to print something to the failed socket before it is closed. (error_trap option in new()) - Added support for CRLs (SSL_check_crl option in new()) for versions of OpenSSL >= 0.9.7b (Original patch from Brian Lindauer ) - Finally added decent support for certificate callbacks. (SSL_verify_callback option in new(), suggestion from Dariush Pietrzak ). - accept()/connect()/socket_to_SSL() now fail immediately if the socket in question does not have a fileno. - Added the kill_socket() method to guarantee that a socket dies. - Fixed extra warning when printing errors in debug mode. - Deprecated socket_to_SSL() in favor of the class method start_SSL() (Class method suggestion from Graham Barr ). - Added the class method start_SSL() to allow for cases when the desired class of the socket is not IO::Socket::SSL (Request from Dariush Pietrzak ) - Changed socket_to_SSL to rebless socket to original class if SSL negotiation failed (Request from Graham Barr ) - Removed the daemon.pl example, as it did not work with the standard distribution of HTTP::Daemon (use HTTP::Daemon::SSL instead). v0.92 2002.10.22 - Changed the fileno() function to support returning the fileno of server sockets. (Problem found by Roland Giersig ). - Fixed SSL_version incorrectly defaulting to SSLv2 (patch from Roland Alder ). v0.91 2002.08.31 - Added support for SSL_peek and SSL_pending (peek() and pending()). Updated documentation, tests, etc. to reflect this. v0.901 2002.08.19 - Fixed the warning that happens when sockets are not explicitly closed() before the program terminates. v0.90 2002.08.13 - This version is a complete rewrite of IO::Socket::SSL. It now has about half the lines of code, twice the amount of documentation, and a slightly more polished interface. - IO::Socket::SSL now works properly with mod_perl and taint mode. - Major documentation update. - Update of the BUGS file to reflect changes made in the rewrite. - Update of the test suite for Perl v5.8.0 (or, more precisely, for Scalar::Util). - Update of the test suite for Perl v5.00503 (or, more precisely, for the lack of several nice features added in v5.6.0) (Marko Asplund ). - New test suite that does not need the Internet to function. - Update of all the files in example/ to use more current features of IO::Socket::SSL. - Removal of SSL_SSL and X509_Certificate classes. - There have been a few name changes (like socketToSSL -> socket_to_SSL) for better consistency. - The functionality of get_peer_certificate() and friends is deprecated. - The functionality of want_write() and want_read() is deprecated. - The functionality of context_init() is deprecated for normal use. - Support for all SSL context options in the new() call. - SSL contexts are no longer global. The SSL_reuse_ctx option is provided for those who want to re-use a context. - The default verify mode is now VERIFY_NONE. - IO::Socket::SSL::DEBUG is now linked to Net::SSLeay::trace to provide different levels of debugging information. - There is a uniform interface for error reporting, so on error all functions will return undef and the error will be available by calling errstr(). - The dump_peer_certificate() and peer_certificate() functions have been added. - sysread() will now behave correctly if the offset argument is greater than the length of the read buffer. It also will truncate the read buffer properly, according to the Perl documentation for sysread(). - getline(), getlines(), and getc() have been added. - syswrite() now uses references to avoid copying large amounts of data. - readline() uses ssl_read_all in array context for improved speed. - close() now uses SSL_shutdown() to properly close an SSL connection, unless you tell it not to. - If you have Net::SSLeay version 1.18 or greater, X509 certificates will be properly freed. - All other known bugs have been fixed. v0.81a (Not publicly released) - Added support for SSL_passwd_cb. - Added accept() server socket support to socketToSSL(). v0.81 2002.04.10 - calling context_init twice destroyed global context. fix from Jason Heiss . - file handle tying interface implementation moved to a separate class to prevent problems resulting from self-tying filehandles. Harmon S. Nine . - docs/debugging.txt file added - require Net::SSLeay v1.08 - preliminary support for non-blocking read/write - socketToSSL() now respects context's SSL verify setting reported by Uri Guttman . v0.80 2001.08.19 - fixed startTLS support (socketToSSL) (Graham Barr ) - make accept() set fileno attribute on newly created IO::Socket::SSL object (Martin Oldfield ). - certificate updates. - use SSL_CTX_use_PrivateKey_file in SSL_Context::new. v0.79 2001.06.04 - angle bracket readline operator support (David Darville ). - eliminate warnings in choosing SSL protocol version. - implement our own opened method and make length parameter optional in syswrite (Robert Bihlmeyer ). v0.78 2001.04.24 - test script targets changed, certificate setup fixed - support for TLS in SSL_version. SSL_version parameter values changed from integer to string. NB: this is an incompatible change. all SSL_version parameter values have to be changed. valid values include: 'sslv2', 'sslv3', 'sslv23'. Stephen C. Koehler . - enable selecting SSL version for connections. patch from Takanori Ugai . - allow setting SSL_ca_file to ''. this is needed for being able to use SSL_ca_path (Robert Bihlmeyer ). - include the Apache CA bundle file in the distribution (my-ca.pem). - BUGS file added. v0.77 2001.01.15 - don't setup SSL CA verification unless cert verification is actually used for the connections. - default SSL protocol version selection in SSL.pm. v0.76 2000.11.17 - patch from Kwok Chern Yue for making IO::Socket::SSL work with HTTP::Daemon. v0.75 2000.07.26 - IO::Socket::SSL should now work with perl v5.6.0 - demo/*.pl and t/*.t now turn module debugging on if DEBUG command line argument is given - default certificates changed v0.74 2000.07.05 - Changes file added - bugfix in IO::Socket::SSL::sysread() (zliu2 at acsu.buffalo.edu) - libwww-perl and IO::Socket::SSL UML models added in docs - URL changes in test scripts - preliminary support for startTLS in IO::Socket::SSL::socketToSSL() - miscellaneous patches for Net::SSLeay added in diffs IO-Socket-SSL-2.024/certs/0000755000175100017510000000000012655445521013576 5ustar workworkIO-Socket-SSL-2.024/certs/server-key.pem0000644000175100017510000000156712321415553016376 0ustar workwork-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQCfmHNLNKpPwlo8PbrwVFXm1Yqgj+SUWnJHNJphUMzQgY03xI4M ebTk2Q1xBj0HTSr/tWrv2zbwvu2ysC4Yr/M1knEVhPUqyxi9ftsmGMFOMSoBuBvJ qd9sYnQgSU1RFJP01hgH8z3Z99wQM+QAomxisFl+X/mOtqWvrfb75vrfmwIDAQAB AoGBAJmJZ7m9U+/hkUANPzAAYpftbi1j4Urb7L8WG0NuIWyihgJVxTa5S88yBZ1r nADPO4O/u74/Tg60ECdtGRvFAhtNwQA1DWIqoVat9kaFsXaJDRqalSFVNyJL94C8 NEDNkBOfL0LNDfbLdekHrsEx16Sk4Cb3+GwPcQlCBj83Oft5AkEA0QXrySU0/+yb 2M30SOe5m9h5G42RQHJ5wFz7e3NwN9iFd6rIcYAKaJ2vNjN67fYV8TqdCncOL2+2 ZjkeHIeWpQJBAMN2uh1ma0JRGHBG0zK5IiL5C0tvajoF+cNAgOfl7vf1CtRx5KW9 x2aOZumfzm9t0NbcutmEjGB0XbZdCNg9CT8CQEbUetHuiccvpqARKnaKD5t//4oW ruHn6NoGqDFtLNm/xXqHpOTRPrW0uWrkhwOcIFNeSVkCfwwUDvsU399LEwECQQCc GpIBMO6wg/u0j5vUgq6Up7kxgcWgmW0jVrycd7ImLXl8uYkWJT6+1TOzmYFQ1K9Z KefAGG/UCJtfLWYG7JgZAkBNooGdD0taYFyfAlxgbjVqNpgubgnpXvh3G4SRbm3J itE3l4HvYIrLPQVBzG2fomU+AIH8T9NleyFQNRB0BZay -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/server-wildcard.pem0000644000175100017510000001127712321415553017376 0ustar workworkCertificate: Data: Version: 3 (0x2) Serial Number: d6:d7:e1:b4:b3:30:91:ef Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=IO::Socket::SSL Demo CA Validity Not Before: Jan 1 00:00:01 2008 GMT Not After : Mar 30 06:58:42 2019 GMT Subject: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=server.local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bc:5e:af:1f:ac:1b:72:fd:51:d7:54:0c:77:9d: 15:3b:ef:1a:e4:cd:67:70:5a:d5:16:c2:a1:8d:db: a8:ee:79:7a:10:4d:55:60:21:15:34:7b:44:d0:8b: 21:05:3a:d3:2c:26:83:6f:0a:f6:1a:3c:69:cb:bf: 25:4b:77:0d:1a:c4:6f:7a:e5:f3:18:4d:d7:c5:65: d2:90:6a:45:b3:a3:51:73:b8:b1:d2:95:51:bb:73: 0a:85:11:c7:a8:cf:63:8e:24:b8:9a:e3:88:6d:90: 86:ee:ed:97:fd:9a:51:9e:44:9d:b1:c6:3b:92:3a: d5:30:a0:26:98:e9:17:03:15 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 38:21:43:F0:B2:21:77:17:88:B9:97:49:AE:2B:0A:0E:61:D6:DB:8A X509v3 Authority Key Identifier: keyid:DE:65:01:16:19:2E:51:E0:9A:51:1A:37:50:94:7D:39:29:2A:42:2C DirName:/C=DE/ST=Bayern/L=Muenchen/O=Whatever it is/CN=IO::Socket::SSL Demo CA serial:E7:AD:8B:07:55:8A:17:27 X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:*.server.local, IP Address:127.0.0.1, DNS:www*.other.local, DNS:smtp.mydomain.local, DNS:xn--lwe-sna.idntest.local Signature Algorithm: sha1WithRSAEncryption 57:e3:6d:aa:00:c3:da:61:ed:75:9a:29:1f:d9:d5:c5:f1:70: f3:c6:00:81:11:95:b4:e1:a3:9d:3a:86:f8:a0:53:42:3b:22: 1d:4b:23:97:b6:69:d7:ea:66:49:67:d4:18:e5:cb:5e:1c:c0: 6f:4d:42:a6:a9:3f:05:5d:4f:6d:38:e9:c1:ca:94:98:45:e3: eb:7b:c5:96:fb:f6:00:a2:0b:29:63:29:be:77:3a:4d:16:d0: 3b:e9:01:0d:95:a6:5c:3f:02:50:23:16:59:a6:26:78:c8:8b: 15:6f:48:b6:d1:77:0f:80:bb:99:c3:5a:ce:58:d3:2e:85:5b: 57:c3 -----BEGIN CERTIFICATE----- MIIDujCCAyOgAwIBAgIJANbX4bSzMJHvMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcTCE11ZW5jaGVuMRcwFQYD VQQKEw5XaGF0ZXZlciBpdCBpczEgMB4GA1UEAxMXSU86OlNvY2tldDo6U1NMIERl bW8gQ0EwHhcNMDgwMTAxMDAwMDAxWhcNMTkwMzMwMDY1ODQyWjBhMQswCQYDVQQG EwJERTEPMA0GA1UECBMGQmF5ZXJuMREwDwYDVQQHEwhNdWVuY2hlbjEXMBUGA1UE ChMOV2hhdGV2ZXIgaXQgaXMxFTATBgNVBAMTDHNlcnZlci5sb2NhbDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEAvF6vH6wbcv1R11QMd50VO+8a5M1ncFrVFsKh jduo7nl6EE1VYCEVNHtE0IshBTrTLCaDbwr2Gjxpy78lS3cNGsRveuXzGE3XxWXS kGpFs6NRc7ix0pVRu3MKhRHHqM9jjiS4muOIbZCG7u2X/ZpRnkSdscY7kjrVMKAm mOkXAxUCAwEAAaOCAW0wggFpMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQ4IUPwsiF3F4i5 l0muKwoOYdbbijCBngYDVR0jBIGWMIGTgBTeZQEWGS5R4JpRGjdQlH05KSpCLKFw pG4wbDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMITXVl bmNoZW4xFzAVBgNVBAoTDldoYXRldmVyIGl0IGlzMSAwHgYDVQQDExdJTzo6U29j a2V0OjpTU0wgRGVtbyBDQYIJAOetiwdVihcnMAsGA1UdDwQEAwIF4DBhBgNVHREE WjBYgg4qLnNlcnZlci5sb2NhbIcEfwAAAYIQd3d3Ki5vdGhlci5sb2NhbIITc210 cC5teWRvbWFpbi5sb2NhbIIZeG4tLWx3ZS1zbmEuaWRudGVzdC5sb2NhbDANBgkq hkiG9w0BAQUFAAOBgQBX422qAMPaYe11mikf2dXF8XDzxgCBEZW04aOdOob4oFNC OyIdSyOXtmnX6mZJZ9QY5cteHMBvTUKmqT8FXU9tOOnBypSYRePre8WW+/YAogsp Yym+dzpNFtA76QENlaZcPwJQIxZZpiZ4yIsVb0i20XcPgLuZw1rOWNMuhVtXww== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQC8Xq8frBty/VHXVAx3nRU77xrkzWdwWtUWwqGN26jueXoQTVVg IRU0e0TQiyEFOtMsJoNvCvYaPGnLvyVLdw0axG965fMYTdfFZdKQakWzo1FzuLHS lVG7cwqFEceoz2OOJLia44htkIbu7Zf9mlGeRJ2xxjuSOtUwoCaY6RcDFQIDAQAB AoGBALilE4K3YRzBhaTOJX5mgzcBtVoMolV3JCOwW05DwH8qomUyePrG0xNjtdu6 VX7b374KbpG9q+mhyI7I6pTjuPoRaQmVNdUOU8i5F8Wy0vOZFhDSaJoZpehQPkbk f+IqgjAGOQdFXeTMNAeRjUBqfuL5V15uaD9VX/1Xq3pWZyxtAkEA7BVDODOfKTTV Zfgmy4u2KdP4a3E2mHm+MwKpvdrxfmpgphpqfuc077f/36BSPN0jpYVw1IvDdy5z /iSuw+PIPwJBAMxC8vr7wtlTIDbgQWKZLQ8p9N/DUrTlBTUiJCeMdbrOL3tCJETn klaES7gjrgctvU8209T0yv3yTi+kkfInf6sCQGzJ/4fOgfGDHzM1/uqdHvx3aWpZ aUcqErN+7qlGUzJl4tOoKJsCACrXJ1ntjvftD5gevbe0EAbDqT/bt40dUhECQBWW 8fXDTIoJ9jq2o1KXnCKhLafFDmXeWxmNnUKs3vi6uFwP1qON0nLgktxIsSlDFWJd CjDVGuuSg98XRvHQaPcCQHSpGVcl7Y42cYprxSgSWXrLXBIIrq6AT9nREzFTPc3/ TNOdzTyL23tvqYFMzxgA4QK4aLUIdgLlMhx0oXZfaOA= -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/server-rsa384-dh.pem0000644000175100017510000000167011164437157017226 0ustar workwork-----BEGIN CERTIFICATE----- MIH7MIG2oAMCAQICAhI0MA0GCSqGSIb3DQEBBAUAMBYxFDASBgNVBAMTC3Jvb3Qu c2VydmVyMB4XDTA2MDgwMTE1MTU1MloXDTA2MDgwMjE1MTU1MlowFjEUMBIGA1UE AxMLcm9vdC5zZXJ2ZXIwTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEAoANEs5TuVeJQ OzQ2+2DKApESDF6JVasfAG/8KnXbv5uYSAio2Eb0SUiP3HdEAvgdAgMBAAEwDQYJ KoZIhvcNAQEEBQADMQBWs7i5qaq8jBhaf4kqAO72s7xawhobUvbi9++6ayu3cg5Z 7KzRgdK3wDV2H/jCkpU= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIHyAgEAAjEAoANEs5TuVeJQOzQ2+2DKApESDF6JVasfAG/8KnXbv5uYSAio2Eb0 SUiP3HdEAvgdAgMBAAECMFA8E1DxFuldx9lH/2HhUKok0CX/qWGZofDQnTr9CiN7 O+s7Wf07r8Oped85n/IKiQIZANMa1CwI5lo5zdrv0ayn9fWGkHiLlFEs0wIZAMIK 1nsU39QtreUeKNJ9GTlO8NE4bP9xTwIZAK9ACH996+1fK1vj10bkMLXhPjI0fa5d 7QIYRAxW8Sz93cPzMuFjwYVbfix/6W9XUjGjAhgEZGzKnur+N8HvShyhV74TIg7Q XfWYMhQ= -----END RSA PRIVATE KEY----- -----BEGIN DH PARAMETERS----- MEYCQQDeHNGXWnPTGUD8zHYq1XinwW7W1cu/mWBf1WibTJOpIwIrHvfLF9Z0v7Up nOuxI12P+vQUIs73Jjv5lseml+nrAgEC -----END DH PARAMETERS----- IO-Socket-SSL-2.024/certs/server_enc.p120000644000175100017510000000362212622126027016247 0ustar workwork0‚Ž0‚T *†H†÷  ‚E‚A0‚=0‚ *†H†÷  ‚0‚ 0‚ *†H†÷ 0 *†H†÷  0Ýüúe7ž©©€‚Ø7’#Ž2&ÛÒ{ÈñLOÊmt Xôcb·vžžãW\‡eì¦ÉìÝ“á\5;ºCévDôDÓö|ºX¥é$á2“|u´Á—2äÛ6œ6îÆ ïK&ä{¯ú^Ö€"*æq³ÔÕ´ËÇ"9œ`wÆæÑÒd“ò®ÿ–ÿœžƒÏIdþ.Û¯øCd[j›xŸÒߟÖV&Geô¤Sç›È9#CtñlN>Õƒ,/ÍÄžHbu£ºû^0Á•‰•^3£BJç)Öæ‰:¿„Ê÷^Š-¯#m¶ñõ… ‚UE>Ö¸D?¯x×>ë“à’œí/‹=ZˆŸ×¤°1’Qª:H°ð -ì‚寧çÞ8™ßÅ%sšdåòåô-´TC ü㹃½wäpÞ­•—Žócf¥ý·#’ª¥W²ævg˜kɽ¾“™78Ÿ¶v(fFúSä¾vçŠÞ±ËuG’W(ûýÝÏ'm[è›Ìïa»¹³‚8âGø¶…cˆpª˜_mo¥#•ͼlɧdÙÇmiÝ(gæê¡Ëƾt°&¿>Èý̱ц0ßP ܽJ,t8ÝÄÂÞ¨€ÿÝ9›2«±­èrúƒ?šy†Š‹Œ×%ÅáK<¹ôÄðð!¿a0Ϭ¶±±D ?9zrul±Û-¶À9ŠçŒ Q¢+D½ìzäsÍ–S ¹.{š”¹<=mMs6rvY ‚mÚoò“ÖUl'›rÝ<§ÌÛÈövcGöM\pïDaÇb=¯¨Ù™¢Oû»æ’Œ… T¼o‹^ÕŠ=0ÚPqì9§¹«ÙL ·Sß C+¹w!{fVtl‘’© yIÏ=©A¹ž‹×x!l­nŽÍ¹­àf-cô;Çš,áÈ¢L9/`OXbJÕÞ¬haãäÈúMÖƒb#lùòh…×%•¥ž`g¯Õ÷ÛÑuŸ“fgu¼tˆÙÀ?eTOÀàÛvÇ™`ûŒÒˆOŸO’ÂEÂe쨸P—WÊh~IÈŸ{­7Šóª*bOÆyŒ§YìmY·ÑªÇQM.“Üí âô)²rÊ{¼z˺¯âu(2Ê,ØeDùÉï¶NŸoÅ;Í ãnñÒ ÖXä©ê¢€öS|5ZvïZZçãi’ªQ·»kŸÜ9¡J”ôœDÖ–’Í}ÒѪ‰è™âø 0‚ *†H†÷  ‚‚0‚ÿ0‚û *†H†÷   ‚¦0‚¢0 *†H†÷  0÷X¾F„p'‚€[Ï—{ë:PŸV'‹ÊÛ Æ¶×(4´·lÖòÿžð\”oB}ô³3û³b°ÿcNv÷Þ\ ­<Ž ½N_Y@ÏrÇ­ò^ØK-”´¦ïù•æ†e8¢ò–„AÅy+Âð•_IZíóÎÅ©˜åÿàwBA ‚¥÷¢ï| ~†Àã‚úSÜåN’Æ{ÒèF•v¤ï¼ËÓ_ÖY.i—ÜtÛ&º–<$¹¾JŒ"÷b„Þ6ûW³ ÁÝ ûñ™R%”g ·Û1¸:ƒ‘dÄ&™¸â‘ƒ£†æÞG¹¼¸}g¢3Û¯þ@ó)›#‹„›]Ô:LüDêë¶ :NÆùÝ#X=‰FeöU‰SƒÛrÏGî£q´&­ÛD]u1Ú«FõAû*Å9=V|ì4§‰Øí–žíÞ\ûpüTÔCg`dj¨~A#!fŸ–éÚ T÷ë`ÅÖ¶«,]YWeU(:;1 êöïV¿éCÞ‰oóƒêntÏüßK†¨¬ð¿‚w6\1Ì`‡¬òŸv‘¾öìàâ ¶ –ìýcfBÞa¾Ýu¸Üv³!-üœ fëÐ…$Ü 5jy4!ˆºwíEëOZÖÂB´§ÿFC8Òœñƒc•©Œß-?˜ƒØ¶Ö<æü#‰4×=xcP$‡!o8É`Ò'Z`æí¨Ðÿ‹FÔÓ¢P×ï¤9¯Ï`ãР¥y k-öOÿÕ¬Ø`ŠÛ¶C¤¯ö8_2z™(j‘CqSû¶·Ñ‚ï˜ÿO¶WÌUöp ŸxÇɲhÃpJpi¡c5à|´g#ê¡kr…ÉžèÝWá ¹zN"x91B0 *†H†÷  1 server0# *†H†÷  1í0 :0âú&º˜zÁ߈}XëŒß010!0 +Tïíª£õS¬/@?²ìÝ–bz4u«ªIO-Socket-SSL-2.024/certs/client-key.enc0000644000175100017510000000170312321415553016322 0ustar workwork-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,B8D106E5875DEBC3 fdoA/G4J5lNf+F71QaL3bC1BtQqM/tJ+9C+FgYN4ECoV9T5gQZQ7FkACBWuPAbki BNKzvKH5TvSdpxUjgQuMtBcQQZEH9931ZjWLnxNEyoSYkvVI7jmdT66bZWOEuJmy UojLQG5FTXCqpBlTj59wY2Z1/6sS1rDoWnNcSKGRiOMyjNYr0qrVXjLNX63+j6Ng 2Sk9j2RhViLzAX+OfdpfgrXwAWt01z+zsa1nJq921vyBsfAHmyMVLUv5W1iQMLEc lNxwnTyl31x4AzD9S4GbpGoQoH2TOmVKnXQCcla4qiVSMLRrzJpEDTXk3BvSdXoB 8RwDpmfN2hhNQuUXBXEsm550ZQ2RzegX7ZJOQ6qYFixctm7t6TdG0x68JzZi7sTY kGB2JbgMFVfTdcqrfxHMnq1Wp0+XBbKj+EdSqSVY9D3BjmBFoAmUAVuwWg1gTdVG kVoSfQ4BB5CvDEYx9S0t1NHCQoF9DpEX/eOHp7gxitqvYryb9DSn+f28U5crTFRL GRRZ8093OBZRZqOmnvCTF3tnamPJnCw10tYCo6rNrnWReZpEPvGpPkAWNDgkfnUU ///QTfa1zoi1Cmgs2hYRx3k/y2Ttbq1ysalMOZektQ+99Y0kYRcLq2FN7NI4125r QfH+HvU/WHKVoksD60RZ1nWvC59n/innWJooFJ+pBqxe6WGabBdT6qXoHIt64JrU ZJXmwdnX3Cl2RcVNZ+213PqNEgRZ7/fi8+/qGaEJkzwWJB/yhS+tgYrzNPsaUs9g dY5CKbFCuG1K8sWY0kObFRq2uqM4Md7UfKXbi5kDXhnuWO+cyQCCjA== -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/my-ca.pem0000644000175100017510000000220312321415553015274 0ustar workwork-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIJAOetiwdVihcnMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcTCE11ZW5jaGVuMRcwFQYD VQQKEw5XaGF0ZXZlciBpdCBpczEgMB4GA1UEAxMXSU86OlNvY2tldDo6U1NMIERl bW8gQ0EwHhcNMDkwNDAxMDY0NDQ4WhcNMTkwMzMwMDY0NDQ4WjBsMQswCQYDVQQG EwJERTEPMA0GA1UECBMGQmF5ZXJuMREwDwYDVQQHEwhNdWVuY2hlbjEXMBUGA1UE ChMOV2hhdGV2ZXIgaXQgaXMxIDAeBgNVBAMTF0lPOjpTb2NrZXQ6OlNTTCBEZW1v IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZROfatylcxcbrx0dTXvgo zlqFwps7ghgyx+Qvgwrv72w8dPIpMDk1zTeQPNSy8nTCYIsEr1tGC+T/dYt3raYm 2kXk20QzYiuXOCIUR+JY9xvUdnee9Z1vJD5u7DfkhnAsCJhkxVZ7xoSF4Zei812v i+Z+ePR+/F7uTJyeBbf5QQIDAQABo4HRMIHOMB0GA1UdDgQWBBTeZQEWGS5R4JpR GjdQlH05KSpCLDCBngYDVR0jBIGWMIGTgBTeZQEWGS5R4JpRGjdQlH05KSpCLKFw pG4wbDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMITXVl bmNoZW4xFzAVBgNVBAoTDldoYXRldmVyIGl0IGlzMSAwHgYDVQQDExdJTzo6U29j a2V0OjpTU0wgRGVtbyBDQYIJAOetiwdVihcnMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcNAQEFBQADgYEAZu8EXePCEhV0LeC0zBXBMUlqu7p0fzQByL9U6SuOmwkKih/w OcsjxX6PFjJm3C5/NJ9mUw8WrbbBTKcMg7t2PvuyIuKK+wK3Nf5XZaGnzwtn1aFz M0LUhtV8z6OcURDEfnQBsgLCPODc9Mg4FEViDGVaZ1i233ZeAlLzXSZeXL8= -----END CERTIFICATE----- IO-Socket-SSL-2.024/certs/server-cert.der0000644000175100017510000000153312622126027016524 0ustar workwork0‚W0‚À  Ö×á´³0‘ð0  *†H†÷ 0l1 0 UDE10 UBayern10UMuenchen10U Whatever it is1 0UIO::Socket::SSL Demo CA0 080101000001Z 190330070544Z0a1 0 UDE10 UBayern10UMuenchen10U Whatever it is10U server.local0Ÿ0  *†H†÷ 0‰Ÿ˜sK4ªOÂZ<=ºðTUæÕŠ ä”ZrG4šaPÌÐ7ÄŽ y´äÙ q=M*ÿµjïÛ6ð¾í²°.¯ó5’q„õ*˽~Û&ÁN1*¸É©ßlbt IMQ“ôÖó=Ù÷Ü3ä¢lb°Y~_ùŽ¶¥¯­öûæúß›£‚ 0‚0 U00, `†H†øB OpenSSL Generated Certificate0U¼8{bÉÝ©º^œDª®q9zÉè0žU#–0“€Þe.QàšQ7P”}9)*B,¡p¤n0l1 0 UDE10 UBayern10UMuenchen10U Whatever it is1 0UIO::Socket::SSL Demo CA‚ ç­‹UŠ'0 Uà0  *†H†÷ "¬³ gëÂ@6šVq ü.K=Û±ƒó–Z3›Û3ÞRÜœ€6x›ãêcÌ ¬½ &G'ƒ#©¶®\Ø< 'Ê´^›…ü4¯^‘`;Òß·®ã ‰¯  ?ïCÖ=nt2³ðŠô€a÷ñƒ…è,¸ƒö‡³Í+ ˆù?w;ÌIO-Socket-SSL-2.024/certs/client-key.pem0000644000175100017510000000156712321415553016346 0ustar workwork-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDZSSdDQUabg9MiKu0flwxjjAY/TAp0PsOXvidX8kAYQHydP68S vnzsPwG7Dr0L/Q0wj3q5t/L37/jH4r93byUmq3bkF0w85cMpIpI43oL3A5w9+Ag1 tfuQVwVIixEATZf4OQe7NloT36YV02xafzExOY6wgo1DrDyfpvBvP8n3pwIDAQAB AoGAVDCM/vke04jrWLTLNc8/5J5PmVzsPAhJntT1x5S8kukBn6gaPKgEHUF4eTMH uspsvuEJC0aj5L9dZI2N5EfzW2YZsKx7vWn2A0j+XfQ1CT/p7Qq2ywr6RhmJux9l +ChupTvx/jsym7XAJoEsxD8KMjrLddxCPButk/Z7B+nX1uECQQD9qxccaJ1/3T7h tzJN7R8SEWAqj5Kc4Sk6oZRMV4Jn6x3jPoML8wkMiORGoeX8c+mJszTo+Ao3Gayz 4XtYEixRAkEA20hzbJWXvTW3xm3aePbkybLR5mT4c1RcU1h03wzPV3o06V34bahu k+JYXEvGzt7b3X1Lbuq+BTRfnhdoPK/+dwJAfQlIawhmGhDEXh4e/apUFmPaMyBx 9EJIQE5E+xxnezG5mbnGfq1dWIBhhS9oXfgEtYtQGUWqQ160cjZCxjavAQJAMFXi C3dWAUEMB1NDqxJREBy4o95x3Yok58JB0MDUG2Y2r5IlJpbP+Q0ViRKy+fqp4EK0 E/judds7kG98bJQmtQJBAIBkK4fWPkuSwxiLO7jsLUltXe6dzu3oEYYCpJWs7wy5 BtK/ta3rfXp1zNiu2XdCiccGJhuEB3WbCPBBpmvMye0= -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/client-cert.pem0000644000175100017510000000701512321415553016505 0ustar workworkCertificate: Data: Version: 3 (0x2) Serial Number: d6:d7:e1:b4:b3:30:91:ee Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=IO::Socket::SSL Demo CA Validity Not Before: Jan 1 00:00:01 2008 GMT Not After : Mar 30 06:56:31 2019 GMT Subject: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=client.local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d9:49:27:43:41:46:9b:83:d3:22:2a:ed:1f:97: 0c:63:8c:06:3f:4c:0a:74:3e:c3:97:be:27:57:f2: 40:18:40:7c:9d:3f:af:12:be:7c:ec:3f:01:bb:0e: bd:0b:fd:0d:30:8f:7a:b9:b7:f2:f7:ef:f8:c7:e2: bf:77:6f:25:26:ab:76:e4:17:4c:3c:e5:c3:29:22: 92:38:de:82:f7:03:9c:3d:f8:08:35:b5:fb:90:57: 05:48:8b:11:00:4d:97:f8:39:07:bb:36:5a:13:df: a6:15:d3:6c:5a:7f:31:31:39:8e:b0:82:8d:43:ac: 3c:9f:a6:f0:6f:3f:c9:f7:a7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: A3:81:A9:13:5B:B5:3B:0E:99:0E:EF:09:C4:8C:EA:8B:F5:BD:A8:B0 X509v3 Authority Key Identifier: keyid:DE:65:01:16:19:2E:51:E0:9A:51:1A:37:50:94:7D:39:29:2A:42:2C DirName:/C=DE/ST=Bayern/L=Muenchen/O=Whatever it is/CN=IO::Socket::SSL Demo CA serial:E7:AD:8B:07:55:8A:17:27 X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Signature Algorithm: sha1WithRSAEncryption 7f:2b:5f:6b:dd:37:57:df:1c:37:d6:c5:64:d0:51:93:c0:d8: 41:dd:60:38:cb:37:dd:c3:4d:94:7c:3d:39:aa:29:38:7b:fe: 9a:4d:cc:fc:35:10:0f:1d:f5:5c:f5:1f:fa:c1:eb:b9:5f:40: fc:15:cb:ae:f4:49:93:31:bf:f6:e6:0c:ce:6e:c1:35:b9:12: 87:77:52:4f:18:e0:e9:a1:3e:41:ae:9d:59:be:ea:8e:42:1b: 4f:3e:1e:99:3a:c0:01:b3:eb:1f:de:0a:01:26:d3:4f:8f:f2: 0d:9a:ef:bb:33:b1:5e:46:b9:8d:74:bf:37:aa:2a:71:aa:f4: d9:95 -----BEGIN CERTIFICATE----- MIIDVzCCAsCgAwIBAgIJANbX4bSzMJHuMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcTCE11ZW5jaGVuMRcwFQYD VQQKEw5XaGF0ZXZlciBpdCBpczEgMB4GA1UEAxMXSU86OlNvY2tldDo6U1NMIERl bW8gQ0EwHhcNMDgwMTAxMDAwMDAxWhcNMTkwMzMwMDY1NjMxWjBhMQswCQYDVQQG EwJERTEPMA0GA1UECBMGQmF5ZXJuMREwDwYDVQQHEwhNdWVuY2hlbjEXMBUGA1UE ChMOV2hhdGV2ZXIgaXQgaXMxFTATBgNVBAMTDGNsaWVudC5sb2NhbDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA2UknQ0FGm4PTIirtH5cMY4wGP0wKdD7Dl74n V/JAGEB8nT+vEr587D8Buw69C/0NMI96ubfy9+/4x+K/d28lJqt25BdMPOXDKSKS ON6C9wOcPfgINbX7kFcFSIsRAE2X+DkHuzZaE9+mFdNsWn8xMTmOsIKNQ6w8n6bw bz/J96cCAwEAAaOCAQowggEGMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjgakTW7U7DpkO 7wnEjOqL9b2osDCBngYDVR0jBIGWMIGTgBTeZQEWGS5R4JpRGjdQlH05KSpCLKFw pG4wbDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMITXVl bmNoZW4xFzAVBgNVBAoTDldoYXRldmVyIGl0IGlzMSAwHgYDVQQDExdJTzo6U29j a2V0OjpTU0wgRGVtbyBDQYIJAOetiwdVihcnMAsGA1UdDwQEAwIF4DANBgkqhkiG 9w0BAQUFAAOBgQB/K19r3TdX3xw31sVk0FGTwNhB3WA4yzfdw02UfD05qik4e/6a Tcz8NRAPHfVc9R/6weu5X0D8Fcuu9EmTMb/25gzObsE1uRKHd1JPGODpoT5Brp1Z vuqOQhtPPh6ZOsABs+sf3goBJtNPj/INmu+7M7FeRrmNdL83qipxqvTZlQ== -----END CERTIFICATE----- IO-Socket-SSL-2.024/certs/server-key.der0000644000175100017510000000114112622126027016352 0ustar workwork0‚]Ÿ˜sK4ªOÂZ<=ºðTUæÕŠ ä”ZrG4šaPÌÐ7ÄŽ y´äÙ q=M*ÿµjïÛ6ð¾í²°.¯ó5’q„õ*˽~Û&ÁN1*¸É©ßlbt IMQ“ôÖó=Ù÷Ü3ä¢lb°Y~_ùŽ¶¥¯­öûæúß›™‰g¹½Sïá‘@ ?0b—ín-cáJÛì¿Cn!l¢†UÅ6¹KÏ2kœÏ;ƒ¿»¾?N´'mÅMÁ5 b*¡V­öF…±v‰ š•!U7"K÷€¼4@ÍŸ/BÍ öËué®Á1פ¤à&÷ølq B?79ûyAÑëÉ%4ÿì›ØÍôHç¹›Øy‘@ryÀ\û{sp7Ø…wªÈq€ h¯63zíöñ: w/o¶f9‡–¥AÃvºfkBQpFÓ2¹""ù Koj:ùÃ@€çåî÷õ Ôq䥽ÇfŽféŸÎomÐÖܺلŒ`t]¶]Ø= ?@FÔzÑî‰Ç/¦ *vŠ›ÿŠ®áçèÚ¨1m,Ù¿Åz‡¤äÑ>µ´¹j䇜 S^IY ûßßKAœ’0î°ƒû´›Ô‚®”§¹1Å ™m#V¼œw²&-y|¹‰%>¾Õ3³™PÔ¯Y)çÀoÔ›_-fì˜@M¢KZ`\Ÿ\`n5j6˜.n é^øw„‘nmÉŠÑ7—ï`ŠË=AÌmŸ¢e>üOÓe{!P5t–²IO-Socket-SSL-2.024/certs/server-key.enc0000644000175100017510000000170312321415553016352 0ustar workwork-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,B23BC22B9F68A8C3 oYwok70k0gvbWFIBTXIVJ6QNeXGZZUwRh8DjKKlaNy4UfYS9gINPbmaQgW0ynR0j haKMfPInUwXzIINC8NBc+ALx7fkPcWhZEEyow3nh9WTDggtNAU+Km2x76W/vgNKH PdQAYxqH67zaQK6dGumSTCG/Gz6CLKsHklsvvLZtqJwSeFGp+Vkn/CS7cILiG/Jr tZGSVrcfA3eB6U3+TnZw9F8k09G02hkt5wHk3j44pf9mIgJSS42aZXJ0vwiY8Fjt vjN3fywPN/0YsR+ahtKOvdyXkXsK2Bl5hbUv8wJNMy0wB86/esy8tSO/grhb8d9k KJ8uXm1DoaAd8d4oHwoCvSmMwujIcNkXSIsNUlBwN27FR58PjJA/XAl3uRiTHWZA D1feH3Aplxak94NfnHgfipW5hEYorM6zzYT8dvQ01RzaX8D8cgw1LhuBwXvbj8B6 4gLz+FkVQROIF0w7pJm3QBVCS2HZd36ZLOMVkqfWYxW16dZglvcT0ELkTeddwUHc A59CEL4pfLqqqVOnud13fxR4XXD+qZQPNx0Pm+zD3p+KRUuTupIg/suFEJNZSTpA WPiQ0EbFMcv7lg9jGCDZOG+E5Ir1na4oqDHt+uchF5h3EY1gnQKO/Pu4H3ShfSQ+ u9mMAQ74/ZwQ9nNFDd6+BmbomqORefqKMF/2xdkhfXoG3YwKLWXenOCG0j3DWiml Hlv9WpWLxnifkm2f6kpvwJ623c5E0U/Y4uNf6Vxlxqr+IaG0o6dPVHYz/q0Hsqhf hrWD45uTJrjFhV7nEBcOlukGkUFsNetWyb8EGFb5nimvgKGeJPbcyA== -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/server-cert.pem0000644000175100017510000000701512321415553016535 0ustar workworkCertificate: Data: Version: 3 (0x2) Serial Number: d6:d7:e1:b4:b3:30:91:f0 Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=IO::Socket::SSL Demo CA Validity Not Before: Jan 1 00:00:01 2008 GMT Not After : Mar 30 07:05:44 2019 GMT Subject: C=DE, ST=Bayern, L=Muenchen, O=Whatever it is, CN=server.local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:9f:98:73:4b:34:aa:4f:c2:5a:3c:3d:ba:f0:54: 55:e6:d5:8a:a0:8f:e4:94:5a:72:47:34:9a:61:50: cc:d0:81:8d:37:c4:8e:0c:79:b4:e4:d9:0d:71:06: 3d:07:4d:2a:ff:b5:6a:ef:db:36:f0:be:ed:b2:b0: 2e:18:af:f3:35:92:71:15:84:f5:2a:cb:18:bd:7e: db:26:18:c1:4e:31:2a:01:b8:1b:c9:a9:df:6c:62: 74:20:49:4d:51:14:93:f4:d6:18:07:f3:3d:d9:f7: dc:10:33:e4:00:a2:6c:62:b0:59:7e:5f:f9:8e:b6: a5:af:ad:f6:fb:e6:fa:df:9b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BC:81:38:7B:62:C9:DD:A9:BA:5E:9C:44:AA:AE:71:39:7A:81:C9:E8 X509v3 Authority Key Identifier: keyid:DE:65:01:16:19:2E:51:E0:9A:51:1A:37:50:94:7D:39:29:2A:42:2C DirName:/C=DE/ST=Bayern/L=Muenchen/O=Whatever it is/CN=IO::Socket::SSL Demo CA serial:E7:AD:8B:07:55:8A:17:27 X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Signature Algorithm: sha1WithRSAEncryption 22:ac:b3:a0:67:eb:c2:40:36:9a:56:71:20:fc:2e:4b:3d:db: b1:83:f3:96:5a:33:9b:db:33:de:52:dc:9c:80:36:78:9b:e3: 90:ea:63:cc:0c:ac:0f:bd:01:20:26:8f:47:27:83:23:a9:90: b6:ae:5c:d8:3c:20:27:ca:04:b4:5e:9b:85:fc:34:af:5e:91: 60:3b:d2:df:b7:06:ae:e3:01:09:1f:89:af:0a:18:0a:3f:ef: 43:d6:3d:6e:16:74:32:b3:06:f0:8a:f4:80:61:f7:f1:83:85: e8:2c:1d:b8:83:f6:81:87:b3:cd:2b:0b:88:1a:f9:3f:15:77: 3b:cc -----BEGIN CERTIFICATE----- MIIDVzCCAsCgAwIBAgIJANbX4bSzMJHwMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcTCE11ZW5jaGVuMRcwFQYD VQQKEw5XaGF0ZXZlciBpdCBpczEgMB4GA1UEAxMXSU86OlNvY2tldDo6U1NMIERl bW8gQ0EwHhcNMDgwMTAxMDAwMDAxWhcNMTkwMzMwMDcwNTQ0WjBhMQswCQYDVQQG EwJERTEPMA0GA1UECBMGQmF5ZXJuMREwDwYDVQQHEwhNdWVuY2hlbjEXMBUGA1UE ChMOV2hhdGV2ZXIgaXQgaXMxFTATBgNVBAMTDHNlcnZlci5sb2NhbDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEAn5hzSzSqT8JaPD268FRV5tWKoI/klFpyRzSa YVDM0IGNN8SODHm05NkNcQY9B00q/7Vq79s28L7tsrAuGK/zNZJxFYT1KssYvX7b JhjBTjEqAbgbyanfbGJ0IElNURST9NYYB/M92ffcEDPkAKJsYrBZfl/5jralr632 ++b635sCAwEAAaOCAQowggEGMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS8gTh7Ysndqbpe nESqrnE5eoHJ6DCBngYDVR0jBIGWMIGTgBTeZQEWGS5R4JpRGjdQlH05KSpCLKFw pG4wbDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMITXVl bmNoZW4xFzAVBgNVBAoTDldoYXRldmVyIGl0IGlzMSAwHgYDVQQDExdJTzo6U29j a2V0OjpTU0wgRGVtbyBDQYIJAOetiwdVihcnMAsGA1UdDwQEAwIF4DANBgkqhkiG 9w0BAQUFAAOBgQAirLOgZ+vCQDaaVnEg/C5LPduxg/OWWjOb2zPeUtycgDZ4m+OQ 6mPMDKwPvQEgJo9HJ4MjqZC2rlzYPCAnygS0XpuF/DSvXpFgO9Lftwau4wEJH4mv ChgKP+9D1j1uFnQyswbwivSAYffxg4XoLB24g/aBh7PNKwuIGvk/FXc7zA== -----END CERTIFICATE----- IO-Socket-SSL-2.024/certs/test-ca.pem0000644000175100017510000000220312321415553015626 0ustar workwork-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIJAOetiwdVihcnMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV BAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcTCE11ZW5jaGVuMRcwFQYD VQQKEw5XaGF0ZXZlciBpdCBpczEgMB4GA1UEAxMXSU86OlNvY2tldDo6U1NMIERl bW8gQ0EwHhcNMDkwNDAxMDY0NDQ4WhcNMTkwMzMwMDY0NDQ4WjBsMQswCQYDVQQG EwJERTEPMA0GA1UECBMGQmF5ZXJuMREwDwYDVQQHEwhNdWVuY2hlbjEXMBUGA1UE ChMOV2hhdGV2ZXIgaXQgaXMxIDAeBgNVBAMTF0lPOjpTb2NrZXQ6OlNTTCBEZW1v IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZROfatylcxcbrx0dTXvgo zlqFwps7ghgyx+Qvgwrv72w8dPIpMDk1zTeQPNSy8nTCYIsEr1tGC+T/dYt3raYm 2kXk20QzYiuXOCIUR+JY9xvUdnee9Z1vJD5u7DfkhnAsCJhkxVZ7xoSF4Zei812v i+Z+ePR+/F7uTJyeBbf5QQIDAQABo4HRMIHOMB0GA1UdDgQWBBTeZQEWGS5R4JpR GjdQlH05KSpCLDCBngYDVR0jBIGWMIGTgBTeZQEWGS5R4JpRGjdQlH05KSpCLKFw pG4wbDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjERMA8GA1UEBxMITXVl bmNoZW4xFzAVBgNVBAoTDldoYXRldmVyIGl0IGlzMSAwHgYDVQQDExdJTzo6U29j a2V0OjpTU0wgRGVtbyBDQYIJAOetiwdVihcnMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcNAQEFBQADgYEAZu8EXePCEhV0LeC0zBXBMUlqu7p0fzQByL9U6SuOmwkKih/w OcsjxX6PFjJm3C5/NJ9mUw8WrbbBTKcMg7t2PvuyIuKK+wK3Nf5XZaGnzwtn1aFz M0LUhtV8z6OcURDEfnQBsgLCPODc9Mg4FEViDGVaZ1i233ZeAlLzXSZeXL8= -----END CERTIFICATE----- IO-Socket-SSL-2.024/certs/proxyca.pem0000644000175100017510000000334612622126027015763 0ustar workwork-----BEGIN CERTIFICATE----- MIICXDCCAcWgAwIBAgIJAPcrxpCHBqEIMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV BAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMSMwIQYDVQQKDBpJTzo6U29ja2V0 OjpTU0w6OkludGVyY2VwdDAeFw0xMzA1MjkxNzE3MjdaFw0yMzA1MjcxNzE3Mjda MEcxCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMSMwIQYDVQQKDBpJ Tzo6U29ja2V0OjpTU0w6OkludGVyY2VwdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA3tXNX5XOwibRHUyHU2tN1FlI8dYMJtI9L+Si1QFA/DBsEXDJUocDf9SU UPacGtEsqRiRaptw3I7QnrggmR+4Id8np5rO9xlucLtQSBvVDZy8Y4hI3kV7Oeup 14JnfSQj/gVTJNolDUzI0u08ZZiKSS7d5DOw5cOu5F67UAfSOdUCAwEAAaNQME4w HQYDVR0OBBYEFBfCIp9KkFUPPix/KFXyTIa7hNN3MB8GA1UdIwQYMBaAFBfCIp9K kFUPPix/KFXyTIa7hNN3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA MiF5uUZE4Xm5lUc8Yql1k1eGiVKR9nKpGIwOIUFC0SahiG8wZDkp7v8id0vtu8Pk R8tcOLsiKHYMfg49DiByBiMKA7m5+DQL8av4LD5wNJLM5Ha592jhqblVBLeEOCuB TfouWu+ieAQO/kAU+WCZLRN5Oc/NnI4fsV6ph5zqSc4= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDe1c1flc7CJtEdTIdTa03UWUjx1gwm0j0v5KLVAUD8MGwRcMlS hwN/1JRQ9pwa0SypGJFqm3DcjtCeuCCZH7gh3yenms73GW5wu1BIG9UNnLxjiEje RXs566nXgmd9JCP+BVMk2iUNTMjS7TxlmIpJLt3kM7Dlw67kXrtQB9I51QIDAQAB AoGAK3Xrnk7rinZjpqE8a4qsHVRko7YpnJC4mlSvZXffItCW4zfqLAxlJFNjsf7H J3vQiBJgmjhC5OF90tb6lKLZGHTvUQRLIGOytHKJlO4qHKWvzqDv9R4qQPBnAHeC tOUXnxSmvxNrNKHW4talLPn6aqHkQwBeKKq1E85d+NzGnGkCQQDxoUUvI5S8/qFb CpaSa3GoDc89r9shnEUzoR24M+oDA3jwtMXy/q8dLtYCX7//PUaScqaOw5APVz8z osiBRxC7AkEA7BZjT0RD+1u9KmVZQfiiVCrJoasd2vDhCcAL0KCFEttMjjutaPeA QMFZiXwUIZWo/7NdRrD9PiQpmw7FZcm+rwJAVQ+fylNtRgchiGo2zX6zeSS7Ywzo SHG5zs4WJ0VnSP5M8ffBg6RywwQ85IMOlOzeTim8Rp/DtBLTtfrFOPVqhwJAB0ix i7KJfmnYLkSuOlDXgU1Ip0pGQ4kHCGv6cVdig7Bsbj79HK32MQlGH+3KGTcq3ajF CfdP+OjYt8X+5SMSVQJAF1zVY5UOQenILFyRCWpgUwIQZRo3FjfJzMykTb8LqgWc nQApujWvWi8qQerxPsAaDLgtfQh3V7ZCZxZRWvuh8A== -----END RSA PRIVATE KEY----- IO-Socket-SSL-2.024/certs/server.p120000644000175100017510000000362212622126027015422 0ustar workwork0‚Ž0‚T *†H†÷  ‚E‚A0‚=0‚ *†H†÷  ‚0‚ 0‚ *†H†÷ 0 *†H†÷  0=ŸxüpsÅ€‚Øôlv•UMèì‹d#]¸ÒÎÊÆësîÛ®zÌÎ÷í ¢]7©Qº1ð«…›%äaÛ&ˆªŒjK~ãò?ùy˜ÀT¨ÓcРÑSÒ =ö:¢–´q9úg=YæÛª©–«¥>ÑRŒ ÑïžDNu§'\Ä<‚ùYmT§ëºû‚:ü%Ò~ 2e„(f™)¶ú¥Ø^0˜˜í²ðDñužÎ§#â!W1R0è9­æ ¿„ @k˜!Bå>óØØJ›. ¥l ÉôŒ¡|T ÖÄi`o+8ÒŸÕjhø˜Á#â°Ø”˜°?\áPÏ6#õG4RÆRE-rŒ¢x¡+B3L QÿÈØÝ}øˆ:{Œ8HG®^¡ë@ Û°bí?_Âb‹ßâÒ›P×,mi¾=‚=Ư¦íõ`aϸdÿ+Ÿ!Ô=Ëkûç<‘Ê5!zèwþ?v§ ¬¯{Ii"U#½Åó##fg³»A)%Oßn1wy\®´!\–bÁµ­Åg­¿”½ÛU»úvs™¡¢Ü¾¤þÄd:q#,ÈïŸ5( X´zºã©Wä|ï0±µ×ÛGö`µAÚÎcMD©Ò;R·ë;Å}ÿÆÝ# r« Â!£³çNÑòTHº< "ã„OÕ?(r–ɱøüñŽÊ.oQ€°íòͳ¹¿«—…Ú Z ÷ÎÖ šjÄõùl±~R\NÉãt~Ŷ8V#Ìà MÛ\E¹D¬ò€ŸE©Á¹åðF±N&y h’´+l“W‚wîÞ)þ @'å¢{@Ë}‰×\íÞš€¼%–Z_ ³ã_+O[*•\Vóx@n$–Ece+—¨øW)7‚ KêL×ASX}y…ÕþÅFçoâôì*ŠÔÖ ûí2l;‘É)Cj7?“ O]Ñ x¨èüº­ÄÁ7A«“/í2j3²×ÅGS¯ ÅJ³ëJSf8Åè3×OéûúÿŒ*;¸6±pçVÍ Ž©Ö|Ø´ÿò-“œQWÅ,MƒJó<^_r4ÔèÎ…¸ž?¼¾«Yn*SòÍÿÆèmâw(cQ Ð̧·B*A)¶%Z.’(2~"Š,©Æ‡…¬ÜƒS¡h…²³¼®9ˆ LÇö’K¶©H¹Vwl*RvqCHLþÆoÞgË<݉N¸+Þ ˜œ] ˜‡ºHÍ[7J§¬ž,¶ù6ÅݼÔž€’åˆæzʈîÛH\².RBS_á ÙA1,Jåë5Ø0‚ *†H†÷  ‚‚0‚ÿ0‚û *†H†÷   ‚¦0‚¢0 *†H†÷  0µ¿ˆ­â.®‚€v]ÛÌ1 dÄq“Ë9ï¤omÐMP#FnÃKÕJ¥3t¯õ¤¾„9|üª6«t1X™wmr+ƒ ßNÔöeĆëÏ°1J«Ù5j&…^úNŽTh‡¿ô êC’BX|Ç®÷÷Á2a2W6_½óª§®Ùf®î¡ÿ2´ïînˆÜñöP¦¶»§…”7’jõHä‘Rº„›áØæ¾|PЃöIwu·:¸–è›íä<ŸD% >Oò.-ÂI)“ß/†ò»­÷D·KBâ“Ù¡tj8jÖÑ}#·Þ“•½ ˆ$ï}‹¸3%ç×Û’ï¶ì¹m† êi‚Š‹‰^† ¦K¶`8 f[唧â_ëW[c]|WïGŽ˜ïŸY«>§»·Ëu@&UbtV¦ßKšÝ‚y¸RVÛ?R‘À.¼bˆF0›K«Ê¸¾> ýÙš* ¨™ÿÛÄ3rN‰Ç@/¼›°ä9šŒ$«ŽúI(€0LIIÈèŬŽöÆW+ƒ®u Ä¿:~VL8€ N4ø¤4Dñx-§zv5§î  ïó ¼0n7PÒ'rġЙoÎ[oe¡l'F’ålôïÀ²Êrk±AÏ®üJÉé…»qÊœ_‹Ï˜¥¶áëè22¥˜}ÑA™šÄ6¯Až˜ÃÂð¢¯I÷u,q¹>UδŽüÂ(G ˆ]÷Y+‡ê„û¨\pÑÚµkqNÎ&hÞ #w€.†¢3Æ'û*ìQ¦¸á¶·hm+°°ßú²¦gy¤®>j¦¸û^$Î?—ž‰Sã¨Ýå,a1ÞD¼ wJa4›?HÛ?ð§¯Ò`ñu¦£„_‹À~ébÊQ1B0 *†H†÷  1 server0# *†H†÷  1í0 :0âú&º˜zÁ߈}XëŒß010!0 +-zòª@ŽŸ¡8an0‡ B{'Šy…Ä6½_ÖDIIO-Socket-SSL-2.024/Makefile.PL0000644000175100017510000001152512622126027014423 0ustar workwork# vim: set sts=4 sw=4 ts=8 ai: use 5.008; use ExtUtils::MakeMaker; # Test to make sure that Net::SSLeay can be properly seeded! unless (defined $ENV{EGD_PATH}) { foreach (qw(/var/run/egd-pool /dev/egd-pool /etc/egd-pool /etc/entropy)) { if (-S) { $ENV{EGD_PATH}=$_; last } } } $| = 1; my $yesno = sub { my ($msg,$default) = @_; return $default if defined $default && $ENV{PERL_MM_USE_DEFAULT}; # Taken from ExtUtils::MakeMaker 6.16 (Michael Schwern) so that # the prompt() function can be emulated for older versions of ExtUtils::MakeMaker. while ( -t STDIN && (-t STDOUT || !(-f STDOUT || -c STDOUT))) { print "$msg "; my $choice = ; $choice =~s{\s+$}{}; $choice ||= $default; next if $choice !~m{^\s*([yn])}i; return lc($1); } return $default; }; { # issue warning, if Net::SSLeay cannot find random generator # redefine __WARN__ only locally to allow detection of failures # in PREREQ_PM local $SIG{__WARN__} = sub { undef $SIG{__WARN__}; my $warning = shift; return unless $warning =~ /random/i; print "Net::SSLeay could not find a random number generator on\n"; print "your system. This will likely cause most of the tests\n"; print "to fail. Please see the README file for more information.\n"; print "the message from Net::SSLeay was: $warning\n"; $yesno->("Do you REALLY want to continue? y/[N]","n") eq 'y' or die "Install cancelled.\n"; }; if (! defined $ENV{SKIP_RNG_TEST}) { eval { require Net::SSLeay; $Net::SSLeay::trace=1; Net::SSLeay::randomize(); }; die $@ if $@ =~ /cancelled/; } else { print "Random Number Generator test skipped.\n"; } } { # don't support too old OpenSSL versions anymore, only causes trouble my $openssl = eval { require Net::SSLeay; Net::SSLeay::OPENSSL_VERSION_NUMBER() }; die sprintf( "minimal required version for OpenSSL is 0.9.8, but your Net::SSLeay reports 0x%08x", $openssl) if $openssl && $openssl < 0x00908000; } # make sure that we have dualvar from the XS Version of Scalar::Util if ( eval { require Scalar::Util } ) { eval { Scalar::Util::dualvar( 0,'' ) }; die "You need the XS Version of Scalar::Util for dualvar() support" if ($@); } # check if we have something which handles IDN if ( ! eval { require Net::IDN::Encode } and ! eval { require Net::LibIDN } and ! eval { require URI; URI->VERSION(1.50) }) { warn <<'EOM'; WARNING No library for handling international domain names found. It will work but croak if you try to verify an international name against a certificate. It's recommended to install either Net::IDN::Encode, Net::LibIDN or URI version>=1.50 EOM } # check if we have usable CA store # on windows we might need to install Mozilla::CA # settings for default path from openssl crypto/cryptlib.h my %usable_ca; { my $openssldir = eval { require Net::SSLeay; Net::SSLeay::SSLeay_version(5) =~m{^OPENSSLDIR: "(.+)"$} && $1 || ''; }; my $dir = $ENV{SSL_CERT_DIR} || ( $^O =~m{vms}i ? "SSLCERTS:":"$openssldir/certs" ); if ( opendir(my $dh,$dir)) { FILES: for my $f ( grep { m{^[a-f\d]{8}(\.\d+)?$} } readdir($dh) ) { open( my $fh,'<',"$dir/$f") or next; while (<$fh>) { m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; $usable_ca{SSL_ca_path} = $dir; last FILES; } } } my $file = $ENV{SSL_CERT_FILE} || ( $^O =~m{vms}i ? "SSLCERTS:cert.pem":"$openssldir/cert.pem" ); if ( open(my $fh,'<',$file)) { while (<$fh>) { m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; $usable_ca{SSL_ca_file} = $file; last; } } } my $xt = $ENV{NO_NETWORK_TESTING} && 'n'; $xt ||= $yesno->( "Should I do external tests?\n". "These test will detect if there are network problems and fail soft,\n". "so please disable them only if you definitely don't want to have any\n". "network traffic to external sites. [Y/n]", 'y' ); # See lib/ExtUtils/MakeMaker.pm for details of how to influence # the contents of the Makefile that is written. WriteMakefile( 'NAME' => 'IO::Socket::SSL', 'ABSTRACT' => 'Nearly transparent SSL encapsulation for IO::Socket::INET.', 'AUTHOR' => 'Steffen Ullrich , Peter Behroozi, Marko Asplund', 'LICENSE' => 'perl', 'DISTNAME' => 'IO-Socket-SSL', 'VERSION_FROM' => 'lib/IO/Socket/SSL.pm', 'PREREQ_PM' => { 'Net::SSLeay' => 1.46, 'Scalar::Util' => 0, ! %usable_ca ? ( 'Mozilla::CA' => 0 ):(), }, 'dist' => { COMPRESS => 'gzip', SUFFIX => 'gz', }, $xt eq 'y' ? ( test => { TESTS => 't/*.t t/external/*.t' }):(), $ExtUtils::MakeMaker::VERSION >= 6.46 ? ( 'META_MERGE' => { resources => { license => 'http://dev.perl.org/licenses/', repository => 'https://github.com/noxxi/p5-io-socket-ssl', homepage => 'https://github.com/noxxi/p5-io-socket-ssl', bugtracker => 'https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL', }, }, ):(), ); IO-Socket-SSL-2.024/t/0000755000175100017510000000000012655445521012721 5ustar workworkIO-Socket-SSL-2.024/t/signal-readline.t0000644000175100017510000000260412622126027016135 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( $^O =~m{mswin32}i ) { print "1..0 # Skipped: signals not relevant on this platform\n"; exit } print "1..9\n"; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, SSL_server => 1, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => "certs/server-wildcard.pem", SSL_key_file => "certs/server-wildcard.pem", ); warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server; print "not ok\n", exit if !$server; ok("Server Initialization"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { $SIG{HUP} = sub { ok("got hup") }; close($server); my $client = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0 ) || print "not "; ok( "client ssl connect" ); my $line = <$client>; print "not " if $line ne "foobar\n"; ok("got line"); exit; } my $csock = $server->accept; ok("accept"); $SIG{PIPE} = 'IGNORE'; syswrite($csock,"foo") or print "not "; ok("wrote foo"); sleep(1); kill HUP => $pid or print "not "; ok("send hup"); sleep(1); syswrite($csock,"bar\n") or print "not "; ok("wrote bar\\n"); wait; ok("wait: $?"); sub ok { print "ok #$_[0]\n"; } IO-Socket-SSL-2.024/t/sessions.t0000644000175100017510000001112112622126027014737 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/core.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; my $numtests = 35; print "1..$numtests\n"; my @servers = map { IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, Timeout => 30, ReuseAddr => 1, SSL_key_file => "certs/server-key.enc", SSL_passwd_cb => sub { return "bluebell" }, SSL_verify_mode => SSL_VERIFY_NONE, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => "certs/server-cert.pem", ) } (1..3); if ( grep { !$_ } @servers > 0 ) { print "not ok # Server init\n"; exit; } &ok("Server initialization"); my @saddr = map { $_->sockhost.':'.$_->sockport } @servers; unless (fork) { @servers = (); my $ctx = IO::Socket::SSL::SSL_Context->new( SSL_passwd_cb => sub { return "opossum" }, SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_file => "certs/test-ca.pem", SSL_ca_path => '', SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH', SSL_session_cache_size => 4, ); if (! defined $ctx->{'session_cache'}) { print "not ok \# Context init\n"; exit; } &ok("Context init"); # Bogus session test unless ($ctx->session_cache("bogus", "bogus", 0)) { print "not "; } &ok("Superficial Cache Addition Test"); unless ($ctx->session_cache("bogus1", "bogus1", 0)) { print "not "; } &ok("Superficial Cache Addition Test 2"); my $cache = $ctx->{'session_cache'}; if (keys(%$cache) != 4) { print "not "; } &ok("Cache Keys Check 1"); unless ($cache->{'bogus1:bogus1'} and $cache->{'bogus:bogus'}) { print "not "; } &ok("Cache Keys Check 2"); my ($bogus, $bogus1) = ($cache->{'bogus:bogus'}, $cache->{'bogus1:bogus1'}); unless ($cache->{'_head'} eq $bogus1) { print "not "; } &ok("Cache Head Check"); unless ($bogus1->{prev} eq $bogus and $bogus1->{next} eq $bogus and $bogus->{prev} eq $bogus1 and $bogus->{next} eq $bogus1) { print "not "; } &ok("Cache Link Check"); IO::Socket::SSL::set_default_context($ctx); my $sock3 = IO::Socket::INET->new($saddr[2]); my @clients = ( IO::Socket::SSL->new(PeerAddr => $saddr[0], Domain => AF_INET), IO::Socket::SSL->new(PeerAddr => $saddr[1], Domain => AF_INET), IO::Socket::SSL->start_SSL( $sock3 ), ); if ( grep { !$_ } @clients >0 ) { print "not ok \# Client init $SSL_ERROR\n"; exit; } &ok("Client init"); # Make sure that first 'bogus' entry has been removed if (keys(%$cache) != 6) { warn Dumper($cache); use Data::Dumper; print "not "; } &ok("Cache Keys Check 3"); if ($cache->{'bogus:bogus'}) { print "not "; } &ok("Cache Removal Test"); if ($cache->{'_head'}->{prev} ne $bogus1) { print "not "; } &ok("Cache Tail Check"); if ($cache->{'_head'} ne $cache->{$saddr[2]}) { print "not "; } &ok("Cache Insertion Test"); for (0..2) { if (Net::SSLeay::get_session($clients[$_]->_get_ssl_object) ne $cache->{$saddr[$_]}->{session}) { print "not "; } &ok("Cache Entry Test $_"); close $clients[$_]; } @clients = map { IO::Socket::SSL->new(PeerAddr => $_, Domain => AF_INET) } @saddr; if (keys(%$cache) != 6) { print "not "; } &ok("Cache Keys Check 4"); if (!$cache->{'bogus1:bogus1'}) { print "not "; } &ok("Cache Keys Check 5"); for (0..2) { if (Net::SSLeay::get_session($clients[$_]->_get_ssl_object) ne $cache->{$saddr[$_]}->{session}) { print "not "; } &ok("Second Cache Entry Test $_"); unless ($clients[$_]->print("Test $_\n")) { print "not "; } &ok("Write Test $_"); unless ($clients[$_]->readline eq "Ok $_\n") { print "not "; } &ok("Read Test $_"); close $clients[$_]; } exit(0); } my @clients = map { scalar $_->accept } @servers; if ( grep { !$_ } @clients > 0 ) { print "not ok \# Client init\n"; exit; } &ok("Client init"); close($_) for @clients; @clients = map { scalar $_->accept } @servers; if ( grep { !$_ } @clients > 0 ) { print $SSL_ERROR; print "not ok \# Client init 2\n"; exit; } &ok("Client init 2"); for (0..2) { unless ($clients[$_]->readline eq "Test $_\n") { print "not "; } &ok("Server Read $_"); unless ($clients[$_]->print("Ok $_\n")) { print "not "; } &ok("Server Write $_"); close $clients[$_]; close $servers[$_]; } wait; sub ok { print "ok #$_[0]\n"; } sub bail { print "Bail Out! $IO::Socket::SSL::ERROR"; } IO-Socket-SSL-2.024/t/io-socket-inet6.t0000644000175100017510000000463212622126027016022 0ustar workwork#!perl # make sure IO::Socket::IP will not be used BEGIN { if ( eval { require Acme::Override::INET }) { print "1..0 # Skipped: will not work with Acme::Override::INET installed\n"; exit } $INC{'IO/Socket/IP.pm'} = undef } use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # check first if we have loaded IO::Socket::IP, as if so we won't need or use # IO::Socket::INET6 if( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::IP" ) { print "1..0 # Skipped: using IO::Socket::IP instead\n"; exit; } # check if we have loaded INET6, IO::Socket::SSL should do it by itself # if it is available unless( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::INET6" ) { # not available or IO::Socket::SSL forgot to load it if ( ! eval { require IO::Socket::INET6 } ) { print "1..0 # Skipped: no IO::Socket::INET6 available\n"; } elsif ( ! eval { IO::Socket::INET6->VERSION(2.62) } ) { print "1..0 # Skipped: no IO::Socket::INET6 available\n"; } else { print "1..1\nnot ok # automatic use of INET6\n"; } exit } my $addr = '::1'; # check if we can use ::1, e.g if the computer has IPv6 enabled if ( ! IO::Socket::INET6->new( Listen => 10, LocalAddr => $addr, )) { print "1..0 # no IPv6 enabled on this computer\n"; exit } $|=1; print "1..3\n"; print "# IO::Socket::INET6 version=$IO::Socket::INET6::VERSION\n"; # first create simple ssl-server my $ID = 'server'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, SSL_cert_file => "certs/server-cert.pem", SSL_key_file => "certs/server-key.pem", ) || do { notok($!); exit }; ok("Server Initialization at $addr"); # add server port to addr $addr = "[$addr]:".$server->sockport; print "# server at $addr\n"; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, SSL_verify_mode => 0, ) || do { notok( "connect failed: ".IO::Socket::SSL->errstr() ); exit }; ok( "client connected" ); } else { ###### Server my $to_client = $server->accept || do { notok( "accept failed: ".$server->errstr() ); kill(9,$pid); exit; }; ok( "Server accepted" ); wait; } sub ok { print "ok # [$ID] @_\n"; } sub notok { print "not ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/sni_verify.t0000644000175100017510000000434312622126027015256 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( ! IO::Socket::SSL->can_server_sni() ) { print "1..0 # skipped because no server side SNI support - openssl/Net::SSleay too old\n"; exit; } if ( ! IO::Socket::SSL->can_client_sni() ) { print "1..0 # skipped because no client side SNI support - openssl/Net::SSleay too old\n"; exit; } print "1..17\n"; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', Listen => 2, ReuseAddr => 1, SSL_server => 1, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => { 'server.local' => 'certs/server-cert.pem', 'client.local' => 'certs/client-cert.pem', 'smtp.mydomain.local' => "certs/server-wildcard.pem", '' => "certs/server-wildcard.pem", }, SSL_key_file => { 'server.local' => 'certs/server-key.pem', 'client.local' => 'certs/client-key.pem', 'smtp.mydomain.local' => "certs/server-wildcard.pem", '' => "certs/server-wildcard.pem", }, SSL_verify_mode => 1 ); warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server; print "not ok\n", exit if !$server; print "ok # Server Initialization\n"; my $saddr = $server->sockhost.':'.$server->sockport; # www13.other.local should match default '' # all other should match the specific entries my @tests = qw( server.local client.local smtp.mydomain.local www13.other.local ); defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { close($server); for my $host (@tests) { my $client = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_hostname => $host, SSL_ca_file => 'certs/my-ca.pem', SSL_cert_file => 'certs/client-cert.pem', SSL_key_file => 'certs/client-key.pem', ) || print "not "; print "ok # client ssl connect $host\n"; $client->verify_hostname($host,'http') or print "not "; print "ok # client verify hostname in cert $host\n"; } exit; } for my $host (@tests) { my $csock = $server->accept or print "not "; print "ok # server accept\n"; my $name = $csock->get_servername; print "not " if ! $name or $name ne $host; print "ok # server got SNI name $host\n"; } wait; IO-Socket-SSL-2.024/t/acceptSSL-timeout.t0000644000175100017510000000352012622126027016402 0ustar workworkuse strict; use warnings; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; print "1..15\n"; # first use SSL client { my ($server,$saddr) = create_listen_socket(); ok(1, "listening \@$saddr" ); my $srv = fork_sub( 'server',$server ); close($server); fd_grep_ok( 'Waiting', $srv ); my $cl = fork_sub( 'client_ssl',$saddr ); fd_grep_ok( 'Connect from',$srv ); fd_grep_ok( 'Connected', $cl ); fd_grep_ok( 'SSL Handshake OK', $srv ); fd_grep_ok( 'Hi!', $cl ); } # then try bad non-SSL client { my ($server,$saddr) = create_listen_socket(); ok(1, "listening \@$saddr" ); my $srv = fork_sub( 'server',$server ); close($server); fd_grep_ok( 'Waiting', $srv ); my $cl = fork_sub( 'client_no_ssl',$saddr ); fd_grep_ok( 'Connect from',$srv ); fd_grep_ok( 'Connected', $cl ); fd_grep_ok( 'SSL Handshake FAILED', $srv ); } sub server { my $server = shift; print "Waiting\n"; my $client = $server->accept || die "accept failed: $!"; print "Connect from ".$client->peerhost.':'.$client->peerport."\n"; if ( IO::Socket::SSL->start_SSL( $client, SSL_server => 1, Timeout => 5, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', )) { print "SSL Handshake OK\n"; print $client "Hi!\n"; } else { print "SSL Handshake FAILED - $!\n" } } sub client_no_ssl { my $saddr = shift; my $c = IO::Socket::INET->new( $saddr ) || die "connect failed: $!"; print "Connected\n"; while ( sysread( $c,my $buf,8000 )) {} } sub client_ssl { my $saddr = shift; my $c = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0 ) || die "connect failed: $!|$SSL_ERROR"; print "Connected\n"; while ( sysread( $c,my $buf,8000 )) { print $buf } } IO-Socket-SSL-2.024/t/public_suffix_lib_uri.t0000644000175100017510000000016412622126027017445 0ustar workworkuse strict; use warnings; use FindBin; require "$FindBin::Bin/public_suffix_lib.pl"; run_with_lib( 'URI::_idna' ); IO-Socket-SSL-2.024/t/nonblock.t0000644000175100017510000002524212627645435014725 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/nonblock.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use IO::Select; use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS EPIPE ECONNRESET ); do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( ! eval "use 5.006; use IO::Select; return 1" ) { print "1..0 # Skipped: no support for nonblocking sockets\n"; exit; } $SIG{PIPE} = 'IGNORE'; # use EPIPE not signal handler $|=1; print "1..27\n"; # first create simple non-blocking tcp-server my $ID = 'server'; my $server = IO::Socket::INET->new( Blocking => 0, LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ); print "not ok: $!\n", exit if !$server; # Address in use? ok("Server Initialization"); my $saddr = $server->sockhost.':'.$server->sockport; my $ssock = $server->sockname; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { ############################################################ # CLIENT == child process ############################################################ close($server); $ID = 'client'; # fast: try connect_SSL immediately after sending plain text # connect_SSL should fail on the first attempt because server # is not ready yet # slow: wait before calling connect_SSL # connect_SSL should succeed, because server was already waiting for my $test ( 'fast','slow' ) { # initial socket is unconnected, tcp, nonblocking my $to_server = IO::Socket::INET->new( Proto => 'tcp', Blocking => 0 ); # nonblocking connect of tcp socket while (1) { connect($to_server,$ssock ) && last; if ( $!{EINPROGRESS} ) { diag( 'connect in progress' ); IO::Select->new( $to_server )->can_write(30) && next; print "not "; last; } elsif ( $!{EWOULDBLOCK} || $!{EAGAIN} ) { diag( 'connect not yet completed'); # just wait select(undef,undef,undef,0.1); next; } elsif ( $!{EISCONN} ) { diag('claims that socket is already connected'); # found on Mac OS X, dunno why it does not tell me that # the connect succeeded before last; } diag( 'connect failed: '.$! ); print "not "; last; } ok( "client tcp connect" ); # work around (older?) systems where IO::Socket::INET # cannot do non-blocking connect by forcing non-blocking # again (we want to test non-blocking behavior of IO::Socket::SSL, # not IO::Socket::INET) $to_server->blocking(0); # send some plain text on non-ssl socket my $pmsg = 'plaintext'; while ( $pmsg ne '' ) { my $w = syswrite( $to_server,$pmsg ); if ( ! defined $w ) { if ( ! $!{EWOULDBLOCK} && ! $!{EAGAIN} ) { diag("syswrite failed with $!"); print "not "; last; } IO::Select->new($to_server)->can_write(30) or do { diag("failed to get write ready"); print "not "; last; }; } elsif ( $w>0 ) { diag("wrote $w bytes"); substr($pmsg,0,$w,''); } else { die "syswrite returned 0"; } } ok( "write plain text" ); # let server catch up, so that it awaits my connection # so that connect_SSL does not have to wait sleep(5) if ( $test eq 'slow' ); # upgrade to SSL socket w/o connection yet if ( ! IO::Socket::SSL->start_SSL( $to_server, SSL_startHandshake => 0, SSL_verify_mode => 0, SSL_key_file => "certs/server-key.enc", SSL_passwd_cb => sub { return "bluebell" }, )) { diag( 'start_SSL return undef' ); print "not "; } elsif ( !UNIVERSAL::isa( $to_server,'IO::Socket::SSL' ) ) { diag( 'failed to upgrade socket' ); print "not "; } ok( "upgrade client to IO::Socket::SSL" ); # SSL handshake thru connect_SSL # if $test eq 'fast' we expect one failed attempt because server # did not call accept_SSL yet my $attempts = 0; while ( 1 ) { $to_server->connect_SSL && last; diag( $SSL_ERROR ); if ( $SSL_ERROR == SSL_WANT_READ ) { $attempts++; IO::Select->new($to_server)->can_read(30) && next; # retry if can read } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { IO::Select->new($to_server)->can_write(30) && next; # retry if can write } diag( "failed to connect: $@" ); print "not "; last; } ok( "connected" ); if ( $test ne 'slow' ) { print "not " if !$attempts; ok( "nonblocking connect with $attempts attempts" ); } # send some data # we send up to 500000 bytes, server reads first 10 bytes and then sleeps # before reading more. In total server only reads 30000 bytes # the sleep will cause the internal buffers to fill up so that the syswrite # should return with EWOULDBLOCK+SSL_WANT_WRITE. # the socket close should cause EPIPE or ECONNRESET my $msg = "1234567890"; $attempts = 0; my $bytes_send = 0; # set send buffer to 8192 so it will definitely fail writing all 500000 bytes in it # beware that linux allocates twice as much (see tcp(7)) # AIX seems to get very slow if you set the sndbuf on localhost, so don't to it # https://rt.cpan.org/Public/Bug/Display.html?id=72305 if ( $^O !~m/aix/i ) { eval q{ setsockopt( $to_server, SOL_SOCKET, SO_SNDBUF, pack( "I",8192 )); diag( "sndbuf=".unpack( "I",getsockopt( $to_server, SOL_SOCKET, SO_SNDBUF ))); }; } my $test_might_fail; if ( $@ ) { # the next test might fail because setsockopt(... SO_SNDBUF...) failed $test_might_fail = 1; } my $can; WRITE: for( my $i=0;$i<50000;$i++ ) { my $offset = 0; while (1) { if ( $can && ! IO::Select->new($to_server)->$can(30)) { diag("fail $can"); print "not "; last WRITE; }; my $n = syswrite( $to_server,$msg,length($msg)-$offset,$offset ); if ( !defined($n) ) { diag( "\$!=$! \$SSL_ERROR=$SSL_ERROR send=$bytes_send" ); if ( $! == EWOULDBLOCK || $! == EAGAIN ) { if ( $SSL_ERROR == SSL_WANT_WRITE ) { diag( 'wait for write' ); $can = 'can_write'; $attempts++; } elsif ( $SSL_ERROR == SSL_WANT_READ ) { diag( 'wait for read' ); $can = 'can_read'; } else { $can = 'can_write'; } } elsif ( $bytes_send > 30000 ) { diag( "connection closed" ); last WRITE; } next; } elsif ( $n == 0 ) { diag( "connection closed" ); last WRITE; } elsif ( $n<0 ) { diag( "syswrite returned $n!" ); print "not "; last WRITE; } $bytes_send += $n; if ( $n + $offset == 10 ) { last } else { $offset += $n; diag( "partial write of $n new offset=$offset" ); } } } ok( "syswrite" ); if ( ! $attempts && $test_might_fail ) { ok( " write attempts failed, but OK nevertheless because setsockopt failed" ); } else { print "not " if !$attempts; ok( "multiple write attempts" ); } print "not " if $bytes_send < 30000; ok( "30000 bytes send" ); } } else { ############################################################ # SERVER == parent process ############################################################ # pendant to tests in client. Where client is slow (sleep # between plain text sending and connect_SSL) I need to # be fast and where client is fast I need to be slow (sleep # between receiving plain text and accept_SSL) foreach my $test ( 'slow','fast' ) { # accept a connection IO::Select->new( $server )->can_read(30); my $from_client = $server->accept or print "not "; ok( "tcp accept" ); $from_client || do { diag( "failed to tcp accept: $!" ); next; }; # make client non-blocking! $from_client->blocking(0); # read plain text data my $buf = ''; while ( length($buf) <9 ) { sysread( $from_client, $buf,9-length($buf),length($buf) ) && next; die "sysread failed: $!" if $! != EWOULDBLOCK && $! != EAGAIN; IO::Select->new( $from_client )->can_read(30); } $buf eq 'plaintext' || print "not "; ok( "received plain text" ); # upgrade socket to IO::Socket::SSL # no handshake yet if ( ! IO::Socket::SSL->start_SSL( $from_client, SSL_startHandshake => 0, SSL_server => 1, SSL_verify_mode => 0x00, SSL_ca_file => "certs/test-ca.pem", SSL_use_cert => 1, SSL_cert_file => "certs/client-cert.pem", SSL_key_file => "certs/client-key.enc", SSL_passwd_cb => sub { return "opossum" }, )) { diag( 'start_SSL return undef' ); print "not "; } elsif ( !UNIVERSAL::isa( $from_client,'IO::Socket::SSL' ) ) { diag( 'failed to upgrade socket' ); print "not "; } ok( "upgrade to_client to IO::Socket::SSL" ); sleep(5) if $test eq 'slow'; # wait until client calls connect_SSL # SSL handshake thru accept_SSL # if test is 'fast' (e.g. client is 'slow') we expect the first # accept_SSL attempt to fail because client did not call connect_SSL yet my $attempts = 0; while ( 1 ) { $from_client->accept_SSL && last; if ( $SSL_ERROR == SSL_WANT_READ ) { $attempts++; IO::Select->new($from_client)->can_read(30) && next; # retry if can read } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { $attempts++; IO::Select->new($from_client)->can_write(30) && next; # retry if can write } else { diag( "failed to ssl accept ($test): $@" ); print "not "; last; } } ok( "ssl accept handshake done" ); if ( $test eq 'fast' ) { print "not " if !$attempts; ok( "nonblocking accept_SSL with $attempts attempts" ); } # reading 10 bytes # then sleeping so that buffers from client to server gets # filled up and clients receives EWOULDBLOCK+SSL_WANT_WRITE IO::Select->new( $from_client )->can_read(30); ( sysread( $from_client, $buf,10 ) == 10 ) || print "not "; #diag($buf); ok( "received client message" ); sleep(5); my $bytes_received = 10; # read up to 30000 bytes from client, then close the socket my $can; READ: while ( ( my $diff = 30000 - $bytes_received ) > 0 ) { if ( $can && ! IO::Select->new($from_client)->$can(30)) { diag("failed $can"); print "not "; last READ; } my $n = sysread( $from_client,my $buf,$diff ); if ( !defined($n) ) { diag( "\$!=$! \$SSL_ERROR=$SSL_ERROR" ); if ( $! == EWOULDBLOCK || $! == EAGAIN ) { if ( $SSL_ERROR == SSL_WANT_READ ) { $attempts++; $can = 'can_read'; } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { $attempts++; $can = 'can_write'; } else { $can = 'can_read'; } } else { print "not "; last READ; } next; } elsif ( $n == 0 ) { diag( "connection closed" ); last READ; } elsif ( $n<0 ) { diag( "sysread returned $n!" ); print "not "; last READ; } $bytes_received += $n; #diag( "read of $n bytes total $bytes_received" ); } diag( "read $bytes_received ($attempts r/w attempts)" ); close($from_client); } # wait until client exits wait; } exit; sub ok { print "ok # [$ID] @_\n"; } sub diag { print "# @_\n" } IO-Socket-SSL-2.024/t/startssl.t0000644000175100017510000000751712622126027014766 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/nonblock.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use IO::Select; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( ! eval "use 5.006; use IO::Select; return 1" ) { print "1..0 # Skipped: no support for nonblocking sockets\n"; exit; } $|=1; print "1..21\n"; my $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ); print "not ok\n", exit if !$server; ok("Server Initialization"); print "not " if (!defined fileno($server)); ok("Server Fileno Check"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { close($server); my $client = IO::Socket::INET->new($saddr) || print "not "; ok( "client tcp connect" ); unless ( IO::Socket::SSL->start_SSL( $client, SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH', SSL_verify_mode => 0, SSL_cert_file => "certs/client-cert.pem", SSL_key_file => "certs/client-key.enc", SSL_passwd_cb => sub { return "opossum" } )) { #DEBUG( $SSL_ERROR ); print "not "; } ok( "sslify client" ); UNIVERSAL::isa( $client,'IO::Socket::SSL' ) || print "not "; ok( 'client reblessed as IO::Socket::SSL' ); $client->sock_certificate('subject') =~ /client\.local/ or print "not "; ok("client local certificate subject"); $client->sock_certificate('issuer') =~ /O::Socket::SSL Demo CA/ or print "not "; ok("client local certificate issuer"); $client->get_fingerprint('sha256',$client->sock_certificate) eq 'sha256$cbc6a9f1faa81213f7fe3184c32fbfcfeb26f8b24189e64aea9488111437e5eb' or print "not "; ok("client local certificate fingerprint"); $client->peer_certificate('subject') =~ /server\.local/ or print "not "; ok("client peer certificate subject"); $client->peer_certificate('issuer') =~ /O::Socket::SSL Demo CA/ or print "not "; ok("client peer certificate issuer"); $client->get_fingerprint() eq 'sha256$abba71ff26f5d673b096a65a14e323efec37cee6d5a47017baba0b61e591ff8f' or print "not "; ok("client peer certificate fingerprint"); print $client "hannibal\n"; exit; } my $csock = $server->accept || print "not "; ok( "tcp accept" ); IO::Socket::SSL->start_SSL( $csock, SSL_server => 1, SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => "certs/server-cert.pem", SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH:!ADH', SSL_key_file => "certs/server-key.enc", SSL_passwd_cb => sub { return "bluebell" }, ) || print "not "; #DEBUG( $IO::Socket::SSL::ERROR ); ok( 'sslify server' ); UNIVERSAL::isa( $csock,'IO::Socket::SSL' ) || print "not "; ok( 'server reblessed as IO::Socket::SSL' ); $csock->sock_certificate('subject') =~ /server\.local/ or print "not "; ok("server local certificate subject"); $csock->sock_certificate('issuer') =~ /O::Socket::SSL Demo CA/ or print "not "; ok("server local certificate issuer"); $csock->get_fingerprint('sha256',$csock->sock_certificate) eq 'sha256$abba71ff26f5d673b096a65a14e323efec37cee6d5a47017baba0b61e591ff8f' or print "not "; ok("server local certificate fingerprint"); $csock->peer_certificate('subject') =~ /client\.local/ or print "not "; ok("server peer certificate subject"); $csock->peer_certificate('issuer') =~ /O::Socket::SSL Demo CA/ or print "not "; ok("server peer certificate issuer"); $csock->get_fingerprint() eq 'sha256$cbc6a9f1faa81213f7fe3184c32fbfcfeb26f8b24189e64aea9488111437e5eb' or print "not "; ok("server peer certificate fingerprint"); my $l = <$csock>; #DEBUG($l); print "not " if $l ne "hannibal\n"; ok( "received client message" ); wait; sub ok { print "ok #$_[0]\n"; } IO-Socket-SSL-2.024/t/npn.t0000644000175100017510000000341512622126027013673 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/dhe.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # check if we have NPN available # if it is available if ( ! IO::Socket::SSL->can_npn ) { print "1..0 # Skipped: NPN not available in Net::SSLeay\n"; exit } $|=1; print "1..5\n"; # first create simple ssl-server my $ID = 'server'; my $addr = '127.0.0.1'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', SSL_npn_protocols => [qw(one two)], ) || do { ok(0,$!); exit }; ok(1,"Server Initialization at $addr"); # add server port to addr $addr = "$addr:".$server->sockport; print "# server at $addr\n"; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, Domain => AF_INET, SSL_verify_mode => 0, SSL_npn_protocols => [qw(two three)], ) or do { ok(0, "connect failed: ".IO::Socket::SSL->errstr() ); exit }; ok(1,"client connected" ); my $proto = $to_server->next_proto_negotiated; ok($proto eq 'two',"negotiated $proto"); } else { ###### Server my $to_client = $server->accept or do { ok(0,"accept failed: ".$server->errstr() ); kill(9,$pid); exit; }; ok(1,"Server accepted" ); my $proto = $to_client->next_proto_negotiated; ok($proto eq 'two',"negotiated $proto"); wait; } sub ok { my $ok = shift; print $ok ? '' : 'not ', "ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/verify_fingerprint.t0000644000175100017510000000604212622126027017012 0ustar workworkuse strict; use warnings; use Test::More; use IO::Socket::SSL; use IO::Socket::SSL::Utils; use File::Temp 'tempfile'; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; plan tests => 12; my ($ca1,$cakey1) = CERT_create( CA => 1, subject => { CN => 'ca1' }); my ($cert1,$key1) = CERT_create( subject => { CN => 'cert1' }, issuer => [ $ca1,$cakey1 ] ); my ($ca2,$cakey2) = CERT_create( CA => 1, subject => { CN => 'ca2' }); my ($ica2,$icakey2) = CERT_create( CA => 1, subject => { CN => 'ica2' }, issuer => [ $ca2,$cakey2 ] ); my ($cert2,$key2) = CERT_create( subject => { CN => 'cert2' }, issuer => [ $ica2,$icakey2 ] ); my ($saddr1,$fp1) = _server([$cert1],$key1); my ($saddr2,$fp2,$ifp2) = _server([$cert2,$ica2],$key2); for my $test ( [ $saddr1, undef, $fp1, "accept fp1 for saddr1", 1 ], [ $saddr2, undef, $fp2, "accept fp2 for saddr2", 1 ], [ $saddr2, undef, $ifp2, "reject ifp2 for saddr2", 0 ], [ $saddr1, undef, $fp2, "reject fp2 for saddr1", 0 ], [ $saddr2, undef, $fp1, "reject fp1 for saddr2", 0 ], [ $saddr1, undef, [$fp1,$fp2], "accept fp1|fp2 for saddr1", 1 ], [ $saddr2, undef, [$fp1,$fp2], "accept fp1|fp2 for saddr2", 1 ], [ $saddr2, [$ca1], $fp2, "accept fp2 for saddr2 even if ca1 given", 1 ], [ $saddr2, [$ca2], undef, "accept ca2 for saddr2", 1 ], [ $saddr1, [$ca2], undef, "reject ca2 for saddr1", 0 ], [ $saddr1, [$ca1,$ca2], undef, "accept ca[12] for saddr1", 1 ], [ $saddr1, [$cert1], undef, "reject non-ca cert1 as ca for saddr1", 0 ], ) { my ($saddr,$certs,$fp,$what,$expect) = @$test; my $cafile; my $cl = IO::Socket::INET->new( $saddr ) or die $!; syswrite($cl,"X",1); my $ok = IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 1, SSL_fingerprint => $fp, SSL_ca => $certs, SSL_ca_file => undef, SSL_ca_path => undef, ); ok( ($ok?1:0) == ($expect?1:0),$what); } # Notify server children to exit by connecting and disconnecting immediately, # kill only if they will not exit. alarm(10); my @child; END { kill 9,@child } IO::Socket::INET->new($saddr1); IO::Socket::INET->new($saddr2); while ( @child && ( my $pid = waitpid(-1,0))>0 ) { @child = grep { $_ != $pid } @child } sub _server { my ($certs,$key) = @_; my $sock = IO::Socket::INET->new( LocalAddr => '0.0.0.0', Listen => 10 ) or die $!; defined( my $pid = fork()) or die $!; if ( $pid ) { push @child,$pid; return ( '127.0.0.1:'.$sock->sockport, map { 'sha1$'.Net::SSLeay::X509_get_fingerprint($_,'sha1') } @$certs ); } # The chain certificates will be added without increasing reference counter # and will be destroyed at close of context, so we better have a common # context between all start_SSL. my $ctx = IO::Socket::SSL::SSL_Context->new( SSL_server => 1, SSL_cert => $certs, SSL_key => $key ); while (1) { #local $IO::Socket::SSL::DEBUG=10; my $cl = $sock->accept or next; sysread($cl,my $buf,1) || last; IO::Socket::SSL->start_SSL($cl, SSL_server => 1, SSL_reuse_ctx => $ctx, ); } exit(0); } IO-Socket-SSL-2.024/t/verify_hostname.t0000644000175100017510000000744712622126027016313 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # if we have an IDN library max the IDN tests too my $can_idn = eval { require Encode } && ( eval { require Net::LibIDN } || eval { require Net::IDN::Encode } || eval { require URI; URI->VERSION(1.50) } ); $|=1; my $max = 42; $max+=3 if $can_idn; print "1..$max\n"; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ReuseAddr => 1, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => "certs/server-wildcard.pem", SSL_key_file => "certs/server-wildcard.pem", ); warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server; print "not ok\n", exit if !$server; ok("Server Initialization"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { close($server); my $client = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0 ) || print "not "; ok( "client ssl connect" ); my $issuer = $client->peer_certificate( 'issuer' ); print "not " if $issuer !~m{IO::Socket::SSL Demo CA}; ok("issuer"); my $cn = $client->peer_certificate( 'cn' ); print "not " unless $cn eq "server.local"; ok("cn"); my @alt = $client->peer_certificate( 'subjectAltNames' ); my @want = ( GEN_DNS() => '*.server.local', GEN_IPADD() => '127.0.0.1', GEN_DNS() => 'www*.other.local', GEN_DNS() => 'smtp.mydomain.local', GEN_DNS() => 'xn--lwe-sna.idntest.local', ); while (@want) { my ($typ,$text) = splice(@want,0,2); my $data = ($typ == GEN_IPADD() ) ? inet_aton($text):$text; my ($th,$dh) = splice(@alt,0,2); $th == $typ and $dh eq $data or print "not "; ok( $text ); } @alt and print "not "; ok( 'no more altSubjectNames' ); my @tests = ( '127.0.0.1' => [qw( smtp ldap www)], 'server.local' => [qw(smtp ldap)], 'blafasel.server.local' => [qw(smtp ldap www)], 'lala.blafasel.server.local' => [], 'www.other.local' => [qw()], 'www-13.other.local' => [qw(www)], 'www-13.lala.other.local' => [], 'smtp.mydomain.local' => [qw(smtp ldap www)], 'xn--lwe-sna.idntest.local' => [qw(smtp ldap www)], 'smtp.mydomain.localizing.useless.local' => [], ); if ( $can_idn ) { # check IDN handling my $loewe = "l\366we.idntest.local"; push @tests, ( $loewe => [qw(smtp ldap www)] ); } while (@tests) { my ($host,$expect) = splice(@tests,0,2); my %expect = map { $_=>1 } @$expect; for my $typ (qw( smtp ldap www)) { my $is = $client->verify_hostname( $host, $typ ) ? 'pass':'fail'; my $want = $expect{$typ} ? 'pass':'fail'; print "not " if $is ne $want; ok( "$want $host $typ" ); } } exit; } my $csock = $server->accept; wait; # try with implicit checking # Should succeed defined( $pid = fork() ) || die $!; if ( $pid == 0 ) { IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_ca_file => "certs/test-ca.pem", SSL_verify_mode => 1, SSL_verifycn_scheme => 'www', SSL_verifycn_name => 'www.server.local' ) || print "not "; ok("implicit hostname check www.server.local"); exit; } $csock = $server->accept; wait; # Should fail defined( $pid = fork() ) || die $!; if ( $pid == 0 ) { if (IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_ca_file => "certs/test-ca.pem", SSL_verify_mode => 1, SSL_verifycn_scheme => 'www', SSL_verifycn_name => 'does.not.match.server.local' )) { print "not "; } elsif ($SSL_ERROR !~ /hostname verification failed/) { print "# wrong error(should be hostname verification failed): $SSL_ERROR\n"; print "not "; } ok("implicit hostname check does.not.match.server.local"); exit; } $csock = $server->accept; wait; sub ok { print "ok #$_[0]\n"; } IO-Socket-SSL-2.024/t/public_suffix_lib.pl0000644000175100017510000001511612625562350016747 0ustar workworkuse strict; use warnings; use Test::More; use utf8; my $ps; sub run_with_lib { my @idnlib = @_; my %require = ( 'URI::_idna' => 0, 'Net::LibIDN' => 0, 'Net::IDN::Encode' => 0, map { $_ => 1 } @idnlib, ); my %block; my $can_idn; while ( my ($lib,$load) = each %require ) { if ( $load ) { $can_idn = eval "require $lib"; } else { $lib =~s{::}{/}g; $block{"$lib.pm"} = 1; } } unshift @INC, sub { return sub {0} if $block{$_[1]}; return; }; require IO::Socket::SSL::PublicSuffix; plan tests => 79; # all one-level, but co.uk two-level $ps = IO::Socket::SSL::PublicSuffix->from_string("*\nco.uk"); ok($ps,"create two-level"); minimal_private_suffix('com','','com'); minimal_private_suffix('bar.com','','bar.com'); minimal_private_suffix('www.bar.com','www','bar.com'); minimal_private_suffix('www.foo.bar.com','www.foo','bar.com'); minimal_private_suffix('uk','','uk'); minimal_private_suffix('co.uk','','co.uk'); minimal_private_suffix('www.co.uk','','www.co.uk'); minimal_private_suffix('www.bar.co.uk','www','bar.co.uk'); minimal_private_suffix('www.foo.bar.co.uk','www.foo','bar.co.uk'); minimal_private_suffix('bl.uk','','bl.uk'); minimal_private_suffix('www.bl.uk','www','bl.uk'); minimal_private_suffix('www.bar.bl.uk','www.bar','bl.uk'); minimal_private_suffix('www.foo.bar.bl.uk','www.foo.bar','bl.uk'); $ps = IO::Socket::SSL::PublicSuffix->default(min_suffix => 0); # taken from Mozilla::PublicSuffix 0.1.18 t/01-psuffix.t ------ # Obviously invalid input: is public_suffix(undef), undef; is public_suffix(''), undef; is public_suffix([]), undef; # Mixed case: is public_suffix('COM'), 'com'; is public_suffix('example.COM'), 'com'; is public_suffix('WwW.example.COM'), 'com'; is public_suffix('123bar.com'), 'com'; is public_suffix('foo.123bar.com'), 'com'; if(0) { # behaves different # - we return '' instead of undef if unknown extension # - we return com with *.com # Leading dot: is public_suffix('.com'), undef; is public_suffix('.example'), undef; is public_suffix('.example.com'), undef; is public_suffix('.example.example'), undef; # Unlisted TLD: is public_suffix('example'), undef; is public_suffix('example.example'), undef; is public_suffix('b.example.example'), undef; is public_suffix('a.b.example.example'), undef; # Listed, but non-Internet, TLD: is public_suffix('local'), undef; is public_suffix('example.local'), undef; is public_suffix('b.example.local'), undef; is public_suffix('a.b.example.local'), undef; } else { # Leading dot: is public_suffix('.com'), 'com'; is public_suffix('.example'), ''; is public_suffix('.example.com'), 'com'; is public_suffix('.example.example'), ''; # Unlisted TLD: is public_suffix('example'), ''; is public_suffix('example.example'), ''; is public_suffix('b.example.example'), ''; is public_suffix('a.b.example.example'), ''; # Listed, but non-Internet, TLD: is public_suffix('local'), ''; is public_suffix('example.local'), ''; is public_suffix('b.example.local'), ''; is public_suffix('a.b.example.local'), ''; } # TLD with only one rule: is public_suffix('biz'), 'biz'; is public_suffix('domain.biz'), 'biz'; is public_suffix('b.domain.biz'), 'biz'; is public_suffix('a.b.domain.biz'), 'biz'; # TLD with some two-level rules: is public_suffix('com'), 'com'; is public_suffix('example.com'), 'com'; is public_suffix('b.example.com'), 'com'; is public_suffix('a.b.example.com'), 'com'; # uk.com is not in the ICANN part of the list if(0) { is public_suffix('uk.com'), 'uk.com'; is public_suffix('example.uk.com'), 'uk.com'; is public_suffix('b.example.uk.com'), 'uk.com'; is public_suffix('a.b.example.uk.com'), 'uk.com'; } is public_suffix('test.ac'), 'ac'; # TLD with only one (wildcard) rule: if(0) { # we return '' not undef is public_suffix('bd'), undef; } else { is public_suffix('bd'), ''; } is public_suffix('c.bd'), 'c.bd'; is public_suffix('b.c.bd'), 'c.bd'; is public_suffix('a.b.c.bd'), 'c.bd'; # More complex suffixes: is public_suffix('jp'), 'jp'; is public_suffix('test.jp'), 'jp'; is public_suffix('www.test.jp'), 'jp'; is public_suffix('ac.jp'), 'ac.jp'; is public_suffix('test.ac.jp'), 'ac.jp'; is public_suffix('www.test.ac.jp'), 'ac.jp'; is public_suffix('kyoto.jp'), 'kyoto.jp'; is public_suffix('c.kyoto.jp'), 'kyoto.jp'; is public_suffix('b.c.kyoto.jp'), 'kyoto.jp'; is public_suffix('a.b.c.kyoto.jp'), 'kyoto.jp'; is public_suffix('ayabe.kyoto.jp'), 'ayabe.kyoto.jp'; is public_suffix('test.kobe.jp'), 'test.kobe.jp'; # Wildcard rule. is public_suffix('www.test.kobe.jp'), 'test.kobe.jp'; # Wildcard rule. is public_suffix('city.kobe.jp'), 'kobe.jp'; # Exception rule. is public_suffix('www.city.kobe.jp'), 'kobe.jp'; # Identity rule. # TLD with a wildcard rule and exceptions: if(0) { # we return '' not undef is public_suffix('ck'), undef; } else { is public_suffix('ck'), ''; } is public_suffix('test.ck'), 'test.ck'; is public_suffix('b.test.ck'), 'test.ck'; is public_suffix('a.b.test.ck'), 'test.ck'; is public_suffix('www.ck'), 'ck'; is public_suffix('www.www.ck'), 'ck'; # US K12: is public_suffix('us'), 'us'; is public_suffix('test.us'), 'us'; is public_suffix('www.test.us'), 'us'; is public_suffix('ak.us'), 'ak.us'; is public_suffix('test.ak.us'), 'ak.us'; is public_suffix('www.test.ak.us'), 'ak.us'; is public_suffix('k12.ak.us'), 'k12.ak.us'; is public_suffix('test.k12.ak.us'), 'k12.ak.us'; is public_suffix('www.test.k12.ak.us'), 'k12.ak.us'; # Domains and gTLDs with characters outside the ASCII range: SKIP: { if ( $can_idn ) { is public_suffix('test.敎育.hk'), '敎育.hk'; is public_suffix('ਭਾਰਤ.ਭਾਰਤ'), 'ਭਾਰਤ'; } else { skip "no IDN support with @idnlib",2 } } } sub minimal_private_suffix { my $host = shift; if ( @_ == 2 ) { my ($rest,$suffix) = @_; my @r = $ps->public_suffix($host,+1); if ( $r[0] eq $rest and $r[1] eq $suffix ) { pass("$host -> $rest + $suffix"); } else { fail("$host -> $r[0]($rest) + $r[1]($suffix)"); } } elsif ( @_ == 1 ) { my ($expect_suffix) = @_; my $got_suffix = $ps->public_suffix($host,+1); is( $got_suffix,$expect_suffix, "$host -> suffix=$expect_suffix"); } else { die "@_"; } } sub public_suffix { my $host = shift; my $suffix = $ps->public_suffix($host); return $suffix; } 1; IO-Socket-SSL-2.024/t/connectSSL-timeout.t0000644000175100017510000000360012622126027016573 0ustar workworkuse strict; use warnings; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; print "1..16\n"; { # first use SSL client my ($server,$saddr) = create_listen_socket(); ok( 1, "listening \@$saddr" ); my $srv = fork_sub( 'server','ssl',$server ); close($server); fd_grep_ok( 'Waiting', $srv ); my $cl = fork_sub( 'client',$saddr ); fd_grep_ok( 'Connect from',$srv ); fd_grep_ok( 'Connected', $cl ); fd_grep_ok( 'Server SSL Handshake OK', $srv ); fd_grep_ok( 'Client SSL Handshake OK', $cl ); fd_grep_ok( 'Hi!', $cl ); } { # then try bad non-SSL client my ($server,$saddr) = create_listen_socket(); ok( 1, "listening \@$saddr" ); my $srv = fork_sub( 'server','nossl',$server ); close($server); fd_grep_ok( 'Waiting', $srv ); my $cl = fork_sub( 'client',$saddr ); fd_grep_ok( 'Connect from',$srv ); fd_grep_ok( 'Connected', $cl ); fd_grep_ok( 'Client SSL Handshake FAILED', $cl ); } sub server { my ($behavior,$server) = @_; print "Waiting\n"; my $client = $server->accept || die "accept failed: $!"; print "Connect from ".$client->peerhost.':'.$client->peerport."\n"; if ( $behavior eq 'ssl' ) { if ( IO::Socket::SSL->start_SSL( $client, SSL_server => 1, Timeout => 30, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', )) { print "Server SSL Handshake OK\n"; print $client "Hi!\n"; } } else { while ( sysread( $client, my $buf,8000 )) {} } } sub client { my $saddr = shift; my $c = IO::Socket::INET->new( $saddr ) || die "connect failed: $!"; print "Connected\n"; if ( IO::Socket::SSL->start_SSL( $c, Timeout => 5, SSL_ca_file => 'certs/my-ca.pem', )) { print "Client SSL Handshake OK\n"; print <$c> } else { print "Client SSL Handshake FAILED - $SSL_ERROR\n"; } } IO-Socket-SSL-2.024/t/readline.t0000644000175100017510000000730412622126027014664 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/readline.t' # This tests the behavior of readline with the variety of # cases with $/: # $/ undef - read all # $/ '' - read up to next nonempty line: .*?\n\n+ # $/ s - read up to string s # $/ \$num - read $num bytes # scalar context - get first match # array context - get all matches use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; my @tests; push @tests, [ "multi\nple\n\n1234567890line\n\n\n\nbla\n\nblubb\n\nblip", sub { my $c = shift; local $/ = "\n\n"; my $b; ($b=<$c>) eq "multi\nple\n\n" || die "LFLF failed ($b)"; $/ = \"10"; ($b=<$c>) eq "1234567890" || die "\\size failed ($b)"; $/ = ''; ($b=<$c>) eq "line\n\n\n\n" || die "'' failed ($b)"; my @c = <$c>; die "'' @ failed: @c" unless $c[0] eq "bla\n\n" && $c[1] eq "blubb\n\n" && $c[2] eq "blip" && @c == 3; }, ]; push @tests, [ "some\nstring\nwith\nsome\nlines\nwhatever", sub { my $c = shift; local $/ = "\n"; my $b; ($b=<$c>) eq "some\n" || die "LF failed ($b)"; $/ = undef; ($b=<$c>) eq "string\nwith\nsome\nlines\nwhatever" || die "undef failed ($b)"; }, ]; push @tests, [ "some\nstring\nwith\nsome\nlines\nwhatever", sub { my $c = shift; local $/ = "\n"; my @c = <$c>; die "LF @ failed: @c" unless $c[0] eq "some\n" && $c[1] eq "string\n" && $c[2] eq "with\n" && $c[3] eq "some\n" && $c[4] eq "lines\n" && $c[5] eq "whatever" && @c == 6; }, ]; push @tests, [ "some\nstring\nwith\nsome\nlines\nwhatever", sub { my $c = shift; local $/; my @c = <$c>; die "undef @ failed: @c" unless $c[0] eq "some\nstring\nwith\nsome\nlines\nwhatever" && @c == 1; }, ]; push @tests, [ "1234567890", sub { my $c = shift; local $/ = \2; my @c = <$c>; die "\\2 @ failed: @c" unless $c[0] eq '12' && $c[1] eq '34' && $c[2] eq '56' && $c[3] eq '78' && $c[4] eq '90' && @c == 5; }, ]; push @tests, [ [ "bla\n","0","blubb\n","no newline" ], sub { my $c = shift; my $l = <$c>; $l eq "bla\n" or die "'bla\\n' failed"; $l = <$c>; $l eq "0blubb\n" or die "'0blubb\\n' failed"; $l = <$c>; $l eq "no newline" or die "'no newline' failed"; }, ]; $|=1; print "1..".(1+3*@tests)."\n"; # first create simple ssl-server my $ID = 'server'; my $addr = '127.0.0.1'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, ReuseAddr => 1, SSL_cert_file => "certs/server-cert.pem", SSL_key_file => "certs/server-key.pem", ) || do { notok($!); exit }; ok("Server Initialization"); # add server port to addr $addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( $pid ) { ###### Server foreach my $test (@tests) { my $to_client = $server->accept || do { notok( "accept failed: ".$server->errstr() ); kill(9,$pid); exit; }; ok( "Server accepted" ); $to_client->autoflush; my $t = $test->[0]; $t = [$t] if ! ref($t); for(@$t) { $to_client->print($_); select(undef,undef,undef,0.1); } } wait; exit; } $ID = 'client'; close($server); my $testid = "Test00"; foreach my $test (@tests) { my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, Domain => AF_INET, SSL_verify_mode => 0 ) || do { notok( "connect failed: ".IO::Socket::SSL->errstr() ); exit }; ok( "client connected" ); eval { $test->[1]( $to_server ) }; $@ ? notok( "$testid $@" ) : ok( $testid ); $testid++ } sub ok { print "ok # [$ID] @_\n"; } sub notok { print "not ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/core.t0000755000175100017510000001764512622126027014045 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/core.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use Errno qw( EWOULDBLOCK EAGAIN ); do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; use Test::More; Test::More->builder->use_numbers(0); Test::More->builder->no_ending(1); my $CAN_NONBLOCK = eval "use 5.006; use IO::Select; 1"; my $CAN_PEEK = &Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x0090601f; my $numtests = 40; $numtests+=5 if $CAN_NONBLOCK; $numtests+=3 if $CAN_PEEK; my $expected_peer = do { my $us = IO::Socket::INET->new( LocalAddr => '127.0.0.1', Proto => 'udp' ); my $uc = IO::Socket::INET->new( PeerAddr => $us->sockhost, PeerPort => $us->sockport, Proto => 'udp' ) or do { plan skip_all => "Skipped: cannot determine default peer IP"; }; $uc->sockhost, }; plan tests => $numtests; my $error_trapped = 0; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, Timeout => 30, ReuseAddr => 1, SSL_verify_mode => 0x00, SSL_ca_file => "certs/test-ca.pem", SSL_use_cert => 1, SSL_cert_file => "certs/client-cert.pem", SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH:!aNULL', SSL_error_trap => sub { my $self = shift; print $self "This server is SSL only"; $error_trapped = 1; $self->close; }, SSL_key_file => "certs/client-key.enc", SSL_passwd_cb => sub { return "opossum" } ); ok( $server, "Server Initialization"); $server or exit; ok( fileno( $server), "Server Fileno Check"); my $saddr = $server->sockhost.':'.$server->sockport; unless (fork) { close $server; my $client = IO::Socket::INET->new($saddr); print $client "Test\n"; is( <$client>, "This server is SSL only", "Client non-SSL connection"); close $client; $client = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0x01, SSL_ca_file => "certs/test-ca.pem", SSL_use_cert => 1, SSL_cert_file => "certs/server-cert.pem", SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH', SSL_key_file => "certs/server-key.enc", SSL_passwd_cb => sub { return "bluebell" }, SSL_verify_callback => \&verify_sub, ); sub verify_sub { my ($ok, $ctx_store, $cert, $error) = @_; $ok && $ctx_store && $cert && !$error or do { fail("client failure in verify_sub"); exit; }; like( $cert, qr/IO::Socket::SSL Demo CA/, "Client Verify-sub Check"); return 1; } $client || (print("not ok #client failure\n") && exit); ok( $client, "Client Initialization"); $client->fileno() || print "not "; ok( $client->fileno(), "Client Fileno Check"); # $client->untaint() if ($HAVE_SCALAR_UTIL); # In the future... ok( $client->dump_peer_certificate(), "Client Peer Certificate Check"); ok( $client->peer_certificate("issuer"), "Client Peer Certificate Issuer Check"); ok( $client->get_cipher(), "Client Cipher Check"); $client->syswrite('00waaaanf00', 7, 2); if ($CAN_PEEK) { my $buffer; $client->read($buffer,2); is( $buffer, "ok", "Client Peek Check"); } $client->print("Test\n"); $client->printf("\$%.2f\n%d\n%c\n%s", 1.0444442342, 4.0, ord("y"), "Test\nBeaver\nBeaver\n"); shutdown($client, 1); my $buffer="\0\0aaaaaaaaaaaaaaaaaaaa"; $client->sysread($buffer, 7, 2); is( $buffer, "\0\0waaaanf", "Client Sysread Check"); ## The future... # if ($HAVE_SCALAR_UTIL) { # print "not " if (is_tainted($buffer)); # &ok("client"); # } my @array = $client->getline(); is( $array[0], "Test\n", "Client Getline Check"); is( $client->getc, "\$", "Client Getc Check"); @array = $client->getlines; is( scalar @array, 6, "Client Getlines Check 1"); is( $array[0], "1.04\n", "Client Getlines Check 2"); is( $array[1], "4\n", "Client Getlines Check 3"); is( $array[2], "y\n", "Client Getlines Check 4"); is( join("", @array[3..5]), "Test\nBeaver\nBeaver\n", "Client Getlines Check 5"); ok( !<$client>, "Client Finished Reading Check"); $client->close(SSL_no_shutdown => 1); my $client_2 = IO::Socket::INET->new($saddr); ok( $client_2, "Second Client Initialization"); $client_2 = IO::Socket::SSL->new_from_fd($client_2->fileno, '+<>', SSL_reuse_ctx => $client); ok( $client_2, "Client Init from Fileno Check"); $buffer = <$client_2>; is( $buffer, "Boojums\n", "Client (fileno) Readline Check"); $client_2->close(SSL_ctx_free => 1); if ($CAN_NONBLOCK) { my $client_3 = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0x01, SSL_version => 'TLSv1', SSL_cipher_list => 'HIGH', SSL_ca_file => "certs/test-ca.pem", SSL_use_cert => 1, SSL_cert_file => "certs/server-cert.pem", SSL_key_file => "certs/server-key.enc", SSL_passwd_cb => sub { return "bluebell" }, Blocking => 0, ); ok( $client_3, "Client Nonblocking Check 1"); close $client_3; my $client_4 = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_reuse_ctx => $client_3, Blocking => 0 ); ok( $client_4, "Client Nonblocking Check 2"); $client_3->close(SSL_ctx_free => 1); } exit(0); } my $client = $server->accept; ok( $error_trapped, "Server non-SSL Client Check"); if ($client && $client->opened) { fail("client stayed alive"); exit; } ok( !$client, "Server Kill-client Check"); ($client, my $peer) = $server->accept; ok( $client, "Server Client Accept Check"); $client or exit; ok( $peer, "Accept returning peer address check."); ok( fileno($client), "Server Client Fileno Check"); my $buffer; if ($CAN_PEEK) { $client->peek($buffer, 7, 2); is( $buffer, "\0\0waaaanf","Server Peek Check"); is( $client->pending(), 7, "Server Pending Check"); print $client "ok"; } sysread($client, $buffer, 7, 2); is( $buffer, "\0\0waaaanf", "Server Sysread Check"); my @array = scalar <$client>; is( $array[0], "Test\n", "Server Getline Check"); is( getc($client), "\$", "Server Getc Check"); @array = <$client>; is( scalar @array, 6, "Server Getlines Check 1"); is( $array[0], "1.04\n", "Server Getlines Check 2"); is( $array[1], "4\n", "Server Getlines Check 3"); is( $array[2], "y\n", "Server Getlines Check 4"); is( join("", @array[3..5]), "Test\nBeaver\nBeaver\n", "Server Getlines Check 5"); syswrite($client, '00waaaanf00', 7, 2); print($client "Test\n"); printf $client "\$%.2f\n%d\n%c\n%s", (1.0444442342, 4.0, ord("y"), "Test\nBeaver\nBeaver\n"); close $client; ($client, $peer) = $server->accept or do { fail("client creation failed"); exit; }; is( inet_ntoa((unpack_sockaddr_in($peer))[1]), $expected_peer, "Peer address check"); if ($CAN_NONBLOCK) { $client->blocking(0); $client->read($buffer, 20, 0); is( $SSL_ERROR, SSL_WANT_READ, "Server Nonblocking Check 1"); } ok( $client->opened, "Server Client Opened Check 1"); print $client "Boojums\n"; close($client); ${*$client}{'_SSL_opened'} = 1; ok( !$client->opened, "Server Client Opened Check 2"); ${*$client}{'_SSL_opened'} = 0; if ($CAN_NONBLOCK) { $client = $server->accept; ok( $client->opened, "Server Nonblocking Check 2"); close $client; $server->blocking(0); IO::Select->new($server)->can_read(30); $client = $server->accept; while ( ! $client ) { #DEBUG( "$!,$SSL_ERROR" ); if ( $! == EWOULDBLOCK || $! == EAGAIN ) { if ( $SSL_ERROR == SSL_WANT_WRITE ) { IO::Select->new( $server->opening )->can_write(30); } else { IO::Select->new( $server->opening )->can_read(30); } } else { last } $client = $server->accept; } ok( $client->opened, "Server Nonblocking Check 3"); close $client; } $server->close(SSL_ctx_free => 1); wait; ## The future.... #sub is_tainted { # my $arg = shift; # my $nada = substr($arg, 0, 0); # local $@; # eval {eval "# $nada"}; # return length($@); #} IO-Socket-SSL-2.024/t/testlib.pl0000644000175100017510000001311412622126027014713 0ustar workworkuse strict; use warnings; use IO::Socket; use IO::Socket::SSL; use Config; ############################################################################ # # small test lib for common tasks: # adapted from t/testlib.pl in Net::SIP package # ############################################################################ unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} || (($^O eq 'MSWin32' || $^O eq 'NetWare') and $Config::Config{useithreads} and $Config::Config{ccflags} =~ /-DPERL_IMPLICIT_SYS/) ) { print "1..0 # Skipped: fork not implemented on this platform\n"; exit } # small implementations if not used from Test::More (09_fdleak.t) if ( ! defined &ok ) { no strict 'refs'; *{'ok'} = sub { my ($bool,$desc) = @_; print $bool ? "ok ":"not ok ", '# ',$desc || '',"\n"; }; *{'diag'} = sub { print "# @_\n"; }; *{'like'} = sub { my ( $data,$rx,$desc ) = @_; ok( $data =~ $rx ? 1:0, $desc ); }; } $SIG{ __DIE__ } = sub { return if $^S; # Ignore from within evals ok( 0,"@_" ); killall(); exit(1); }; ############################################################################ # kill all process collected by fork_sub # Args: ?$signal # $signal: signal to use, default 9 # Returns: NONE ############################################################################ my @pids; sub killall { my $sig = shift || 9; kill $sig, @pids; #diag( "killed @pids with $sig" ); while ( wait() >= 0 ) {} # collect all @pids = (); } ############################################################################ # fork named sub with args and provide fd into subs STDOUT # Args: ($name,@args) # $name: name or ref to sub, if name it will be used for debugging # @args: arguments for sub # Returns: $fh # $fh: file handle to read STDOUT of sub ############################################################################ my %fd2name; # associated sub-name for file descriptor to subs STDOUT sub fork_sub { my ($name,@arg) = @_; my $sub = ref($name) ? $name : UNIVERSAL::can( 'main',$name ) || die; pipe( my $rh, my $wh ) || die $!; defined( my $pid = fork() ) || die $!; if ( ! $pid ) { # CHILD, exec sub close($rh); local *STDOUT = local *STDERR = $wh; $wh->autoflush; print "OK\n"; $sub->(@arg); exit(0); } push @pids,$pid; close( $wh ); $fd2name{$rh} = $name; fd_grep_ok( 'OK',10,$rh ) || die 'startup failed'; return $rh; } ############################################################################ # grep within fd's for specified regex or substring # Args: ($pattern,[ $timeout ],@fd) # $pattern: regex or substring # $timeout: how many seconds to wait for pattern, default 10 # @fd: which fds to search, usually fds from fork_sub(..) # Returns: $rv| ($rv,$name) # $rv: matched text if pattern is found, else undef # $name: name for file handle ############################################################################ my %fd2buf; # already read data from fd sub fd_grep { my $pattern = shift; my $timeout = 10; $timeout = shift if !ref($_[0]); my @fd = @_; $pattern = qr{\Q$pattern} if ! UNIVERSAL::isa( $pattern,'Regexp' ); my $name = join( "|", map { $fd2name{$_} || "$_" } @fd ); #diag( "look for $pattern in $name" ); my @bad = wantarray ? ( undef,$name ):(undef); @fd || return @bad; my $rin = ''; map { $_->blocking(0); vec( $rin,fileno($_),1 ) = 1 } @fd; my $end = defined( $timeout ) ? time() + $timeout : undef; while (@fd) { # check existing buf from previous reads foreach my $fd (@fd) { my $buf = \$fd2buf{$fd}; $$buf || next; if ( $$buf =~s{\A(?:.*?)($pattern)}{}s ) { #diag( "found" ); return wantarray ? ( $1,$name ) : $1; } } # if not found try to read new data $timeout = $end - time() if $end; return @bad if $timeout < 0; select( my $rout = $rin,undef,undef,$timeout ); $rout || return @bad; # not found foreach my $fd (@fd) { my $name = $fd2name{$fd} || "$fd"; my $buf = \$fd2buf{$fd}; my $fn = fileno($fd); my $n; if ( defined ($fn)) { vec( $rout,$fn,1 ) || next; my $l = $$buf && length($$buf) || 0; $n = sysread( $fd,$$buf,8192,$l ); } if ( ! $n ) { #diag( "$name >CLOSED<" ); delete $fd2buf{$fd}; @fd = grep { $_ != $fd } @fd; close($fd); next; } diag( "$name >> ".substr( $$buf,-$n ). "<<" ); } } return @bad; } ############################################################################ # like Test::Simple::ok, but based on fd_grep, same as # ok( fd_grep( pattern,... ), "[$subname] $pattern" ) # Args: ($pattern,[ $timeout ],@fd) - see fd_grep # Returns: $rv - like in fd_grep # Comment: if !$rv and wantarray says void it will die() ############################################################################ sub fd_grep_ok { my $pattern = shift; my ($rv,$name) = fd_grep( $pattern, @_ ); local $Test::Builder::Level = $Test::Builder::Level || 0 +1; ok( $rv,"[$name] $pattern" ); die "fatal error" if !$rv && ! defined wantarray; return $rv; } ############################################################################ # create socket on IP # return socket and ip:port ############################################################################ sub create_listen_socket { my ($addr,$port,$proto) = @_; $addr ||= '127.0.0.1'; my $sock = IO::Socket::INET->new( LocalAddr => $addr, $port ? ( LocalPort => $port, Reuse => 1 ) : (), Listen => 10, ) || die $!; ($port,$addr) = unpack_sockaddr_in( getsockname($sock) ); return wantarray ? ( $sock, inet_ntoa($addr).':'.$port ) : $sock; } 1; IO-Socket-SSL-2.024/t/dhe.t0000644000175100017510000000364712622126027013647 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/dhe.t' # This tests the use of Diffie Hellman Key Exchange (DHE) # If you have only a 384bit RSA key you can not use RSA key exchange, # but DHE is usable. For an explanation see # http://groups.google.de/group/mailing.openssl.users/msg/d60330cfa7a6034b # So this test simple uses a 384bit RSA key to make sure that DHE is used. use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; print "1..3\n"; # first create simple ssl-server my $ID = 'server'; my $addr = '127.0.0.1'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, ReuseAddr => 1, SSL_cert_file => "certs/server-rsa384-dh.pem", SSL_key_file => "certs/server-rsa384-dh.pem", SSL_dh_file => "certs/server-rsa384-dh.pem", # at least 0.9.8[ab] have problems if we don't explicitly disable # RSA or EXPORT56, and 1.0.1 complains if we have RSA authentication # enabled SSL_cipher_list => 'ALL:RSA:!aRSA', ) || do { notok($!); exit }; ok("Server Initialization"); # add server port to addr $addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, Domain => AF_INET, SSL_cipher_list => 'ALL:RSA:!aRSA', SSL_verify_mode => 0 ) || do { notok( "connect failed: $SSL_ERROR" ); exit }; ok( "client connected" ); } else { ###### Server my $to_client = $server->accept || do { notok( "accept failed: $SSL_ERROR" ); kill(9,$pid); exit; }; ok( "Server accepted" ); wait; } sub ok { print "ok # [$ID] @_\n"; } sub notok { print "not ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/compatibility.t0000644000175100017510000000353412622126027015753 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/compatibility.t' use strict; use warnings; use IO::Socket::SSL; use Socket; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; use Test::More tests => 9; Test::More->builder->use_numbers(0); Test::More->builder->no_ending(1); $SIG{'CHLD'} = "IGNORE"; IO::Socket::SSL::context_init(SSL_verify_mode => 0x01, SSL_version => 'TLSv1' ); my $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 1, ) or do { plan skip_all => "Bail out!". "Setup of test IO::Socket::INET client and server failed. All the rest of". "the tests in this suite will fail also unless you change the values in". "ssl_settings.req in the t/ directory."; }; pass("server create"); { package MyClass; use IO::Socket::SSL; our @ISA = "IO::Socket::SSL"; } my $saddr = $server->sockhost.':'.$server->sockport; unless (fork) { close $server; my $client = IO::Socket::INET->new($saddr); ok( MyClass->start_SSL($client, SSL_verify_mode => 0), "ssl upgrade"); is( ref( $client ), "MyClass", "class MyClass"); ok( $client->issuer_name, "issuer_name"); ok( $client->subject_name, "subject_name"); ok( $client->opened, "opened"); print $client "Ok to close\n"; close $client; exit(0); } my $contact = $server->accept; my $socket_to_ssl = IO::Socket::SSL::socketToSSL($contact, { SSL_server => 1, SSL_verify_mode => 0, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', }); ok( $socket_to_ssl, "socketToSSL"); <$contact>; close $contact; close $server; bless $contact, "MyClass"; ok( !IO::Socket::SSL::socket_to_SSL($contact, SSL_server => 1), "socket_to_SSL"); is( ref($contact), "MyClass", "upgrade is MyClass"); IO-Socket-SSL-2.024/t/cert_formats.t0000644000175100017510000000350312622126027015566 0ustar workworkuse strict; use warnings; use Test::More; use IO::Socket::SSL; use File::Temp 'tempfile'; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; my $srv = IO::Socket::INET->new( LocalAddr => '127.0.0.1', Listen => 10, ); plan skip_all => "server creation failed: $!" if ! $srv; my $saddr = $srv->sockhost.':'.$srv->sockport; my ($fh,$pemfile) = tempfile(); my $master = $$; END { unlink($pemfile) if $$ == $master }; for ('certs/server-cert.pem','certs/server-key.pem') { open( my $pf,'<',$_ ) or die "open $_: $!"; print $fh do { local $/; <$pf> }; } close($fh); my @tests = ( 'PEM' => { SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', }, 'PEM_one_file' => { SSL_cert_file => $pemfile, }, 'PEM_keyenc' => { SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.enc', SSL_passwd_cb => sub { "bluebell" }, }, 'DER' => { SSL_cert_file => 'certs/server-cert.der', SSL_key_file => 'certs/server-key.der', }, 'PKCS12' => { SSL_cert_file => 'certs/server.p12', }, 'PKCS12_enc' => { SSL_cert_file => 'certs/server_enc.p12', SSL_passwd_cb => sub { "bluebell" }, }, ); plan tests => @tests/2; while (my ($name,$sslargs) = splice(@tests,0,2)) { defined(my $pid = fork()) or die "fork failed: $!"; if ($pid == 0) { # child = server my $cl = $srv->accept or die "accept $!"; if (!IO::Socket::SSL->start_SSL($cl, SSL_server => 1, Timeout => 10, %$sslargs )) { diag("start_SSL failed: $SSL_ERROR"); } exit(0); } else { # parent = client my $cl = IO::Socket::INET->new($saddr) or die "connect: $!"; if (!IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 0 )) { fail("[$name] ssl connect failed: $SSL_ERROR"); } else { pass("[$name] ssl connect success"); } wait; } } IO-Socket-SSL-2.024/t/public_suffix_ssl.t0000644000175100017510000000526212622126027016625 0ustar workworkuse strict; use warnings; use IO::Socket::SSL; use IO::Socket::SSL::Utils; use Test::More; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; my @tests = qw( fail:com|* ok:com|com fail:googleapis.com|*.com ok:googleapis.com|googleapis.com ok:ajax.googleapis.com|*.googleapis.com ok:s3.amazonaws.com|s3.amazonaws.com ok:foo.s3.amazonaws.com|*.s3.amazonaws.com fail:google.com|*.com ok:google.com|google.com ok:www.google.com|*.google.com ok:www.bar.com|*.bar.com ok:www.foo.bar.com|*.foo.bar.com ok:www.foo.co.uk|*.foo.co.uk fail:www.co.uk|*.co.uk fail:co.uk|*.uk ok:bl.uk|bl.uk ok:www.bl.uk|*.bl.uk fail:bar.kobe.jp|*.kobe.jp fail:foo.bar.kobe.jp|*.bar.kobe.jp ok:www.foo.bar.kobe.jp|*.foo.bar.kobe.jp fail:city.kobe.jp|*.kobe.jp ok:city.kobe.jp|city.kobe.jp ok:www.city.kobe.jp|*.city.kobe.jp fail:nodomain|* fail:foo.nodomain|*.nodomain ok:www.foo.nodomain|*.foo.nodomain ); $|=1; plan tests => 0+@tests; # create listener my $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ) || die "not ok #tcp listen failed: $!\n"; my $saddr = $server->sockhost.':'.$server->sockport; #diag("listen at $saddr"); # create CA - certificates will be created on demand my ($cacert,$cakey) = CERT_create( CA => 1 ); defined( my $pid = fork() ) || die $!; if ( ! $pid ) { while (@tests) { my $cl = $server->accept or next; shift(@tests); # only for counting # client initially sends line with expected CN defined( my $cn = <$cl> ) or do { warn "failed to get expected name from client, remaining ".(0+@tests); next; }; chop($cn); print $cl "ok\n"; my ($cert,$key) = CERT_create( subject => { CN => $cn }, issuer => [ $cacert,$cakey ], key => $cakey, # reuse to speed up ); #diag("created cert for $cn"); <$cl> if IO::Socket::SSL->start_SSL($cl, SSL_server => 1, SSL_cert => $cert, SSL_key => $key, ); } exit(0); } # if anything blocks - this will at least finish the test alarm(60); $SIG{ALRM} = sub { die "test takes too long" }; close($server); for my $test (@tests) { my ($expect,$host,$cn) = $test=~m{^(ok|fail):(\S+)\|(\S+)} or die $test; my $cl = IO::Socket::INET->new($saddr) or die "failed to connect: $!"; print $cl "$cn\n"; <$cl>; my $sslok = IO::Socket::SSL->start_SSL($cl, SSL_verifycn_name => $host, SSL_verifycn_scheme => 'http', SSL_ca => [$cacert], ); if ( ! $sslok ) { is( $sslok?1:0, $expect eq 'ok' ? 1:0, "ssl $host against $cn -> $expect ($SSL_ERROR)"); } else { is( $sslok?1:0, $expect eq 'ok' ? 1:0, "ssl $host against $cn -> $expect"); } } IO-Socket-SSL-2.024/t/verify_hostname_standalone.t0000644000175100017510000002073212627645435020531 0ustar workworkuse strict; use warnings; use Test::More; use IO::Socket::SSL; use IO::Socket::SSL::Utils; my @tests = tests(); plan tests => 0+@tests; my ($ca,$key) = CERT_create( CA => 1); for my $test (@tests) { SKIP: { my ($expect_match,$hostname,$cn,$san_dns,$san_ip) = @$test; my (@san,$ip6); push @san, map { [ "DNS", $_ ] } $san_dns =~m{([^,\s]+)}g if $san_dns; for( ($san_ip||'') =~m{([^,\s]+)}g ) { if ( my @h = m{^x(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})$}) { $_ = join(':',@h); $ip6 = 1; } push @san, [ "IP", $_ ]; } my $idn = $hostname =~m{[^a-zA-Z0-9_.\-]}; my $diag = "$hostname: cn=$cn san=". join(",", map { "$_->[0]:$_->[1]" } @san); $diag =~s{([\\\x00-\x1f\x7f-\xff])}{ sprintf("\\x%02x",ord($1)) }esg; if ($ip6 && !IO::Socket::SSL->can_ipv6) { skip "no IPv6 support - $diag",1; } if ($idn && ! eval { IO::Socket::SSL::idn_to_ascii("fo") }) { skip "no IDNA library installed - $diag",1 } my %cert = ( subject => length($cn) ? { CN => $cn }:{}, @san ? ( subjectAltNames => \@san ):(), issuer_cert => $ca, issuer_key => $key, key => $key ); my $cert; eval { ($cert) = CERT_create(%cert) }; if ($@) { skip "failed to create cert: $diag\n$@",1 } #diag($diag); my $match = IO::Socket::SSL::verify_hostname_of_cert($hostname,$cert,'www')||0; if ( $match == $expect_match ) { pass("$expect_match|$diag"); } else { fail("$match != $expect_match |$diag"); #warn PEM_cert2string($cert); } CERT_free($cert); } } # based on # https://raw.githubusercontent.com/adobe/chromium/master/net/base/x509_certificate_unittest.cc # 16.5.2014 # # format: [ expect_match, hostname, CN, san_dns, san_ip ] sub tests {( [ 1, 'foo.com', 'foo.com' ], [ 1, 'f', 'f' ], [ 0, 'h', 'i' ], [ 1, 'bar.foo.com', '*.foo.com' ], [ 1, 'www.test.fr', 'common.name', '*.test.com,*.test.co.uk,*.test.de,*.test.fr' ], [ 1, 'wwW.tESt.fr', 'common.name', ',*.*,*.test.de,*.test.FR,www' ], [ 0, 'f.uk', '.uk' ], [ 0, 'w.bar.foo.com', '?.bar.foo.com' ], [ 0, 'www.foo.com', '(www|ftp).foo.com' ], [ 0, 'www.foo.com', "www.foo.com\0" ], # CERT_create just strips everything after \0 so we get not the expected # certificate and thus cannot run this test # [ 0, 'www.foo.com', '', "www.foo.com\0*.foo.com,\0,\0" ], [ 0, 'www.house.example', 'ww.house.example' ], [ 0, 'test.org', '', 'www.test.org,*.test.org,*.org' ], [ 0, 'w.bar.foo.com', 'w*.bar.foo.com' ], [ 0, 'www.bar.foo.com', 'ww*ww.bar.foo.com' ], [ 0, 'wwww.bar.foo.com', 'ww*ww.bar.foo.com' ], [ 1, 'wwww.bar.foo.com', 'w*w.bar.foo.com' ], [ 0, 'wwww.bar.foo.com', 'w*w.bar.foo.c0m' ], [ 1, 'WALLY.bar.foo.com', 'wa*.bar.foo.com' ], [ 1, 'wally.bar.foo.com', '*Ly.bar.foo.com' ], # disabled test: we don't accept URL encoded hostnames # [ 1, 'ww%57.foo.com', '', 'www.foo.com' ], # disabled test: & is not allowed in hostname - and CN should not # allow URL encoding # [ 1, 'www&.foo.com', 'www%26.foo.com' ], # Common name must not be used if subject alternative name was provided. [ 0, 'www.test.co.jp', 'www.test.co.jp', '*.test.de,*.jp,www.test.co.uk,www.*.co.jp' ], [ 0, 'www.bar.foo.com', 'www.bar.foo.com', '*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com,' ], # I think they got this test wrong # common name should not be checked only if SAN contains DNS names # so in this case common name should be checked -> match # corrected test therefore # [ 0, 'www.bath.org', 'www.bath.org', '', '20.30.40.50' ], [ 1, 'www.bath.org', 'www.bath.org', '', '20.30.40.50' ], [ 0, '66.77.88.99', 'www.bath.org', 'www.bath.org' ], # IDN tests [ 1, 'xn--poema-9qae5a.com.br', 'xn--poema-9qae5a.com.br' ], [ 1, 'www.xn--poema-9qae5a.com.br', '*.xn--poema-9qae5a.com.br' ], [ 0, 'xn--poema-9qae5a.com.br', '', '*.xn--poema-9qae5a.com.br,xn--poema-*.com.br,xn--*-9qae5a.com.br,*--poema-9qae5a.com.br' ], # There should be no *.com.br certificates and public suffix catches this. # So this example is bad and we change it to .foo.com.br # [ 1, 'xn--poema-9qae5a.com.br', '*.com.br' ], [ 1, 'xn--poema-9qae5a.foo.com.br', '*.foo.com.br' ], # The following are adapted from the examples quoted from # http://tools.ietf.org/html/rfc6125#section-6.4.3 # (e.g., *.example.com would match foo.example.com but # not bar.foo.example.com or example.com). [ 1, 'foo.example.com', '*.example.com' ], [ 0, 'bar.foo.example.com', '*.example.com' ], [ 0, 'example.com', '*.example.com' ], # (e.g., baz*.example.net and *baz.example.net and b*z.example.net would # be taken to match baz1.example.net and foobaz.example.net and # buzz.example.net, respectively) [ 1, 'baz1.example.net', 'baz*.example.net' ], [ 1, 'foobaz.example.net', '*baz.example.net' ], [ 1, 'buzz.example.net', 'b*z.example.net' ], # Wildcards should not be valid unless there are at least three name # components. # There should be no *.co.uk certificates and public suffix catches this. # So change example to *.foo.com instead # [ 1, 'h.co.uk', '*.co.uk' ], [ 1, 'h.foo.com', '*.foo.com' ], [ 0, 'foo.com', '*.com' ], [ 0, 'foo.us', '*.us' ], [ 0, 'foo', '*' ], # Multiple wildcards are not valid. [ 0, 'foo.example.com', '*.*.com' ], [ 0, 'foo.bar.example.com', '*.bar.*.com' ], # Absolute vs relative DNS name tests. Although not explicitly specified # in RFC 6125, absolute reference names (those ending in a .) should # match either absolute or relative presented names. [ 1, 'foo.com', 'foo.com.' ], [ 1, 'foo.com.', 'foo.com' ], [ 1, 'foo.com.', 'foo.com.' ], [ 1, 'f', 'f.' ], [ 1, 'f.', 'f' ], [ 1, 'f.', 'f.' ], [ 1, 'www-3.bar.foo.com', '*.bar.foo.com.' ], [ 1, 'www-3.bar.foo.com.', '*.bar.foo.com' ], [ 1, 'www-3.bar.foo.com.', '*.bar.foo.com.' ], [ 0, '.', '.' ], [ 0, 'example.com', '*.com.' ], [ 0, 'example.com.', '*.com' ], [ 0, 'example.com.', '*.com.' ], [ 0, 'foo.', '*.' ], # IP addresses in common name; IPv4 only. [ 1, '127.0.0.1', '127.0.0.1' ], [ 1, '192.168.1.1', '192.168.1.1' ], # we expect proper IP and not this junk, so we will not allow these # [ 1, '676768', '0.10.83.160' ], # [ 1, '1.2.3', '1.2.0.3' ], [ 0, '192.169.1.1', '192.168.1.1' ], [ 0, '12.19.1.1', '12.19.1.1/255.255.255.0' ], [ 0, 'FEDC:ba98:7654:3210:FEDC:BA98:7654:3210', 'FEDC:BA98:7654:3210:FEDC:ba98:7654:3210' ], [ 0, '1111:2222:3333:4444:5555:6666:7777:8888', '1111:2222:3333:4444:5555:6666:7777:8888' ], [ 0, '::192.9.5.5', '[::192.9.5.5]' ], # No wildcard matching in valid IP addresses [ 0, '::192.9.5.5', '*.9.5.5' ], [ 0, '2010:836B:4179::836B:4179', '*:836B:4179::836B:4179' ], [ 0, '192.168.1.11', '*.168.1.11' ], [ 0, 'FEDC:BA98:7654:3210:FEDC:BA98:7654:3210', '*.]' ], # IP addresses in subject alternative name (common name ignored) [ 1, '10.1.2.3', '', '', '10.1.2.3' ], # we expect proper IP and not this junk, so we will not allow this # [ 1, '14.15', '', '', '14.0.0.15' ], # according to RFC2818 common name should be checked if no DNS entries in SAN # so this must match if we match IP in common name -> changed expected result # [ 0, '10.1.2.7', '10.1.2.7', '', '10.1.2.6,10.1.2.8' ], [ 1, '10.1.2.7', '10.1.2.7', '', '10.1.2.6,10.1.2.8' ], [ 0, '10.1.2.8', '10.20.2.8', 'foo' ], [ 1, '::4.5.6.7', '', '', 'x00000000000000000000000004050607' ], [ 0, '::6.7.8.9', '::6.7.8.9', '::6.7.8.9', 'x00000000000000000000000006070808,x0000000000000000000000000607080a,xff000000000000000000000006070809,6.7.8.9' ], [ 1, 'FE80::200:f8ff:fe21:67cf', 'no.common.name', '', 'x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf,xff0000000000000000000000060708ff,10.0.0.1' ], # Numeric only hostnames (none of these are considered valid IP addresses). [ 0, '12345.6', '12345.6' ], [ 0, '121.2.3.512', '', '1*1.2.3.512,*1.2.3.512,1*.2.3.512,*.2.3.512', '121.2.3.0'], [ 0, '1.2.3.4.5.6', '*.2.3.4.5.6' ], # IP address should not be matched against SAN DNS entry -> skip test # [ 1, '1.2.3.4.5', '', '1.2.3.4.5' ], # Invalid host names. # this cert cannot be created currently # [ 0, "junk)(£)\$*!\@~\0", "junk)(£)\$*!\@~\0" ], [ 0, 'www.*.com', 'www.*.com' ], [ 0, 'w$w.f.com', 'w$w.f.com' ], [ 0, 'nocolonallowed:example', '', 'nocolonallowed:example' ], [ 0, 'www-1.[::FFFF:129.144.52.38]', '*.[::FFFF:129.144.52.38]' ], [ 0, '[::4.5.6.9]', '', '', 'x00000000000000000000000004050609' ], )} IO-Socket-SSL-2.024/t/01loadmodule.t0000644000175100017510000000100512622126027015357 0ustar workworkuse strict; use warnings; no warnings 'once'; use Test::More; plan tests => 3; ok( eval { require IO::Socket::SSL },"loaded"); diag( sprintf( "openssl version=0x%0x", Net::SSLeay::OPENSSL_VERSION_NUMBER())); diag( sprintf( "Net::SSLeay version=%s", $Net::SSLeay::VERSION)); diag( sprintf( "parent %s version=%s", $_, $_->VERSION)) for (@IO::Socket::SSL::ISA); IO::Socket::SSL->import(':debug1'); is( $IO::Socket::SSL::DEBUG,1, "IO::Socket::SSL::DEBUG 1"); is( $Net::SSLeay::trace,1, "Net::SSLeay::trace 1"); IO-Socket-SSL-2.024/t/protocol_version.t0000644000175100017510000000747312622126027016516 0ustar workwork#!perl use strict; use warnings; use Test::More; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; plan skip_all => "Test::More has no done_testing" if !defined &done_testing; $|=1; my $XDEBUG = 0; my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2); my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, SSL_server => 1, SSL_startHandshake => 0, SSL_version => 'SSLv23', # allow SSLv3 too SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', ) or BAIL_OUT("cannot listen on localhost: $!"); print "not ok\n", exit if !$server; my $saddr = $server->sockhost().':'.$server->sockport(); $XDEBUG && diag("server at $saddr"); defined( my $pid = fork() ) or BAIL_OUT("fork failed: $!"); if ($pid == 0) { close($server); my $check = sub { my ($ver,$expect) = @_; $XDEBUG && diag("try $ver, expect $expect"); # Hoping that this isn't necessary, but just in case we get a TCP # failure rather than SSL failure, wiping the previous value here # seems like it might be a useful precaution: $SSL_ERROR = ''; my $cl = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_startHandshake => 0, SSL_verify_mode => 0, SSL_version => $ver, ) or do { # Might bail out before the starttls if we provide a known-unsupported # version, for example SSLv3 on openssl 1.0.2+ if($SSL_ERROR =~ /$ver not supported/) { $XDEBUG && diag("SSL connect failed with $ver: $SSL_ERROR"); return; } die "TCP connection failed to server: $! (SSL error: $SSL_ERROR)"; }; $XDEBUG && diag("TCP connected"); print $cl "starttls $ver $expect\n"; <$cl>; if (!$cl->connect_SSL) { $XDEBUG && diag("SSL upgrade failed with $ver: $SSL_ERROR"); return; } $XDEBUG && diag("SSL connect done"); return $cl->get_sslversion(); }; my $stop = sub { my $cl = IO::Socket::INET->new($saddr) or return; print $cl "quit\n"; }; # find out the best protocol version the server can my %supported; my $ver = $check->('SSLv23','') or die "connect to server failed: $!"; $XDEBUG && diag("best protocol version: $ver"); for (@versions, 'foo') { $supported{$_} = 1; $ver eq $_ and last; } die "best protocol version server supports is $ver" if $supported{foo}; # Check if the OpenSSL was compiled without SSLv3 support if ( ! $check->('SSLv3','')) { diag("looks like OpenSSL was compiled without SSLv3 support"); delete $supported{SSLv3}; } for my $ver (@versions) { next if ! $supported{$ver}; # requesting only this version should be done with this version $check->($ver,$ver); # requesting SSLv23 and disallowing anything better should give $ver too my $sslver = "SSLv23"; for(reverse grep { $supported{$_} } @versions) { last if $_ eq $ver; $sslver .= ":!$_"; } $check->($sslver,$ver); } $stop->(); exit(0); } vec( my $vs = '',fileno($server),1) = 1; while (select( my $rvs = $vs,undef,undef,15 )) { $XDEBUG && diag("got read event"); my $cl = $server->accept or do { $XDEBUG && diag("accept failed: $!"); next; }; $XDEBUG && diag("TCP accept done"); my $cmd = <$cl>; $XDEBUG && diag("got command $cmd"); my ($ver,$expect) = $cmd =~m{^starttls (\S+) (\S*)} or do { $XDEBUG && diag("finish"); done_testing() if $cmd =~m/^quit/; last; }; print $cl "ok\n"; $cl->accept_SSL() or do { $XDEBUG && diag("accept_SSL failed: $SSL_ERROR"); if ($expect) { fail("accept $ver"); } else { diag("failed to accept $ver"); } next; }; $XDEBUG && diag("SSL accept done"); if ($expect) { is($expect,$cl->get_sslversion,"accept $ver with $expect"); } else { pass("accept $ver with any, got ".$cl->get_sslversion); } close($cl); } wait; IO-Socket-SSL-2.024/t/cert_no_file.t0000644000175100017510000000553412622126027015534 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/nonblock.t' # Tests the use if SSL_cert instead of SSL_cert_file # because Net::SSLeay does not implement the necessary functions # to create a X509 from file/string (PEM_read_bio_X509) I just # create a server with SSL_cert_file and get the X509 from it using # Net::SSLeay::get_certificate. # Test should also test if SSL_cert is an array of X509* # and if SSL_key is an EVP_PKEY* but with the current function in # Net::SSLeay I don't see a way to test it use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; use Test::More tests => 9; Test::More->builder->use_numbers(0); Test::More->builder->no_ending(1); my $ID = 'server'; my %server_args = ( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, SSL_server => 1, SSL_verify_mode => 0x00, SSL_ca_file => "certs/test-ca.pem", SSL_key_file => "certs/client-key.pem", ); my ($x509,@server); foreach my $test ( 1,2,3 ) { my %args = %server_args; my $spec; if ( $test == 1 ) { # 1st test: create server with SSL_cert_file $args{SSL_cert_file} = "certs/client-cert.pem"; $spec = 'Using SSL_cert_file'; } elsif ( $test == 2 ) { # 2nd test: use x509 from previous server # with SSL_cert instead of SSL_cert_file $args{SSL_cert} = $x509; $spec = 'Using SSL_cert'; } elsif ( $test == 3 ) { # 3rd test: empty SSL_cert, so that default # SSL_cert_file gets not used # server creation should fail $spec = 'Empty SSL_cert'; $args{SSL_cert} = undef; } # create server my $server = IO::Socket::SSL->new( %args ) || do { fail( "$spec: $!" ); next; }; my $saddr = $server->sockhost.':'.$server->sockport; pass("Server Initialization $spec"); push @server,$server; # then connect to it from a child defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { close($server); $ID = 'client'; my $to_server = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 0x00, ); if ( $test == 3 ) { ok( !$to_server, "$spec: connect succeeded" ); exit; } elsif ( ! $to_server ) { fail("connect failed: $!"); exit; } pass( "client connected $spec" ); <$to_server>; # wait for close from parent exit; } my $to_client = $server->accept; if ( $test == 3 ) { ok( !$to_client, "$spec: accept succeeded" ); } elsif ( ! $to_client ) { kill(9,$pid); fail("$spec: accept failed: $!"); exit; } else { pass( "Server accepted $spec" ); # save the X509 certificate from the server $x509 ||= Net::SSLeay::get_certificate($to_client->_get_ssl_object); } close($to_client) if $to_client; wait; } IO-Socket-SSL-2.024/t/public_suffix_lib_libidn.t0000644000175100017510000000016512622126027020110 0ustar workworkuse strict; use warnings; use FindBin; require "$FindBin::Bin/public_suffix_lib.pl"; run_with_lib( 'Net::LibIDN' ); IO-Socket-SSL-2.024/t/alpn.t0000644000175100017510000000342512622126027014033 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/alpn.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # check if we have ALPN available # if it is available if ( ! IO::Socket::SSL->can_alpn ) { print "1..0 # Skipped: ALPN not available in Net::SSLeay\n"; exit; } print "1..5\n"; # first create simple ssl-server my $ID = 'server'; my $addr = '127.0.0.1'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', SSL_alpn_protocols => [qw(one two)], ) || do { ok(0,"server creation failed: $!"); exit; }; ok(1,"Server Initialization at $addr"); # add server port to addr $addr = "$addr:".$server->sockport; print "# server at $addr\n"; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, Domain => AF_INET, SSL_verify_mode => 0, SSL_alpn_protocols => [qw(two three)], ) or do { ok(0,"connect failed: ".IO::Socket::SSL->errstr()); exit; }; ok(1,"client connected" ); my $proto = $to_server->alpn_selected; ok($proto eq "two","negotiated $proto"); } else { ###### Server my $to_client = $server->accept or do { ok(0,"accept failed: ".$server->errstr()); kill(9,$pid); exit; }; ok(1,"Server accepted" ); my $proto = $to_client->alpn_selected; ok($proto eq "two","negotiated $proto"); wait; } sub ok { my $ok = shift; print $ok ? '' : 'not ', "ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/memleak_bad_handshake.t0000644000175100017510000000433712622126027017333 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/nonblock.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use IO::Select; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; my $getsize; if ( -f "/proc/$$/statm" ) { $getsize = sub { my $pid = shift; open( my $fh,'<', "/proc/$pid/statm"); my $line = <$fh>; return (split(' ',$line))[0] * 4; }; } elsif ( ! grep { $^O =~m{$_}i } qw( MacOS VOS vmesa riscos amigaos mswin32) ) { $getsize = sub { my $pid = shift; open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" ) or return; $ps && <$ps> or return; # header return int(<$ps>); # size }; } else { print "1..0 # Skipped: ps not implemented on this platform\n"; exit } if ( $^O =~m{aix}i ) { print "1..0 # Skipped: might hang, see https://rt.cpan.org/Ticket/Display.html?id=72170\n"; exit } $|=1; if ( ! $getsize->($$) ) { print "1..0 # Skipped: no usable ps\n"; exit; } my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 200, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', ); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork()) or die "fork failed: $!"; if ( $pid == 0 ) { # server while (1) { # socket accept, client handshake and client close $server->accept; } exit(0); } close($server); # plain non-SSL connect and close w/o sending data for(1..100) { IO::Socket::INET->new( $saddr ) or next; } my $size100 = $getsize->($pid); if ( ! $size100 ) { print "1..0 # Skipped: cannot get size of child process\n"; goto done; } for(100..200) { IO::Socket::INET->new( $saddr ) or next; } my $size200 = $getsize->($pid); for(200..300) { IO::Socket::INET->new( $saddr ) or next; } my $size300 = $getsize->($pid); if ($size100>$size200 or $size200<$size300) {; print "1..0 # skipped - do we measure the right thing?\n"; goto done; } print "1..1\n"; print "not " if $size100 < $size200 and $size200 < $size300; print "ok # check memleak failed handshake ($size100,$size200,$size300)\n"; done: kill(9,$pid); wait; exit; IO-Socket-SSL-2.024/t/startssl-failed.t0000644000175100017510000000327312653111107016200 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use IO::Select; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; print "1..9\n"; my $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ); print("not ok\n"),exit if !$server; ok("Server Initialization"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { client(); } else { server(); #kill(9,$pid); wait; } sub client { close($server); my $client = IO::Socket::INET->new($saddr) or return fail("client tcp connect"); ok("client tcp connect"); IO::Socket::SSL->start_SSL($client, SSL_verify_mode => 0) and return fail('start ssl should fail'); ok("startssl client failed: $SSL_ERROR"); UNIVERSAL::isa($client,'IO::Socket::INET') or return fail('downgrade socket after error'); ok('downgrade socket after error'); print $client "foo\n" or return fail("send to server: $!"); ok("send to server"); my $l; while (defined($l = <$client>)) { if ( $l =~m{bar\n} ) { return ok('client receive non-ssl data'); } } fail("receive non-ssl data"); } sub server { my $csock = $server->accept or return fail('tcp accept'); ok('tcp accept'); print $csock "This is no SSL handshake\n"; ok('send non-ssl data'); alarm(10); my $l; while (defined( $l = <$csock>)) { if ($l =~m{foo\n} ) { print $csock "bar\n"; return ok("received non-ssl data"); } #warn "XXXXXXXXX $l"; } fail('no data from client'.$!); } sub ok { print "ok #$_[0]\n"; return 1 } sub fail { print "not ok #$_[0]\n"; return } IO-Socket-SSL-2.024/t/external/0000755000175100017510000000000012655445521014543 5ustar workworkIO-Socket-SSL-2.024/t/external/ocsp.t0000644000175100017510000001333312622126027015666 0ustar workwork#!/usr/bin/perl use strict; use warnings; use Test::More; use IO::Socket::SSL; plan skip_all => "no OCSP support" if ! IO::Socket::SSL->can_ocsp; #$Net::SSLeay::trace=3; my @tests = ( { # this should give us OCSP stapling host => 'www.live.com', port => 443, fingerprint => 'sha1$69e85345bfa05c1beb1352dad0b8c61abe42f26c', ocsp_staple => 1, }, { # no OCSP stapling yet host => 'www.google.com', port => 443, fingerprint => 'sha1$93125bb97d02aa4536b4ec9a7ca01ad8927314db', }, { # this is revoked host => 'revoked.grc.com', port => 443, fingerprint => 'sha1$34703c40093461ad3ce087e161c7b7f42abe770c', expect_revoked => 1 }, ); plan tests => 0+@tests; my $timeout = 10; my $proxy = ( $ENV{http_proxy} || '' ) =~m{^(?:\w+://)?([\w\-.:\[\]]+:\d+)/?$} && $1; my $have_httptiny = eval { require HTTP::Tiny }; my $ipclass = 'IO::Socket::INET'; for( qw( IO::Socket::IP IO::Socket::INET6 )) { eval { require $_ } or next; $ipclass = $_; last; } TEST: for my $test (@tests) { my $tcp_connect = sub { if ( ! $proxy ) { # direct connection return $ipclass->new( PeerAddr => $test->{host}, PeerPort => $test->{port}, Timeout => $timeout, ) || die "tcp connect to $test->{host}:$test->{port} failed: $!"; } my $cl = $ipclass->new( PeerAddr => $proxy, Timeout => $timeout, ) || die "tcp connect to proxy $proxy failed: $!"; # try to establish tunnel via proxy with CONNECT { local $SIG{ALRM} = sub { die "proxy HTTP tunnel creation timed out" }; alarm($timeout); print $cl "CONNECT $test->{host}:$test->{port} HTTP/1.0\r\n\r\n"; my $reply = ''; while (<$cl>) { $reply .= $_; last if m{\A\r?\n\Z}; } alarm(0); $reply =~m{\AHTTP/1\.[01] 200\b} or die "unexpected response from proxy: $reply"; } return $cl; }; SKIP: { # first check fingerprint in case of SSL interception my $cl = eval { &$tcp_connect } or skip "TCP connect#1 failed: $@",1; diag("tcp connect to $test->{host}:$test->{port} ok"); skip "SSL upgrade w/o validation failed: $SSL_ERROR",1 if ! IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 0); skip "fingerprints do not match",1 if $cl->get_fingerprint('sha1') ne $test->{fingerprint}; diag("fingerprint matches"); # then check if we can use the default CA path for successful # validation without OCSP yet $cl = eval { &$tcp_connect } or skip "TCP connect#2 failed: $@",1; skip "SSL upgrade w/o OCSP failed: $SSL_ERROR",1 if ! IO::Socket::SSL->start_SSL($cl, SSL_ocsp_mode => SSL_OCSP_NO_STAPLE ); diag("validation with default CA w/o OCSP ok"); # check with default settings $cl = eval { &$tcp_connect } or skip "TCP connect#3 failed: $@",1; my $ok = IO::Socket::SSL->start_SSL($cl); my $err = !$ok && $SSL_ERROR; if (!$ok && !$test->{expect_revoked}) { fail("SSL upgrade with OCSP stapling failed: $err"); next TEST; } # we got usable stapling if _SSL_ocsp_verify is defined if ($test->{ocsp_staple}) { if ( ! ${*$cl}{_SSL_ocsp_verify}) { fail("did not get expected OCSP response with stapling"); next TEST; } else { diag("got stapled response as expected"); } } if (!$err && !$${*$cl}{_SSL_ocsp_verify} && $have_httptiny) { # use OCSP resolver to resolve remaining certs, should be at most one my $ocsp_resolver = $cl->ocsp_resolver; my %rq = $ocsp_resolver->requests; if (keys(%rq)>1) { fail("got more open OCSP requests (".keys(%rq). ") than expected(1) in default mode"); next TEST; } $err = $ocsp_resolver->resolve_blocking(timeout => $timeout); } if ($test->{expect_revoked}) { if ($err =~m/revoked/) { my $where = ${*$cl}{_SSL_ocsp_verify} ? 'stapled':'asked OCSP server'; pass("revoked as expected ($where)"); } elsif ($err =~m/OCSP_basic_verify:certificate verify error/) { # badly signed OCSP record pass("maybe revoked, but got OCSP verification error: $SSL_ERROR"); } elsif ($err =~m/response not yet valid or expired/) { pass("maybe revoked, but got not yet valid/expired response from OCSP server"); } elsif ($err) { # some other error pass("maybe revoked, but got error: $err"); } elsif (!$have_httptiny && !$test->{ocsp_staple}) { # could not check because HTTP::Tiny is missing pass("maybe revoked, but could not check because HTTP::Tiny is missing"); } else { fail("expected revoked but connection ok"); } next TEST; } elsif ($err) { if ($err =~m/revoked/) { fail("expected ok but revoked"); } else { pass("probably ok, but got $err"); } next TEST; } diag("validation with default CA with OCSP defaults ok"); # now check with full chain $cl = eval { &$tcp_connect } or skip "TCP connect#4 failed: $@",1; my $cache = IO::Socket::SSL::OCSP_Cache->new; if (! IO::Socket::SSL->start_SSL($cl, SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN, SSL_ocsp_cache => $cache )) { skip "unexpected fail of SSL connect: $SSL_ERROR",1 } my $chain_size = $cl->peer_certificates; if ( my $ocsp_resolver = $have_httptiny && $cl->ocsp_resolver ) { # there should be no hard error after resolving - unless an # intermediate certificate got revoked which I don't hope $err = $ocsp_resolver->resolve_blocking(timeout => $timeout); if ($err) { fail("fatal error in OCSP resolver: $err"); next TEST; } # we should now either have soft errors or the OCSP cache should # have chain_size entries if ( ! $ocsp_resolver->soft_error ) { my $cache_size = keys(%$cache)-1; if ($cache_size!=$chain_size) { fail("cache_size($cache_size) != chain_size($chain_size)"); next TEST; } } diag("validation with default CA with OCSP full chain ok"); } done: pass("OCSP tests $test->{host}:$test->{port} ok"); } } IO-Socket-SSL-2.024/t/external/usable_ca.t0000644000175100017510000001111712622126027016636 0ustar workworkuse strict; use warnings; use Test::More; use IO::Socket::SSL; use IO::Socket::SSL::Utils; my $ipclass = 'IO::Socket::INET'; for( qw( IO::Socket::IP IO::Socket::INET6 )) { eval { require $_ } or next; $ipclass = $_; last; } # host:port fingerprint_cert subject_hash_ca my @tests = qw( www.google.com:443 sha1$93125bb97d02aa4536b4ec9a7ca01ad8927314db 578d5c04 www.yahoo.com:443 sha1$71167492535fbdaa3ab6fec242ce183930d27603 415660c1 www.comdirect.de:443 sha1$ca16159c49de301ab1ae69ef1d3c0205f54ebaaa 415660c1 meine.deutsche-bank.de:443 sha1$1331596b6ecfe54f2018b6d16046c7046dc84048 415660c1 www.twitter.com:443 sha1$add53f6680fe66e383cbac3e60922e3b4c412bed b204d74a www.facebook.com:443 sha1$45bfee628eec0ba06dfb860c865ffdb71502a541 244b5494 www.live.com:443 sha1$69e85345bfa05c1beb1352dad0b8c61abe42f26c b204d74a ); my %ca = IO::Socket::SSL::default_ca(); plan skip_all => "no default CA store found" if ! %ca; my %have_ca; # some systems seems to have junk in the CA stores # so better wrap it into eval eval { for my $f ( ( $ca{SSL_ca_file} ? ($ca{SSL_ca_file}) : ()), ( $ca{SSL_ca_path} ? glob("$ca{SSL_ca_path}/*") :()), ) { open( my $fh,'<',$f ) or next; my $pem; while (<$fh>) { if ( m{^--+END} ) { my $cert = PEM_string2cert($pem.$_); $pem = undef; $cert or next; my $hash = Net::SSLeay::X509_subject_name_hash($cert); $have_ca{sprintf("%08x",$hash)} = 1; } elsif ( m{^--+BEGIN (TRUSTED |X509 |)CERTIFICATE-+} ) { $pem = $_; } elsif ( $pem ) { $pem .= $_; } } } }; diag( "found ".(0+keys %have_ca)." CA certs"); plan skip_all => "no CA certs found" if ! %have_ca; my $proxy = ( $ENV{https_proxy} || $ENV{http_proxy} || '' ) =~m{^(?:\w+://)?([\w\-.:\[\]]+:\d+)/?$} && $1; my @cap = ('SSL_verifycn_name'); push @cap, 'SSL_hostname' if IO::Socket::SSL->can_client_sni(); plan tests => (1+@cap)*(@tests/3); while ( @tests ) { my ($host,$fp,$ca_hash) = splice(@tests,0,3); my $port = $host =~s{:(\d+)$}{} && $1; SKIP: { # first check if we have the CA in store skip "no root CA $ca_hash for $host in store",1+@cap if ! $have_ca{$ca_hash}; diag("have root CA for $host in store"); # then build inet connections for later SSL upgrades my @cl; for my $cap ('fp','nocn',@cap,'noca') { my $cl; if ( ! $proxy ) { # direct connection $cl = $ipclass->new( PeerAddr => $host, PeerPort => $port, Timeout => 15, ) } elsif ( $cl = $ipclass->new( PeerAddr => $proxy, Timeout => 15 )) { # try to establish tunnel via proxy with CONNECT my $reply = ''; if ( eval { local $SIG{ALRM} = sub { die "timed out" }; alarm(15); print $cl "CONNECT $host:443 HTTP/1.0\r\n\r\n"; while (<$cl>) { $reply .= $_; last if m{\A\r?\n\Z}; } $reply =~m{\AHTTP/1\.[01] 200\b} or die "unexpected response from proxy: $reply"; }) { } else { $cl = undef } } skip "cannot connect to $host:443 with $ipclass: $!",1+@cap if ! $cl; push @cl,$cl; } diag(int(@cl)." connections to $host ok"); # check if we have SSL interception by comparing the fingerprint we get my $cl = shift(@cl); skip "ssl upgrade failed even without verification",1+@cap if ! IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 0 ); skip "fingerprint mismatch - probably SSL interception",1+@cap if $cl->get_fingerprint('sha1') ne $fp; diag("fingerprint $host matches"); # check if it can verify against builtin CA store $cl = shift(@cl); if ( ! IO::Socket::SSL->start_SSL($cl)) { skip "ssl upgrade failed with builtin CA store",1+@cap; } diag("check $host against builtin CA store ok"); for my $cap (@cap) { my $cl = shift(@cl); # try to upgrade with SSL using default CA path if ( IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 1, SSL_verifycn_scheme => 'http', $cap => $host, )) { pass("SSL upgrade $host with default CA and $cap"); } elsif ( $SSL_ERROR =~m{verify failed} ) { fail("SSL upgrade $host with default CA and $cap: $SSL_ERROR"); } else { pass("SSL upgrade $host with no CA failed but not because of verify problem: $SSL_ERROR"); } } # it should fail when we use no default ca, even on OS X # https://hynek.me/articles/apple-openssl-verification-surprises/ $cl = shift(@cl); if ( IO::Socket::SSL->start_SSL($cl, SSL_ca_file => \'' )) { fail("SSL upgrade $host with no CA succeeded"); } elsif ( $SSL_ERROR =~m{verify failed} ) { pass("SSL upgrade $host with no CA failed"); } else { pass("SSL upgrade $host with no CA failed but not because of verify problem: $SSL_ERROR"); } } } IO-Socket-SSL-2.024/t/sysread_write.t0000644000175100017510000000722112622126027015763 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/sysread_write.t' # This tests that sysread/syswrite behave different to read/write, e.g. # that the latter ones are blocking until they read/write everything while # the sys* function also can read/write partial data. use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; print "1..9\n"; ################################################################# # create Server socket before forking client, so that it is # guaranteed to be listening ################################################################# # first create simple ssl-server my $ID = 'server'; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, SSL_cert_file => "certs/client-cert.pem", SSL_key_file => "certs/client-key.pem", ); print "not ok: $!\n", exit if !$server; ok("Server Initialization"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { ############################################################ # CLIENT == child process ############################################################ close($server); $ID = 'client'; my $to_server = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_ca_file => "certs/test-ca.pem", ) || do { print "not ok: connect failed: $!\n"; exit }; ok( "client connected" ); # write 512 byte, server reads it in 66 byte chunks which # should cause at least the last read to be less then 66 bytes # (and not block). alarm(10); $SIG{ALRM} = sub { print "not ok: timed out\n"; exit; }; #DEBUG( "send 2x512 byte" ); unless ( syswrite( $to_server, 'x' x 512 ) == 512 and syswrite( $to_server, 'x' x 512 ) == 512 ) { print "not ok: write to small: $!\n"; exit; } sysread( $to_server,my $ack,1 ) || print "not "; ok( "received ack" ); alarm(0); ok( "send in time" ); # make a syswrite with a buffer length greater than the # ssl message block size (16k for sslv3). It should send # only a partial packet of 16k my $n = syswrite( $to_server, 'x' x 18000 ); #DEBUG( "send $n bytes" ); print "not " if $n != 16384; ok( "partial write in syswrite" ); # but write should send everything because it does ssl_write_all $n = $to_server->write( 'x' x 18000 ); #DEBUG( "send $n bytes" ); print "not " if $n != 18000; ok( "full write in write ($n)" ); exit; } else { ############################################################ # SERVER == parent process ############################################################ my $to_client = $server->accept || do { print "not ok: accept failed: $!\n"; kill(9,$pid); exit; }; ok( "Server accepted" ); my $total = 1024; my $partial; while ( $total > 0 ) { #DEBUG( "reading 66 of $total bytes pending=".$to_client->pending() ); my $n = sysread( $to_client, my $buf,66 ); #DEBUG( "read $n bytes" ); if ( !$n ) { print "not ok: read failed: $!\n"; kill(9,$pid); exit; } elsif ( $n != 66 ) { $partial++; } $total -= $n; } print "not " if !$partial; ok( "partial read in sysread" ); # send ack back print "not " if !syswrite( $to_client, 'x' ); ok( "send ack back" ); # just read so that the writes will not block $to_client->read( my $buf,18000 ); $to_client->read( $buf,18000 ); # wait until client exits wait; } exit; sub ok { print "ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/sni.t0000644000175100017510000000415612622126027013674 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( ! IO::Socket::SSL->can_server_sni() ) { print "1..0 # skipped because no server side SNI support - openssl/Net::SSleay too old\n"; exit; } if ( ! IO::Socket::SSL->can_client_sni() ) { print "1..0 # skipped because no client side SNI support - openssl/Net::SSleay too old\n"; exit; } print "1..17\n"; my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', Listen => 2, ReuseAddr => 1, SSL_server => 1, SSL_ca_file => "certs/test-ca.pem", SSL_cert_file => { 'server.local' => 'certs/server-cert.pem', 'client.local' => 'certs/client-cert.pem', 'smtp.mydomain.local' => "certs/server-wildcard.pem", '' => "certs/server-wildcard.pem", }, SSL_key_file => { 'server.local' => 'certs/server-key.pem', 'client.local' => 'certs/client-key.pem', 'smtp.mydomain.local' => "certs/server-wildcard.pem", '' => "certs/server-wildcard.pem", }, ); warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server; print "not ok\n", exit if !$server; print "ok # Server Initialization\n"; my $saddr = $server->sockhost.':'.$server->sockport; # www13.other.local should match default '' # all other should match the specific entries my @tests = qw( server.local client.local smtp.mydomain.local www13.other.local ); defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { close($server); for my $host (@tests) { my $client = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_hostname => $host, SSL_ca_file => 'certs/my-ca.pem', ) || print "not "; print "ok # client ssl connect $host\n"; $client->verify_hostname($host,'http') or print "not "; print "ok # client verify hostname in cert $host\n"; } exit; } for my $host (@tests) { my $csock = $server->accept or print "not "; print "ok # server accept\n"; my $name = $csock->get_servername; print "not " if ! $name or $name ne $host; print "ok # server got SNI name $host\n"; } wait; IO-Socket-SSL-2.024/t/plain_upgrade_downgrade.t0000644000175100017510000001117312622126027017744 0ustar workworkuse strict; use warnings; use Socket; use IO::Socket::SSL; use IO::Socket::SSL::Utils; use Test::More; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # create listener IO::Socket::SSL::default_ca('certs/my-ca.pem'); my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', # start as plain and upgrade later SSL_startHandshake => 0, ) || die "not ok #tcp listen failed: $!\n"; my $saddr = $server->sockhost.':'.$server->sockport; #diag("listen at $saddr"); # fork child for server defined( my $pid = fork() ) || die $!; if ( ! $pid ) { $SIG{ALRM} = sub { die "server timed out" }; while (1) { alarm(30); my $cl = $server->accept; diag("server accepted new client"); #${*$cl}{_SSL_ctx} or die "accepted socket has no SSL context"; ${*$cl}{_SSL_object} and die "accepted socket is already SSL"; # try to find out if we start with TLS immediately (peek gets data from # client hello) or have some plain data initially (peek gets these # plain data) diag("wait for initial data from client"); my $buf = ''; while (length($buf)<3) { vec(my $rin='',fileno($cl),1) = 1; my $rv = select($rin,undef,undef,10); die "timeout waiting for data from client" if ! $rv; die "something wrong: $!" if $rv<0; $cl->peek($buf,3); $buf eq '' and die "eof from client"; diag("got 0x".unpack("H*",$buf)." from client"); } if ($buf eq "end") { # done diag("client requested end of tests"); exit(0); } if ($buf eq 'foo') { # initial plain dialog diag("server: got plain data at start of connection"); read($cl,$buf,3) or die "failed to read"; $buf eq 'foo' or die "read($buf) different from peek"; print $cl "bar"; # reply } # now we upgrade to TLS diag("server: TLS upgrade"); $cl->accept_SSL or die "failed to SSL upgrade server side: $SSL_ERROR"; ${*$cl}{_SSL_object} or die "no SSL object after accept_SSL"; read($cl,$buf,6) or die "failed to ssl read"; $buf eq 'sslfoo' or die "wrong data received from client '$buf'"; print $cl "sslbar"; # now we downgrade from TLS to plain and try to exchange some data diag("server: TLS downgrade"); $cl->stop_SSL or die "failed to stop SSL"; ${*$cl}{_SSL_object} and die "still SSL object after stop_SSL"; read($cl,$buf,3); $buf eq 'foo' or die "wrong data received from client '$buf'"; print $cl "bar"; # now we upgrade again to TLS diag("server: TLS upgrade#2"); $cl->accept_SSL or die "failed to SSL upgrade server side"; ${*$cl}{_SSL_object} or die "no SSL object after accept_SSL"; read($cl,$buf,6) or die "failed to ssl read"; $buf eq 'sslfoo' or die "wrong data received from client '$buf'"; print $cl "sslbar"; } } # client close($server); # close server in client $SIG{ALRM} = sub { die "client timed out" }; plan tests => 15; for my $test ( [qw(newINET start_SSL stop_SSL start_SSL)], [qw(newSSL stop_SSL connect_SSL)], [qw(newSSL:0 connect_SSL stop_SSL connect_SSL)], [qw(newSSL:0 start_SSL stop_SSL connect_SSL)], ) { my $cl; diag("-- test: @$test"); for my $act (@$test) { if (eval { if ($act =~m{newSSL(?::(.*))?$} ) { $cl = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, defined($1) ? (SSL_startHandshake => $1):(), ) or die "failed to connect: $!|$SSL_ERROR"; if ( ! defined($1) || $1 ) { ${*$cl}{_SSL_object} or die "no SSL object"; } else { ${*$cl}{_SSL_object} and die "have SSL object"; } } elsif ($act eq 'newINET') { $cl = IO::Socket::INET->new($saddr) or die "failed to connect: $!"; } elsif ($act eq 'stop_SSL') { $cl->stop_SSL or die "stop_SSL failed: $SSL_ERROR"; ${*$cl}{_SSL_object} and die "still having SSL object after stop_SSL"; } elsif ($act eq 'connect_SSL') { $cl->connect_SSL or die "connect_SSL failed: $SSL_ERROR"; ${*$cl}{_SSL_object} or die "no SSL object after connect_SSL"; } elsif ($act eq 'start_SSL') { IO::Socket::SSL->start_SSL($cl) or die "start_SSL failed: $SSL_ERROR"; ${*$cl}{_SSL_object} or die "no SSL object after start_SSL"; } else { die "unknown action $act" } if (${*$cl}{_SSL_object}) { print $cl "sslfoo"; read($cl, my $buf,6); $buf eq 'sslbar' or die "wrong response with ssl: $buf"; } else { print $cl "foo"; read($cl, my $buf,3); $buf eq 'bar' or die "wrong response without ssl: $buf"; } }) { pass($act); } else { fail("$act: $@"); last; # slip rest } } } # make server exit alarm(10); my $cl = IO::Socket::INET->new($saddr); print $cl "end" if $cl; wait; IO-Socket-SSL-2.024/t/io-socket-ip.t0000644000175100017510000000416212627645435015421 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/dhe.t' # make sure IO::Socket::INET6 will not be used BEGIN { $INC{'IO/Socket/INET6.pm'} = undef } use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; # check if we have loaded IO::Socket::IP, IO::Socket::SSL should do it by # itself if it is available unless( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::IP" ) { # not available or IO::Socket::SSL forgot to load it if ( ! eval { require IO::Socket::IP; IO::Socket::IP->VERSION(0.31) }) { print "1..0 # Skipped: usable IO::Socket::IP is not available\n"; } else { print "1..1\nnot ok # automatic use of IO::Socket::IP\n"; } exit } my $addr = '::1'; # check if we can use ::1, e.g if the computer has IPv6 enabled if ( ! IO::Socket::IP->new( Listen => 10, LocalAddr => $addr, )) { print "1..0 # no IPv6 enabled on this computer\n"; exit } $|=1; print "1..3\n"; print "# IO::Socket::IP version=$IO::Socket::IP::VERSION\n"; # first create simple ssl-server my $ID = 'server'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, SSL_cert_file => "certs/server-cert.pem", SSL_key_file => "certs/server-key.pem", ) || do { notok($!); exit }; ok("Server Initialization at $addr"); # add server port to addr $addr = "[$addr]:".$server->sockport; print "# server at $addr\n"; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, SSL_verify_mode => 0 ) || do { notok( "connect failed: ".IO::Socket::SSL->errstr() ); exit }; ok( "client connected" ); } else { ###### Server my $to_client = $server->accept || do { notok( "accept failed: ".$server->errstr() ); kill(9,$pid); exit; }; ok( "Server accepted" ); wait; } sub ok { print "ok # [$ID] @_\n"; } sub notok { print "not ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/public_suffix_lib_encode_idn.t0000644000175100017510000000017212622126027020734 0ustar workworkuse strict; use warnings; use FindBin; require "$FindBin::Bin/public_suffix_lib.pl"; run_with_lib( 'Net::IDN::Encode' ); IO-Socket-SSL-2.024/t/mitm.t0000644000175100017510000000542312622126027014047 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use IO::Socket::SSL::Intercept; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; print "1..8\n"; my @pid; END { kill 9,@pid } my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, SSL_cert_file => 'certs/server-cert.pem', SSL_key_file => 'certs/server-key.pem', Listen => 10, ); ok($server,"server ssl socket"); my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork ) or die $!; exit( server()) if ! $pid; # child -> server() push @pid,$pid; close($server); my $proxy = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 10, Reuse => 1, ); sys_ok($proxy,"proxy tcp socket"); my $paddr = $proxy->sockhost.':'.$proxy->sockport; defined( $pid = fork ) or die $!; exit( proxy()) if ! $pid; # child -> proxy() push @pid,$pid; close($proxy); # connect to server, check certificate my $cl = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_ca_file => 'certs/my-ca.pem', ); ssl_ok($cl,"ssl connected to server"); ok( $cl->peer_certificate('subject') =~ m{server\.local}, "subject w/o mitm"); ok( $cl->peer_certificate('issuer') =~ m{IO::Socket::SSL Demo CA}, "issuer w/o mitm"); # connect to proxy, check certificate $cl = IO::Socket::SSL->new( PeerAddr => $paddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_ca_file => 'certs/proxyca.pem', ); ssl_ok($cl,"ssl connected to proxy"); ok( $cl->peer_certificate('subject') =~ m{server\.local}, "subject w/ mitm"); ok( $cl->peer_certificate('issuer') =~ m{IO::Socket::SSL::Intercept}, "issuer w/ mitm"); sub server { while (1) { my $cl = $server->accept or next; sleep(1); } } sub proxy { my $mitm = IO::Socket::SSL::Intercept->new( proxy_cert_file => 'certs/proxyca.pem', proxy_key_file => 'certs/proxyca.pem', ); while (1) { my $toc = $proxy->accept or next; my $tos = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_ca_file => 'certs/my-ca.pem', ) or die "failed connect to server: $!, $SSL_ERROR"; my ($cert,$key) = $mitm->clone_cert($tos->peer_certificate); $toc = IO::Socket::SSL->start_SSL( $toc, SSL_server => 1, SSL_cert => $cert, SSL_key => $key, ) or die "ssl upgrade client failed: $SSL_ERROR"; sleep(1); } } sub ok { my ($what,$msg) = @_; print "not " if ! $what; print "ok # $msg\n"; } sub sys_ok { my ($what,$msg) = @_; if ( $what ) { print "ok # $msg\n"; } else { print "not ok # $msg - $!\n"; exit } } sub ssl_ok { my ($what,$msg) = @_; if ( $what ) { print "ok # $msg\n"; } else { print "not ok # $msg - $SSL_ERROR\n"; exit } } IO-Socket-SSL-2.024/t/auto_verify_hostname.t0000644000175100017510000000410012622126027017322 0ustar workwork#!perl use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; use Test::More; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; plan tests => 1 + 7 + 4 + 7*2 + 4; my @tests = qw( example.com www FAIL server.local ldap OK server.local www FAIL bla.server.local www OK www7.other.local www OK www7.other.local ldap FAIL bla.server.local ldap OK ); my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ReuseAddr => 1, SSL_server => 1, SSL_cert_file => "certs/server-wildcard.pem", SSL_key_file => "certs/server-wildcard.pem", ); warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server; ok( $server, "Server Initialization"); exit if !$server; my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; if ( $pid == 0 ) { while (1) { my $csock = $server->accept || next; print $csock "hallo\n"; } } close($server); IO::Socket::SSL::default_ca('certs/test-ca.pem'); for( my $i=0;$i<@tests;$i+=3 ) { my ($name,$scheme,$result) = @tests[$i,$i+1,$i+2]; my $cl = IO::Socket::SSL->new( PeerAddr => $saddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_verifycn_scheme => $scheme, SSL_verifycn_name => $name, ); if ( $result eq 'FAIL' ) { ok( !$cl, "connection to $name/$scheme failed" ); } else { ok( $cl, "connection to $name/$scheme succeeded" ); } $cl || next; is( <$cl>, "hallo\n", "received hallo" ); } for( my $i=0;$i<@tests;$i+=3 ) { my ($name,$scheme,$result) = @tests[$i,$i+1,$i+2]; my $cl = IO::Socket::INET->new($saddr); ok( $cl, "tcp connect" ); $cl = IO::Socket::SSL->start_SSL( $cl, SSL_verify_mode => 1, SSL_verifycn_scheme => $scheme, SSL_verifycn_name => $name, ); if ( $result eq 'FAIL' ) { ok( !$cl, "ssl upgrade of connection to $name/$scheme failed" ); } else { ok( $cl, "ssl upgrade of connection to $name/$scheme succeeded" ); } $cl || next; is( <$cl>, "hallo\n", "received hallo" ); } kill(9,$pid); wait; IO-Socket-SSL-2.024/t/ecdhe.t0000644000175100017510000000321212622126027014143 0ustar workwork#!perl # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl t/ecdhe.t' use strict; use warnings; use Net::SSLeay; use Socket; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; if ( ! IO::Socket::SSL->can_ecdh ) { print "1..0 # Skipped: no support for ecdh with this openssl/Net::SSLeay\n"; exit } $|=1; print "1..4\n"; # first create simple ssl-server my $ID = 'server'; my $addr = '127.0.0.1'; my $server = IO::Socket::SSL->new( LocalAddr => $addr, Listen => 2, ReuseAddr => 1, SSL_cert_file => "certs/server-cert.pem", SSL_key_file => "certs/server-key.pem", SSL_ecdh_curve => 'prime256v1', ) || do { notok($!); exit }; ok("Server Initialization"); # add server port to addr $addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; my $pid = fork(); if ( !defined $pid ) { die $!; # fork failed } elsif ( !$pid ) { ###### Client $ID = 'client'; close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, Domain => AF_INET, SSL_verify_mode => 0 ) || do { notok( "connect failed: $SSL_ERROR" ); exit }; ok( "client connected" ); my $cipher = $to_server->get_cipher(); if ( $cipher !~m/^ECDHE-/ ) { notok("bad key exchange: $cipher"); exit; } ok("ecdh key exchange: $cipher"); } else { ###### Server my $to_client = $server->accept || do { notok( "accept failed: $SSL_ERROR" ); kill(9,$pid); exit; }; ok( "Server accepted" ); wait; } sub ok { print "ok # [$ID] @_\n"; } sub notok { print "not ok # [$ID] @_\n"; } IO-Socket-SSL-2.024/t/start-stopssl.t0000644000175100017510000000601612622126027015742 0ustar workwork#!perl use strict; use warnings; use IO::Socket::INET; use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; $|=1; my @tests = qw( start stop start close ); print "1..16\n"; my $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2, ) || die "not ok #tcp listen failed: $!\n"; print "ok #listen\n"; my $saddr = $server->sockhost.':'.$server->sockport; defined( my $pid = fork() ) || die $!; $pid ? server():client(); wait; exit(0); sub client { close($server); my $client = IO::Socket::INET->new($saddr) or die "not ok #client connect: $!\n"; $client->autoflush; print "ok #client connect\n"; for my $test (@tests) { alarm(15); #print STDERR "begin test $test\n"; if ( $test eq 'start' ) { print $client "start\n"; sleep(1); # avoid race condition, if client calls start but server is not yet available #print STDERR ">>$$(client) start\n"; IO::Socket::SSL->start_SSL($client, SSL_verify_mode => 0 ) || die "not ok #client::start_SSL: $SSL_ERROR\n"; #print STDERR "<<$$(client) start\n"; print "ok # client::start_SSL\n"; ref($client) eq "IO::Socket::SSL" or print "not "; print "ok # client::class=".ref($client)."\n"; } elsif ( $test eq 'stop' ) { print $client "stop\n"; $client->stop_SSL || die "not ok #client::stop_SSL\n"; print "ok # client::stop_SSL\n"; ref($client) eq "IO::Socket::INET" or print "not "; print "ok # client::class=".ref($client)."\n"; } elsif ( $test eq 'close' ) { print $client "close\n"; my $class = ref($client); $client->close || die "not ok # client::close\n"; print "ok # client::close\n"; ref($client) eq $class or print "not "; print "ok # client::class=".ref($client)."\n"; last; } #print STDERR "cont test $test\n"; defined( my $line = <$client> ) or return; die "'$line'" if $line ne "OK\n"; } } sub server { my $client = $server->accept || die $!; $client->autoflush; while (1) { alarm(15); defined( my $line = <$client> ) or last; chomp($line); if ( $line eq 'start' ) { #print STDERR ">>$$ start\n"; IO::Socket::SSL->start_SSL( $client, SSL_server => 1, SSL_cert_file => "certs/client-cert.pem", SSL_key_file => "certs/client-key.pem" ) || die "not ok #server::start_SSL: $SSL_ERROR\n"; #print STDERR "<<$$ start\n"; ref($client) eq "IO::Socket::SSL" or print "not "; print "ok # server::class=".ref($client)."\n"; print $client "OK\n"; } elsif ( $line eq 'stop' ) { $client->stop_SSL || die "not ok #server::stop_SSL\n"; print "ok #server::stop_SSL\n"; ref($client) eq "IO::Socket::INET" or print "not "; print "ok # class=".ref($client)."\n"; print $client "OK\n"; } elsif ( $line eq 'close' ) { my $class = ref($client); $client->close || die "not ok #server::close\n"; print "ok #server::close\n"; ref($client) eq $class or print "not "; print "ok # class=".ref($client)."\n"; last; } } } IO-Socket-SSL-2.024/lib/0000755000175100017510000000000012655445521013224 5ustar workworkIO-Socket-SSL-2.024/lib/IO/0000755000175100017510000000000012655445521013533 5ustar workworkIO-Socket-SSL-2.024/lib/IO/Socket/0000755000175100017510000000000012655445521014763 5ustar workworkIO-Socket-SSL-2.024/lib/IO/Socket/SSL/0000755000175100017510000000000012655445521015424 5ustar workworkIO-Socket-SSL-2.024/lib/IO/Socket/SSL/PublicSuffix.pm0000644000175100017510000056364012627646007020404 0ustar workwork use strict; use warnings; package IO::Socket::SSL::PublicSuffix; use Carp; # for updates use constant URL => 'http://publicsuffix.org/list/effective_tld_names.dat'; =head1 NAME IO::Socket::SSL::PublicSuffix - provide access to Mozilla's list of effective TLD names =head1 SYNOPSIS # use builtin default use IO::Socket::SSL::PublicSuffix; $ps = IO::Socket::SSL::PublicSuffix->default; # load from string $ps = IO::Socket::SSL::PublicSuffix->from_string("*.uk\n*"); # load from file or file handle $ps = IO::Socket::SSL::PublicSuffix->from_file($filename); $ps = IO::Socket::SSL::PublicSuffix->from_file(\*STDIN); # --- string in -> string out # $rest -> whatever.host # $tld -> co.uk my ($rest,$tld) = $ps->public_suffix('whatever.host.co.uk'); my $tld = $ps->public_suffix('whatever.host.co.uk'); # $root_domain -> host.co.uk my $root_domain = $ps->public_suffix('whatever.host.co.uk', 1); # --- array in -> array out # $rest -> [qw(whatever host)] # $tld -> [qw(co uk)] my ($rest,$tld) = $ps->public_suffix([qw(whatever host co uk)]); ---- # To update this file with the current list: perl -MIO::Socket::SSL::PublicSuffix -e 'IO::Socket::SSL::PublicSuffix::update_self_from_url()' =head1 DESCRIPTION This module uses the list of effective top level domain names from the mozilla project to determine the public top level domain for a given hostname. =head2 Method =over 4 =item class->default(%args) Returns object with builtin default. C can be given in C<%args> to specify the minimal suffix, default is 1. =item class->from_string(string,%args) Returns object with configuration from string. See method C for C<%args>. =item class->from_file( file name| file handle, %args ) Returns object with configuration from file or file handle. See method C for C<%args>. =item $self->public_suffix( $host|\@host, [ $add ] ) In array context the function returns the non-tld part and the tld part of the given hostname, in scalar context only the tld part. It adds C<$add> parts of the non-tld part to the tld, e.g. with C<$add=1> it will return the root domain. If there were no explicit matches against the public suffix configuration it will fall back to a suffix of length 1. The function accepts a string or an array-ref (e.g. host split by C<.>). In the first case it will return string(s), in the latter case array-ref(s). International hostnames or labels can be in ASCII (IDNA form starting with C) or unicode. In the latter case an IDNA handling library like L, L or recent versions of L need to be installed. =item ($self|class)->can_idn Returns true if IDN support is available. =back =head1 FILES http://publicsuffix.org/list/effective_tld_names.dat =head1 SEE ALSO Domain::PublicSuffix, Mozilla::PublicSuffix =head1 BUGS Q: Why yet another module, we already have L and L. A: Because the public suffix data change more often than these modules do, IO::Socket::SSL needs this list and it is more easy this way to keep it up-to-date. =head1 AUTHOR Steffen Ullrich =cut BEGIN { if ( eval { require URI::_idna; defined &URI::_idna::encode && defined &URI::_idna::decode }) { *idn_to_ascii = \&URI::_idna::encode; *idn_to_unicode = \&URI::_idna::decode; *can_idn = sub { 1 }; } elsif ( eval { require Net::IDN::Encode } ) { *idn_to_ascii = \&Net::IDN::Encode::domain_to_ascii; *idn_to_unicode = \&Net::IDN::Encode::domain_to_unicode; *can_idn = sub { 1 }; } elsif ( eval { require Net::LibIDN; require Encode } ) { # Net::LibIDN does not use utf-8 flag and expects raw data *idn_to_ascii = sub { Net::LibIDN::idn_to_ascii(Encode::encode('utf-8',$_[0]),'utf-8'); }, *idn_to_unicode = sub { Encode::decode('utf-8',Net::LibIDN::idn_to_unicode($_[0],'utf-8')); }, *can_idn = sub { 1 }; } else { *idn_to_ascii = sub { croak "idn_to_ascii(@_) - no IDNA library installed" }; *idn_to_unicode = sub { croak "idn_to_unicode(@_) - no IDNA library installed" }; *can_idn = sub { 0 }; } } { my %default; sub default { my (undef,%args) = @_; my $min_suffix = delete $args{min_suffix}; $min_suffix = 1 if ! defined $min_suffix; %args and die "unknown args: ".join(" ",sort keys %args); return $default{$min_suffix} ||= shift->from_string(_default_data(), min_suffix => $min_suffix); } } sub from_string { my $class = shift; my $data = shift; open( my $fh,'<', \$data ); return $class->from_file($fh,@_); } sub from_file { my ($class,$file,%args) = @_; my $min_suffix = delete $args{min_suffix}; $min_suffix = 1 if ! defined $min_suffix; %args and die "unknown args: ".join(" ",sort keys %args); my $fh; if ( ref($file)) { $fh = $file } elsif ( ! open($fh,'<',$file)) { die "failed to open $file: $!"; } my %tree; local $/ = "\n"; while ( my $line = <$fh>) { $line =~s{//.*}{}; $line =~s{\s+$}{}; $line eq '' and next; my $p = \%tree; $line = idn_to_ascii($line) if $line !~m{\A[\x00-\x7f]*\Z}; my $not = $line =~s{^!}{}; my @path = split(m{\.},$line); for(reverse @path) { $p = $p->{$_} ||= {} } $p->{'\0'} = $not ? -1:1; } return bless { tree => \%tree, min_suffix => $min_suffix },$class; } sub public_suffix { my ($self,$name,$add) = @_; my $want; # [a]rray, [s]tring, [u]nicode-string if ( ref($name)) { $want = 'a'; $name = [ @$name ]; # don't change input } else { return if ! defined $name; if ( $name !~m{\A[\x00-\x7f]*\Z} ) { $name = idn_to_ascii($name); $want = 'u'; } else { $want = 's'; } $name = lc($name); $name =~s{\.$}{}; $name = [ $name =~m{([^.]+)}g ]; } @$name or return; $_ = lc($_) for(@$name); my (%wild,%host,%xcept,@stack,$choices); my $p = $self->{tree}; for( my $i=0; $i<@$name; $i++ ) { $choices = []; if ( my $px = $p->{ $name->[$#$name-$i] } ) { # name match, continue with next path element push @$choices,$px; if ( my $end = $px->{'\0'} ) { ( $end>0 ? \%host : \%xcept )->{$i+1} = $end; } } if ( my $px = $p->{'*'} ) { # wildcard match, continue with next path element push @$choices,$px; if ( my $end = $px->{'\0'} ) { ( $end>0 ? \%wild : \%xcept )->{$i+1} = $end; } } next_choice: if ( @$choices ) { $p = shift(@$choices); push @stack, [ $choices, $i ] if @$choices; next; # go deeper } # backtrack @stack or last; ($choices,$i) = @{ pop(@stack) }; goto next_choice; } #warn Dumper([\%wild,\%host,\%xcept]); use Data::Dumper; # remove all exceptions from wildcards delete @wild{ keys %xcept } if %xcept; # get longest match my ($len) = sort { $b <=> $a } ( keys(%wild), keys(%host), map { $_-1 } keys(%xcept)); # if we have no matches use a minimum of min_suffix $len = $self->{min_suffix} if ! defined $len; $len += $add if $add; my $suffix; if ( $len < @$name ) { $suffix = [ splice( @$name, -$len, $len ) ]; } elsif ( $len > 0 ) { $suffix = $name; $name = [] } else { $suffix = [] } if ( $want ne 'a' ) { $suffix = join('.',@$suffix); $name = join('.',@$name); if ( $want eq 'u' ) { $suffix = idn_to_unicode($suffix); $name = idn_to_unicode($name); } } return wantarray ? ($name,$suffix):$suffix; } { my $data; sub _default_data { if ( ! defined $data ) { $data = _builtin_data(); $data =~s{^// ===END ICANN DOMAINS.*}{}ms or die "cannot find END ICANN DOMAINS"; } return $data; } } sub update_self_from_url { my $url = shift || URL(); my $dst = __FILE__; -w $dst or die "cannot write $dst"; open( my $fh,'<',$dst ) or die "open $dst: $!"; my $code = ''; local $/ = "\n"; while (<$fh>) { $code .= $_; m{<<\'END_BUILTIN_DATA\'} and last; } my $tail; while (<$fh>) { m{\AEND_BUILTIN_DATA\r?\n} or next; $tail = $_; last; } $tail .= do { local $/; <$fh> }; close($fh); require LWP::UserAgent; my $resp = LWP::UserAgent->new->get($url) or die "no response from $url"; die "no success url=$url code=".$resp->code." ".$resp->message if ! $resp->is_success; my $content = $resp->decoded_content; while ( $content =~m{(.*\n)}g ) { my $line = $1; if ( $line =~m{\S} && $line !~m{\A\s*//} ) { $line =~s{//.*}{}; $line =~s{\s+$}{}; $line eq '' and next; if ( $line !~m{\A[\x00-\x7f]+\Z} ) { $line = idn_to_ascii($line); } $code .= "$line\n"; } else { $code .= "$line"; } } open( $fh,'>:utf8',$dst ) or die "open $dst: $!"; print $fh $code.$tail; } sub _builtin_data { return <<'END_BUILTIN_DATA' } // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. // ===BEGIN ICANN DOMAINS=== // ac : http://en.wikipedia.org/wiki/.ac ac com.ac edu.ac gov.ac net.ac mil.ac org.ac // ad : http://en.wikipedia.org/wiki/.ad ad nom.ad // ae : http://en.wikipedia.org/wiki/.ae // see also: "Domain Name Eligibility Policy" at http://www.aeda.ae/eng/aepolicy.php ae co.ae net.ae org.ae sch.ae ac.ae gov.ae mil.ae // aero : see http://www.information.aero/index.php?id=66 aero accident-investigation.aero accident-prevention.aero aerobatic.aero aeroclub.aero aerodrome.aero agents.aero aircraft.aero airline.aero airport.aero air-surveillance.aero airtraffic.aero air-traffic-control.aero ambulance.aero amusement.aero association.aero author.aero ballooning.aero broker.aero caa.aero cargo.aero catering.aero certification.aero championship.aero charter.aero civilaviation.aero club.aero conference.aero consultant.aero consulting.aero control.aero council.aero crew.aero design.aero dgca.aero educator.aero emergency.aero engine.aero engineer.aero entertainment.aero equipment.aero exchange.aero express.aero federation.aero flight.aero freight.aero fuel.aero gliding.aero government.aero groundhandling.aero group.aero hanggliding.aero homebuilt.aero insurance.aero journal.aero journalist.aero leasing.aero logistics.aero magazine.aero maintenance.aero media.aero microlight.aero modelling.aero navigation.aero parachuting.aero paragliding.aero passenger-association.aero pilot.aero press.aero production.aero recreation.aero repbody.aero res.aero research.aero rotorcraft.aero safety.aero scientist.aero services.aero show.aero skydiving.aero software.aero student.aero trader.aero trading.aero trainer.aero union.aero workinggroup.aero works.aero // af : http://www.nic.af/help.jsp af gov.af com.af org.af net.af edu.af // ag : http://www.nic.ag/prices.htm ag com.ag org.ag net.ag co.ag nom.ag // ai : http://nic.com.ai/ ai off.ai com.ai net.ai org.ai // al : http://www.ert.gov.al/ert_alb/faq_det.html?Id=31 al com.al edu.al gov.al mil.al net.al org.al // am : http://en.wikipedia.org/wiki/.am am // ao : http://en.wikipedia.org/wiki/.ao // http://www.dns.ao/REGISTR.DOC ao ed.ao gv.ao og.ao co.ao pb.ao it.ao // aq : http://en.wikipedia.org/wiki/.aq aq // ar : https://nic.ar/normativa-vigente.xhtml ar com.ar edu.ar gob.ar gov.ar int.ar mil.ar net.ar org.ar tur.ar // arpa : http://en.wikipedia.org/wiki/.arpa // Confirmed by registry 2008-06-18 arpa e164.arpa in-addr.arpa ip6.arpa iris.arpa uri.arpa urn.arpa // as : http://en.wikipedia.org/wiki/.as as gov.as // asia : http://en.wikipedia.org/wiki/.asia asia // at : http://en.wikipedia.org/wiki/.at // Confirmed by registry 2008-06-17 at ac.at co.at gv.at or.at // au : http://en.wikipedia.org/wiki/.au // http://www.auda.org.au/ au // 2LDs com.au net.au org.au edu.au gov.au asn.au id.au // Historic 2LDs (closed to new registration, but sites still exist) info.au conf.au oz.au // CGDNs - http://www.cgdn.org.au/ act.au nsw.au nt.au qld.au sa.au tas.au vic.au wa.au // 3LDs act.edu.au nsw.edu.au nt.edu.au qld.edu.au sa.edu.au tas.edu.au vic.edu.au wa.edu.au // act.gov.au Bug 984824 - Removed at request of Greg Tankard // nsw.gov.au Bug 547985 - Removed at request of // nt.gov.au Bug 940478 - Removed at request of Greg Connors qld.gov.au sa.gov.au tas.gov.au vic.gov.au wa.gov.au // aw : http://en.wikipedia.org/wiki/.aw aw com.aw // ax : http://en.wikipedia.org/wiki/.ax ax // az : http://en.wikipedia.org/wiki/.az az com.az net.az int.az gov.az org.az edu.az info.az pp.az mil.az name.az pro.az biz.az // ba : http://en.wikipedia.org/wiki/.ba ba org.ba net.ba edu.ba gov.ba mil.ba unsa.ba unbi.ba co.ba com.ba rs.ba // bb : http://en.wikipedia.org/wiki/.bb bb biz.bb co.bb com.bb edu.bb gov.bb info.bb net.bb org.bb store.bb tv.bb // bd : http://en.wikipedia.org/wiki/.bd *.bd // be : http://en.wikipedia.org/wiki/.be // Confirmed by registry 2008-06-08 be ac.be // bf : http://en.wikipedia.org/wiki/.bf bf gov.bf // bg : http://en.wikipedia.org/wiki/.bg // https://www.register.bg/user/static/rules/en/index.html bg a.bg b.bg c.bg d.bg e.bg f.bg g.bg h.bg i.bg j.bg k.bg l.bg m.bg n.bg o.bg p.bg q.bg r.bg s.bg t.bg u.bg v.bg w.bg x.bg y.bg z.bg 0.bg 1.bg 2.bg 3.bg 4.bg 5.bg 6.bg 7.bg 8.bg 9.bg // bh : http://en.wikipedia.org/wiki/.bh bh com.bh edu.bh net.bh org.bh gov.bh // bi : http://en.wikipedia.org/wiki/.bi // http://whois.nic.bi/ bi co.bi com.bi edu.bi or.bi org.bi // biz : http://en.wikipedia.org/wiki/.biz biz // bj : http://en.wikipedia.org/wiki/.bj bj asso.bj barreau.bj gouv.bj // bm : http://www.bermudanic.bm/dnr-text.txt bm com.bm edu.bm gov.bm net.bm org.bm // bn : http://en.wikipedia.org/wiki/.bn *.bn // bo : http://www.nic.bo/ bo com.bo edu.bo gov.bo gob.bo int.bo org.bo net.bo mil.bo tv.bo // br : http://registro.br/dominio/categoria.html // Submitted by registry 2014-08-11 br adm.br adv.br agr.br am.br arq.br art.br ato.br b.br bio.br blog.br bmd.br cim.br cng.br cnt.br com.br coop.br ecn.br eco.br edu.br emp.br eng.br esp.br etc.br eti.br far.br flog.br fm.br fnd.br fot.br fst.br g12.br ggf.br gov.br imb.br ind.br inf.br jor.br jus.br leg.br lel.br mat.br med.br mil.br mp.br mus.br net.br *.nom.br not.br ntr.br odo.br org.br ppg.br pro.br psc.br psi.br qsl.br radio.br rec.br slg.br srv.br taxi.br teo.br tmp.br trd.br tur.br tv.br vet.br vlog.br wiki.br zlg.br // bs : http://www.nic.bs/rules.html bs com.bs net.bs org.bs edu.bs gov.bs // bt : http://en.wikipedia.org/wiki/.bt bt com.bt edu.bt gov.bt net.bt org.bt // bv : No registrations at this time. // Submitted by registry 2006-06-16 bv // bw : http://en.wikipedia.org/wiki/.bw // http://www.gobin.info/domainname/bw.doc // list of other 2nd level tlds ? bw co.bw org.bw // by : http://en.wikipedia.org/wiki/.by // http://tld.by/rules_2006_en.html // list of other 2nd level tlds ? by gov.by mil.by // Official information does not indicate that com.by is a reserved // second-level domain, but it's being used as one (see www.google.com.by and // www.yahoo.com.by, for example), so we list it here for safety's sake. com.by // http://hoster.by/ of.by // bz : http://en.wikipedia.org/wiki/.bz // http://www.belizenic.bz/ bz com.bz net.bz org.bz edu.bz gov.bz // ca : http://en.wikipedia.org/wiki/.ca ca // ca geographical names ab.ca bc.ca mb.ca nb.ca nf.ca nl.ca ns.ca nt.ca nu.ca on.ca pe.ca qc.ca sk.ca yk.ca // gc.ca: http://en.wikipedia.org/wiki/.gc.ca // see also: http://registry.gc.ca/en/SubdomainFAQ gc.ca // cat : http://en.wikipedia.org/wiki/.cat cat // cc : http://en.wikipedia.org/wiki/.cc cc // cd : http://en.wikipedia.org/wiki/.cd // see also: https://www.nic.cd/domain/insertDomain_2.jsp?act=1 cd gov.cd // cf : http://en.wikipedia.org/wiki/.cf cf // cg : http://en.wikipedia.org/wiki/.cg cg // ch : http://en.wikipedia.org/wiki/.ch ch // ci : http://en.wikipedia.org/wiki/.ci // http://www.nic.ci/index.php?page=charte ci org.ci or.ci com.ci co.ci edu.ci ed.ci ac.ci net.ci go.ci asso.ci xn--aroport-bya.ci int.ci presse.ci md.ci gouv.ci // ck : http://en.wikipedia.org/wiki/.ck *.ck !www.ck // cl : http://en.wikipedia.org/wiki/.cl cl gov.cl gob.cl co.cl mil.cl // cm : http://en.wikipedia.org/wiki/.cm plus bug 981927 cm co.cm com.cm gov.cm net.cm // cn : http://en.wikipedia.org/wiki/.cn // Submitted by registry 2008-06-11 cn ac.cn com.cn edu.cn gov.cn net.cn org.cn mil.cn xn--55qx5d.cn xn--io0a7i.cn xn--od0alg.cn // cn geographic names ah.cn bj.cn cq.cn fj.cn gd.cn gs.cn gz.cn gx.cn ha.cn hb.cn he.cn hi.cn hl.cn hn.cn jl.cn js.cn jx.cn ln.cn nm.cn nx.cn qh.cn sc.cn sd.cn sh.cn sn.cn sx.cn tj.cn xj.cn xz.cn yn.cn zj.cn hk.cn mo.cn tw.cn // co : http://en.wikipedia.org/wiki/.co // Submitted by registry 2008-06-11 co arts.co com.co edu.co firm.co gov.co info.co int.co mil.co net.co nom.co org.co rec.co web.co // com : http://en.wikipedia.org/wiki/.com com // coop : http://en.wikipedia.org/wiki/.coop coop // cr : http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do cr ac.cr co.cr ed.cr fi.cr go.cr or.cr sa.cr // cu : http://en.wikipedia.org/wiki/.cu cu com.cu edu.cu org.cu net.cu gov.cu inf.cu // cv : http://en.wikipedia.org/wiki/.cv cv // cw : http://www.una.cw/cw_registry/ // Confirmed by registry 2013-03-26 cw com.cw edu.cw net.cw org.cw // cx : http://en.wikipedia.org/wiki/.cx // list of other 2nd level tlds ? cx gov.cx // cy : http://en.wikipedia.org/wiki/.cy ac.cy biz.cy com.cy ekloges.cy gov.cy ltd.cy name.cy net.cy org.cy parliament.cy press.cy pro.cy tm.cy // cz : http://en.wikipedia.org/wiki/.cz cz // de : http://en.wikipedia.org/wiki/.de // Confirmed by registry (with technical // reservations) 2008-07-01 de // dj : http://en.wikipedia.org/wiki/.dj dj // dk : http://en.wikipedia.org/wiki/.dk // Confirmed by registry 2008-06-17 dk // dm : http://en.wikipedia.org/wiki/.dm dm com.dm net.dm org.dm edu.dm gov.dm // do : http://en.wikipedia.org/wiki/.do do art.do com.do edu.do gob.do gov.do mil.do net.do org.do sld.do web.do // dz : http://en.wikipedia.org/wiki/.dz dz com.dz org.dz net.dz gov.dz edu.dz asso.dz pol.dz art.dz // ec : http://www.nic.ec/reg/paso1.asp // Submitted by registry 2008-07-04 ec com.ec info.ec net.ec fin.ec k12.ec med.ec pro.ec org.ec edu.ec gov.ec gob.ec mil.ec // edu : http://en.wikipedia.org/wiki/.edu edu // ee : http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B ee edu.ee gov.ee riik.ee lib.ee med.ee com.ee pri.ee aip.ee org.ee fie.ee // eg : http://en.wikipedia.org/wiki/.eg eg com.eg edu.eg eun.eg gov.eg mil.eg name.eg net.eg org.eg sci.eg // er : http://en.wikipedia.org/wiki/.er *.er // es : https://www.nic.es/site_ingles/ingles/dominios/index.html es com.es nom.es org.es gob.es edu.es // et : http://en.wikipedia.org/wiki/.et et com.et gov.et org.et edu.et biz.et name.et info.et net.et // eu : http://en.wikipedia.org/wiki/.eu eu // fi : http://en.wikipedia.org/wiki/.fi fi // aland.fi : http://en.wikipedia.org/wiki/.ax // This domain is being phased out in favor of .ax. As there are still many // domains under aland.fi, we still keep it on the list until aland.fi is // completely removed. // TODO: Check for updates (expected to be phased out around Q1/2009) aland.fi // fj : http://en.wikipedia.org/wiki/.fj *.fj // fk : http://en.wikipedia.org/wiki/.fk *.fk // fm : http://en.wikipedia.org/wiki/.fm fm // fo : http://en.wikipedia.org/wiki/.fo fo // fr : http://www.afnic.fr/ // domaines descriptifs : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-descriptifs fr com.fr asso.fr nom.fr prd.fr presse.fr tm.fr // domaines sectoriels : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-sectoriels aeroport.fr assedic.fr avocat.fr avoues.fr cci.fr chambagri.fr chirurgiens-dentistes.fr experts-comptables.fr geometre-expert.fr gouv.fr greta.fr huissier-justice.fr medecin.fr notaires.fr pharmacien.fr port.fr veterinaire.fr // ga : http://en.wikipedia.org/wiki/.ga ga // gb : This registry is effectively dormant // Submitted by registry 2008-06-12 gb // gd : http://en.wikipedia.org/wiki/.gd gd // ge : http://www.nic.net.ge/policy_en.pdf ge com.ge edu.ge gov.ge org.ge mil.ge net.ge pvt.ge // gf : http://en.wikipedia.org/wiki/.gf gf // gg : http://www.channelisles.net/register-domains/ // Confirmed by registry 2013-11-28 gg co.gg net.gg org.gg // gh : http://en.wikipedia.org/wiki/.gh // see also: http://www.nic.gh/reg_now.php // Although domains directly at second level are not possible at the moment, // they have been possible for some time and may come back. gh com.gh edu.gh gov.gh org.gh mil.gh // gi : http://www.nic.gi/rules.html gi com.gi ltd.gi gov.gi mod.gi edu.gi org.gi // gl : http://en.wikipedia.org/wiki/.gl // http://nic.gl gl co.gl com.gl edu.gl net.gl org.gl // gm : http://www.nic.gm/htmlpages%5Cgm-policy.htm gm // gn : http://psg.com/dns/gn/gn.txt // Submitted by registry 2008-06-17 gn ac.gn com.gn edu.gn gov.gn org.gn net.gn // gov : http://en.wikipedia.org/wiki/.gov gov // gp : http://www.nic.gp/index.php?lang=en gp com.gp net.gp mobi.gp edu.gp org.gp asso.gp // gq : http://en.wikipedia.org/wiki/.gq gq // gr : https://grweb.ics.forth.gr/english/1617-B-2005.html // Submitted by registry 2008-06-09 gr com.gr edu.gr net.gr org.gr gov.gr // gs : http://en.wikipedia.org/wiki/.gs gs // gt : http://www.gt/politicas_de_registro.html gt com.gt edu.gt gob.gt ind.gt mil.gt net.gt org.gt // gu : http://gadao.gov.gu/registration.txt *.gu // gw : http://en.wikipedia.org/wiki/.gw gw // gy : http://en.wikipedia.org/wiki/.gy // http://registry.gy/ gy co.gy com.gy net.gy // hk : https://www.hkdnr.hk // Submitted by registry 2008-06-11 hk com.hk edu.hk gov.hk idv.hk net.hk org.hk xn--55qx5d.hk xn--wcvs22d.hk xn--lcvr32d.hk xn--mxtq1m.hk xn--gmqw5a.hk xn--ciqpn.hk xn--gmq050i.hk xn--zf0avx.hk xn--io0a7i.hk xn--mk0axi.hk xn--od0alg.hk xn--od0aq3b.hk xn--tn0ag.hk xn--uc0atv.hk xn--uc0ay4a.hk // hm : http://en.wikipedia.org/wiki/.hm hm // hn : http://www.nic.hn/politicas/ps02,,05.html hn com.hn edu.hn org.hn net.hn mil.hn gob.hn // hr : http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf hr iz.hr from.hr name.hr com.hr // ht : http://www.nic.ht/info/charte.cfm ht com.ht shop.ht firm.ht info.ht adult.ht net.ht pro.ht org.ht med.ht art.ht coop.ht pol.ht asso.ht edu.ht rel.ht gouv.ht perso.ht // hu : http://www.domain.hu/domain/English/sld.html // Confirmed by registry 2008-06-12 hu co.hu info.hu org.hu priv.hu sport.hu tm.hu 2000.hu agrar.hu bolt.hu casino.hu city.hu erotica.hu erotika.hu film.hu forum.hu games.hu hotel.hu ingatlan.hu jogasz.hu konyvelo.hu lakas.hu media.hu news.hu reklam.hu sex.hu shop.hu suli.hu szex.hu tozsde.hu utazas.hu video.hu // id : https://register.pandi.or.id/ id ac.id biz.id co.id desa.id go.id mil.id my.id net.id or.id sch.id web.id // ie : http://en.wikipedia.org/wiki/.ie ie gov.ie // il : http://www.isoc.org.il/domains/ il ac.il co.il gov.il idf.il k12.il muni.il net.il org.il // im : https://www.nic.im/ // Submitted by registry 2013-11-15 im ac.im co.im com.im ltd.co.im net.im org.im plc.co.im tt.im tv.im // in : http://en.wikipedia.org/wiki/.in // see also: https://registry.in/Policies // Please note, that nic.in is not an offical eTLD, but used by most // government institutions. in co.in firm.in net.in org.in gen.in ind.in nic.in ac.in edu.in res.in gov.in mil.in // info : http://en.wikipedia.org/wiki/.info info // int : http://en.wikipedia.org/wiki/.int // Confirmed by registry 2008-06-18 int eu.int // io : http://www.nic.io/rules.html // list of other 2nd level tlds ? io com.io // iq : http://www.cmc.iq/english/iq/iqregister1.htm iq gov.iq edu.iq mil.iq com.iq org.iq net.iq // ir : http://www.nic.ir/Terms_and_Conditions_ir,_Appendix_1_Domain_Rules // Also see http://www.nic.ir/Internationalized_Domain_Names // Two .ir entries added at request of , 2010-04-16 ir ac.ir co.ir gov.ir id.ir net.ir org.ir sch.ir // xn--mgba3a4f16a.ir (.ir, Persian YEH) xn--mgba3a4f16a.ir // xn--mgba3a4fra.ir (.ir, Arabic YEH) xn--mgba3a4fra.ir // is : http://www.isnic.is/domain/rules.php // Confirmed by registry 2008-12-06 is net.is com.is edu.is gov.is org.is int.is // it : http://en.wikipedia.org/wiki/.it it gov.it edu.it // Reserved geo-names: // http://www.nic.it/documenti/regolamenti-e-linee-guida/regolamento-assegnazione-versione-6.0.pdf // There is also a list of reserved geo-names corresponding to Italian municipalities // http://www.nic.it/documenti/appendice-c.pdf, but it is not included here. // Regions abr.it abruzzo.it aosta-valley.it aostavalley.it bas.it basilicata.it cal.it calabria.it cam.it campania.it emilia-romagna.it emiliaromagna.it emr.it friuli-v-giulia.it friuli-ve-giulia.it friuli-vegiulia.it friuli-venezia-giulia.it friuli-veneziagiulia.it friuli-vgiulia.it friuliv-giulia.it friulive-giulia.it friulivegiulia.it friulivenezia-giulia.it friuliveneziagiulia.it friulivgiulia.it fvg.it laz.it lazio.it lig.it liguria.it lom.it lombardia.it lombardy.it lucania.it mar.it marche.it mol.it molise.it piedmont.it piemonte.it pmn.it pug.it puglia.it sar.it sardegna.it sardinia.it sic.it sicilia.it sicily.it taa.it tos.it toscana.it trentino-a-adige.it trentino-aadige.it trentino-alto-adige.it trentino-altoadige.it trentino-s-tirol.it trentino-stirol.it trentino-sud-tirol.it trentino-sudtirol.it trentino-sued-tirol.it trentino-suedtirol.it trentinoa-adige.it trentinoaadige.it trentinoalto-adige.it trentinoaltoadige.it trentinos-tirol.it trentinostirol.it trentinosud-tirol.it trentinosudtirol.it trentinosued-tirol.it trentinosuedtirol.it tuscany.it umb.it umbria.it val-d-aosta.it val-daosta.it vald-aosta.it valdaosta.it valle-aosta.it valle-d-aosta.it valle-daosta.it valleaosta.it valled-aosta.it valledaosta.it vallee-aoste.it valleeaoste.it vao.it vda.it ven.it veneto.it // Provinces ag.it agrigento.it al.it alessandria.it alto-adige.it altoadige.it an.it ancona.it andria-barletta-trani.it andria-trani-barletta.it andriabarlettatrani.it andriatranibarletta.it ao.it aosta.it aoste.it ap.it aq.it aquila.it ar.it arezzo.it ascoli-piceno.it ascolipiceno.it asti.it at.it av.it avellino.it ba.it balsan.it bari.it barletta-trani-andria.it barlettatraniandria.it belluno.it benevento.it bergamo.it bg.it bi.it biella.it bl.it bn.it bo.it bologna.it bolzano.it bozen.it br.it brescia.it brindisi.it bs.it bt.it bz.it ca.it cagliari.it caltanissetta.it campidano-medio.it campidanomedio.it campobasso.it carbonia-iglesias.it carboniaiglesias.it carrara-massa.it carraramassa.it caserta.it catania.it catanzaro.it cb.it ce.it cesena-forli.it cesenaforli.it ch.it chieti.it ci.it cl.it cn.it co.it como.it cosenza.it cr.it cremona.it crotone.it cs.it ct.it cuneo.it cz.it dell-ogliastra.it dellogliastra.it en.it enna.it fc.it fe.it fermo.it ferrara.it fg.it fi.it firenze.it florence.it fm.it foggia.it forli-cesena.it forlicesena.it fr.it frosinone.it ge.it genoa.it genova.it go.it gorizia.it gr.it grosseto.it iglesias-carbonia.it iglesiascarbonia.it im.it imperia.it is.it isernia.it kr.it la-spezia.it laquila.it laspezia.it latina.it lc.it le.it lecce.it lecco.it li.it livorno.it lo.it lodi.it lt.it lu.it lucca.it macerata.it mantova.it massa-carrara.it massacarrara.it matera.it mb.it mc.it me.it medio-campidano.it mediocampidano.it messina.it mi.it milan.it milano.it mn.it mo.it modena.it monza-brianza.it monza-e-della-brianza.it monza.it monzabrianza.it monzaebrianza.it monzaedellabrianza.it ms.it mt.it na.it naples.it napoli.it no.it novara.it nu.it nuoro.it og.it ogliastra.it olbia-tempio.it olbiatempio.it or.it oristano.it ot.it pa.it padova.it padua.it palermo.it parma.it pavia.it pc.it pd.it pe.it perugia.it pesaro-urbino.it pesarourbino.it pescara.it pg.it pi.it piacenza.it pisa.it pistoia.it pn.it po.it pordenone.it potenza.it pr.it prato.it pt.it pu.it pv.it pz.it ra.it ragusa.it ravenna.it rc.it re.it reggio-calabria.it reggio-emilia.it reggiocalabria.it reggioemilia.it rg.it ri.it rieti.it rimini.it rm.it rn.it ro.it roma.it rome.it rovigo.it sa.it salerno.it sassari.it savona.it si.it siena.it siracusa.it so.it sondrio.it sp.it sr.it ss.it suedtirol.it sv.it ta.it taranto.it te.it tempio-olbia.it tempioolbia.it teramo.it terni.it tn.it to.it torino.it tp.it tr.it trani-andria-barletta.it trani-barletta-andria.it traniandriabarletta.it tranibarlettaandria.it trapani.it trentino.it trento.it treviso.it trieste.it ts.it turin.it tv.it ud.it udine.it urbino-pesaro.it urbinopesaro.it va.it varese.it vb.it vc.it ve.it venezia.it venice.it verbania.it vercelli.it verona.it vi.it vibo-valentia.it vibovalentia.it vicenza.it viterbo.it vr.it vs.it vt.it vv.it // je : http://www.channelisles.net/register-domains/ // Confirmed by registry 2013-11-28 je co.je net.je org.je // jm : http://www.com.jm/register.html *.jm // jo : http://www.dns.jo/Registration_policy.aspx jo com.jo org.jo net.jo edu.jo sch.jo gov.jo mil.jo name.jo // jobs : http://en.wikipedia.org/wiki/.jobs jobs // jp : http://en.wikipedia.org/wiki/.jp // http://jprs.co.jp/en/jpdomain.html // Submitted by registry 2014-10-30 jp // jp organizational type names ac.jp ad.jp co.jp ed.jp go.jp gr.jp lg.jp ne.jp or.jp // jp prefecture type names aichi.jp akita.jp aomori.jp chiba.jp ehime.jp fukui.jp fukuoka.jp fukushima.jp gifu.jp gunma.jp hiroshima.jp hokkaido.jp hyogo.jp ibaraki.jp ishikawa.jp iwate.jp kagawa.jp kagoshima.jp kanagawa.jp kochi.jp kumamoto.jp kyoto.jp mie.jp miyagi.jp miyazaki.jp nagano.jp nagasaki.jp nara.jp niigata.jp oita.jp okayama.jp okinawa.jp osaka.jp saga.jp saitama.jp shiga.jp shimane.jp shizuoka.jp tochigi.jp tokushima.jp tokyo.jp tottori.jp toyama.jp wakayama.jp yamagata.jp yamaguchi.jp yamanashi.jp xn--4pvxs.jp xn--vgu402c.jp xn--c3s14m.jp xn--f6qx53a.jp xn--8pvr4u.jp xn--uist22h.jp xn--djrs72d6uy.jp xn--mkru45i.jp xn--0trq7p7nn.jp xn--8ltr62k.jp xn--2m4a15e.jp xn--efvn9s.jp xn--32vp30h.jp xn--4it797k.jp xn--1lqs71d.jp xn--5rtp49c.jp xn--5js045d.jp xn--ehqz56n.jp xn--1lqs03n.jp xn--qqqt11m.jp xn--kbrq7o.jp xn--pssu33l.jp xn--ntsq17g.jp xn--uisz3g.jp xn--6btw5a.jp xn--1ctwo.jp xn--6orx2r.jp xn--rht61e.jp xn--rht27z.jp xn--djty4k.jp xn--nit225k.jp xn--rht3d.jp xn--klty5x.jp xn--kltx9a.jp xn--kltp7d.jp xn--uuwu58a.jp xn--zbx025d.jp xn--ntso0iqx3a.jp xn--elqq16h.jp xn--4it168d.jp xn--klt787d.jp xn--rny31h.jp xn--7t0a264c.jp xn--5rtq34k.jp xn--k7yn95e.jp xn--tor131o.jp xn--d5qv7z876c.jp // jp geographic type names // http://jprs.jp/doc/rule/saisoku-1.html *.kawasaki.jp *.kitakyushu.jp *.kobe.jp *.nagoya.jp *.sapporo.jp *.sendai.jp *.yokohama.jp !city.kawasaki.jp !city.kitakyushu.jp !city.kobe.jp !city.nagoya.jp !city.sapporo.jp !city.sendai.jp !city.yokohama.jp // 4th level registration aisai.aichi.jp ama.aichi.jp anjo.aichi.jp asuke.aichi.jp chiryu.aichi.jp chita.aichi.jp fuso.aichi.jp gamagori.aichi.jp handa.aichi.jp hazu.aichi.jp hekinan.aichi.jp higashiura.aichi.jp ichinomiya.aichi.jp inazawa.aichi.jp inuyama.aichi.jp isshiki.aichi.jp iwakura.aichi.jp kanie.aichi.jp kariya.aichi.jp kasugai.aichi.jp kira.aichi.jp kiyosu.aichi.jp komaki.aichi.jp konan.aichi.jp kota.aichi.jp mihama.aichi.jp miyoshi.aichi.jp nishio.aichi.jp nisshin.aichi.jp obu.aichi.jp oguchi.aichi.jp oharu.aichi.jp okazaki.aichi.jp owariasahi.aichi.jp seto.aichi.jp shikatsu.aichi.jp shinshiro.aichi.jp shitara.aichi.jp tahara.aichi.jp takahama.aichi.jp tobishima.aichi.jp toei.aichi.jp togo.aichi.jp tokai.aichi.jp tokoname.aichi.jp toyoake.aichi.jp toyohashi.aichi.jp toyokawa.aichi.jp toyone.aichi.jp toyota.aichi.jp tsushima.aichi.jp yatomi.aichi.jp akita.akita.jp daisen.akita.jp fujisato.akita.jp gojome.akita.jp hachirogata.akita.jp happou.akita.jp higashinaruse.akita.jp honjo.akita.jp honjyo.akita.jp ikawa.akita.jp kamikoani.akita.jp kamioka.akita.jp katagami.akita.jp kazuno.akita.jp kitaakita.akita.jp kosaka.akita.jp kyowa.akita.jp misato.akita.jp mitane.akita.jp moriyoshi.akita.jp nikaho.akita.jp noshiro.akita.jp odate.akita.jp oga.akita.jp ogata.akita.jp semboku.akita.jp yokote.akita.jp yurihonjo.akita.jp aomori.aomori.jp gonohe.aomori.jp hachinohe.aomori.jp hashikami.aomori.jp hiranai.aomori.jp hirosaki.aomori.jp itayanagi.aomori.jp kuroishi.aomori.jp misawa.aomori.jp mutsu.aomori.jp nakadomari.aomori.jp noheji.aomori.jp oirase.aomori.jp owani.aomori.jp rokunohe.aomori.jp sannohe.aomori.jp shichinohe.aomori.jp shingo.aomori.jp takko.aomori.jp towada.aomori.jp tsugaru.aomori.jp tsuruta.aomori.jp abiko.chiba.jp asahi.chiba.jp chonan.chiba.jp chosei.chiba.jp choshi.chiba.jp chuo.chiba.jp funabashi.chiba.jp futtsu.chiba.jp hanamigawa.chiba.jp ichihara.chiba.jp ichikawa.chiba.jp ichinomiya.chiba.jp inzai.chiba.jp isumi.chiba.jp kamagaya.chiba.jp kamogawa.chiba.jp kashiwa.chiba.jp katori.chiba.jp katsuura.chiba.jp kimitsu.chiba.jp kisarazu.chiba.jp kozaki.chiba.jp kujukuri.chiba.jp kyonan.chiba.jp matsudo.chiba.jp midori.chiba.jp mihama.chiba.jp minamiboso.chiba.jp mobara.chiba.jp mutsuzawa.chiba.jp nagara.chiba.jp nagareyama.chiba.jp narashino.chiba.jp narita.chiba.jp noda.chiba.jp oamishirasato.chiba.jp omigawa.chiba.jp onjuku.chiba.jp otaki.chiba.jp sakae.chiba.jp sakura.chiba.jp shimofusa.chiba.jp shirako.chiba.jp shiroi.chiba.jp shisui.chiba.jp sodegaura.chiba.jp sosa.chiba.jp tako.chiba.jp tateyama.chiba.jp togane.chiba.jp tohnosho.chiba.jp tomisato.chiba.jp urayasu.chiba.jp yachimata.chiba.jp yachiyo.chiba.jp yokaichiba.chiba.jp yokoshibahikari.chiba.jp yotsukaido.chiba.jp ainan.ehime.jp honai.ehime.jp ikata.ehime.jp imabari.ehime.jp iyo.ehime.jp kamijima.ehime.jp kihoku.ehime.jp kumakogen.ehime.jp masaki.ehime.jp matsuno.ehime.jp matsuyama.ehime.jp namikata.ehime.jp niihama.ehime.jp ozu.ehime.jp saijo.ehime.jp seiyo.ehime.jp shikokuchuo.ehime.jp tobe.ehime.jp toon.ehime.jp uchiko.ehime.jp uwajima.ehime.jp yawatahama.ehime.jp echizen.fukui.jp eiheiji.fukui.jp fukui.fukui.jp ikeda.fukui.jp katsuyama.fukui.jp mihama.fukui.jp minamiechizen.fukui.jp obama.fukui.jp ohi.fukui.jp ono.fukui.jp sabae.fukui.jp sakai.fukui.jp takahama.fukui.jp tsuruga.fukui.jp wakasa.fukui.jp ashiya.fukuoka.jp buzen.fukuoka.jp chikugo.fukuoka.jp chikuho.fukuoka.jp chikujo.fukuoka.jp chikushino.fukuoka.jp chikuzen.fukuoka.jp chuo.fukuoka.jp dazaifu.fukuoka.jp fukuchi.fukuoka.jp hakata.fukuoka.jp higashi.fukuoka.jp hirokawa.fukuoka.jp hisayama.fukuoka.jp iizuka.fukuoka.jp inatsuki.fukuoka.jp kaho.fukuoka.jp kasuga.fukuoka.jp kasuya.fukuoka.jp kawara.fukuoka.jp keisen.fukuoka.jp koga.fukuoka.jp kurate.fukuoka.jp kurogi.fukuoka.jp kurume.fukuoka.jp minami.fukuoka.jp miyako.fukuoka.jp miyama.fukuoka.jp miyawaka.fukuoka.jp mizumaki.fukuoka.jp munakata.fukuoka.jp nakagawa.fukuoka.jp nakama.fukuoka.jp nishi.fukuoka.jp nogata.fukuoka.jp ogori.fukuoka.jp okagaki.fukuoka.jp okawa.fukuoka.jp oki.fukuoka.jp omuta.fukuoka.jp onga.fukuoka.jp onojo.fukuoka.jp oto.fukuoka.jp saigawa.fukuoka.jp sasaguri.fukuoka.jp shingu.fukuoka.jp shinyoshitomi.fukuoka.jp shonai.fukuoka.jp soeda.fukuoka.jp sue.fukuoka.jp tachiarai.fukuoka.jp tagawa.fukuoka.jp takata.fukuoka.jp toho.fukuoka.jp toyotsu.fukuoka.jp tsuiki.fukuoka.jp ukiha.fukuoka.jp umi.fukuoka.jp usui.fukuoka.jp yamada.fukuoka.jp yame.fukuoka.jp yanagawa.fukuoka.jp yukuhashi.fukuoka.jp aizubange.fukushima.jp aizumisato.fukushima.jp aizuwakamatsu.fukushima.jp asakawa.fukushima.jp bandai.fukushima.jp date.fukushima.jp fukushima.fukushima.jp furudono.fukushima.jp futaba.fukushima.jp hanawa.fukushima.jp higashi.fukushima.jp hirata.fukushima.jp hirono.fukushima.jp iitate.fukushima.jp inawashiro.fukushima.jp ishikawa.fukushima.jp iwaki.fukushima.jp izumizaki.fukushima.jp kagamiishi.fukushima.jp kaneyama.fukushima.jp kawamata.fukushima.jp kitakata.fukushima.jp kitashiobara.fukushima.jp koori.fukushima.jp koriyama.fukushima.jp kunimi.fukushima.jp miharu.fukushima.jp mishima.fukushima.jp namie.fukushima.jp nango.fukushima.jp nishiaizu.fukushima.jp nishigo.fukushima.jp okuma.fukushima.jp omotego.fukushima.jp ono.fukushima.jp otama.fukushima.jp samegawa.fukushima.jp shimogo.fukushima.jp shirakawa.fukushima.jp showa.fukushima.jp soma.fukushima.jp sukagawa.fukushima.jp taishin.fukushima.jp tamakawa.fukushima.jp tanagura.fukushima.jp tenei.fukushima.jp yabuki.fukushima.jp yamato.fukushima.jp yamatsuri.fukushima.jp yanaizu.fukushima.jp yugawa.fukushima.jp anpachi.gifu.jp ena.gifu.jp gifu.gifu.jp ginan.gifu.jp godo.gifu.jp gujo.gifu.jp hashima.gifu.jp hichiso.gifu.jp hida.gifu.jp higashishirakawa.gifu.jp ibigawa.gifu.jp ikeda.gifu.jp kakamigahara.gifu.jp kani.gifu.jp kasahara.gifu.jp kasamatsu.gifu.jp kawaue.gifu.jp kitagata.gifu.jp mino.gifu.jp minokamo.gifu.jp mitake.gifu.jp mizunami.gifu.jp motosu.gifu.jp nakatsugawa.gifu.jp ogaki.gifu.jp sakahogi.gifu.jp seki.gifu.jp sekigahara.gifu.jp shirakawa.gifu.jp tajimi.gifu.jp takayama.gifu.jp tarui.gifu.jp toki.gifu.jp tomika.gifu.jp wanouchi.gifu.jp yamagata.gifu.jp yaotsu.gifu.jp yoro.gifu.jp annaka.gunma.jp chiyoda.gunma.jp fujioka.gunma.jp higashiagatsuma.gunma.jp isesaki.gunma.jp itakura.gunma.jp kanna.gunma.jp kanra.gunma.jp katashina.gunma.jp kawaba.gunma.jp kiryu.gunma.jp kusatsu.gunma.jp maebashi.gunma.jp meiwa.gunma.jp midori.gunma.jp minakami.gunma.jp naganohara.gunma.jp nakanojo.gunma.jp nanmoku.gunma.jp numata.gunma.jp oizumi.gunma.jp ora.gunma.jp ota.gunma.jp shibukawa.gunma.jp shimonita.gunma.jp shinto.gunma.jp showa.gunma.jp takasaki.gunma.jp takayama.gunma.jp tamamura.gunma.jp tatebayashi.gunma.jp tomioka.gunma.jp tsukiyono.gunma.jp tsumagoi.gunma.jp ueno.gunma.jp yoshioka.gunma.jp asaminami.hiroshima.jp daiwa.hiroshima.jp etajima.hiroshima.jp fuchu.hiroshima.jp fukuyama.hiroshima.jp hatsukaichi.hiroshima.jp higashihiroshima.hiroshima.jp hongo.hiroshima.jp jinsekikogen.hiroshima.jp kaita.hiroshima.jp kui.hiroshima.jp kumano.hiroshima.jp kure.hiroshima.jp mihara.hiroshima.jp miyoshi.hiroshima.jp naka.hiroshima.jp onomichi.hiroshima.jp osakikamijima.hiroshima.jp otake.hiroshima.jp saka.hiroshima.jp sera.hiroshima.jp seranishi.hiroshima.jp shinichi.hiroshima.jp shobara.hiroshima.jp takehara.hiroshima.jp abashiri.hokkaido.jp abira.hokkaido.jp aibetsu.hokkaido.jp akabira.hokkaido.jp akkeshi.hokkaido.jp asahikawa.hokkaido.jp ashibetsu.hokkaido.jp ashoro.hokkaido.jp assabu.hokkaido.jp atsuma.hokkaido.jp bibai.hokkaido.jp biei.hokkaido.jp bifuka.hokkaido.jp bihoro.hokkaido.jp biratori.hokkaido.jp chippubetsu.hokkaido.jp chitose.hokkaido.jp date.hokkaido.jp ebetsu.hokkaido.jp embetsu.hokkaido.jp eniwa.hokkaido.jp erimo.hokkaido.jp esan.hokkaido.jp esashi.hokkaido.jp fukagawa.hokkaido.jp fukushima.hokkaido.jp furano.hokkaido.jp furubira.hokkaido.jp haboro.hokkaido.jp hakodate.hokkaido.jp hamatonbetsu.hokkaido.jp hidaka.hokkaido.jp higashikagura.hokkaido.jp higashikawa.hokkaido.jp hiroo.hokkaido.jp hokuryu.hokkaido.jp hokuto.hokkaido.jp honbetsu.hokkaido.jp horokanai.hokkaido.jp horonobe.hokkaido.jp ikeda.hokkaido.jp imakane.hokkaido.jp ishikari.hokkaido.jp iwamizawa.hokkaido.jp iwanai.hokkaido.jp kamifurano.hokkaido.jp kamikawa.hokkaido.jp kamishihoro.hokkaido.jp kamisunagawa.hokkaido.jp kamoenai.hokkaido.jp kayabe.hokkaido.jp kembuchi.hokkaido.jp kikonai.hokkaido.jp kimobetsu.hokkaido.jp kitahiroshima.hokkaido.jp kitami.hokkaido.jp kiyosato.hokkaido.jp koshimizu.hokkaido.jp kunneppu.hokkaido.jp kuriyama.hokkaido.jp kuromatsunai.hokkaido.jp kushiro.hokkaido.jp kutchan.hokkaido.jp kyowa.hokkaido.jp mashike.hokkaido.jp matsumae.hokkaido.jp mikasa.hokkaido.jp minamifurano.hokkaido.jp mombetsu.hokkaido.jp moseushi.hokkaido.jp mukawa.hokkaido.jp muroran.hokkaido.jp naie.hokkaido.jp nakagawa.hokkaido.jp nakasatsunai.hokkaido.jp nakatombetsu.hokkaido.jp nanae.hokkaido.jp nanporo.hokkaido.jp nayoro.hokkaido.jp nemuro.hokkaido.jp niikappu.hokkaido.jp niki.hokkaido.jp nishiokoppe.hokkaido.jp noboribetsu.hokkaido.jp numata.hokkaido.jp obihiro.hokkaido.jp obira.hokkaido.jp oketo.hokkaido.jp okoppe.hokkaido.jp otaru.hokkaido.jp otobe.hokkaido.jp otofuke.hokkaido.jp otoineppu.hokkaido.jp oumu.hokkaido.jp ozora.hokkaido.jp pippu.hokkaido.jp rankoshi.hokkaido.jp rebun.hokkaido.jp rikubetsu.hokkaido.jp rishiri.hokkaido.jp rishirifuji.hokkaido.jp saroma.hokkaido.jp sarufutsu.hokkaido.jp shakotan.hokkaido.jp shari.hokkaido.jp shibecha.hokkaido.jp shibetsu.hokkaido.jp shikabe.hokkaido.jp shikaoi.hokkaido.jp shimamaki.hokkaido.jp shimizu.hokkaido.jp shimokawa.hokkaido.jp shinshinotsu.hokkaido.jp shintoku.hokkaido.jp shiranuka.hokkaido.jp shiraoi.hokkaido.jp shiriuchi.hokkaido.jp sobetsu.hokkaido.jp sunagawa.hokkaido.jp taiki.hokkaido.jp takasu.hokkaido.jp takikawa.hokkaido.jp takinoue.hokkaido.jp teshikaga.hokkaido.jp tobetsu.hokkaido.jp tohma.hokkaido.jp tomakomai.hokkaido.jp tomari.hokkaido.jp toya.hokkaido.jp toyako.hokkaido.jp toyotomi.hokkaido.jp toyoura.hokkaido.jp tsubetsu.hokkaido.jp tsukigata.hokkaido.jp urakawa.hokkaido.jp urausu.hokkaido.jp uryu.hokkaido.jp utashinai.hokkaido.jp wakkanai.hokkaido.jp wassamu.hokkaido.jp yakumo.hokkaido.jp yoichi.hokkaido.jp aioi.hyogo.jp akashi.hyogo.jp ako.hyogo.jp amagasaki.hyogo.jp aogaki.hyogo.jp asago.hyogo.jp ashiya.hyogo.jp awaji.hyogo.jp fukusaki.hyogo.jp goshiki.hyogo.jp harima.hyogo.jp himeji.hyogo.jp ichikawa.hyogo.jp inagawa.hyogo.jp itami.hyogo.jp kakogawa.hyogo.jp kamigori.hyogo.jp kamikawa.hyogo.jp kasai.hyogo.jp kasuga.hyogo.jp kawanishi.hyogo.jp miki.hyogo.jp minamiawaji.hyogo.jp nishinomiya.hyogo.jp nishiwaki.hyogo.jp ono.hyogo.jp sanda.hyogo.jp sannan.hyogo.jp sasayama.hyogo.jp sayo.hyogo.jp shingu.hyogo.jp shinonsen.hyogo.jp shiso.hyogo.jp sumoto.hyogo.jp taishi.hyogo.jp taka.hyogo.jp takarazuka.hyogo.jp takasago.hyogo.jp takino.hyogo.jp tamba.hyogo.jp tatsuno.hyogo.jp toyooka.hyogo.jp yabu.hyogo.jp yashiro.hyogo.jp yoka.hyogo.jp yokawa.hyogo.jp ami.ibaraki.jp asahi.ibaraki.jp bando.ibaraki.jp chikusei.ibaraki.jp daigo.ibaraki.jp fujishiro.ibaraki.jp hitachi.ibaraki.jp hitachinaka.ibaraki.jp hitachiomiya.ibaraki.jp hitachiota.ibaraki.jp ibaraki.ibaraki.jp ina.ibaraki.jp inashiki.ibaraki.jp itako.ibaraki.jp iwama.ibaraki.jp joso.ibaraki.jp kamisu.ibaraki.jp kasama.ibaraki.jp kashima.ibaraki.jp kasumigaura.ibaraki.jp koga.ibaraki.jp miho.ibaraki.jp mito.ibaraki.jp moriya.ibaraki.jp naka.ibaraki.jp namegata.ibaraki.jp oarai.ibaraki.jp ogawa.ibaraki.jp omitama.ibaraki.jp ryugasaki.ibaraki.jp sakai.ibaraki.jp sakuragawa.ibaraki.jp shimodate.ibaraki.jp shimotsuma.ibaraki.jp shirosato.ibaraki.jp sowa.ibaraki.jp suifu.ibaraki.jp takahagi.ibaraki.jp tamatsukuri.ibaraki.jp tokai.ibaraki.jp tomobe.ibaraki.jp tone.ibaraki.jp toride.ibaraki.jp tsuchiura.ibaraki.jp tsukuba.ibaraki.jp uchihara.ibaraki.jp ushiku.ibaraki.jp yachiyo.ibaraki.jp yamagata.ibaraki.jp yawara.ibaraki.jp yuki.ibaraki.jp anamizu.ishikawa.jp hakui.ishikawa.jp hakusan.ishikawa.jp kaga.ishikawa.jp kahoku.ishikawa.jp kanazawa.ishikawa.jp kawakita.ishikawa.jp komatsu.ishikawa.jp nakanoto.ishikawa.jp nanao.ishikawa.jp nomi.ishikawa.jp nonoichi.ishikawa.jp noto.ishikawa.jp shika.ishikawa.jp suzu.ishikawa.jp tsubata.ishikawa.jp tsurugi.ishikawa.jp uchinada.ishikawa.jp wajima.ishikawa.jp fudai.iwate.jp fujisawa.iwate.jp hanamaki.iwate.jp hiraizumi.iwate.jp hirono.iwate.jp ichinohe.iwate.jp ichinoseki.iwate.jp iwaizumi.iwate.jp iwate.iwate.jp joboji.iwate.jp kamaishi.iwate.jp kanegasaki.iwate.jp karumai.iwate.jp kawai.iwate.jp kitakami.iwate.jp kuji.iwate.jp kunohe.iwate.jp kuzumaki.iwate.jp miyako.iwate.jp mizusawa.iwate.jp morioka.iwate.jp ninohe.iwate.jp noda.iwate.jp ofunato.iwate.jp oshu.iwate.jp otsuchi.iwate.jp rikuzentakata.iwate.jp shiwa.iwate.jp shizukuishi.iwate.jp sumita.iwate.jp tanohata.iwate.jp tono.iwate.jp yahaba.iwate.jp yamada.iwate.jp ayagawa.kagawa.jp higashikagawa.kagawa.jp kanonji.kagawa.jp kotohira.kagawa.jp manno.kagawa.jp marugame.kagawa.jp mitoyo.kagawa.jp naoshima.kagawa.jp sanuki.kagawa.jp tadotsu.kagawa.jp takamatsu.kagawa.jp tonosho.kagawa.jp uchinomi.kagawa.jp utazu.kagawa.jp zentsuji.kagawa.jp akune.kagoshima.jp amami.kagoshima.jp hioki.kagoshima.jp isa.kagoshima.jp isen.kagoshima.jp izumi.kagoshima.jp kagoshima.kagoshima.jp kanoya.kagoshima.jp kawanabe.kagoshima.jp kinko.kagoshima.jp kouyama.kagoshima.jp makurazaki.kagoshima.jp matsumoto.kagoshima.jp minamitane.kagoshima.jp nakatane.kagoshima.jp nishinoomote.kagoshima.jp satsumasendai.kagoshima.jp soo.kagoshima.jp tarumizu.kagoshima.jp yusui.kagoshima.jp aikawa.kanagawa.jp atsugi.kanagawa.jp ayase.kanagawa.jp chigasaki.kanagawa.jp ebina.kanagawa.jp fujisawa.kanagawa.jp hadano.kanagawa.jp hakone.kanagawa.jp hiratsuka.kanagawa.jp isehara.kanagawa.jp kaisei.kanagawa.jp kamakura.kanagawa.jp kiyokawa.kanagawa.jp matsuda.kanagawa.jp minamiashigara.kanagawa.jp miura.kanagawa.jp nakai.kanagawa.jp ninomiya.kanagawa.jp odawara.kanagawa.jp oi.kanagawa.jp oiso.kanagawa.jp sagamihara.kanagawa.jp samukawa.kanagawa.jp tsukui.kanagawa.jp yamakita.kanagawa.jp yamato.kanagawa.jp yokosuka.kanagawa.jp yugawara.kanagawa.jp zama.kanagawa.jp zushi.kanagawa.jp aki.kochi.jp geisei.kochi.jp hidaka.kochi.jp higashitsuno.kochi.jp ino.kochi.jp kagami.kochi.jp kami.kochi.jp kitagawa.kochi.jp kochi.kochi.jp mihara.kochi.jp motoyama.kochi.jp muroto.kochi.jp nahari.kochi.jp nakamura.kochi.jp nankoku.kochi.jp nishitosa.kochi.jp niyodogawa.kochi.jp ochi.kochi.jp okawa.kochi.jp otoyo.kochi.jp otsuki.kochi.jp sakawa.kochi.jp sukumo.kochi.jp susaki.kochi.jp tosa.kochi.jp tosashimizu.kochi.jp toyo.kochi.jp tsuno.kochi.jp umaji.kochi.jp yasuda.kochi.jp yusuhara.kochi.jp amakusa.kumamoto.jp arao.kumamoto.jp aso.kumamoto.jp choyo.kumamoto.jp gyokuto.kumamoto.jp hitoyoshi.kumamoto.jp kamiamakusa.kumamoto.jp kashima.kumamoto.jp kikuchi.kumamoto.jp kosa.kumamoto.jp kumamoto.kumamoto.jp mashiki.kumamoto.jp mifune.kumamoto.jp minamata.kumamoto.jp minamioguni.kumamoto.jp nagasu.kumamoto.jp nishihara.kumamoto.jp oguni.kumamoto.jp ozu.kumamoto.jp sumoto.kumamoto.jp takamori.kumamoto.jp uki.kumamoto.jp uto.kumamoto.jp yamaga.kumamoto.jp yamato.kumamoto.jp yatsushiro.kumamoto.jp ayabe.kyoto.jp fukuchiyama.kyoto.jp higashiyama.kyoto.jp ide.kyoto.jp ine.kyoto.jp joyo.kyoto.jp kameoka.kyoto.jp kamo.kyoto.jp kita.kyoto.jp kizu.kyoto.jp kumiyama.kyoto.jp kyotamba.kyoto.jp kyotanabe.kyoto.jp kyotango.kyoto.jp maizuru.kyoto.jp minami.kyoto.jp minamiyamashiro.kyoto.jp miyazu.kyoto.jp muko.kyoto.jp nagaokakyo.kyoto.jp nakagyo.kyoto.jp nantan.kyoto.jp oyamazaki.kyoto.jp sakyo.kyoto.jp seika.kyoto.jp tanabe.kyoto.jp uji.kyoto.jp ujitawara.kyoto.jp wazuka.kyoto.jp yamashina.kyoto.jp yawata.kyoto.jp asahi.mie.jp inabe.mie.jp ise.mie.jp kameyama.mie.jp kawagoe.mie.jp kiho.mie.jp kisosaki.mie.jp kiwa.mie.jp komono.mie.jp kumano.mie.jp kuwana.mie.jp matsusaka.mie.jp meiwa.mie.jp mihama.mie.jp minamiise.mie.jp misugi.mie.jp miyama.mie.jp nabari.mie.jp shima.mie.jp suzuka.mie.jp tado.mie.jp taiki.mie.jp taki.mie.jp tamaki.mie.jp toba.mie.jp tsu.mie.jp udono.mie.jp ureshino.mie.jp watarai.mie.jp yokkaichi.mie.jp furukawa.miyagi.jp higashimatsushima.miyagi.jp ishinomaki.miyagi.jp iwanuma.miyagi.jp kakuda.miyagi.jp kami.miyagi.jp kawasaki.miyagi.jp kesennuma.miyagi.jp marumori.miyagi.jp matsushima.miyagi.jp minamisanriku.miyagi.jp misato.miyagi.jp murata.miyagi.jp natori.miyagi.jp ogawara.miyagi.jp ohira.miyagi.jp onagawa.miyagi.jp osaki.miyagi.jp rifu.miyagi.jp semine.miyagi.jp shibata.miyagi.jp shichikashuku.miyagi.jp shikama.miyagi.jp shiogama.miyagi.jp shiroishi.miyagi.jp tagajo.miyagi.jp taiwa.miyagi.jp tome.miyagi.jp tomiya.miyagi.jp wakuya.miyagi.jp watari.miyagi.jp yamamoto.miyagi.jp zao.miyagi.jp aya.miyazaki.jp ebino.miyazaki.jp gokase.miyazaki.jp hyuga.miyazaki.jp kadogawa.miyazaki.jp kawaminami.miyazaki.jp kijo.miyazaki.jp kitagawa.miyazaki.jp kitakata.miyazaki.jp kitaura.miyazaki.jp kobayashi.miyazaki.jp kunitomi.miyazaki.jp kushima.miyazaki.jp mimata.miyazaki.jp miyakonojo.miyazaki.jp miyazaki.miyazaki.jp morotsuka.miyazaki.jp nichinan.miyazaki.jp nishimera.miyazaki.jp nobeoka.miyazaki.jp saito.miyazaki.jp shiiba.miyazaki.jp shintomi.miyazaki.jp takaharu.miyazaki.jp takanabe.miyazaki.jp takazaki.miyazaki.jp tsuno.miyazaki.jp achi.nagano.jp agematsu.nagano.jp anan.nagano.jp aoki.nagano.jp asahi.nagano.jp azumino.nagano.jp chikuhoku.nagano.jp chikuma.nagano.jp chino.nagano.jp fujimi.nagano.jp hakuba.nagano.jp hara.nagano.jp hiraya.nagano.jp iida.nagano.jp iijima.nagano.jp iiyama.nagano.jp iizuna.nagano.jp ikeda.nagano.jp ikusaka.nagano.jp ina.nagano.jp karuizawa.nagano.jp kawakami.nagano.jp kiso.nagano.jp kisofukushima.nagano.jp kitaaiki.nagano.jp komagane.nagano.jp komoro.nagano.jp matsukawa.nagano.jp matsumoto.nagano.jp miasa.nagano.jp minamiaiki.nagano.jp minamimaki.nagano.jp minamiminowa.nagano.jp minowa.nagano.jp miyada.nagano.jp miyota.nagano.jp mochizuki.nagano.jp nagano.nagano.jp nagawa.nagano.jp nagiso.nagano.jp nakagawa.nagano.jp nakano.nagano.jp nozawaonsen.nagano.jp obuse.nagano.jp ogawa.nagano.jp okaya.nagano.jp omachi.nagano.jp omi.nagano.jp ookuwa.nagano.jp ooshika.nagano.jp otaki.nagano.jp otari.nagano.jp sakae.nagano.jp sakaki.nagano.jp saku.nagano.jp sakuho.nagano.jp shimosuwa.nagano.jp shinanomachi.nagano.jp shiojiri.nagano.jp suwa.nagano.jp suzaka.nagano.jp takagi.nagano.jp takamori.nagano.jp takayama.nagano.jp tateshina.nagano.jp tatsuno.nagano.jp togakushi.nagano.jp togura.nagano.jp tomi.nagano.jp ueda.nagano.jp wada.nagano.jp yamagata.nagano.jp yamanouchi.nagano.jp yasaka.nagano.jp yasuoka.nagano.jp chijiwa.nagasaki.jp futsu.nagasaki.jp goto.nagasaki.jp hasami.nagasaki.jp hirado.nagasaki.jp iki.nagasaki.jp isahaya.nagasaki.jp kawatana.nagasaki.jp kuchinotsu.nagasaki.jp matsuura.nagasaki.jp nagasaki.nagasaki.jp obama.nagasaki.jp omura.nagasaki.jp oseto.nagasaki.jp saikai.nagasaki.jp sasebo.nagasaki.jp seihi.nagasaki.jp shimabara.nagasaki.jp shinkamigoto.nagasaki.jp togitsu.nagasaki.jp tsushima.nagasaki.jp unzen.nagasaki.jp ando.nara.jp gose.nara.jp heguri.nara.jp higashiyoshino.nara.jp ikaruga.nara.jp ikoma.nara.jp kamikitayama.nara.jp kanmaki.nara.jp kashiba.nara.jp kashihara.nara.jp katsuragi.nara.jp kawai.nara.jp kawakami.nara.jp kawanishi.nara.jp koryo.nara.jp kurotaki.nara.jp mitsue.nara.jp miyake.nara.jp nara.nara.jp nosegawa.nara.jp oji.nara.jp ouda.nara.jp oyodo.nara.jp sakurai.nara.jp sango.nara.jp shimoichi.nara.jp shimokitayama.nara.jp shinjo.nara.jp soni.nara.jp takatori.nara.jp tawaramoto.nara.jp tenkawa.nara.jp tenri.nara.jp uda.nara.jp yamatokoriyama.nara.jp yamatotakada.nara.jp yamazoe.nara.jp yoshino.nara.jp aga.niigata.jp agano.niigata.jp gosen.niigata.jp itoigawa.niigata.jp izumozaki.niigata.jp joetsu.niigata.jp kamo.niigata.jp kariwa.niigata.jp kashiwazaki.niigata.jp minamiuonuma.niigata.jp mitsuke.niigata.jp muika.niigata.jp murakami.niigata.jp myoko.niigata.jp nagaoka.niigata.jp niigata.niigata.jp ojiya.niigata.jp omi.niigata.jp sado.niigata.jp sanjo.niigata.jp seiro.niigata.jp seirou.niigata.jp sekikawa.niigata.jp shibata.niigata.jp tagami.niigata.jp tainai.niigata.jp tochio.niigata.jp tokamachi.niigata.jp tsubame.niigata.jp tsunan.niigata.jp uonuma.niigata.jp yahiko.niigata.jp yoita.niigata.jp yuzawa.niigata.jp beppu.oita.jp bungoono.oita.jp bungotakada.oita.jp hasama.oita.jp hiji.oita.jp himeshima.oita.jp hita.oita.jp kamitsue.oita.jp kokonoe.oita.jp kuju.oita.jp kunisaki.oita.jp kusu.oita.jp oita.oita.jp saiki.oita.jp taketa.oita.jp tsukumi.oita.jp usa.oita.jp usuki.oita.jp yufu.oita.jp akaiwa.okayama.jp asakuchi.okayama.jp bizen.okayama.jp hayashima.okayama.jp ibara.okayama.jp kagamino.okayama.jp kasaoka.okayama.jp kibichuo.okayama.jp kumenan.okayama.jp kurashiki.okayama.jp maniwa.okayama.jp misaki.okayama.jp nagi.okayama.jp niimi.okayama.jp nishiawakura.okayama.jp okayama.okayama.jp satosho.okayama.jp setouchi.okayama.jp shinjo.okayama.jp shoo.okayama.jp soja.okayama.jp takahashi.okayama.jp tamano.okayama.jp tsuyama.okayama.jp wake.okayama.jp yakage.okayama.jp aguni.okinawa.jp ginowan.okinawa.jp ginoza.okinawa.jp gushikami.okinawa.jp haebaru.okinawa.jp higashi.okinawa.jp hirara.okinawa.jp iheya.okinawa.jp ishigaki.okinawa.jp ishikawa.okinawa.jp itoman.okinawa.jp izena.okinawa.jp kadena.okinawa.jp kin.okinawa.jp kitadaito.okinawa.jp kitanakagusuku.okinawa.jp kumejima.okinawa.jp kunigami.okinawa.jp minamidaito.okinawa.jp motobu.okinawa.jp nago.okinawa.jp naha.okinawa.jp nakagusuku.okinawa.jp nakijin.okinawa.jp nanjo.okinawa.jp nishihara.okinawa.jp ogimi.okinawa.jp okinawa.okinawa.jp onna.okinawa.jp shimoji.okinawa.jp taketomi.okinawa.jp tarama.okinawa.jp tokashiki.okinawa.jp tomigusuku.okinawa.jp tonaki.okinawa.jp urasoe.okinawa.jp uruma.okinawa.jp yaese.okinawa.jp yomitan.okinawa.jp yonabaru.okinawa.jp yonaguni.okinawa.jp zamami.okinawa.jp abeno.osaka.jp chihayaakasaka.osaka.jp chuo.osaka.jp daito.osaka.jp fujiidera.osaka.jp habikino.osaka.jp hannan.osaka.jp higashiosaka.osaka.jp higashisumiyoshi.osaka.jp higashiyodogawa.osaka.jp hirakata.osaka.jp ibaraki.osaka.jp ikeda.osaka.jp izumi.osaka.jp izumiotsu.osaka.jp izumisano.osaka.jp kadoma.osaka.jp kaizuka.osaka.jp kanan.osaka.jp kashiwara.osaka.jp katano.osaka.jp kawachinagano.osaka.jp kishiwada.osaka.jp kita.osaka.jp kumatori.osaka.jp matsubara.osaka.jp minato.osaka.jp minoh.osaka.jp misaki.osaka.jp moriguchi.osaka.jp neyagawa.osaka.jp nishi.osaka.jp nose.osaka.jp osakasayama.osaka.jp sakai.osaka.jp sayama.osaka.jp sennan.osaka.jp settsu.osaka.jp shijonawate.osaka.jp shimamoto.osaka.jp suita.osaka.jp tadaoka.osaka.jp taishi.osaka.jp tajiri.osaka.jp takaishi.osaka.jp takatsuki.osaka.jp tondabayashi.osaka.jp toyonaka.osaka.jp toyono.osaka.jp yao.osaka.jp ariake.saga.jp arita.saga.jp fukudomi.saga.jp genkai.saga.jp hamatama.saga.jp hizen.saga.jp imari.saga.jp kamimine.saga.jp kanzaki.saga.jp karatsu.saga.jp kashima.saga.jp kitagata.saga.jp kitahata.saga.jp kiyama.saga.jp kouhoku.saga.jp kyuragi.saga.jp nishiarita.saga.jp ogi.saga.jp omachi.saga.jp ouchi.saga.jp saga.saga.jp shiroishi.saga.jp taku.saga.jp tara.saga.jp tosu.saga.jp yoshinogari.saga.jp arakawa.saitama.jp asaka.saitama.jp chichibu.saitama.jp fujimi.saitama.jp fujimino.saitama.jp fukaya.saitama.jp hanno.saitama.jp hanyu.saitama.jp hasuda.saitama.jp hatogaya.saitama.jp hatoyama.saitama.jp hidaka.saitama.jp higashichichibu.saitama.jp higashimatsuyama.saitama.jp honjo.saitama.jp ina.saitama.jp iruma.saitama.jp iwatsuki.saitama.jp kamiizumi.saitama.jp kamikawa.saitama.jp kamisato.saitama.jp kasukabe.saitama.jp kawagoe.saitama.jp kawaguchi.saitama.jp kawajima.saitama.jp kazo.saitama.jp kitamoto.saitama.jp koshigaya.saitama.jp kounosu.saitama.jp kuki.saitama.jp kumagaya.saitama.jp matsubushi.saitama.jp minano.saitama.jp misato.saitama.jp miyashiro.saitama.jp miyoshi.saitama.jp moroyama.saitama.jp nagatoro.saitama.jp namegawa.saitama.jp niiza.saitama.jp ogano.saitama.jp ogawa.saitama.jp ogose.saitama.jp okegawa.saitama.jp omiya.saitama.jp otaki.saitama.jp ranzan.saitama.jp ryokami.saitama.jp saitama.saitama.jp sakado.saitama.jp satte.saitama.jp sayama.saitama.jp shiki.saitama.jp shiraoka.saitama.jp soka.saitama.jp sugito.saitama.jp toda.saitama.jp tokigawa.saitama.jp tokorozawa.saitama.jp tsurugashima.saitama.jp urawa.saitama.jp warabi.saitama.jp yashio.saitama.jp yokoze.saitama.jp yono.saitama.jp yorii.saitama.jp yoshida.saitama.jp yoshikawa.saitama.jp yoshimi.saitama.jp aisho.shiga.jp gamo.shiga.jp higashiomi.shiga.jp hikone.shiga.jp koka.shiga.jp konan.shiga.jp kosei.shiga.jp koto.shiga.jp kusatsu.shiga.jp maibara.shiga.jp moriyama.shiga.jp nagahama.shiga.jp nishiazai.shiga.jp notogawa.shiga.jp omihachiman.shiga.jp otsu.shiga.jp ritto.shiga.jp ryuoh.shiga.jp takashima.shiga.jp takatsuki.shiga.jp torahime.shiga.jp toyosato.shiga.jp yasu.shiga.jp akagi.shimane.jp ama.shimane.jp gotsu.shimane.jp hamada.shimane.jp higashiizumo.shimane.jp hikawa.shimane.jp hikimi.shimane.jp izumo.shimane.jp kakinoki.shimane.jp masuda.shimane.jp matsue.shimane.jp misato.shimane.jp nishinoshima.shimane.jp ohda.shimane.jp okinoshima.shimane.jp okuizumo.shimane.jp shimane.shimane.jp tamayu.shimane.jp tsuwano.shimane.jp unnan.shimane.jp yakumo.shimane.jp yasugi.shimane.jp yatsuka.shimane.jp arai.shizuoka.jp atami.shizuoka.jp fuji.shizuoka.jp fujieda.shizuoka.jp fujikawa.shizuoka.jp fujinomiya.shizuoka.jp fukuroi.shizuoka.jp gotemba.shizuoka.jp haibara.shizuoka.jp hamamatsu.shizuoka.jp higashiizu.shizuoka.jp ito.shizuoka.jp iwata.shizuoka.jp izu.shizuoka.jp izunokuni.shizuoka.jp kakegawa.shizuoka.jp kannami.shizuoka.jp kawanehon.shizuoka.jp kawazu.shizuoka.jp kikugawa.shizuoka.jp kosai.shizuoka.jp makinohara.shizuoka.jp matsuzaki.shizuoka.jp minamiizu.shizuoka.jp mishima.shizuoka.jp morimachi.shizuoka.jp nishiizu.shizuoka.jp numazu.shizuoka.jp omaezaki.shizuoka.jp shimada.shizuoka.jp shimizu.shizuoka.jp shimoda.shizuoka.jp shizuoka.shizuoka.jp susono.shizuoka.jp yaizu.shizuoka.jp yoshida.shizuoka.jp ashikaga.tochigi.jp bato.tochigi.jp haga.tochigi.jp ichikai.tochigi.jp iwafune.tochigi.jp kaminokawa.tochigi.jp kanuma.tochigi.jp karasuyama.tochigi.jp kuroiso.tochigi.jp mashiko.tochigi.jp mibu.tochigi.jp moka.tochigi.jp motegi.tochigi.jp nasu.tochigi.jp nasushiobara.tochigi.jp nikko.tochigi.jp nishikata.tochigi.jp nogi.tochigi.jp ohira.tochigi.jp ohtawara.tochigi.jp oyama.tochigi.jp sakura.tochigi.jp sano.tochigi.jp shimotsuke.tochigi.jp shioya.tochigi.jp takanezawa.tochigi.jp tochigi.tochigi.jp tsuga.tochigi.jp ujiie.tochigi.jp utsunomiya.tochigi.jp yaita.tochigi.jp aizumi.tokushima.jp anan.tokushima.jp ichiba.tokushima.jp itano.tokushima.jp kainan.tokushima.jp komatsushima.tokushima.jp matsushige.tokushima.jp mima.tokushima.jp minami.tokushima.jp miyoshi.tokushima.jp mugi.tokushima.jp nakagawa.tokushima.jp naruto.tokushima.jp sanagochi.tokushima.jp shishikui.tokushima.jp tokushima.tokushima.jp wajiki.tokushima.jp adachi.tokyo.jp akiruno.tokyo.jp akishima.tokyo.jp aogashima.tokyo.jp arakawa.tokyo.jp bunkyo.tokyo.jp chiyoda.tokyo.jp chofu.tokyo.jp chuo.tokyo.jp edogawa.tokyo.jp fuchu.tokyo.jp fussa.tokyo.jp hachijo.tokyo.jp hachioji.tokyo.jp hamura.tokyo.jp higashikurume.tokyo.jp higashimurayama.tokyo.jp higashiyamato.tokyo.jp hino.tokyo.jp hinode.tokyo.jp hinohara.tokyo.jp inagi.tokyo.jp itabashi.tokyo.jp katsushika.tokyo.jp kita.tokyo.jp kiyose.tokyo.jp kodaira.tokyo.jp koganei.tokyo.jp kokubunji.tokyo.jp komae.tokyo.jp koto.tokyo.jp kouzushima.tokyo.jp kunitachi.tokyo.jp machida.tokyo.jp meguro.tokyo.jp minato.tokyo.jp mitaka.tokyo.jp mizuho.tokyo.jp musashimurayama.tokyo.jp musashino.tokyo.jp nakano.tokyo.jp nerima.tokyo.jp ogasawara.tokyo.jp okutama.tokyo.jp ome.tokyo.jp oshima.tokyo.jp ota.tokyo.jp setagaya.tokyo.jp shibuya.tokyo.jp shinagawa.tokyo.jp shinjuku.tokyo.jp suginami.tokyo.jp sumida.tokyo.jp tachikawa.tokyo.jp taito.tokyo.jp tama.tokyo.jp toshima.tokyo.jp chizu.tottori.jp hino.tottori.jp kawahara.tottori.jp koge.tottori.jp kotoura.tottori.jp misasa.tottori.jp nanbu.tottori.jp nichinan.tottori.jp sakaiminato.tottori.jp tottori.tottori.jp wakasa.tottori.jp yazu.tottori.jp yonago.tottori.jp asahi.toyama.jp fuchu.toyama.jp fukumitsu.toyama.jp funahashi.toyama.jp himi.toyama.jp imizu.toyama.jp inami.toyama.jp johana.toyama.jp kamiichi.toyama.jp kurobe.toyama.jp nakaniikawa.toyama.jp namerikawa.toyama.jp nanto.toyama.jp nyuzen.toyama.jp oyabe.toyama.jp taira.toyama.jp takaoka.toyama.jp tateyama.toyama.jp toga.toyama.jp tonami.toyama.jp toyama.toyama.jp unazuki.toyama.jp uozu.toyama.jp yamada.toyama.jp arida.wakayama.jp aridagawa.wakayama.jp gobo.wakayama.jp hashimoto.wakayama.jp hidaka.wakayama.jp hirogawa.wakayama.jp inami.wakayama.jp iwade.wakayama.jp kainan.wakayama.jp kamitonda.wakayama.jp katsuragi.wakayama.jp kimino.wakayama.jp kinokawa.wakayama.jp kitayama.wakayama.jp koya.wakayama.jp koza.wakayama.jp kozagawa.wakayama.jp kudoyama.wakayama.jp kushimoto.wakayama.jp mihama.wakayama.jp misato.wakayama.jp nachikatsuura.wakayama.jp shingu.wakayama.jp shirahama.wakayama.jp taiji.wakayama.jp tanabe.wakayama.jp wakayama.wakayama.jp yuasa.wakayama.jp yura.wakayama.jp asahi.yamagata.jp funagata.yamagata.jp higashine.yamagata.jp iide.yamagata.jp kahoku.yamagata.jp kaminoyama.yamagata.jp kaneyama.yamagata.jp kawanishi.yamagata.jp mamurogawa.yamagata.jp mikawa.yamagata.jp murayama.yamagata.jp nagai.yamagata.jp nakayama.yamagata.jp nanyo.yamagata.jp nishikawa.yamagata.jp obanazawa.yamagata.jp oe.yamagata.jp oguni.yamagata.jp ohkura.yamagata.jp oishida.yamagata.jp sagae.yamagata.jp sakata.yamagata.jp sakegawa.yamagata.jp shinjo.yamagata.jp shirataka.yamagata.jp shonai.yamagata.jp takahata.yamagata.jp tendo.yamagata.jp tozawa.yamagata.jp tsuruoka.yamagata.jp yamagata.yamagata.jp yamanobe.yamagata.jp yonezawa.yamagata.jp yuza.yamagata.jp abu.yamaguchi.jp hagi.yamaguchi.jp hikari.yamaguchi.jp hofu.yamaguchi.jp iwakuni.yamaguchi.jp kudamatsu.yamaguchi.jp mitou.yamaguchi.jp nagato.yamaguchi.jp oshima.yamaguchi.jp shimonoseki.yamaguchi.jp shunan.yamaguchi.jp tabuse.yamaguchi.jp tokuyama.yamaguchi.jp toyota.yamaguchi.jp ube.yamaguchi.jp yuu.yamaguchi.jp chuo.yamanashi.jp doshi.yamanashi.jp fuefuki.yamanashi.jp fujikawa.yamanashi.jp fujikawaguchiko.yamanashi.jp fujiyoshida.yamanashi.jp hayakawa.yamanashi.jp hokuto.yamanashi.jp ichikawamisato.yamanashi.jp kai.yamanashi.jp kofu.yamanashi.jp koshu.yamanashi.jp kosuge.yamanashi.jp minami-alps.yamanashi.jp minobu.yamanashi.jp nakamichi.yamanashi.jp nanbu.yamanashi.jp narusawa.yamanashi.jp nirasaki.yamanashi.jp nishikatsura.yamanashi.jp oshino.yamanashi.jp otsuki.yamanashi.jp showa.yamanashi.jp tabayama.yamanashi.jp tsuru.yamanashi.jp uenohara.yamanashi.jp yamanakako.yamanashi.jp yamanashi.yamanashi.jp // ke : http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145 *.ke // kg : http://www.domain.kg/dmn_n.html kg org.kg net.kg com.kg edu.kg gov.kg mil.kg // kh : http://www.mptc.gov.kh/dns_registration.htm *.kh // ki : http://www.ki/dns/index.html ki edu.ki biz.ki net.ki org.ki gov.ki info.ki com.ki // km : http://en.wikipedia.org/wiki/.km // http://www.domaine.km/documents/charte.doc km org.km nom.km gov.km prd.km tm.km edu.km mil.km ass.km com.km // These are only mentioned as proposed suggestions at domaine.km, but // http://en.wikipedia.org/wiki/.km says they're available for registration: coop.km asso.km presse.km medecin.km notaires.km pharmaciens.km veterinaire.km gouv.km // kn : http://en.wikipedia.org/wiki/.kn // http://www.dot.kn/domainRules.html kn net.kn org.kn edu.kn gov.kn // kp : http://www.kcce.kp/en_index.php kp com.kp edu.kp gov.kp org.kp rep.kp tra.kp // kr : http://en.wikipedia.org/wiki/.kr // see also: http://domain.nida.or.kr/eng/registration.jsp kr ac.kr co.kr es.kr go.kr hs.kr kg.kr mil.kr ms.kr ne.kr or.kr pe.kr re.kr sc.kr // kr geographical names busan.kr chungbuk.kr chungnam.kr daegu.kr daejeon.kr gangwon.kr gwangju.kr gyeongbuk.kr gyeonggi.kr gyeongnam.kr incheon.kr jeju.kr jeonbuk.kr jeonnam.kr seoul.kr ulsan.kr // kw : http://en.wikipedia.org/wiki/.kw *.kw // ky : http://www.icta.ky/da_ky_reg_dom.php // Confirmed by registry 2008-06-17 ky edu.ky gov.ky com.ky org.ky net.ky // kz : http://en.wikipedia.org/wiki/.kz // see also: http://www.nic.kz/rules/index.jsp kz org.kz edu.kz net.kz gov.kz mil.kz com.kz // la : http://en.wikipedia.org/wiki/.la // Submitted by registry 2008-06-10 la int.la net.la info.la edu.la gov.la per.la com.la org.la // lb : http://en.wikipedia.org/wiki/.lb // Submitted by registry 2008-06-17 lb com.lb edu.lb gov.lb net.lb org.lb // lc : http://en.wikipedia.org/wiki/.lc // see also: http://www.nic.lc/rules.htm lc com.lc net.lc co.lc org.lc edu.lc gov.lc // li : http://en.wikipedia.org/wiki/.li li // lk : http://www.nic.lk/seclevpr.html lk gov.lk sch.lk net.lk int.lk com.lk org.lk edu.lk ngo.lk soc.lk web.lk ltd.lk assn.lk grp.lk hotel.lk ac.lk // lr : http://psg.com/dns/lr/lr.txt // Submitted by registry 2008-06-17 lr com.lr edu.lr gov.lr org.lr net.lr // ls : http://en.wikipedia.org/wiki/.ls ls co.ls org.ls // lt : http://en.wikipedia.org/wiki/.lt lt // gov.lt : http://www.gov.lt/index_en.php gov.lt // lu : http://www.dns.lu/en/ lu // lv : http://www.nic.lv/DNS/En/generic.php lv com.lv edu.lv gov.lv org.lv mil.lv id.lv net.lv asn.lv conf.lv // ly : http://www.nic.ly/regulations.php ly com.ly net.ly gov.ly plc.ly edu.ly sch.ly med.ly org.ly id.ly // ma : http://en.wikipedia.org/wiki/.ma // http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf ma co.ma net.ma gov.ma org.ma ac.ma press.ma // mc : http://www.nic.mc/ mc tm.mc asso.mc // md : http://en.wikipedia.org/wiki/.md md // me : http://en.wikipedia.org/wiki/.me me co.me net.me org.me edu.me ac.me gov.me its.me priv.me // mg : http://nic.mg/nicmg/?page_id=39 mg org.mg nom.mg gov.mg prd.mg tm.mg edu.mg mil.mg com.mg co.mg // mh : http://en.wikipedia.org/wiki/.mh mh // mil : http://en.wikipedia.org/wiki/.mil mil // mk : http://en.wikipedia.org/wiki/.mk // see also: http://dns.marnet.net.mk/postapka.php mk com.mk org.mk net.mk edu.mk gov.mk inf.mk name.mk // ml : http://www.gobin.info/domainname/ml-template.doc // see also: http://en.wikipedia.org/wiki/.ml ml com.ml edu.ml gouv.ml gov.ml net.ml org.ml presse.ml // mm : http://en.wikipedia.org/wiki/.mm *.mm // mn : http://en.wikipedia.org/wiki/.mn mn gov.mn edu.mn org.mn // mo : http://www.monic.net.mo/ mo com.mo net.mo org.mo edu.mo gov.mo // mobi : http://en.wikipedia.org/wiki/.mobi mobi // mp : http://www.dot.mp/ // Confirmed by registry 2008-06-17 mp // mq : http://en.wikipedia.org/wiki/.mq mq // mr : http://en.wikipedia.org/wiki/.mr mr gov.mr // ms : http://www.nic.ms/pdf/MS_Domain_Name_Rules.pdf ms com.ms edu.ms gov.ms net.ms org.ms // mt : https://www.nic.org.mt/go/policy // Submitted by registry 2013-11-19 mt com.mt edu.mt net.mt org.mt // mu : http://en.wikipedia.org/wiki/.mu mu com.mu net.mu org.mu gov.mu ac.mu co.mu or.mu // museum : http://about.museum/naming/ // http://index.museum/ museum academy.museum agriculture.museum air.museum airguard.museum alabama.museum alaska.museum amber.museum ambulance.museum american.museum americana.museum americanantiques.museum americanart.museum amsterdam.museum and.museum annefrank.museum anthro.museum anthropology.museum antiques.museum aquarium.museum arboretum.museum archaeological.museum archaeology.museum architecture.museum art.museum artanddesign.museum artcenter.museum artdeco.museum arteducation.museum artgallery.museum arts.museum artsandcrafts.museum asmatart.museum assassination.museum assisi.museum association.museum astronomy.museum atlanta.museum austin.museum australia.museum automotive.museum aviation.museum axis.museum badajoz.museum baghdad.museum bahn.museum bale.museum baltimore.museum barcelona.museum baseball.museum basel.museum baths.museum bauern.museum beauxarts.museum beeldengeluid.museum bellevue.museum bergbau.museum berkeley.museum berlin.museum bern.museum bible.museum bilbao.museum bill.museum birdart.museum birthplace.museum bonn.museum boston.museum botanical.museum botanicalgarden.museum botanicgarden.museum botany.museum brandywinevalley.museum brasil.museum bristol.museum british.museum britishcolumbia.museum broadcast.museum brunel.museum brussel.museum brussels.museum bruxelles.museum building.museum burghof.museum bus.museum bushey.museum cadaques.museum california.museum cambridge.museum can.museum canada.museum capebreton.museum carrier.museum cartoonart.museum casadelamoneda.museum castle.museum castres.museum celtic.museum center.museum chattanooga.museum cheltenham.museum chesapeakebay.museum chicago.museum children.museum childrens.museum childrensgarden.museum chiropractic.museum chocolate.museum christiansburg.museum cincinnati.museum cinema.museum circus.museum civilisation.museum civilization.museum civilwar.museum clinton.museum clock.museum coal.museum coastaldefence.museum cody.museum coldwar.museum collection.museum colonialwilliamsburg.museum coloradoplateau.museum columbia.museum columbus.museum communication.museum communications.museum community.museum computer.museum computerhistory.museum xn--comunicaes-v6a2o.museum contemporary.museum contemporaryart.museum convent.museum copenhagen.museum corporation.museum xn--correios-e-telecomunicaes-ghc29a.museum corvette.museum costume.museum countryestate.museum county.museum crafts.museum cranbrook.museum creation.museum cultural.museum culturalcenter.museum culture.museum cyber.museum cymru.museum dali.museum dallas.museum database.museum ddr.museum decorativearts.museum delaware.museum delmenhorst.museum denmark.museum depot.museum design.museum detroit.museum dinosaur.museum discovery.museum dolls.museum donostia.museum durham.museum eastafrica.museum eastcoast.museum education.museum educational.museum egyptian.museum eisenbahn.museum elburg.museum elvendrell.museum embroidery.museum encyclopedic.museum england.museum entomology.museum environment.museum environmentalconservation.museum epilepsy.museum essex.museum estate.museum ethnology.museum exeter.museum exhibition.museum family.museum farm.museum farmequipment.museum farmers.museum farmstead.museum field.museum figueres.museum filatelia.museum film.museum fineart.museum finearts.museum finland.museum flanders.museum florida.museum force.museum fortmissoula.museum fortworth.museum foundation.museum francaise.museum frankfurt.museum franziskaner.museum freemasonry.museum freiburg.museum fribourg.museum frog.museum fundacio.museum furniture.museum gallery.museum garden.museum gateway.museum geelvinck.museum gemological.museum geology.museum georgia.museum giessen.museum glas.museum glass.museum gorge.museum grandrapids.museum graz.museum guernsey.museum halloffame.museum hamburg.museum handson.museum harvestcelebration.museum hawaii.museum health.museum heimatunduhren.museum hellas.museum helsinki.museum hembygdsforbund.museum heritage.museum histoire.museum historical.museum historicalsociety.museum historichouses.museum historisch.museum historisches.museum history.museum historyofscience.museum horology.museum house.museum humanities.museum illustration.museum imageandsound.museum indian.museum indiana.museum indianapolis.museum indianmarket.museum intelligence.museum interactive.museum iraq.museum iron.museum isleofman.museum jamison.museum jefferson.museum jerusalem.museum jewelry.museum jewish.museum jewishart.museum jfk.museum journalism.museum judaica.museum judygarland.museum juedisches.museum juif.museum karate.museum karikatur.museum kids.museum koebenhavn.museum koeln.museum kunst.museum kunstsammlung.museum kunstunddesign.museum labor.museum labour.museum lajolla.museum lancashire.museum landes.museum lans.museum xn--lns-qla.museum larsson.museum lewismiller.museum lincoln.museum linz.museum living.museum livinghistory.museum localhistory.museum london.museum losangeles.museum louvre.museum loyalist.museum lucerne.museum luxembourg.museum luzern.museum mad.museum madrid.museum mallorca.museum manchester.museum mansion.museum mansions.museum manx.museum marburg.museum maritime.museum maritimo.museum maryland.museum marylhurst.museum media.museum medical.museum medizinhistorisches.museum meeres.museum memorial.museum mesaverde.museum michigan.museum midatlantic.museum military.museum mill.museum miners.museum mining.museum minnesota.museum missile.museum missoula.museum modern.museum moma.museum money.museum monmouth.museum monticello.museum montreal.museum moscow.museum motorcycle.museum muenchen.museum muenster.museum mulhouse.museum muncie.museum museet.museum museumcenter.museum museumvereniging.museum music.museum national.museum nationalfirearms.museum nationalheritage.museum nativeamerican.museum naturalhistory.museum naturalhistorymuseum.museum naturalsciences.museum nature.museum naturhistorisches.museum natuurwetenschappen.museum naumburg.museum naval.museum nebraska.museum neues.museum newhampshire.museum newjersey.museum newmexico.museum newport.museum newspaper.museum newyork.museum niepce.museum norfolk.museum north.museum nrw.museum nuernberg.museum nuremberg.museum nyc.museum nyny.museum oceanographic.museum oceanographique.museum omaha.museum online.museum ontario.museum openair.museum oregon.museum oregontrail.museum otago.museum oxford.museum pacific.museum paderborn.museum palace.museum paleo.museum palmsprings.museum panama.museum paris.museum pasadena.museum pharmacy.museum philadelphia.museum philadelphiaarea.museum philately.museum phoenix.museum photography.museum pilots.museum pittsburgh.museum planetarium.museum plantation.museum plants.museum plaza.museum portal.museum portland.museum portlligat.museum posts-and-telecommunications.museum preservation.museum presidio.museum press.museum project.museum public.museum pubol.museum quebec.museum railroad.museum railway.museum research.museum resistance.museum riodejaneiro.museum rochester.museum rockart.museum roma.museum russia.museum saintlouis.museum salem.museum salvadordali.museum salzburg.museum sandiego.museum sanfrancisco.museum santabarbara.museum santacruz.museum santafe.museum saskatchewan.museum satx.museum savannahga.museum schlesisches.museum schoenbrunn.museum schokoladen.museum school.museum schweiz.museum science.museum scienceandhistory.museum scienceandindustry.museum sciencecenter.museum sciencecenters.museum science-fiction.museum sciencehistory.museum sciences.museum sciencesnaturelles.museum scotland.museum seaport.museum settlement.museum settlers.museum shell.museum sherbrooke.museum sibenik.museum silk.museum ski.museum skole.museum society.museum sologne.museum soundandvision.museum southcarolina.museum southwest.museum space.museum spy.museum square.museum stadt.museum stalbans.museum starnberg.museum state.museum stateofdelaware.museum station.museum steam.museum steiermark.museum stjohn.museum stockholm.museum stpetersburg.museum stuttgart.museum suisse.museum surgeonshall.museum surrey.museum svizzera.museum sweden.museum sydney.museum tank.museum tcm.museum technology.museum telekommunikation.museum television.museum texas.museum textile.museum theater.museum time.museum timekeeping.museum topology.museum torino.museum touch.museum town.museum transport.museum tree.museum trolley.museum trust.museum trustee.museum uhren.museum ulm.museum undersea.museum university.museum usa.museum usantiques.museum usarts.museum uscountryestate.museum usculture.museum usdecorativearts.museum usgarden.museum ushistory.museum ushuaia.museum uslivinghistory.museum utah.museum uvic.museum valley.museum vantaa.museum versailles.museum viking.museum village.museum virginia.museum virtual.museum virtuel.museum vlaanderen.museum volkenkunde.museum wales.museum wallonie.museum war.museum washingtondc.museum watchandclock.museum watch-and-clock.museum western.museum westfalen.museum whaling.museum wildlife.museum williamsburg.museum windmill.museum workshop.museum york.museum yorkshire.museum yosemite.museum youth.museum zoological.museum zoology.museum xn--9dbhblg6di.museum xn--h1aegh.museum // mv : http://en.wikipedia.org/wiki/.mv // "mv" included because, contra Wikipedia, google.mv exists. mv aero.mv biz.mv com.mv coop.mv edu.mv gov.mv info.mv int.mv mil.mv museum.mv name.mv net.mv org.mv pro.mv // mw : http://www.registrar.mw/ mw ac.mw biz.mw co.mw com.mw coop.mw edu.mw gov.mw int.mw museum.mw net.mw org.mw // mx : http://www.nic.mx/ // Submitted by registry 2008-06-19 mx com.mx org.mx gob.mx edu.mx net.mx // my : http://www.mynic.net.my/ my com.my net.my org.my gov.my edu.my mil.my name.my // mz : http://www.gobin.info/domainname/mz-template.doc *.mz !teledata.mz // na : http://www.na-nic.com.na/ // http://www.info.na/domain/ na info.na pro.na name.na school.na or.na dr.na us.na mx.na ca.na in.na cc.na tv.na ws.na mobi.na co.na com.na org.na // name : has 2nd-level tlds, but there's no list of them name // nc : http://www.cctld.nc/ nc asso.nc // ne : http://en.wikipedia.org/wiki/.ne ne // net : http://en.wikipedia.org/wiki/.net net // nf : http://en.wikipedia.org/wiki/.nf nf com.nf net.nf per.nf rec.nf web.nf arts.nf firm.nf info.nf other.nf store.nf // ng : http://psg.com/dns/ng/ ng com.ng edu.ng name.ng net.ng org.ng sch.ng gov.ng mil.ng mobi.ng // ni : http://www.nic.ni/ com.ni gob.ni edu.ni org.ni nom.ni net.ni mil.ni co.ni biz.ni web.ni int.ni ac.ni in.ni info.ni // nl : http://en.wikipedia.org/wiki/.nl // https://www.sidn.nl/ // ccTLD for the Netherlands nl // BV.nl will be a registry for dutch BV's (besloten vennootschap) bv.nl // no : http://www.norid.no/regelverk/index.en.html // The Norwegian registry has declined to notify us of updates. The web pages // referenced below are the official source of the data. There is also an // announce mailing list: // https://postlister.uninett.no/sympa/info/norid-diskusjon no // Norid generic domains : http://www.norid.no/regelverk/vedlegg-c.en.html fhs.no vgs.no fylkesbibl.no folkebibl.no museum.no idrett.no priv.no // Non-Norid generic domains : http://www.norid.no/regelverk/vedlegg-d.en.html mil.no stat.no dep.no kommune.no herad.no // no geographical names : http://www.norid.no/regelverk/vedlegg-b.en.html // counties aa.no ah.no bu.no fm.no hl.no hm.no jan-mayen.no mr.no nl.no nt.no of.no ol.no oslo.no rl.no sf.no st.no svalbard.no tm.no tr.no va.no vf.no // primary and lower secondary schools per county gs.aa.no gs.ah.no gs.bu.no gs.fm.no gs.hl.no gs.hm.no gs.jan-mayen.no gs.mr.no gs.nl.no gs.nt.no gs.of.no gs.ol.no gs.oslo.no gs.rl.no gs.sf.no gs.st.no gs.svalbard.no gs.tm.no gs.tr.no gs.va.no gs.vf.no // cities akrehamn.no xn--krehamn-dxa.no algard.no xn--lgrd-poac.no arna.no brumunddal.no bryne.no bronnoysund.no xn--brnnysund-m8ac.no drobak.no xn--drbak-wua.no egersund.no fetsund.no floro.no xn--flor-jra.no fredrikstad.no hokksund.no honefoss.no xn--hnefoss-q1a.no jessheim.no jorpeland.no xn--jrpeland-54a.no kirkenes.no kopervik.no krokstadelva.no langevag.no xn--langevg-jxa.no leirvik.no mjondalen.no xn--mjndalen-64a.no mo-i-rana.no mosjoen.no xn--mosjen-eya.no nesoddtangen.no orkanger.no osoyro.no xn--osyro-wua.no raholt.no xn--rholt-mra.no sandnessjoen.no xn--sandnessjen-ogb.no skedsmokorset.no slattum.no spjelkavik.no stathelle.no stavern.no stjordalshalsen.no xn--stjrdalshalsen-sqb.no tananger.no tranby.no vossevangen.no // communities afjord.no xn--fjord-lra.no agdenes.no al.no xn--l-1fa.no alesund.no xn--lesund-hua.no alstahaug.no alta.no xn--lt-liac.no alaheadju.no xn--laheadju-7ya.no alvdal.no amli.no xn--mli-tla.no amot.no xn--mot-tla.no andebu.no andoy.no xn--andy-ira.no andasuolo.no ardal.no xn--rdal-poa.no aremark.no arendal.no xn--s-1fa.no aseral.no xn--seral-lra.no asker.no askim.no askvoll.no askoy.no xn--asky-ira.no asnes.no xn--snes-poa.no audnedaln.no aukra.no aure.no aurland.no aurskog-holand.no xn--aurskog-hland-jnb.no austevoll.no austrheim.no averoy.no xn--avery-yua.no balestrand.no ballangen.no balat.no xn--blt-elab.no balsfjord.no bahccavuotna.no xn--bhccavuotna-k7a.no bamble.no bardu.no beardu.no beiarn.no bajddar.no xn--bjddar-pta.no baidar.no xn--bidr-5nac.no berg.no bergen.no berlevag.no xn--berlevg-jxa.no bearalvahki.no xn--bearalvhki-y4a.no bindal.no birkenes.no bjarkoy.no xn--bjarky-fya.no bjerkreim.no bjugn.no bodo.no xn--bod-2na.no badaddja.no xn--bdddj-mrabd.no budejju.no bokn.no bremanger.no bronnoy.no xn--brnny-wuac.no bygland.no bykle.no barum.no xn--brum-voa.no bo.telemark.no xn--b-5ga.telemark.no bo.nordland.no xn--b-5ga.nordland.no bievat.no xn--bievt-0qa.no bomlo.no xn--bmlo-gra.no batsfjord.no xn--btsfjord-9za.no bahcavuotna.no xn--bhcavuotna-s4a.no dovre.no drammen.no drangedal.no dyroy.no xn--dyry-ira.no donna.no xn--dnna-gra.no eid.no eidfjord.no eidsberg.no eidskog.no eidsvoll.no eigersund.no elverum.no enebakk.no engerdal.no etne.no etnedal.no evenes.no evenassi.no xn--eveni-0qa01ga.no evje-og-hornnes.no farsund.no fauske.no fuossko.no fuoisku.no fedje.no fet.no finnoy.no xn--finny-yua.no fitjar.no fjaler.no fjell.no flakstad.no flatanger.no flekkefjord.no flesberg.no flora.no fla.no xn--fl-zia.no folldal.no forsand.no fosnes.no frei.no frogn.no froland.no frosta.no frana.no xn--frna-woa.no froya.no xn--frya-hra.no fusa.no fyresdal.no forde.no xn--frde-gra.no gamvik.no gangaviika.no xn--ggaviika-8ya47h.no gaular.no gausdal.no gildeskal.no xn--gildeskl-g0a.no giske.no gjemnes.no gjerdrum.no gjerstad.no gjesdal.no gjovik.no xn--gjvik-wua.no gloppen.no gol.no gran.no grane.no granvin.no gratangen.no grimstad.no grong.no kraanghke.no xn--kranghke-b0a.no grue.no gulen.no hadsel.no halden.no halsa.no hamar.no hamaroy.no habmer.no xn--hbmer-xqa.no hapmir.no xn--hpmir-xqa.no hammerfest.no hammarfeasta.no xn--hmmrfeasta-s4ac.no haram.no hareid.no harstad.no hasvik.no aknoluokta.no xn--koluokta-7ya57h.no hattfjelldal.no aarborte.no haugesund.no hemne.no hemnes.no hemsedal.no heroy.more-og-romsdal.no xn--hery-ira.xn--mre-og-romsdal-qqb.no heroy.nordland.no xn--hery-ira.nordland.no hitra.no hjartdal.no hjelmeland.no hobol.no xn--hobl-ira.no hof.no hol.no hole.no holmestrand.no holtalen.no xn--holtlen-hxa.no hornindal.no horten.no hurdal.no hurum.no hvaler.no hyllestad.no hagebostad.no xn--hgebostad-g3a.no hoyanger.no xn--hyanger-q1a.no hoylandet.no xn--hylandet-54a.no ha.no xn--h-2fa.no ibestad.no inderoy.no xn--indery-fya.no iveland.no jevnaker.no jondal.no jolster.no xn--jlster-bya.no karasjok.no karasjohka.no xn--krjohka-hwab49j.no karlsoy.no galsa.no xn--gls-elac.no karmoy.no xn--karmy-yua.no kautokeino.no guovdageaidnu.no klepp.no klabu.no xn--klbu-woa.no kongsberg.no kongsvinger.no kragero.no xn--krager-gya.no kristiansand.no kristiansund.no krodsherad.no xn--krdsherad-m8a.no kvalsund.no rahkkeravju.no xn--rhkkervju-01af.no kvam.no kvinesdal.no kvinnherad.no kviteseid.no kvitsoy.no xn--kvitsy-fya.no kvafjord.no xn--kvfjord-nxa.no giehtavuoatna.no kvanangen.no xn--kvnangen-k0a.no navuotna.no xn--nvuotna-hwa.no kafjord.no xn--kfjord-iua.no gaivuotna.no xn--givuotna-8ya.no larvik.no lavangen.no lavagis.no loabat.no xn--loabt-0qa.no lebesby.no davvesiida.no leikanger.no leirfjord.no leka.no leksvik.no lenvik.no leangaviika.no xn--leagaviika-52b.no lesja.no levanger.no lier.no lierne.no lillehammer.no lillesand.no lindesnes.no lindas.no xn--linds-pra.no lom.no loppa.no lahppi.no xn--lhppi-xqa.no lund.no lunner.no luroy.no xn--lury-ira.no luster.no lyngdal.no lyngen.no ivgu.no lardal.no lerdal.no xn--lrdal-sra.no lodingen.no xn--ldingen-q1a.no lorenskog.no xn--lrenskog-54a.no loten.no xn--lten-gra.no malvik.no masoy.no xn--msy-ula0h.no muosat.no xn--muost-0qa.no mandal.no marker.no marnardal.no masfjorden.no meland.no meldal.no melhus.no meloy.no xn--mely-ira.no meraker.no xn--merker-kua.no moareke.no xn--moreke-jua.no midsund.no midtre-gauldal.no modalen.no modum.no molde.no moskenes.no moss.no mosvik.no malselv.no xn--mlselv-iua.no malatvuopmi.no xn--mlatvuopmi-s4a.no namdalseid.no aejrie.no namsos.no namsskogan.no naamesjevuemie.no xn--nmesjevuemie-tcba.no laakesvuemie.no nannestad.no narvik.no narviika.no naustdal.no nedre-eiker.no nes.akershus.no nes.buskerud.no nesna.no nesodden.no nesseby.no unjarga.no xn--unjrga-rta.no nesset.no nissedal.no nittedal.no nord-aurdal.no nord-fron.no nord-odal.no norddal.no nordkapp.no davvenjarga.no xn--davvenjrga-y4a.no nordre-land.no nordreisa.no raisa.no xn--risa-5na.no nore-og-uvdal.no notodden.no naroy.no xn--nry-yla5g.no notteroy.no xn--nttery-byae.no odda.no oksnes.no xn--ksnes-uua.no oppdal.no oppegard.no xn--oppegrd-ixa.no orkdal.no orland.no xn--rland-uua.no orskog.no xn--rskog-uua.no orsta.no xn--rsta-fra.no os.hedmark.no os.hordaland.no osen.no osteroy.no xn--ostery-fya.no ostre-toten.no xn--stre-toten-zcb.no overhalla.no ovre-eiker.no xn--vre-eiker-k8a.no oyer.no xn--yer-zna.no oygarden.no xn--ygarden-p1a.no oystre-slidre.no xn--ystre-slidre-ujb.no porsanger.no porsangu.no xn--porsgu-sta26f.no porsgrunn.no radoy.no xn--rady-ira.no rakkestad.no rana.no ruovat.no randaberg.no rauma.no rendalen.no rennebu.no rennesoy.no xn--rennesy-v1a.no rindal.no ringebu.no ringerike.no ringsaker.no rissa.no risor.no xn--risr-ira.no roan.no rollag.no rygge.no ralingen.no xn--rlingen-mxa.no rodoy.no xn--rdy-0nab.no romskog.no xn--rmskog-bya.no roros.no xn--rros-gra.no rost.no xn--rst-0na.no royken.no xn--ryken-vua.no royrvik.no xn--ryrvik-bya.no rade.no xn--rde-ula.no salangen.no siellak.no saltdal.no salat.no xn--slt-elab.no xn--slat-5na.no samnanger.no sande.more-og-romsdal.no sande.xn--mre-og-romsdal-qqb.no sande.vestfold.no sandefjord.no sandnes.no sandoy.no xn--sandy-yua.no sarpsborg.no sauda.no sauherad.no sel.no selbu.no selje.no seljord.no sigdal.no siljan.no sirdal.no skaun.no skedsmo.no ski.no skien.no skiptvet.no skjervoy.no xn--skjervy-v1a.no skierva.no xn--skierv-uta.no skjak.no xn--skjk-soa.no skodje.no skanland.no xn--sknland-fxa.no skanit.no xn--sknit-yqa.no smola.no xn--smla-hra.no snillfjord.no snasa.no xn--snsa-roa.no snoasa.no snaase.no xn--snase-nra.no sogndal.no sokndal.no sola.no solund.no songdalen.no sortland.no spydeberg.no stange.no stavanger.no steigen.no steinkjer.no stjordal.no xn--stjrdal-s1a.no stokke.no stor-elvdal.no stord.no stordal.no storfjord.no omasvuotna.no strand.no stranda.no stryn.no sula.no suldal.no sund.no sunndal.no surnadal.no sveio.no svelvik.no sykkylven.no sogne.no xn--sgne-gra.no somna.no xn--smna-gra.no sondre-land.no xn--sndre-land-0cb.no sor-aurdal.no xn--sr-aurdal-l8a.no sor-fron.no xn--sr-fron-q1a.no sor-odal.no xn--sr-odal-q1a.no sor-varanger.no xn--sr-varanger-ggb.no matta-varjjat.no xn--mtta-vrjjat-k7af.no sorfold.no xn--srfold-bya.no sorreisa.no xn--srreisa-q1a.no sorum.no xn--srum-gra.no tana.no deatnu.no time.no tingvoll.no tinn.no tjeldsund.no dielddanuorri.no tjome.no xn--tjme-hra.no tokke.no tolga.no torsken.no tranoy.no xn--trany-yua.no tromso.no xn--troms-zua.no tromsa.no romsa.no trondheim.no troandin.no trysil.no trana.no xn--trna-woa.no trogstad.no xn--trgstad-r1a.no tvedestrand.no tydal.no tynset.no tysfjord.no divtasvuodna.no divttasvuotna.no tysnes.no tysvar.no xn--tysvr-vra.no tonsberg.no xn--tnsberg-q1a.no ullensaker.no ullensvang.no ulvik.no utsira.no vadso.no xn--vads-jra.no cahcesuolo.no xn--hcesuolo-7ya35b.no vaksdal.no valle.no vang.no vanylven.no vardo.no xn--vard-jra.no varggat.no xn--vrggt-xqad.no vefsn.no vaapste.no vega.no vegarshei.no xn--vegrshei-c0a.no vennesla.no verdal.no verran.no vestby.no vestnes.no vestre-slidre.no vestre-toten.no vestvagoy.no xn--vestvgy-ixa6o.no vevelstad.no vik.no vikna.no vindafjord.no volda.no voss.no varoy.no xn--vry-yla5g.no vagan.no xn--vgan-qoa.no voagat.no vagsoy.no xn--vgsy-qoa0j.no vaga.no xn--vg-yiab.no valer.ostfold.no xn--vler-qoa.xn--stfold-9xa.no valer.hedmark.no xn--vler-qoa.hedmark.no // np : http://www.mos.com.np/register.html *.np // nr : http://cenpac.net.nr/dns/index.html // Confirmed by registry 2008-06-17 nr biz.nr info.nr gov.nr edu.nr org.nr net.nr com.nr // nu : http://en.wikipedia.org/wiki/.nu nu // nz : http://en.wikipedia.org/wiki/.nz // Confirmed by registry 2014-05-19 nz ac.nz co.nz cri.nz geek.nz gen.nz govt.nz health.nz iwi.nz kiwi.nz maori.nz mil.nz xn--mori-qsa.nz net.nz org.nz parliament.nz school.nz // om : http://en.wikipedia.org/wiki/.om om co.om com.om edu.om gov.om med.om museum.om net.om org.om pro.om // org : http://en.wikipedia.org/wiki/.org org // pa : http://www.nic.pa/ // Some additional second level "domains" resolve directly as hostnames, such as // pannet.pa, so we add a rule for "pa". pa ac.pa gob.pa com.pa org.pa sld.pa edu.pa net.pa ing.pa abo.pa med.pa nom.pa // pe : https://www.nic.pe/InformeFinalComision.pdf pe edu.pe gob.pe nom.pe mil.pe org.pe com.pe net.pe // pf : http://www.gobin.info/domainname/formulaire-pf.pdf pf com.pf org.pf edu.pf // pg : http://en.wikipedia.org/wiki/.pg *.pg // ph : http://www.domains.ph/FAQ2.asp // Submitted by registry 2008-06-13 ph com.ph net.ph org.ph gov.ph edu.ph ngo.ph mil.ph i.ph // pk : http://pk5.pknic.net.pk/pk5/msgNamepk.PK pk com.pk net.pk edu.pk org.pk fam.pk biz.pk web.pk gov.pk gob.pk gok.pk gon.pk gop.pk gos.pk info.pk // pl http://www.dns.pl/english/index.html // updated by .PL registry on 2015-04-28 pl com.pl net.pl org.pl // pl functional domains (http://www.dns.pl/english/index.html) aid.pl agro.pl atm.pl auto.pl biz.pl edu.pl gmina.pl gsm.pl info.pl mail.pl miasta.pl media.pl mil.pl nieruchomosci.pl nom.pl pc.pl powiat.pl priv.pl realestate.pl rel.pl sex.pl shop.pl sklep.pl sos.pl szkola.pl targi.pl tm.pl tourism.pl travel.pl turystyka.pl // Government domains gov.pl ap.gov.pl ic.gov.pl is.gov.pl us.gov.pl kmpsp.gov.pl kppsp.gov.pl kwpsp.gov.pl psp.gov.pl wskr.gov.pl kwp.gov.pl mw.gov.pl ug.gov.pl um.gov.pl umig.gov.pl ugim.gov.pl upow.gov.pl uw.gov.pl starostwo.gov.pl pa.gov.pl po.gov.pl psse.gov.pl pup.gov.pl rzgw.gov.pl sa.gov.pl so.gov.pl sr.gov.pl wsa.gov.pl sko.gov.pl uzs.gov.pl wiih.gov.pl winb.gov.pl pinb.gov.pl wios.gov.pl witd.gov.pl wzmiuw.gov.pl piw.gov.pl wiw.gov.pl griw.gov.pl wif.gov.pl oum.gov.pl sdn.gov.pl zp.gov.pl uppo.gov.pl mup.gov.pl wuoz.gov.pl konsulat.gov.pl oirm.gov.pl // pl regional domains (http://www.dns.pl/english/index.html) augustow.pl babia-gora.pl bedzin.pl beskidy.pl bialowieza.pl bialystok.pl bielawa.pl bieszczady.pl boleslawiec.pl bydgoszcz.pl bytom.pl cieszyn.pl czeladz.pl czest.pl dlugoleka.pl elblag.pl elk.pl glogow.pl gniezno.pl gorlice.pl grajewo.pl ilawa.pl jaworzno.pl jelenia-gora.pl jgora.pl kalisz.pl kazimierz-dolny.pl karpacz.pl kartuzy.pl kaszuby.pl katowice.pl kepno.pl ketrzyn.pl klodzko.pl kobierzyce.pl kolobrzeg.pl konin.pl konskowola.pl kutno.pl lapy.pl lebork.pl legnica.pl lezajsk.pl limanowa.pl lomza.pl lowicz.pl lubin.pl lukow.pl malbork.pl malopolska.pl mazowsze.pl mazury.pl mielec.pl mielno.pl mragowo.pl naklo.pl nowaruda.pl nysa.pl olawa.pl olecko.pl olkusz.pl olsztyn.pl opoczno.pl opole.pl ostroda.pl ostroleka.pl ostrowiec.pl ostrowwlkp.pl pila.pl pisz.pl podhale.pl podlasie.pl polkowice.pl pomorze.pl pomorskie.pl prochowice.pl pruszkow.pl przeworsk.pl pulawy.pl radom.pl rawa-maz.pl rybnik.pl rzeszow.pl sanok.pl sejny.pl slask.pl slupsk.pl sosnowiec.pl stalowa-wola.pl skoczow.pl starachowice.pl stargard.pl suwalki.pl swidnica.pl swiebodzin.pl swinoujscie.pl szczecin.pl szczytno.pl tarnobrzeg.pl tgory.pl turek.pl tychy.pl ustka.pl walbrzych.pl warmia.pl warszawa.pl waw.pl wegrow.pl wielun.pl wlocl.pl wloclawek.pl wodzislaw.pl wolomin.pl wroclaw.pl zachpomor.pl zagan.pl zarow.pl zgora.pl zgorzelec.pl // pm : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf pm // pn : http://www.government.pn/PnRegistry/policies.htm pn gov.pn co.pn org.pn edu.pn net.pn // post : http://en.wikipedia.org/wiki/.post post // pr : http://www.nic.pr/index.asp?f=1 pr com.pr net.pr org.pr gov.pr edu.pr isla.pr pro.pr biz.pr info.pr name.pr // these aren't mentioned on nic.pr, but on http://en.wikipedia.org/wiki/.pr est.pr prof.pr ac.pr // pro : http://www.nic.pro/support_faq.htm pro aca.pro bar.pro cpa.pro jur.pro law.pro med.pro eng.pro // ps : http://en.wikipedia.org/wiki/.ps // http://www.nic.ps/registration/policy.html#reg ps edu.ps gov.ps sec.ps plo.ps com.ps org.ps net.ps // pt : http://online.dns.pt/dns/start_dns pt net.pt gov.pt org.pt edu.pt int.pt publ.pt com.pt nome.pt // pw : http://en.wikipedia.org/wiki/.pw pw co.pw ne.pw or.pw ed.pw go.pw belau.pw // py : http://www.nic.py/pautas.html#seccion_9 // Confirmed by registry 2012-10-03 py com.py coop.py edu.py gov.py mil.py net.py org.py // qa : http://domains.qa/en/ qa com.qa edu.qa gov.qa mil.qa name.qa net.qa org.qa sch.qa // re : http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs re com.re asso.re nom.re // ro : http://www.rotld.ro/ ro com.ro org.ro tm.ro nt.ro nom.ro info.ro rec.ro arts.ro firm.ro store.ro www.ro // rs : http://en.wikipedia.org/wiki/.rs rs co.rs org.rs edu.rs ac.rs gov.rs in.rs // ru : http://www.cctld.ru/ru/docs/aktiv_8.php // Industry domains ru ac.ru com.ru edu.ru int.ru net.ru org.ru pp.ru // Geographical domains adygeya.ru altai.ru amur.ru arkhangelsk.ru astrakhan.ru bashkiria.ru belgorod.ru bir.ru bryansk.ru buryatia.ru cbg.ru chel.ru chelyabinsk.ru chita.ru chukotka.ru chuvashia.ru dagestan.ru dudinka.ru e-burg.ru grozny.ru irkutsk.ru ivanovo.ru izhevsk.ru jar.ru joshkar-ola.ru kalmykia.ru kaluga.ru kamchatka.ru karelia.ru kazan.ru kchr.ru kemerovo.ru khabarovsk.ru khakassia.ru khv.ru kirov.ru koenig.ru komi.ru kostroma.ru krasnoyarsk.ru kuban.ru kurgan.ru kursk.ru lipetsk.ru magadan.ru mari.ru mari-el.ru marine.ru mordovia.ru // mosreg.ru Bug 1090800 - removed at request of Aleksey Konstantinov msk.ru murmansk.ru nalchik.ru nnov.ru nov.ru novosibirsk.ru nsk.ru omsk.ru orenburg.ru oryol.ru palana.ru penza.ru perm.ru ptz.ru rnd.ru ryazan.ru sakhalin.ru samara.ru saratov.ru simbirsk.ru smolensk.ru spb.ru stavropol.ru stv.ru surgut.ru tambov.ru tatarstan.ru tom.ru tomsk.ru tsaritsyn.ru tsk.ru tula.ru tuva.ru tver.ru tyumen.ru udm.ru udmurtia.ru ulan-ude.ru vladikavkaz.ru vladimir.ru vladivostok.ru volgograd.ru vologda.ru voronezh.ru vrn.ru vyatka.ru yakutia.ru yamal.ru yaroslavl.ru yekaterinburg.ru yuzhno-sakhalinsk.ru // More geographical domains amursk.ru baikal.ru cmw.ru fareast.ru jamal.ru kms.ru k-uralsk.ru kustanai.ru kuzbass.ru mytis.ru nakhodka.ru nkz.ru norilsk.ru oskol.ru pyatigorsk.ru rubtsovsk.ru snz.ru syzran.ru vdonsk.ru zgrad.ru // State domains gov.ru mil.ru // Technical domains test.ru // rw : http://www.nic.rw/cgi-bin/policy.pl rw gov.rw net.rw edu.rw ac.rw com.rw co.rw int.rw mil.rw gouv.rw // sa : http://www.nic.net.sa/ sa com.sa net.sa org.sa gov.sa med.sa pub.sa edu.sa sch.sa // sb : http://www.sbnic.net.sb/ // Submitted by registry 2008-06-08 sb com.sb edu.sb gov.sb net.sb org.sb // sc : http://www.nic.sc/ sc com.sc gov.sc net.sc org.sc edu.sc // sd : http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm // Submitted by registry 2008-06-17 sd com.sd net.sd org.sd edu.sd med.sd tv.sd gov.sd info.sd // se : http://en.wikipedia.org/wiki/.se // Submitted by registry 2014-03-18 se a.se ac.se b.se bd.se brand.se c.se d.se e.se f.se fh.se fhsk.se fhv.se g.se h.se i.se k.se komforb.se kommunalforbund.se komvux.se l.se lanbib.se m.se n.se naturbruksgymn.se o.se org.se p.se parti.se pp.se press.se r.se s.se t.se tm.se u.se w.se x.se y.se z.se // sg : http://www.nic.net.sg/page/registration-policies-procedures-and-guidelines sg com.sg net.sg org.sg gov.sg edu.sg per.sg // sh : http://www.nic.sh/registrar.html sh com.sh net.sh gov.sh org.sh mil.sh // si : http://en.wikipedia.org/wiki/.si si // sj : No registrations at this time. // Submitted by registry 2008-06-16 sj // sk : http://en.wikipedia.org/wiki/.sk // list of 2nd level domains ? sk // sl : http://www.nic.sl // Submitted by registry 2008-06-12 sl com.sl net.sl edu.sl gov.sl org.sl // sm : http://en.wikipedia.org/wiki/.sm sm // sn : http://en.wikipedia.org/wiki/.sn sn art.sn com.sn edu.sn gouv.sn org.sn perso.sn univ.sn // so : http://www.soregistry.com/ so com.so net.so org.so // sr : http://en.wikipedia.org/wiki/.sr sr // st : http://www.nic.st/html/policyrules/ st co.st com.st consulado.st edu.st embaixada.st gov.st mil.st net.st org.st principe.st saotome.st store.st // su : http://en.wikipedia.org/wiki/.su su adygeya.su arkhangelsk.su balashov.su bashkiria.su bryansk.su dagestan.su grozny.su ivanovo.su kalmykia.su kaluga.su karelia.su khakassia.su krasnodar.su kurgan.su lenug.su mordovia.su msk.su murmansk.su nalchik.su nov.su obninsk.su penza.su pokrovsk.su sochi.su spb.su togliatti.su troitsk.su tula.su tuva.su vladikavkaz.su vladimir.su vologda.su // sv : http://www.svnet.org.sv/niveldos.pdf sv com.sv edu.sv gob.sv org.sv red.sv // sx : http://en.wikipedia.org/wiki/.sx // Confirmed by registry 2012-05-31 sx gov.sx // sy : http://en.wikipedia.org/wiki/.sy // see also: http://www.gobin.info/domainname/sy.doc sy edu.sy gov.sy net.sy mil.sy com.sy org.sy // sz : http://en.wikipedia.org/wiki/.sz // http://www.sispa.org.sz/ sz co.sz ac.sz org.sz // tc : http://en.wikipedia.org/wiki/.tc tc // td : http://en.wikipedia.org/wiki/.td td // tel: http://en.wikipedia.org/wiki/.tel // http://www.telnic.org/ tel // tf : http://en.wikipedia.org/wiki/.tf tf // tg : http://en.wikipedia.org/wiki/.tg // http://www.nic.tg/ tg // th : http://en.wikipedia.org/wiki/.th // Submitted by registry 2008-06-17 th ac.th co.th go.th in.th mi.th net.th or.th // tj : http://www.nic.tj/policy.html tj ac.tj biz.tj co.tj com.tj edu.tj go.tj gov.tj int.tj mil.tj name.tj net.tj nic.tj org.tj test.tj web.tj // tk : http://en.wikipedia.org/wiki/.tk tk // tl : http://en.wikipedia.org/wiki/.tl tl gov.tl // tm : http://www.nic.tm/local.html tm com.tm co.tm org.tm net.tm nom.tm gov.tm mil.tm edu.tm // tn : http://en.wikipedia.org/wiki/.tn // http://whois.ati.tn/ tn com.tn ens.tn fin.tn gov.tn ind.tn intl.tn nat.tn net.tn org.tn info.tn perso.tn tourism.tn edunet.tn rnrt.tn rns.tn rnu.tn mincom.tn agrinet.tn defense.tn turen.tn // to : http://en.wikipedia.org/wiki/.to // Submitted by registry 2008-06-17 to com.to gov.to net.to org.to edu.to mil.to // tp : No registrations at this time. // Submitted by Ryan Sleevi 2014-01-03 tp // subTLDs: https://www.nic.tr/forms/eng/policies.pdf // and: https://www.nic.tr/forms/politikalar.pdf // Submitted by 2014-07-19 tr com.tr info.tr biz.tr net.tr org.tr web.tr gen.tr tv.tr av.tr dr.tr bbs.tr name.tr tel.tr gov.tr bel.tr pol.tr mil.tr k12.tr edu.tr kep.tr // Used by Northern Cyprus nc.tr // Used by government agencies of Northern Cyprus gov.nc.tr // travel : http://en.wikipedia.org/wiki/.travel travel // tt : http://www.nic.tt/ tt co.tt com.tt org.tt net.tt biz.tt info.tt pro.tt int.tt coop.tt jobs.tt mobi.tt travel.tt museum.tt aero.tt name.tt gov.tt edu.tt // tv : http://en.wikipedia.org/wiki/.tv // Not listing any 2LDs as reserved since none seem to exist in practice, // Wikipedia notwithstanding. tv // tw : http://en.wikipedia.org/wiki/.tw tw edu.tw gov.tw mil.tw com.tw net.tw org.tw idv.tw game.tw ebiz.tw club.tw xn--zf0ao64a.tw xn--uc0atv.tw xn--czrw28b.tw // tz : http://www.tznic.or.tz/index.php/domains // Confirmed by registry 2013-01-22 tz ac.tz co.tz go.tz hotel.tz info.tz me.tz mil.tz mobi.tz ne.tz or.tz sc.tz tv.tz // ua : https://hostmaster.ua/policy/?ua // Submitted by registry 2012-04-27 ua // ua 2LD com.ua edu.ua gov.ua in.ua net.ua org.ua // ua geographic names // https://hostmaster.ua/2ld/ cherkassy.ua cherkasy.ua chernigov.ua chernihiv.ua chernivtsi.ua chernovtsy.ua ck.ua cn.ua cr.ua crimea.ua cv.ua dn.ua dnepropetrovsk.ua dnipropetrovsk.ua dominic.ua donetsk.ua dp.ua if.ua ivano-frankivsk.ua kh.ua kharkiv.ua kharkov.ua kherson.ua khmelnitskiy.ua khmelnytskyi.ua kiev.ua kirovograd.ua km.ua kr.ua krym.ua ks.ua kv.ua kyiv.ua lg.ua lt.ua lugansk.ua lutsk.ua lv.ua lviv.ua mk.ua mykolaiv.ua nikolaev.ua od.ua odesa.ua odessa.ua pl.ua poltava.ua rivne.ua rovno.ua rv.ua sb.ua sebastopol.ua sevastopol.ua sm.ua sumy.ua te.ua ternopil.ua uz.ua uzhgorod.ua vinnica.ua vinnytsia.ua vn.ua volyn.ua yalta.ua zaporizhzhe.ua zaporizhzhia.ua zhitomir.ua zhytomyr.ua zp.ua zt.ua // ug : https://www.registry.co.ug/ ug co.ug or.ug ac.ug sc.ug go.ug ne.ug com.ug org.ug // uk : http://en.wikipedia.org/wiki/.uk // Submitted by registry uk ac.uk co.uk gov.uk ltd.uk me.uk net.uk nhs.uk org.uk plc.uk police.uk *.sch.uk // us : http://en.wikipedia.org/wiki/.us us dni.us fed.us isa.us kids.us nsn.us // us geographic names ak.us al.us ar.us as.us az.us ca.us co.us ct.us dc.us de.us fl.us ga.us gu.us hi.us ia.us id.us il.us in.us ks.us ky.us la.us ma.us md.us me.us mi.us mn.us mo.us ms.us mt.us nc.us nd.us ne.us nh.us nj.us nm.us nv.us ny.us oh.us ok.us or.us pa.us pr.us ri.us sc.us sd.us tn.us tx.us ut.us vi.us vt.us va.us wa.us wi.us wv.us wy.us // The registrar notes several more specific domains available in each state, // such as state.*.us, dst.*.us, etc., but resolution of these is somewhat // haphazard; in some states these domains resolve as addresses, while in others // only subdomains are available, or even nothing at all. We include the // most common ones where it's clear that different sites are different // entities. k12.ak.us k12.al.us k12.ar.us k12.as.us k12.az.us k12.ca.us k12.co.us k12.ct.us k12.dc.us k12.de.us k12.fl.us k12.ga.us k12.gu.us // k12.hi.us Bug 614565 - Hawaii has a state-wide DOE login k12.ia.us k12.id.us k12.il.us k12.in.us k12.ks.us k12.ky.us k12.la.us k12.ma.us k12.md.us k12.me.us k12.mi.us k12.mn.us k12.mo.us k12.ms.us k12.mt.us k12.nc.us // k12.nd.us Bug 1028347 - Removed at request of Travis Rosso k12.ne.us k12.nh.us k12.nj.us k12.nm.us k12.nv.us k12.ny.us k12.oh.us k12.ok.us k12.or.us k12.pa.us k12.pr.us k12.ri.us k12.sc.us // k12.sd.us Bug 934131 - Removed at request of James Booze k12.tn.us k12.tx.us k12.ut.us k12.vi.us k12.vt.us k12.va.us k12.wa.us k12.wi.us // k12.wv.us Bug 947705 - Removed at request of Verne Britton k12.wy.us cc.ak.us cc.al.us cc.ar.us cc.as.us cc.az.us cc.ca.us cc.co.us cc.ct.us cc.dc.us cc.de.us cc.fl.us cc.ga.us cc.gu.us cc.hi.us cc.ia.us cc.id.us cc.il.us cc.in.us cc.ks.us cc.ky.us cc.la.us cc.ma.us cc.md.us cc.me.us cc.mi.us cc.mn.us cc.mo.us cc.ms.us cc.mt.us cc.nc.us cc.nd.us cc.ne.us cc.nh.us cc.nj.us cc.nm.us cc.nv.us cc.ny.us cc.oh.us cc.ok.us cc.or.us cc.pa.us cc.pr.us cc.ri.us cc.sc.us cc.sd.us cc.tn.us cc.tx.us cc.ut.us cc.vi.us cc.vt.us cc.va.us cc.wa.us cc.wi.us cc.wv.us cc.wy.us lib.ak.us lib.al.us lib.ar.us lib.as.us lib.az.us lib.ca.us lib.co.us lib.ct.us lib.dc.us lib.de.us lib.fl.us lib.ga.us lib.gu.us lib.hi.us lib.ia.us lib.id.us lib.il.us lib.in.us lib.ks.us lib.ky.us lib.la.us lib.ma.us lib.md.us lib.me.us lib.mi.us lib.mn.us lib.mo.us lib.ms.us lib.mt.us lib.nc.us lib.nd.us lib.ne.us lib.nh.us lib.nj.us lib.nm.us lib.nv.us lib.ny.us lib.oh.us lib.ok.us lib.or.us lib.pa.us lib.pr.us lib.ri.us lib.sc.us lib.sd.us lib.tn.us lib.tx.us lib.ut.us lib.vi.us lib.vt.us lib.va.us lib.wa.us lib.wi.us // lib.wv.us Bug 941670 - Removed at request of Larry W Arnold lib.wy.us // k12.ma.us contains school districts in Massachusetts. The 4LDs are // managed indepedently except for private (PVT), charter (CHTR) and // parochial (PAROCH) schools. Those are delegated dorectly to the // 5LD operators. pvt.k12.ma.us chtr.k12.ma.us paroch.k12.ma.us // uy : http://www.nic.org.uy/ uy com.uy edu.uy gub.uy mil.uy net.uy org.uy // uz : http://www.reg.uz/ uz co.uz com.uz net.uz org.uz // va : http://en.wikipedia.org/wiki/.va va // vc : http://en.wikipedia.org/wiki/.vc // Submitted by registry 2008-06-13 vc com.vc net.vc org.vc gov.vc mil.vc edu.vc // ve : https://registro.nic.ve/ // Confirmed by registry 2012-10-04 // Updated 2014-05-20 - Bug 940478 ve arts.ve co.ve com.ve e12.ve edu.ve firm.ve gob.ve gov.ve info.ve int.ve mil.ve net.ve org.ve rec.ve store.ve tec.ve web.ve // vg : http://en.wikipedia.org/wiki/.vg vg // vi : http://www.nic.vi/newdomainform.htm // http://www.nic.vi/Domain_Rules/body_domain_rules.html indicates some other // TLDs are "reserved", such as edu.vi and gov.vi, but doesn't actually say they // are available for registration (which they do not seem to be). vi co.vi com.vi k12.vi net.vi org.vi // vn : https://www.dot.vn/vnnic/vnnic/domainregistration.jsp vn com.vn net.vn org.vn edu.vn gov.vn int.vn ac.vn biz.vn info.vn name.vn pro.vn health.vn // vu : http://en.wikipedia.org/wiki/.vu // http://www.vunic.vu/ vu com.vu edu.vu net.vu org.vu // wf : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf wf // ws : http://en.wikipedia.org/wiki/.ws // http://samoanic.ws/index.dhtml ws com.ws net.ws org.ws gov.ws edu.ws // yt : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf yt // IDN ccTLDs // When submitting patches, please maintain a sort by ISO 3166 ccTLD, then // U-label, and follow this format: // // A-Label ("", [, variant info]) : // // [sponsoring org] // U-Label // xn--mgbaam7a8h ("Emerat", Arabic) : AE // http://nic.ae/english/arabicdomain/rules.jsp xn--mgbaam7a8h // xn--y9a3aq ("hye", Armenian) : AM // ISOC AM (operated by .am Registry) xn--y9a3aq // xn--54b7fta0cc ("Bangla", Bangla) : BD xn--54b7fta0cc // xn--90ais ("bel", Belarusian/Russian Cyrillic) : BY // Operated by .by registry xn--90ais // xn--fiqs8s ("Zhongguo/China", Chinese, Simplified) : CN // CNNIC // http://cnnic.cn/html/Dir/2005/10/11/3218.htm xn--fiqs8s // xn--fiqz9s ("Zhongguo/China", Chinese, Traditional) : CN // CNNIC // http://cnnic.cn/html/Dir/2005/10/11/3218.htm xn--fiqz9s // xn--lgbbat1ad8j ("Algeria/Al Jazair", Arabic) : DZ xn--lgbbat1ad8j // xn--wgbh1c ("Egypt/Masr", Arabic) : EG // http://www.dotmasr.eg/ xn--wgbh1c // xn--node ("ge", Georgian Mkhedruli) : GE xn--node // xn--qxam ("el", Greek) : GR // Hellenic Ministry of Infrastructure, Transport, and Networks xn--qxam // xn--j6w193g ("Hong Kong", Chinese) : HK // https://www2.hkirc.hk/register/rules.jsp xn--j6w193g // xn--h2brj9c ("Bharat", Devanagari) : IN // India xn--h2brj9c // xn--mgbbh1a71e ("Bharat", Arabic) : IN // India xn--mgbbh1a71e // xn--fpcrj9c3d ("Bharat", Telugu) : IN // India xn--fpcrj9c3d // xn--gecrj9c ("Bharat", Gujarati) : IN // India xn--gecrj9c // xn--s9brj9c ("Bharat", Gurmukhi) : IN // India xn--s9brj9c // xn--45brj9c ("Bharat", Bengali) : IN // India xn--45brj9c // xn--xkc2dl3a5ee0h ("India", Tamil) : IN // India xn--xkc2dl3a5ee0h // xn--mgba3a4f16a ("Iran", Persian) : IR xn--mgba3a4f16a // xn--mgba3a4fra ("Iran", Arabic) : IR xn--mgba3a4fra // xn--mgbtx2b ("Iraq", Arabic) : IQ // Communications and Media Commission xn--mgbtx2b // xn--mgbayh7gpa ("al-Ordon", Arabic) : JO // National Information Technology Center (NITC) // Royal Scientific Society, Al-Jubeiha xn--mgbayh7gpa // xn--3e0b707e ("Republic of Korea", Hangul) : KR xn--3e0b707e // xn--80ao21a ("Kaz", Kazakh) : KZ xn--80ao21a // xn--fzc2c9e2c ("Lanka", Sinhalese-Sinhala) : LK // http://nic.lk xn--fzc2c9e2c // xn--xkc2al3hye2a ("Ilangai", Tamil) : LK // http://nic.lk xn--xkc2al3hye2a // xn--mgbc0a9azcg ("Morocco/al-Maghrib", Arabic) : MA xn--mgbc0a9azcg // xn--d1alf ("mkd", Macedonian) : MK // MARnet xn--d1alf // xn--l1acc ("mon", Mongolian) : MN xn--l1acc // xn--mix891f ("Macao", Chinese, Traditional) : MO // MONIC / HNET Asia (Registry Operator for .mo) xn--mix891f // xn--mix082f ("Macao", Chinese, Simplified) : MO xn--mix082f // xn--mgbx4cd0ab ("Malaysia", Malay) : MY xn--mgbx4cd0ab // xn--mgb9awbf ("Oman", Arabic) : OM xn--mgb9awbf // xn--mgbai9azgqp6j ("Pakistan", Urdu/Arabic) : PK xn--mgbai9azgqp6j // xn--mgbai9a5eva00b ("Pakistan", Urdu/Arabic, variant) : PK xn--mgbai9a5eva00b // xn--ygbi2ammx ("Falasteen", Arabic) : PS // The Palestinian National Internet Naming Authority (PNINA) // http://www.pnina.ps xn--ygbi2ammx // xn--90a3ac ("srb", Cyrillic) : RS // http://www.rnids.rs/en/the-.Ñрб-domain xn--90a3ac xn--o1ac.xn--90a3ac xn--c1avg.xn--90a3ac xn--90azh.xn--90a3ac xn--d1at.xn--90a3ac xn--o1ach.xn--90a3ac xn--80au.xn--90a3ac // xn--p1ai ("rf", Russian-Cyrillic) : RU // http://www.cctld.ru/en/docs/rulesrf.php xn--p1ai // xn--wgbl6a ("Qatar", Arabic) : QA // http://www.ict.gov.qa/ xn--wgbl6a // xn--mgberp4a5d4ar ("AlSaudiah", Arabic) : SA // http://www.nic.net.sa/ xn--mgberp4a5d4ar // xn--mgberp4a5d4a87g ("AlSaudiah", Arabic, variant) : SA xn--mgberp4a5d4a87g // xn--mgbqly7c0a67fbc ("AlSaudiah", Arabic, variant) : SA xn--mgbqly7c0a67fbc // xn--mgbqly7cvafr ("AlSaudiah", Arabic, variant) : SA xn--mgbqly7cvafr // xn--mgbpl2fh ("sudan", Arabic) : SD // Operated by .sd registry xn--mgbpl2fh // xn--yfro4i67o Singapore ("Singapore", Chinese) : SG xn--yfro4i67o // xn--clchc0ea0b2g2a9gcd ("Singapore", Tamil) : SG xn--clchc0ea0b2g2a9gcd // xn--ogbpf8fl ("Syria", Arabic) : SY xn--ogbpf8fl // xn--mgbtf8fl ("Syria", Arabic, variant) : SY xn--mgbtf8fl // xn--o3cw4h ("Thai", Thai) : TH // http://www.thnic.co.th xn--o3cw4h // xn--pgbs0dh ("Tunisia", Arabic) : TN // http://nic.tn xn--pgbs0dh // xn--kpry57d ("Taiwan", Chinese, Traditional) : TW // http://www.twnic.net/english/dn/dn_07a.htm xn--kpry57d // xn--kprw13d ("Taiwan", Chinese, Simplified) : TW // http://www.twnic.net/english/dn/dn_07a.htm xn--kprw13d // xn--nnx388a ("Taiwan", Chinese, variant) : TW xn--nnx388a // xn--j1amh ("ukr", Cyrillic) : UA xn--j1amh // xn--mgb2ddes ("AlYemen", Arabic) : YE xn--mgb2ddes // xxx : http://icmregistry.com xxx // ye : http://www.y.net.ye/services/domain_name.htm *.ye // za : http://www.zadna.org.za/content/page/domain-information ac.za agrica.za alt.za co.za edu.za gov.za grondar.za law.za mil.za net.za ngo.za nis.za nom.za org.za school.za tm.za web.za // zm : http://en.wikipedia.org/wiki/.zm *.zm // zw : http://en.wikipedia.org/wiki/.zw *.zw // List of new gTLDs imported from https://newgtlds.icann.org/newgtlds.csv on 2015-11-12T22:43:48Z // aaa : 2015-02-26 American Automobile Association, Inc. aaa // aarp : 2015-05-21 AARP aarp // abarth : 2015-07-30 Fiat Chrysler Automobiles N.V. abarth // abb : 2014-10-24 ABB Ltd abb // abbott : 2014-07-24 Abbott Laboratories, Inc. abbott // abbvie : 2015-07-30 AbbVie Inc. abbvie // abc : 2015-07-30 Disney Enterprises, Inc. abc // able : 2015-06-25 Able Inc. able // abogado : 2014-04-24 Top Level Domain Holdings Limited abogado // abudhabi : 2015-07-30 Abu Dhabi Systems and Information Centre abudhabi // academy : 2013-11-07 Half Oaks, LLC academy // accenture : 2014-08-15 Accenture plc accenture // accountant : 2014-11-20 dot Accountant Limited accountant // accountants : 2014-03-20 Knob Town, LLC accountants // aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG aco // active : 2014-05-01 The Active Network, Inc active // actor : 2013-12-12 United TLD Holdco Ltd. actor // adac : 2015-07-16 Allgemeiner Deutscher Automobil-Club e.V. (ADAC) adac // ads : 2014-12-04 Charleston Road Registry Inc. ads // adult : 2014-10-16 ICM Registry AD LLC adult // aeg : 2015-03-19 Aktiebolaget Electrolux aeg // aetna : 2015-05-21 Aetna Life Insurance Company aetna // afamilycompany : 2015-07-23 Johnson Shareholdings, Inc. afamilycompany // afl : 2014-10-02 Australian Football League afl // africa : 2014-03-24 ZA Central Registry NPC trading as Registry.Africa africa // africamagic : 2015-03-05 Electronic Media Network (Pty) Ltd africamagic // agakhan : 2015-04-23 Fondation Aga Khan (Aga Khan Foundation) agakhan // agency : 2013-11-14 Steel Falls, LLC agency // aig : 2014-12-18 American International Group, Inc. aig // aigo : 2015-08-06 aigo Digital Technology Co,Ltd. aigo // airbus : 2015-07-30 Airbus S.A.S. airbus // airforce : 2014-03-06 United TLD Holdco Ltd. airforce // airtel : 2014-10-24 Bharti Airtel Limited airtel // akdn : 2015-04-23 Fondation Aga Khan (Aga Khan Foundation) akdn // alfaromeo : 2015-07-31 Fiat Chrysler Automobiles N.V. alfaromeo // alibaba : 2015-01-15 Alibaba Group Holding Limited alibaba // alipay : 2015-01-15 Alibaba Group Holding Limited alipay // allfinanz : 2014-07-03 Allfinanz Deutsche Vermögensberatung Aktiengesellschaft allfinanz // allstate : 2015-07-31 Allstate Fire and Casualty Insurance Company allstate // ally : 2015-06-18 Ally Financial Inc. ally // alsace : 2014-07-02 REGION D ALSACE alsace // alstom : 2015-07-30 ALSTOM alstom // americanexpress : 2015-07-31 American Express Travel Related Services Company, Inc. americanexpress // americanfamily : 2015-07-23 AmFam, Inc. americanfamily // amex : 2015-07-31 American Express Travel Related Services Company, Inc. amex // amfam : 2015-07-23 AmFam, Inc. amfam // amica : 2015-05-28 Amica Mutual Insurance Company amica // amsterdam : 2014-07-24 Gemeente Amsterdam amsterdam // analytics : 2014-12-18 Campus IP LLC analytics // android : 2014-08-07 Charleston Road Registry Inc. android // anquan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. anquan // anz : 2015-07-31 Australia and New Zealand Banking Group Limited anz // aol : 2015-09-17 AOL Inc. aol // apartments : 2014-12-11 June Maple, LLC apartments // app : 2015-05-14 Charleston Road Registry Inc. app // apple : 2015-05-14 Apple Inc. apple // aquarelle : 2014-07-24 Aquarelle.com aquarelle // aramco : 2014-11-20 Aramco Services Company aramco // archi : 2014-02-06 STARTING DOT LIMITED archi // army : 2014-03-06 United TLD Holdco Ltd. army // arte : 2014-12-11 Association Relative à la Télévision Européenne G.E.I.E. arte // asda : 2015-07-31 Wal-Mart Stores, Inc. asda // associates : 2014-03-06 Baxter Hill, LLC associates // athleta : 2015-07-30 The Gap, Inc. athleta // attorney : 2014-03-20 attorney // auction : 2014-03-20 auction // audi : 2015-05-21 AUDI Aktiengesellschaft audi // audible : 2015-06-25 Amazon EU S.à r.l. audible // audio : 2014-03-20 Uniregistry, Corp. audio // auspost : 2015-08-13 Australian Postal Corporation auspost // author : 2014-12-18 Amazon EU S.à r.l. author // auto : 2014-11-13 auto // autos : 2014-01-09 DERAutos, LLC autos // avianca : 2015-01-08 Aerovias del Continente Americano S.A. Avianca avianca // aws : 2015-06-25 Amazon EU S.à r.l. aws // axa : 2013-12-19 AXA SA axa // azure : 2014-12-18 Microsoft Corporation azure // baby : 2015-04-09 Johnson & Johnson Services, Inc. baby // baidu : 2015-01-08 Baidu, Inc. baidu // banamex : 2015-07-30 Citigroup Inc. banamex // bananarepublic : 2015-07-31 The Gap, Inc. bananarepublic // band : 2014-06-12 band // bank : 2014-09-25 fTLD Registry Services LLC bank // bar : 2013-12-12 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable bar // barcelona : 2014-07-24 Municipi de Barcelona barcelona // barclaycard : 2014-11-20 Barclays Bank PLC barclaycard // barclays : 2014-11-20 Barclays Bank PLC barclays // barefoot : 2015-06-11 Gallo Vineyards, Inc. barefoot // bargains : 2013-11-14 Half Hallow, LLC bargains // baseball : 2015-10-29 MLB Advanced Media DH, LLC baseball // basketball : 2015-08-20 Fédération Internationale de Basketball (FIBA) basketball // bauhaus : 2014-04-17 Werkhaus GmbH bauhaus // bayern : 2014-01-23 Bayern Connect GmbH bayern // bbc : 2014-12-18 British Broadcasting Corporation bbc // bbt : 2015-07-23 BB&T Corporation bbt // bbva : 2014-10-02 BANCO BILBAO VIZCAYA ARGENTARIA, S.A. bbva // bcg : 2015-04-02 The Boston Consulting Group, Inc. bcg // bcn : 2014-07-24 Municipi de Barcelona bcn // beats : 2015-05-14 Beats Electronics, LLC beats // beer : 2014-01-09 Top Level Domain Holdings Limited beer // bentley : 2014-12-18 Bentley Motors Limited bentley // berlin : 2013-10-31 dotBERLIN GmbH & Co. KG berlin // best : 2013-12-19 BestTLD Pty Ltd best // bestbuy : 2015-07-31 BBY Solutions, Inc. bestbuy // bet : 2015-05-07 Afilias plc bet // bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited bharti // bible : 2014-06-19 American Bible Society bible // bid : 2013-12-19 dot Bid Limited bid // bike : 2013-08-27 Grand Hollow, LLC bike // bing : 2014-12-18 Microsoft Corporation bing // bingo : 2014-12-04 Sand Cedar, LLC bingo // bio : 2014-03-06 STARTING DOT LIMITED bio // black : 2014-01-16 Afilias Limited black // blackfriday : 2014-01-16 Uniregistry, Corp. blackfriday // blanco : 2015-07-16 BLANCO GmbH + Co KG blanco // blockbuster : 2015-07-30 Dish DBS Corporation blockbuster // blog : 2015-05-14 PRIMER NIVEL S.A. blog // bloomberg : 2014-07-17 Bloomberg IP Holdings LLC bloomberg // blue : 2013-11-07 Afilias Limited blue // bms : 2014-10-30 Bristol-Myers Squibb Company bms // bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft bmw // bnl : 2014-07-24 Banca Nazionale del Lavoro bnl // bnpparibas : 2014-05-29 BNP Paribas bnpparibas // boats : 2014-12-04 DERBoats, LLC boats // boehringer : 2015-07-09 Boehringer Ingelheim International GmbH boehringer // bofa : 2015-07-31 NMS Services, Inc. bofa // bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br bom // bond : 2014-06-05 Bond University Limited bond // boo : 2014-01-30 Charleston Road Registry Inc. boo // book : 2015-08-27 Amazon EU S.à r.l. book // booking : 2015-07-16 Booking.com B.V. booking // boots : 2015-01-08 THE BOOTS COMPANY PLC boots // bosch : 2015-06-18 Robert Bosch GMBH bosch // bostik : 2015-05-28 Bostik SA bostik // bot : 2014-12-18 Amazon EU S.à r.l. bot // boutique : 2013-11-14 Over Galley, LLC boutique // bradesco : 2014-12-18 Banco Bradesco S.A. bradesco // bridgestone : 2014-12-18 Bridgestone Corporation bridgestone // broadway : 2014-12-22 Celebrate Broadway, Inc. broadway // broker : 2014-12-11 IG Group Holdings PLC broker // brother : 2015-01-29 Brother Industries, Ltd. brother // brussels : 2014-02-06 DNS.be vzw brussels // budapest : 2013-11-21 Top Level Domain Holdings Limited budapest // bugatti : 2015-07-23 Bugatti International SA bugatti // build : 2013-11-07 Plan Bee LLC build // builders : 2013-11-07 Atomic Madison, LLC builders // business : 2013-11-07 Spring Cross, LLC business // buy : 2014-12-18 Amazon EU S.à r.l. buy // buzz : 2013-10-02 DOTSTRATEGY CO. buzz // bzh : 2014-02-27 Association www.bzh bzh // cab : 2013-10-24 Half Sunset, LLC cab // cafe : 2015-02-11 Pioneer Canyon, LLC cafe // cal : 2014-07-24 Charleston Road Registry Inc. cal // call : 2014-12-18 Amazon EU S.à r.l. call // calvinklein : 2015-07-30 PVH gTLD Holdings LLC calvinklein // camera : 2013-08-27 Atomic Maple, LLC camera // camp : 2013-11-07 Delta Dynamite, LLC camp // cancerresearch : 2014-05-15 Australian Cancer Research Foundation cancerresearch // canon : 2014-09-12 Canon Inc. canon // capetown : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry capetown // capital : 2014-03-06 Delta Mill, LLC capital // capitalone : 2015-08-06 Capital One Financial Corporation capitalone // car : 2015-01-22 car // caravan : 2013-12-12 Caravan International, Inc. caravan // cards : 2013-12-05 Foggy Hollow, LLC cards // care : 2014-03-06 Goose Cross care // career : 2013-10-09 dotCareer LLC career // careers : 2013-10-02 Wild Corner, LLC careers // cars : 2014-11-13 cars // cartier : 2014-06-23 Richemont DNS Inc. cartier // casa : 2013-11-21 Top Level Domain Holdings Limited casa // case : 2015-09-03 CNH Industrial N.V. case // caseih : 2015-09-03 CNH Industrial N.V. caseih // cash : 2014-03-06 Delta Lake, LLC cash // casino : 2014-12-18 Binky Sky, LLC casino // catering : 2013-12-05 New Falls. LLC catering // catholic : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) catholic // cba : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA cba // cbn : 2014-08-22 The Christian Broadcasting Network, Inc. cbn // cbre : 2015-07-02 CBRE, Inc. cbre // cbs : 2015-08-06 CBS Domains Inc. cbs // ceb : 2015-04-09 The Corporate Executive Board Company ceb // center : 2013-11-07 Tin Mill, LLC center // ceo : 2013-11-07 CEOTLD Pty Ltd ceo // cern : 2014-06-05 European Organization for Nuclear Research ("CERN") cern // cfa : 2014-08-28 CFA Institute cfa // cfd : 2014-12-11 IG Group Holdings PLC cfd // chanel : 2015-04-09 Chanel International B.V. chanel // channel : 2014-05-08 Charleston Road Registry Inc. channel // chase : 2015-04-30 JPMorgan Chase & Co. chase // chat : 2014-12-04 Sand Fields, LLC chat // cheap : 2013-11-14 Sand Cover, LLC cheap // chintai : 2015-06-11 CHINTAI Corporation chintai // chloe : 2014-10-16 Richemont DNS Inc. chloe // christmas : 2013-11-21 Uniregistry, Corp. christmas // chrome : 2014-07-24 Charleston Road Registry Inc. chrome // chrysler : 2015-07-30 FCA US LLC. chrysler // church : 2014-02-06 Holly Fields, LLC church // cipriani : 2015-02-19 Hotel Cipriani Srl cipriani // circle : 2014-12-18 Amazon EU S.à r.l. circle // cisco : 2014-12-22 Cisco Technology, Inc. cisco // citadel : 2015-07-23 Citadel Domain LLC citadel // citi : 2015-07-30 Citigroup Inc. citi // citic : 2014-01-09 CITIC Group Corporation citic // city : 2014-05-29 Snow Sky, LLC city // cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc. cityeats // claims : 2014-03-20 Black Corner, LLC claims // cleaning : 2013-12-05 Fox Shadow, LLC cleaning // click : 2014-06-05 Uniregistry, Corp. click // clinic : 2014-03-20 Goose Park, LLC clinic // clinique : 2015-10-01 The Estée Lauder Companies Inc. clinique // clothing : 2013-08-27 Steel Lake, LLC clothing // cloud : 2015-04-16 ARUBA S.p.A. cloud // club : 2013-11-08 .CLUB DOMAINS, LLC club // clubmed : 2015-06-25 Club Méditerranée S.A. clubmed // coach : 2014-10-09 Koko Island, LLC coach // codes : 2013-10-31 Puff Willow, LLC codes // coffee : 2013-10-17 Trixy Cover, LLC coffee // college : 2014-01-16 XYZ.COM LLC college // cologne : 2014-02-05 NetCologne Gesellschaft für Telekommunikation mbH cologne // comcast : 2015-07-23 Comcast IP Holdings I, LLC comcast // commbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA commbank // community : 2013-12-05 Fox Orchard, LLC community // company : 2013-11-07 Silver Avenue, LLC company // compare : 2015-10-08 iSelect Ltd compare // computer : 2013-10-24 Pine Mill, LLC computer // comsec : 2015-01-08 VeriSign, Inc. comsec // condos : 2013-12-05 Pine House, LLC condos // construction : 2013-09-16 Fox Dynamite, LLC construction // consulting : 2013-12-05 consulting // contact : 2015-01-08 Top Level Spectrum, Inc. contact // contractors : 2013-09-10 Magic Woods, LLC contractors // cooking : 2013-11-21 Top Level Domain Holdings Limited cooking // cookingchannel : 2015-07-02 Lifestyle Domain Holdings, Inc. cookingchannel // cool : 2013-11-14 Koko Lake, LLC cool // corsica : 2014-09-25 Collectivité Territoriale de Corse corsica // country : 2013-12-19 Top Level Domain Holdings Limited country // coupon : 2015-02-26 Amazon EU S.à r.l. coupon // coupons : 2015-03-26 Black Island, LLC coupons // courses : 2014-12-04 OPEN UNIVERSITIES AUSTRALIA PTY LTD courses // credit : 2014-03-20 Snow Shadow, LLC credit // creditcard : 2014-03-20 Binky Frostbite, LLC creditcard // creditunion : 2015-01-22 CUNA Performance Resources, LLC creditunion // cricket : 2014-10-09 dot Cricket Limited cricket // crown : 2014-10-24 Crown Equipment Corporation crown // crs : 2014-04-03 Federated Co-operatives Limited crs // cruises : 2013-12-05 Spring Way, LLC cruises // csc : 2014-09-25 Alliance-One Services, Inc. csc // cuisinella : 2014-04-03 SALM S.A.S. cuisinella // cymru : 2014-05-08 Nominet UK cymru // cyou : 2015-01-22 Beijing Gamease Age Digital Technology Co., Ltd. cyou // dabur : 2014-02-06 Dabur India Limited dabur // dad : 2014-01-23 Charleston Road Registry Inc. dad // dance : 2013-10-24 United TLD Holdco Ltd. dance // date : 2014-11-20 dot Date Limited date // dating : 2013-12-05 Pine Fest, LLC dating // datsun : 2014-03-27 NISSAN MOTOR CO., LTD. datsun // day : 2014-01-30 Charleston Road Registry Inc. day // dclk : 2014-11-20 Charleston Road Registry Inc. dclk // dds : 2015-05-07 Top Level Domain Holdings Limited dds // deal : 2015-06-25 Amazon EU S.à r.l. deal // dealer : 2014-12-22 Dealer Dot Com, Inc. dealer // deals : 2014-05-22 Sand Sunset, LLC deals // degree : 2014-03-06 degree // delivery : 2014-09-11 Steel Station, LLC delivery // dell : 2014-10-24 Dell Inc. dell // deloitte : 2015-07-31 Deloitte Touche Tohmatsu deloitte // delta : 2015-02-19 Delta Air Lines, Inc. delta // democrat : 2013-10-24 United TLD Holdco Ltd. democrat // dental : 2014-03-20 Tin Birch, LLC dental // dentist : 2014-03-20 dentist // desi : 2013-11-14 Desi Networks LLC desi // design : 2014-11-07 Top Level Design, LLC design // dev : 2014-10-16 Charleston Road Registry Inc. dev // dhl : 2015-07-23 Deutsche Post AG dhl // diamonds : 2013-09-22 John Edge, LLC diamonds // diet : 2014-06-26 Uniregistry, Corp. diet // digital : 2014-03-06 Dash Park, LLC digital // direct : 2014-04-10 Half Trail, LLC direct // directory : 2013-09-20 Extra Madison, LLC directory // discount : 2014-03-06 Holly Hill, LLC discount // discover : 2015-07-23 Discover Financial Services discover // dish : 2015-07-30 Dish DBS Corporation dish // diy : 2015-11-05 Lifestyle Domain Holdings, Inc. diy // dnp : 2013-12-13 Dai Nippon Printing Co., Ltd. dnp // docs : 2014-10-16 Charleston Road Registry Inc. docs // dodge : 2015-07-30 FCA US LLC. dodge // dog : 2014-12-04 Koko Mill, LLC dog // doha : 2014-09-18 Communications Regulatory Authority (CRA) doha // domains : 2013-10-17 Sugar Cross, LLC domains // doosan : 2014-04-03 Doosan Corporation doosan // dot : 2015-05-21 Dish DBS Corporation dot // download : 2014-11-20 dot Support Limited download // drive : 2015-03-05 Charleston Road Registry Inc. drive // dstv : 2015-03-12 MultiChoice (Proprietary) Limited dstv // dtv : 2015-06-04 Dish DBS Corporation dtv // dubai : 2015-01-01 Dubai Smart Government Department dubai // duck : 2015-07-23 Johnson Shareholdings, Inc. duck // dunlop : 2015-07-02 The Goodyear Tire & Rubber Company dunlop // duns : 2015-08-06 The Dun & Bradstreet Corporation duns // dupont : 2015-06-25 E.I. du Pont de Nemours and Company dupont // durban : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry durban // dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG dvag // dwg : 2015-07-23 Autodesk, Inc. dwg // earth : 2014-12-04 Interlink Co., Ltd. earth // eat : 2014-01-23 Charleston Road Registry Inc. eat // edeka : 2014-12-18 EDEKA Verband kaufmännischer Genossenschaften e.V. edeka // education : 2013-11-07 Brice Way, LLC education // email : 2013-10-31 Spring Madison, LLC email // emerck : 2014-04-03 Merck KGaA emerck // emerson : 2015-07-23 Emerson Electric Co. emerson // energy : 2014-09-11 Binky Birch, LLC energy // engineer : 2014-03-06 United TLD Holdco Ltd. engineer // engineering : 2014-03-06 Romeo Canyon engineering // enterprises : 2013-09-20 Snow Oaks, LLC enterprises // epost : 2015-07-23 Deutsche Post AG epost // epson : 2014-12-04 Seiko Epson Corporation epson // equipment : 2013-08-27 Corn Station, LLC equipment // ericsson : 2015-07-09 Telefonaktiebolaget L M Ericsson ericsson // erni : 2014-04-03 ERNI Group Holding AG erni // esq : 2014-05-08 Charleston Road Registry Inc. esq // estate : 2013-08-27 Trixy Park, LLC estate // esurance : 2015-07-23 Esurance Insurance Company esurance // etisalat : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat) etisalat // eurovision : 2014-04-24 European Broadcasting Union (EBU) eurovision // eus : 2013-12-12 Puntueus Fundazioa eus // events : 2013-12-05 Pioneer Maple, LLC events // everbank : 2014-05-15 EverBank everbank // exchange : 2014-03-06 Spring Falls, LLC exchange // expert : 2013-11-21 Magic Pass, LLC expert // exposed : 2013-12-05 Victor Beach, LLC exposed // express : 2015-02-11 Sea Sunset, LLC express // extraspace : 2015-05-14 Extra Space Storage LLC extraspace // fage : 2014-12-18 Fage International S.A. fage // fail : 2014-03-06 Atomic Pipe, LLC fail // fairwinds : 2014-11-13 FairWinds Partners, LLC fairwinds // faith : 2014-11-20 dot Faith Limited faith // family : 2015-04-02 family // fan : 2014-03-06 fan // fans : 2014-11-07 Asiamix Digital Limited fans // farm : 2013-11-07 Just Maple, LLC farm // farmers : 2015-07-09 Farmers Insurance Exchange farmers // fashion : 2014-07-03 Top Level Domain Holdings Limited fashion // fast : 2014-12-18 Amazon EU S.à r.l. fast // fedex : 2015-08-06 Federal Express Corporation fedex // feedback : 2013-12-19 Top Level Spectrum, Inc. feedback // ferrari : 2015-07-31 Fiat Chrysler Automobiles N.V. ferrari // ferrero : 2014-12-18 Ferrero Trading Lux S.A. ferrero // fiat : 2015-07-31 Fiat Chrysler Automobiles N.V. fiat // fidelity : 2015-07-30 Fidelity Brokerage Services LLC fidelity // fido : 2015-08-06 Rogers Communications Partnership fido // film : 2015-01-08 Motion Picture Domain Registry Pty Ltd film // final : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br final // finance : 2014-03-20 Cotton Cypress, LLC finance // financial : 2014-03-06 Just Cover, LLC financial // fire : 2015-06-25 Amazon EU S.à r.l. fire // firestone : 2014-12-18 Bridgestone Corporation firestone // firmdale : 2014-03-27 Firmdale Holdings Limited firmdale // fish : 2013-12-12 Fox Woods, LLC fish // fishing : 2013-11-21 Top Level Domain Holdings Limited fishing // fit : 2014-11-07 Top Level Domain Holdings Limited fit // fitness : 2014-03-06 Brice Orchard, LLC fitness // flickr : 2015-04-02 Yahoo! Domain Services Inc. flickr // flights : 2013-12-05 Fox Station, LLC flights // flir : 2015-07-23 FLIR Systems, Inc. flir // florist : 2013-11-07 Half Cypress, LLC florist // flowers : 2014-10-09 Uniregistry, Corp. flowers // flsmidth : 2014-07-24 FLSmidth A/S flsmidth // fly : 2014-05-08 Charleston Road Registry Inc. fly // foo : 2014-01-23 Charleston Road Registry Inc. foo // foodnetwork : 2015-07-02 Lifestyle Domain Holdings, Inc. foodnetwork // football : 2014-12-18 Foggy Farms, LLC football // ford : 2014-11-13 Ford Motor Company ford // forex : 2014-12-11 IG Group Holdings PLC forex // forsale : 2014-05-22 forsale // forum : 2015-04-02 Fegistry, LLC forum // foundation : 2013-12-05 John Dale, LLC foundation // fox : 2015-09-11 FOX Registry, LLC fox // fresenius : 2015-07-30 Fresenius Immobilien-Verwaltungs-GmbH fresenius // frl : 2014-05-15 FRLregistry B.V. frl // frogans : 2013-12-19 OP3FT frogans // frontdoor : 2015-07-02 Lifestyle Domain Holdings, Inc. frontdoor // frontier : 2015-02-05 Frontier Communications Corporation frontier // ftr : 2015-07-16 Frontier Communications Corporation ftr // fujitsu : 2015-07-30 Fujitsu Limited fujitsu // fujixerox : 2015-07-23 Xerox DNHC LLC fujixerox // fund : 2014-03-20 John Castle, LLC fund // furniture : 2014-03-20 Lone Fields, LLC furniture // futbol : 2013-09-20 futbol // fyi : 2015-04-02 Silver Tigers, LLC fyi // gal : 2013-11-07 Asociación puntoGAL gal // gallery : 2013-09-13 Sugar House, LLC gallery // gallo : 2015-06-11 Gallo Vineyards, Inc. gallo // gallup : 2015-02-19 Gallup, Inc. gallup // game : 2015-05-28 Uniregistry, Corp. game // games : 2015-05-28 Foggy Beach, LLC games // gap : 2015-07-31 The Gap, Inc. gap // garden : 2014-06-26 Top Level Domain Holdings Limited garden // gbiz : 2014-07-17 Charleston Road Registry Inc. gbiz // gdn : 2014-07-31 Joint Stock Company "Navigation-information systems" gdn // gea : 2014-12-04 GEA Group Aktiengesellschaft gea // gent : 2014-01-23 COMBELL GROUP NV/SA gent // genting : 2015-03-12 Resorts World Inc Pte. Ltd. genting // george : 2015-07-31 Wal-Mart Stores, Inc. george // ggee : 2014-01-09 GMO Internet, Inc. ggee // gift : 2013-10-17 Uniregistry, Corp. gift // gifts : 2014-07-03 Goose Sky, LLC gifts // gives : 2014-03-06 United TLD Holdco Ltd. gives // giving : 2014-11-13 Giving Limited giving // glade : 2015-07-23 Johnson Shareholdings, Inc. glade // glass : 2013-11-07 Black Cover, LLC glass // gle : 2014-07-24 Charleston Road Registry Inc. gle // global : 2014-04-17 Dot GLOBAL AS global // globo : 2013-12-19 Globo Comunicação e Participações S.A globo // gmail : 2014-05-01 Charleston Road Registry Inc. gmail // gmo : 2014-01-09 GMO Internet, Inc. gmo // gmx : 2014-04-24 1&1 Mail & Media GmbH gmx // godaddy : 2015-07-23 Go Daddy East, LLC godaddy // gold : 2015-01-22 June Edge, LLC gold // goldpoint : 2014-11-20 YODOBASHI CAMERA CO.,LTD. goldpoint // golf : 2014-12-18 Lone falls, LLC golf // goo : 2014-12-18 NTT Resonant Inc. goo // goodhands : 2015-07-31 Allstate Fire and Casualty Insurance Company goodhands // goodyear : 2015-07-02 The Goodyear Tire & Rubber Company goodyear // goog : 2014-11-20 Charleston Road Registry Inc. goog // google : 2014-07-24 Charleston Road Registry Inc. google // gop : 2014-01-16 Republican State Leadership Committee, Inc. gop // got : 2014-12-18 Amazon EU S.à r.l. got // gotv : 2015-03-12 MultiChoice (Proprietary) Limited gotv // grainger : 2015-05-07 Grainger Registry Services, LLC grainger // graphics : 2013-09-13 Over Madison, LLC graphics // gratis : 2014-03-20 Pioneer Tigers, LLC gratis // green : 2014-05-08 Afilias Limited green // gripe : 2014-03-06 Corn Sunset, LLC gripe // group : 2014-08-15 Romeo Town, LLC group // guardian : 2015-07-30 The Guardian Life Insurance Company of America guardian // gucci : 2014-11-13 Guccio Gucci S.p.a. gucci // guge : 2014-08-28 Charleston Road Registry Inc. guge // guide : 2013-09-13 Snow Moon, LLC guide // guitars : 2013-11-14 Uniregistry, Corp. guitars // guru : 2013-08-27 Pioneer Cypress, LLC guru // hamburg : 2014-02-20 Hamburg Top-Level-Domain GmbH hamburg // hangout : 2014-11-13 Charleston Road Registry Inc. hangout // haus : 2013-12-05 haus // hbo : 2015-07-30 HBO Registry Services, Inc. hbo // hdfc : 2015-07-30 HOUSING DEVELOPMENT FINANCE CORPORATION LIMITED hdfc // hdfcbank : 2015-02-12 HDFC Bank Limited hdfcbank // health : 2015-02-11 DotHealth, LLC health // healthcare : 2014-06-12 Silver Glen, LLC healthcare // help : 2014-06-26 Uniregistry, Corp. help // helsinki : 2015-02-05 City of Helsinki helsinki // here : 2014-02-06 Charleston Road Registry Inc. here // hermes : 2014-07-10 HERMES INTERNATIONAL hermes // hgtv : 2015-07-02 Lifestyle Domain Holdings, Inc. hgtv // hiphop : 2014-03-06 Uniregistry, Corp. hiphop // hisamitsu : 2015-07-16 Hisamitsu Pharmaceutical Co.,Inc. hisamitsu // hitachi : 2014-10-31 Hitachi, Ltd. hitachi // hiv : 2014-03-13 dotHIV gemeinnuetziger e.V. hiv // hkt : 2015-05-14 PCCW-HKT DataCom Services Limited hkt // hockey : 2015-03-19 Half Willow, LLC hockey // holdings : 2013-08-27 John Madison, LLC holdings // holiday : 2013-11-07 Goose Woods, LLC holiday // homedepot : 2015-04-02 Homer TLC, Inc. homedepot // homegoods : 2015-07-16 The TJX Companies, Inc. homegoods // homes : 2014-01-09 DERHomes, LLC homes // homesense : 2015-07-16 The TJX Companies, Inc. homesense // honda : 2014-12-18 Honda Motor Co., Ltd. honda // honeywell : 2015-07-23 Honeywell GTLD LLC honeywell // horse : 2013-11-21 Top Level Domain Holdings Limited horse // host : 2014-04-17 DotHost Inc. host // hosting : 2014-05-29 Uniregistry, Corp. hosting // hot : 2015-08-27 Amazon EU S.à r.l. hot // hoteles : 2015-03-05 Travel Reservations SRL hoteles // hotmail : 2014-12-18 Microsoft Corporation hotmail // house : 2013-11-07 Sugar Park, LLC house // how : 2014-01-23 Charleston Road Registry Inc. how // hsbc : 2014-10-24 HSBC Holdings PLC hsbc // htc : 2015-04-02 HTC corporation htc // hughes : 2015-07-30 Hughes Satellite Systems Corporation hughes // hyatt : 2015-07-30 Hyatt GTLD, L.L.C. hyatt // hyundai : 2015-07-09 Hyundai Motor Company hyundai // ibm : 2014-07-31 International Business Machines Corporation ibm // icbc : 2015-02-19 Industrial and Commercial Bank of China Limited icbc // ice : 2014-10-30 IntercontinentalExchange, Inc. ice // icu : 2015-01-08 One.com A/S icu // ieee : 2015-07-23 IEEE Global LLC ieee // ifm : 2014-01-30 ifm electronic gmbh ifm // iinet : 2014-07-03 Connect West Pty. Ltd. iinet // ikano : 2015-07-09 Ikano S.A. ikano // imamat : 2015-08-06 Fondation Aga Khan (Aga Khan Foundation) imamat // imdb : 2015-06-25 Amazon EU S.à r.l. imdb // immo : 2014-07-10 Auburn Bloom, LLC immo // immobilien : 2013-11-07 United TLD Holdco Ltd. immobilien // industries : 2013-12-05 Outer House, LLC industries // infiniti : 2014-03-27 NISSAN MOTOR CO., LTD. infiniti // ing : 2014-01-23 Charleston Road Registry Inc. ing // ink : 2013-12-05 Top Level Design, LLC ink // institute : 2013-11-07 Outer Maple, LLC institute // insurance : 2015-02-19 fTLD Registry Services LLC insurance // insure : 2014-03-20 Pioneer Willow, LLC insure // intel : 2015-08-06 Intel Corporation intel // international : 2013-11-07 Wild Way, LLC international // intuit : 2015-07-30 Intuit Administrative Services, Inc. intuit // investments : 2014-03-20 Holly Glen, LLC investments // ipiranga : 2014-08-28 Ipiranga Produtos de Petroleo S.A. ipiranga // irish : 2014-08-07 Dot-Irish LLC irish // iselect : 2015-02-11 iSelect Ltd iselect // ismaili : 2015-08-06 Fondation Aga Khan (Aga Khan Foundation) ismaili // ist : 2014-08-28 Istanbul Metropolitan Municipality ist // istanbul : 2014-08-28 Istanbul Metropolitan Municipality istanbul // itau : 2014-10-02 Itau Unibanco Holding S.A. itau // itv : 2015-07-09 ITV Services Limited itv // iveco : 2015-09-03 CNH Industrial N.V. iveco // iwc : 2014-06-23 Richemont DNS Inc. iwc // jaguar : 2014-11-13 Jaguar Land Rover Ltd jaguar // java : 2014-06-19 Oracle Corporation java // jcb : 2014-11-20 JCB Co., Ltd. jcb // jcp : 2015-04-23 JCP Media, Inc. jcp // jeep : 2015-07-30 FCA US LLC. jeep // jetzt : 2014-01-09 New TLD Company AB jetzt // jewelry : 2015-03-05 Wild Bloom, LLC jewelry // jio : 2015-04-02 Affinity Names, Inc. jio // jlc : 2014-12-04 Richemont DNS Inc. jlc // jll : 2015-04-02 Jones Lang LaSalle Incorporated jll // jmp : 2015-03-26 Matrix IP LLC jmp // jnj : 2015-06-18 Johnson & Johnson Services, Inc. jnj // joburg : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry joburg // jot : 2014-12-18 Amazon EU S.à r.l. jot // joy : 2014-12-18 Amazon EU S.à r.l. joy // jpmorgan : 2015-04-30 JPMorgan Chase & Co. jpmorgan // jprs : 2014-09-18 Japan Registry Services Co., Ltd. jprs // juegos : 2014-03-20 Uniregistry, Corp. juegos // juniper : 2015-07-30 JUNIPER NETWORKS, INC. juniper // kaufen : 2013-11-07 United TLD Holdco Ltd. kaufen // kddi : 2014-09-12 KDDI CORPORATION kddi // kerryhotels : 2015-04-30 Kerry Trading Co. Limited kerryhotels // kerrylogistics : 2015-04-09 Kerry Trading Co. Limited kerrylogistics // kerryproperties : 2015-04-09 Kerry Trading Co. Limited kerryproperties // kfh : 2014-12-04 Kuwait Finance House kfh // kia : 2015-07-09 KIA MOTORS CORPORATION kia // kim : 2013-09-23 Afilias Limited kim // kinder : 2014-11-07 Ferrero Trading Lux S.A. kinder // kindle : 2015-06-25 Amazon EU S.à r.l. kindle // kitchen : 2013-09-20 Just Goodbye, LLC kitchen // kiwi : 2013-09-20 DOT KIWI LIMITED kiwi // koeln : 2014-01-09 NetCologne Gesellschaft für Telekommunikation mbH koeln // komatsu : 2015-01-08 Komatsu Ltd. komatsu // kosher : 2015-08-20 Kosher Marketing Assets LLC kosher // kpmg : 2015-04-23 KPMG International Cooperative (KPMG International Genossenschaft) kpmg // kpn : 2015-01-08 Koninklijke KPN N.V. kpn // krd : 2013-12-05 KRG Department of Information Technology krd // kred : 2013-12-19 KredTLD Pty Ltd kred // kuokgroup : 2015-04-09 Kerry Trading Co. Limited kuokgroup // kyknet : 2015-03-05 Electronic Media Network (Pty) Ltd kyknet // kyoto : 2014-11-07 Academic Institution: Kyoto Jyoho Gakuen kyoto // lacaixa : 2014-01-09 CAIXA D'ESTALVIS I PENSIONS DE BARCELONA lacaixa // ladbrokes : 2015-08-06 LADBROKES INTERNATIONAL PLC ladbrokes // lamborghini : 2015-06-04 Automobili Lamborghini S.p.A. lamborghini // lamer : 2015-10-01 The Estée Lauder Companies Inc. lamer // lancaster : 2015-02-12 LANCASTER lancaster // lancia : 2015-07-31 Fiat Chrysler Automobiles N.V. lancia // lancome : 2015-07-23 L'Oréal lancome // land : 2013-09-10 Pine Moon, LLC land // landrover : 2014-11-13 Jaguar Land Rover Ltd landrover // lanxess : 2015-07-30 LANXESS Corporation lanxess // lasalle : 2015-04-02 Jones Lang LaSalle Incorporated lasalle // lat : 2014-10-16 ECOM-LAC Federaciòn de Latinoamèrica y el Caribe para Internet y el Comercio Electrònico lat // latino : 2015-07-30 Dish DBS Corporation latino // latrobe : 2014-06-16 La Trobe University latrobe // law : 2015-01-22 Minds + Machines Group Limited law // lawyer : 2014-03-20 lawyer // lds : 2014-03-20 IRI Domain Management, LLC ("Applicant") lds // lease : 2014-03-06 Victor Trail, LLC lease // leclerc : 2014-08-07 A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc leclerc // lefrak : 2015-07-16 LeFrak Organization, Inc. lefrak // legal : 2014-10-16 Blue Falls, LLC legal // lego : 2015-07-16 LEGO Juris A/S lego // lexus : 2015-04-23 TOYOTA MOTOR CORPORATION lexus // lgbt : 2014-05-08 Afilias Limited lgbt // liaison : 2014-10-02 Liaison Technologies, Incorporated liaison // lidl : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG lidl // life : 2014-02-06 Trixy Oaks, LLC life // lifeinsurance : 2015-01-15 American Council of Life Insurers lifeinsurance // lifestyle : 2014-12-11 Lifestyle Domain Holdings, Inc. lifestyle // lighting : 2013-08-27 John McCook, LLC lighting // like : 2014-12-18 Amazon EU S.à r.l. like // lilly : 2015-07-31 Eli Lilly and Company lilly // limited : 2014-03-06 Big Fest, LLC limited // limo : 2013-10-17 Hidden Frostbite, LLC limo // lincoln : 2014-11-13 Ford Motor Company lincoln // linde : 2014-12-04 Linde Aktiengesellschaft linde // link : 2013-11-14 Uniregistry, Corp. link // lipsy : 2015-06-25 Lipsy Ltd lipsy // live : 2014-12-04 live // living : 2015-07-30 Lifestyle Domain Holdings, Inc. living // lixil : 2015-03-19 LIXIL Group Corporation lixil // loan : 2014-11-20 dot Loan Limited loan // loans : 2014-03-20 June Woods, LLC loans // locker : 2015-06-04 Dish DBS Corporation locker // locus : 2015-06-25 Locus Analytics LLC locus // loft : 2015-07-30 Annco, Inc. loft // lol : 2015-01-30 Uniregistry, Corp. lol // london : 2013-11-14 Dot London Domains Limited london // lotte : 2014-11-07 Lotte Holdings Co., Ltd. lotte // lotto : 2014-04-10 Afilias Limited lotto // love : 2014-12-22 Merchant Law Group LLP love // lpl : 2015-07-30 LPL Holdings, Inc. lpl // lplfinancial : 2015-07-30 LPL Holdings, Inc. lplfinancial // ltd : 2014-09-25 Over Corner, LLC ltd // ltda : 2014-04-17 DOMAIN ROBOT SERVICOS DE HOSPEDAGEM NA INTERNET LTDA ltda // lundbeck : 2015-08-06 H. Lundbeck A/S lundbeck // lupin : 2014-11-07 LUPIN LIMITED lupin // luxe : 2014-01-09 Top Level Domain Holdings Limited luxe // luxury : 2013-10-17 Luxury Partners, LLC luxury // macys : 2015-07-31 Macys, Inc. macys // madrid : 2014-05-01 Comunidad de Madrid madrid // maif : 2014-10-02 Mutuelle Assurance Instituteur France (MAIF) maif // maison : 2013-12-05 Victor Frostbite, LLC maison // makeup : 2015-01-15 L'Oréal makeup // man : 2014-12-04 MAN SE man // management : 2013-11-07 John Goodbye, LLC management // mango : 2013-10-24 PUNTO FA S.L. mango // market : 2014-03-06 market // marketing : 2013-11-07 Fern Pass, LLC marketing // markets : 2014-12-11 IG Group Holdings PLC markets // marriott : 2014-10-09 Marriott Worldwide Corporation marriott // marshalls : 2015-07-16 The TJX Companies, Inc. marshalls // maserati : 2015-07-31 Fiat Chrysler Automobiles N.V. maserati // mattel : 2015-08-06 Mattel Sites, Inc. mattel // mba : 2015-04-02 Lone Hollow, LLC mba // mcd : 2015-07-30 McDonald’s Corporation mcd // mcdonalds : 2015-07-30 McDonald’s Corporation mcdonalds // mckinsey : 2015-07-31 McKinsey Holdings, Inc. mckinsey // med : 2015-08-06 Medistry LLC med // media : 2014-03-06 Grand Glen, LLC media // meet : 2014-01-16 meet // melbourne : 2014-05-29 The Crown in right of the State of Victoria, represented by its Department of State Development, Business and Innovation melbourne // meme : 2014-01-30 Charleston Road Registry Inc. meme // memorial : 2014-10-16 Dog Beach, LLC memorial // men : 2015-02-26 Exclusive Registry Limited men // menu : 2013-09-11 Wedding TLD2, LLC menu // meo : 2014-11-07 PT Comunicacoes S.A. meo // metlife : 2015-05-07 MetLife Services and Solutions, LLC metlife // miami : 2013-12-19 Top Level Domain Holdings Limited miami // microsoft : 2014-12-18 Microsoft Corporation microsoft // mini : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft mini // mint : 2015-07-30 Intuit Administrative Services, Inc. mint // mit : 2015-07-02 Massachusetts Institute of Technology mit // mitsubishi : 2015-07-23 Mitsubishi Corporation mitsubishi // mlb : 2015-05-21 MLB Advanced Media DH, LLC mlb // mls : 2015-04-23 The Canadian Real Estate Association mls // mma : 2014-11-07 MMA IARD mma // mnet : 2015-03-05 Electronic Media Network (Pty) Ltd mnet // mobily : 2014-12-18 GreenTech Consultancy Company W.L.L. mobily // moda : 2013-11-07 United TLD Holdco Ltd. moda // moe : 2013-11-13 Interlink Co., Ltd. moe // moi : 2014-12-18 Amazon EU S.à r.l. moi // mom : 2015-04-16 Uniregistry, Corp. mom // monash : 2013-09-30 Monash University monash // money : 2014-10-16 Outer McCook, LLC money // monster : 2015-09-11 Monster Worldwide, Inc. monster // montblanc : 2014-06-23 Richemont DNS Inc. montblanc // mopar : 2015-07-30 FCA US LLC. mopar // mormon : 2013-12-05 IRI Domain Management, LLC ("Applicant") mormon // mortgage : 2014-03-20 mortgage // moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) moscow // moto : 2015-06-04 Charleston Road Registry Inc. moto // motorcycles : 2014-01-09 DERMotorcycles, LLC motorcycles // mov : 2014-01-30 Charleston Road Registry Inc. mov // movie : 2015-02-05 New Frostbite, LLC movie // movistar : 2014-10-16 Telefónica S.A. movistar // msd : 2015-07-23 MSD Registry Holdings, Inc. msd // mtn : 2014-12-04 MTN Dubai Limited mtn // mtpc : 2014-11-20 Mitsubishi Tanabe Pharma Corporation mtpc // mtr : 2015-03-12 MTR Corporation Limited mtr // multichoice : 2015-03-12 MultiChoice (Proprietary) Limited multichoice // mutual : 2015-04-02 Northwestern Mutual MU TLD Registry, LLC mutual // mutuelle : 2015-06-18 Fédération Nationale de la Mutualité Française mutuelle // mzansimagic : 2015-03-05 Electronic Media Network (Pty) Ltd mzansimagic // nab : 2015-08-20 National Australia Bank Limited nab // nadex : 2014-12-11 IG Group Holdings PLC nadex // nagoya : 2013-10-24 GMO Registry, Inc. nagoya // naspers : 2015-02-12 Intelprop (Proprietary) Limited naspers // nationwide : 2015-07-23 Nationwide Mutual Insurance Company nationwide // natura : 2015-03-12 NATURA COSMÉTICOS S.A. natura // navy : 2014-03-06 United TLD Holdco Ltd. navy // nba : 2015-07-31 NBA REGISTRY, LLC nba // nec : 2015-01-08 NEC Corporation nec // netbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA netbank // netflix : 2015-06-18 Netflix, Inc. netflix // network : 2013-11-14 Trixy Manor, LLC network // neustar : 2013-12-05 NeuStar, Inc. neustar // new : 2014-01-30 Charleston Road Registry Inc. new // newholland : 2015-09-03 CNH Industrial N.V. newholland // news : 2014-12-18 news // next : 2015-06-18 Next plc next // nextdirect : 2015-06-18 Next plc nextdirect // nexus : 2014-07-24 Charleston Road Registry Inc. nexus // nfl : 2015-07-23 NFL Reg Ops LLC nfl // ngo : 2014-03-06 Public Interest Registry ngo // nhk : 2014-02-13 Japan Broadcasting Corporation (NHK) nhk // nico : 2014-12-04 DWANGO Co., Ltd. nico // nike : 2015-07-23 NIKE, Inc. nike // nikon : 2015-05-21 NIKON CORPORATION nikon // ninja : 2013-11-07 United TLD Holdco Ltd. ninja // nissan : 2014-03-27 NISSAN MOTOR CO., LTD. nissan // nissay : 2015-10-29 Nippon Life Insurance Company nissay // nokia : 2015-01-08 Nokia Corporation nokia // northwesternmutual : 2015-06-18 Northwestern Mutual Registry, LLC northwesternmutual // norton : 2014-12-04 Symantec Corporation norton // now : 2015-06-25 Amazon EU S.à r.l. now // nowruz : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. nowruz // nowtv : 2015-05-14 Starbucks (HK) Limited nowtv // nra : 2014-05-22 NRA Holdings Company, INC. nra // nrw : 2013-11-21 Minds + Machines GmbH nrw // ntt : 2014-10-31 NIPPON TELEGRAPH AND TELEPHONE CORPORATION ntt // nyc : 2014-01-23 The City of New York by and through the New York City Department of Information Technology & Telecommunications nyc // obi : 2014-09-25 OBI Group Holding SE & Co. KGaA obi // observer : 2015-04-30 Guardian News and Media Limited observer // off : 2015-07-23 Johnson Shareholdings, Inc. off // office : 2015-03-12 Microsoft Corporation office // okinawa : 2013-12-05 BusinessRalliart Inc. okinawa // olayan : 2015-05-14 Crescent Holding GmbH olayan // olayangroup : 2015-05-14 Crescent Holding GmbH olayangroup // oldnavy : 2015-07-31 The Gap, Inc. oldnavy // ollo : 2015-06-04 Dish DBS Corporation ollo // omega : 2015-01-08 The Swatch Group Ltd omega // one : 2014-11-07 One.com A/S one // ong : 2014-03-06 Public Interest Registry ong // onl : 2013-09-16 I-Registry Ltd. onl // online : 2015-01-15 DotOnline Inc. online // onyourside : 2015-07-23 Nationwide Mutual Insurance Company onyourside // ooo : 2014-01-09 INFIBEAM INCORPORATION LIMITED ooo // open : 2015-07-31 American Express Travel Related Services Company, Inc. open // oracle : 2014-06-19 Oracle Corporation oracle // orange : 2015-03-12 Orange Brand Services Limited orange // organic : 2014-03-27 Afilias Limited organic // orientexpress : 2015-02-05 Belmond Ltd. orientexpress // origins : 2015-10-01 The Estée Lauder Companies Inc. origins // osaka : 2014-09-04 Interlink Co., Ltd. osaka // otsuka : 2013-10-11 Otsuka Holdings Co., Ltd. otsuka // ott : 2015-06-04 Dish DBS Corporation ott // ovh : 2014-01-16 OVH SAS ovh // page : 2014-12-04 Charleston Road Registry Inc. page // pamperedchef : 2015-02-05 The Pampered Chef, Ltd. pamperedchef // panasonic : 2015-07-30 Panasonic Corporation panasonic // panerai : 2014-11-07 Richemont DNS Inc. panerai // paris : 2014-01-30 City of Paris paris // pars : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. pars // partners : 2013-12-05 Magic Glen, LLC partners // parts : 2013-12-05 Sea Goodbye, LLC parts // party : 2014-09-11 Blue Sky Registry Limited party // passagens : 2015-03-05 Travel Reservations SRL passagens // pay : 2015-08-27 Amazon EU S.à r.l. pay // payu : 2015-02-12 MIH PayU B.V. payu // pccw : 2015-05-14 PCCW Enterprises Limited pccw // pet : 2015-05-07 Afilias plc pet // pfizer : 2015-09-11 Pfizer Inc. pfizer // pharmacy : 2014-06-19 National Association of Boards of Pharmacy pharmacy // philips : 2014-11-07 Koninklijke Philips N.V. philips // photo : 2013-11-14 Uniregistry, Corp. photo // photography : 2013-09-20 Sugar Glen, LLC photography // photos : 2013-10-17 Sea Corner, LLC photos // physio : 2014-05-01 PhysBiz Pty Ltd physio // piaget : 2014-10-16 Richemont DNS Inc. piaget // pics : 2013-11-14 Uniregistry, Corp. pics // pictet : 2014-06-26 Pictet Europe S.A. pictet // pictures : 2014-03-06 Foggy Sky, LLC pictures // pid : 2015-01-08 Top Level Spectrum, Inc. pid // pin : 2014-12-18 Amazon EU S.à r.l. pin // ping : 2015-06-11 Ping Registry Provider, Inc. ping // pink : 2013-10-01 Afilias Limited pink // pioneer : 2015-07-16 Pioneer Corporation pioneer // pizza : 2014-06-26 Foggy Moon, LLC pizza // place : 2014-04-24 Snow Galley, LLC place // play : 2015-03-05 Charleston Road Registry Inc. play // playstation : 2015-07-02 Sony Computer Entertainment Inc. playstation // plumbing : 2013-09-10 Spring Tigers, LLC plumbing // plus : 2015-02-05 Sugar Mill, LLC plus // pnc : 2015-07-02 PNC Domain Co., LLC pnc // pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG pohl // poker : 2014-07-03 Afilias Domains No. 5 Limited poker // politie : 2015-08-20 Politie Nederland politie // porn : 2014-10-16 ICM Registry PN LLC porn // pramerica : 2015-07-30 Prudential Financial, Inc. pramerica // praxi : 2013-12-05 Praxi S.p.A. praxi // press : 2014-04-03 DotPress Inc. press // prime : 2015-06-25 Amazon EU S.à r.l. prime // prod : 2014-01-23 Charleston Road Registry Inc. prod // productions : 2013-12-05 Magic Birch, LLC productions // prof : 2014-07-24 Charleston Road Registry Inc. prof // progressive : 2015-07-23 Progressive Casualty Insurance Company progressive // promo : 2014-12-18 Play.PROMO Oy promo // properties : 2013-12-05 Big Pass, LLC properties // property : 2014-05-22 Uniregistry, Corp. property // protection : 2015-04-23 protection // pru : 2015-07-30 Prudential Financial, Inc. pru // prudential : 2015-07-30 Prudential Financial, Inc. prudential // pub : 2013-12-12 United TLD Holdco Ltd. pub // pwc : 2015-10-29 PricewaterhouseCoopers LLP pwc // qpon : 2013-11-14 dotCOOL, Inc. qpon // quebec : 2013-12-19 PointQuébec Inc quebec // quest : 2015-03-26 Quest ION Limited quest // qvc : 2015-07-30 QVC, Inc. qvc // racing : 2014-12-04 Premier Registry Limited racing // raid : 2015-07-23 Johnson Shareholdings, Inc. raid // read : 2014-12-18 Amazon EU S.à r.l. read // realestate : 2015-09-11 dotRealEstate LLC realestate // realtor : 2014-05-29 Real Estate Domains LLC realtor // realty : 2015-03-19 Fegistry, LLC realty // recipes : 2013-10-17 Grand Island, LLC recipes // red : 2013-11-07 Afilias Limited red // redstone : 2014-10-31 Redstone Haute Couture Co., Ltd. redstone // redumbrella : 2015-03-26 Travelers TLD, LLC redumbrella // rehab : 2014-03-06 United TLD Holdco Ltd. rehab // reise : 2014-03-13 reise // reisen : 2014-03-06 New Cypress, LLC reisen // reit : 2014-09-04 National Association of Real Estate Investment Trusts, Inc. reit // reliance : 2015-04-02 Reliance Industries Limited reliance // ren : 2013-12-12 Beijing Qianxiang Wangjing Technology Development Co., Ltd. ren // rent : 2014-12-04 DERRent, LLC rent // rentals : 2013-12-05 Big Hollow,LLC rentals // repair : 2013-11-07 Lone Sunset, LLC repair // report : 2013-12-05 Binky Glen, LLC report // republican : 2014-03-20 United TLD Holdco Ltd. republican // rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable rest // restaurant : 2014-07-03 Snow Avenue, LLC restaurant // review : 2014-11-20 dot Review Limited review // reviews : 2013-09-13 reviews // rexroth : 2015-06-18 Robert Bosch GMBH rexroth // rich : 2013-11-21 I-Registry Ltd. rich // richardli : 2015-05-14 Pacific Century Asset Management (HK) Limited richardli // ricoh : 2014-11-20 Ricoh Company, Ltd. ricoh // rightathome : 2015-07-23 Johnson Shareholdings, Inc. rightathome // ril : 2015-04-02 Reliance Industries Limited ril // rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO rio // rip : 2014-07-10 United TLD Holdco Ltd. rip // rocher : 2014-12-18 Ferrero Trading Lux S.A. rocher // rocks : 2013-11-14 rocks // rodeo : 2013-12-19 Top Level Domain Holdings Limited rodeo // rogers : 2015-08-06 Rogers Communications Partnership rogers // room : 2014-12-18 Amazon EU S.à r.l. room // rsvp : 2014-05-08 Charleston Road Registry Inc. rsvp // ruhr : 2013-10-02 regiodot GmbH & Co. KG ruhr // run : 2015-03-19 Snow Park, LLC run // rwe : 2015-04-02 RWE AG rwe // ryukyu : 2014-01-09 BusinessRalliart Inc. ryukyu // saarland : 2013-12-12 dotSaarland GmbH saarland // safe : 2014-12-18 Amazon EU S.à r.l. safe // safety : 2015-01-08 Safety Registry Services, LLC. safety // sakura : 2014-12-18 SAKURA Internet Inc. sakura // sale : 2014-10-16 sale // salon : 2014-12-11 Outer Orchard, LLC salon // samsclub : 2015-07-31 Wal-Mart Stores, Inc. samsclub // samsung : 2014-04-03 SAMSUNG SDS CO., LTD samsung // sandvik : 2014-11-13 Sandvik AB sandvik // sandvikcoromant : 2014-11-07 Sandvik AB sandvikcoromant // sanofi : 2014-10-09 Sanofi sanofi // sap : 2014-03-27 SAP AG sap // sapo : 2014-11-07 PT Comunicacoes S.A. sapo // sarl : 2014-07-03 Delta Orchard, LLC sarl // sas : 2015-04-02 Research IP LLC sas // save : 2015-06-25 Amazon EU S.à r.l. save // saxo : 2014-10-31 Saxo Bank A/S saxo // sbi : 2015-03-12 STATE BANK OF INDIA sbi // sbs : 2014-11-07 SPECIAL BROADCASTING SERVICE CORPORATION sbs // sca : 2014-03-13 SVENSKA CELLULOSA AKTIEBOLAGET SCA (publ) sca // scb : 2014-02-20 The Siam Commercial Bank Public Company Limited ("SCB") scb // schaeffler : 2015-08-06 Schaeffler Technologies AG & Co. KG schaeffler // schmidt : 2014-04-03 SALM S.A.S. schmidt // scholarships : 2014-04-24 Scholarships.com, LLC scholarships // school : 2014-12-18 Little Galley, LLC school // schule : 2014-03-06 Outer Moon, LLC schule // schwarz : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG schwarz // science : 2014-09-11 dot Science Limited science // scjohnson : 2015-07-23 Johnson Shareholdings, Inc. scjohnson // scor : 2014-10-31 SCOR SE scor // scot : 2014-01-23 Dot Scot Registry Limited scot // seat : 2014-05-22 SEAT, S.A. (Sociedad Unipersonal) seat // secure : 2015-08-27 Amazon EU S.à r.l. secure // security : 2015-05-14 security // seek : 2014-12-04 Seek Limited seek // select : 2015-10-08 iSelect Ltd select // sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A. sener // services : 2014-02-27 Fox Castle, LLC services // ses : 2015-07-23 SES ses // seven : 2015-08-06 Seven West Media Ltd seven // sew : 2014-07-17 SEW-EURODRIVE GmbH & Co KG sew // sex : 2014-11-13 ICM Registry SX LLC sex // sexy : 2013-09-11 Uniregistry, Corp. sexy // sfr : 2015-08-13 Societe Francaise du Radiotelephone - SFR sfr // shangrila : 2015-09-03 Shangriâ€La International Hotel Management Limited shangrila // sharp : 2014-05-01 Sharp Corporation sharp // shaw : 2015-04-23 Shaw Cablesystems G.P. shaw // shell : 2015-07-30 Shell Information Technology International Inc shell // shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. shia // shiksha : 2013-11-14 Afilias Limited shiksha // shoes : 2013-10-02 Binky Galley, LLC shoes // shouji : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. shouji // show : 2015-03-05 Snow Beach, LLC show // showtime : 2015-08-06 CBS Domains Inc. showtime // shriram : 2014-01-23 Shriram Capital Ltd. shriram // silk : 2015-06-25 Amazon EU S.à r.l. silk // sina : 2015-03-12 Sina Corporation sina // singles : 2013-08-27 Fern Madison, LLC singles // site : 2015-01-15 DotSite Inc. site // ski : 2015-04-09 STARTING DOT LIMITED ski // skin : 2015-01-15 L'Oréal skin // sky : 2014-06-19 Sky IP International Ltd, a company incorporated in England and Wales, operating via its registered Swiss branch sky // skype : 2014-12-18 Microsoft Corporation skype // sling : 2015-07-30 Hughes Satellite Systems Corporation sling // smart : 2015-07-09 Smart Communications, Inc. (SMART) smart // smile : 2014-12-18 Amazon EU S.à r.l. smile // sncf : 2015-02-19 Société Nationale des Chemins de fer Francais S N C F sncf // soccer : 2015-03-26 Foggy Shadow, LLC soccer // social : 2013-11-07 United TLD Holdco Ltd. social // softbank : 2015-07-02 SoftBank Corp. softbank // software : 2014-03-20 software // sohu : 2013-12-19 Sohu.com Limited sohu // solar : 2013-11-07 Ruby Town, LLC solar // solutions : 2013-11-07 Silver Cover, LLC solutions // song : 2015-02-26 Amazon EU S.à r.l. song // sony : 2015-01-08 Sony Corporation sony // soy : 2014-01-23 Charleston Road Registry Inc. soy // space : 2014-04-03 DotSpace Inc. space // spiegel : 2014-02-05 SPIEGEL-Verlag Rudolf Augstein GmbH & Co. KG spiegel // spot : 2015-02-26 Amazon EU S.à r.l. spot // spreadbetting : 2014-12-11 IG Group Holdings PLC spreadbetting // srl : 2015-05-07 mySRL GmbH srl // srt : 2015-07-30 FCA US LLC. srt // stada : 2014-11-13 STADA Arzneimittel AG stada // staples : 2015-07-30 Staples, Inc. staples // star : 2015-01-08 Star India Private Limited star // starhub : 2015-02-05 StarHub Ltd starhub // statebank : 2015-03-12 STATE BANK OF INDIA statebank // statefarm : 2015-07-30 State Farm Mutual Automobile Insurance Company statefarm // statoil : 2014-12-04 Statoil ASA statoil // stc : 2014-10-09 Saudi Telecom Company stc // stcgroup : 2014-10-09 Saudi Telecom Company stcgroup // stockholm : 2014-12-18 Stockholms kommun stockholm // storage : 2014-12-22 Self Storage Company LLC storage // store : 2015-04-09 DotStore Inc. store // studio : 2015-02-11 studio // study : 2014-12-11 OPEN UNIVERSITIES AUSTRALIA PTY LTD study // style : 2014-12-04 Binky Moon, LLC style // sucks : 2014-12-22 Vox Populi Registry Inc. sucks // supersport : 2015-03-05 SuperSport International Holdings Proprietary Limited supersport // supplies : 2013-12-19 Atomic Fields, LLC supplies // supply : 2013-12-19 Half Falls, LLC supply // support : 2013-10-24 Grand Orchard, LLC support // surf : 2014-01-09 Top Level Domain Holdings Limited surf // surgery : 2014-03-20 Tin Avenue, LLC surgery // suzuki : 2014-02-20 SUZUKI MOTOR CORPORATION suzuki // swatch : 2015-01-08 The Swatch Group Ltd swatch // swiftcover : 2015-07-23 Swiftcover Insurance Services Limited swiftcover // swiss : 2014-10-16 Swiss Confederation swiss // sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet sydney // symantec : 2014-12-04 Symantec Corporation symantec // systems : 2013-11-07 Dash Cypress, LLC systems // tab : 2014-12-04 Tabcorp Holdings Limited tab // taipei : 2014-07-10 Taipei City Government taipei // talk : 2015-04-09 Amazon EU S.à r.l. talk // taobao : 2015-01-15 Alibaba Group Holding Limited taobao // target : 2015-07-31 Target Domain Holdings, LLC target // tatamotors : 2015-03-12 Tata Motors Ltd tatamotors // tatar : 2014-04-24 Limited Liability Company "Coordination Center of Regional Domain of Tatarstan Republic" tatar // tattoo : 2013-08-30 Uniregistry, Corp. tattoo // tax : 2014-03-20 Storm Orchard, LLC tax // taxi : 2015-03-19 Pine Falls, LLC taxi // tci : 2014-09-12 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. tci // tdk : 2015-06-11 TDK Corporation tdk // team : 2015-03-05 Atomic Lake, LLC team // tech : 2015-01-30 Dot Tech LLC tech // technology : 2013-09-13 Auburn Falls technology // telecity : 2015-02-19 TelecityGroup International Limited telecity // telefonica : 2014-10-16 Telefónica S.A. telefonica // temasek : 2014-08-07 Temasek Holdings (Private) Limited temasek // tennis : 2014-12-04 Cotton Bloom, LLC tennis // teva : 2015-07-02 Teva Pharmaceutical Industries Limited teva // thd : 2015-04-02 Homer TLC, Inc. thd // theater : 2015-03-19 Blue Tigers, LLC theater // theatre : 2015-05-07 theatre // theguardian : 2015-04-30 Guardian News and Media Limited theguardian // tiaa : 2015-07-23 Teachers Insurance and Annuity Association of America tiaa // tickets : 2015-02-05 Accent Media Limited tickets // tienda : 2013-11-14 Victor Manor, LLC tienda // tiffany : 2015-01-30 Tiffany and Company tiffany // tips : 2013-09-20 Corn Willow, LLC tips // tires : 2014-11-07 Dog Edge, LLC tires // tirol : 2014-04-24 punkt Tirol GmbH tirol // tjmaxx : 2015-07-16 The TJX Companies, Inc. tjmaxx // tjx : 2015-07-16 The TJX Companies, Inc. tjx // tkmaxx : 2015-07-16 The TJX Companies, Inc. tkmaxx // tmall : 2015-01-15 Alibaba Group Holding Limited tmall // today : 2013-09-20 Pearl Woods, LLC today // tokyo : 2013-11-13 GMO Registry, Inc. tokyo // tools : 2013-11-21 Pioneer North, LLC tools // top : 2014-03-20 Jiangsu Bangning Science & Technology Co.,Ltd. top // toray : 2014-12-18 Toray Industries, Inc. toray // toshiba : 2014-04-10 TOSHIBA Corporation toshiba // total : 2015-08-06 Total SA total // tours : 2015-01-22 Sugar Station, LLC tours // town : 2014-03-06 Koko Moon, LLC town // toyota : 2015-04-23 TOYOTA MOTOR CORPORATION toyota // toys : 2014-03-06 Pioneer Orchard, LLC toys // trade : 2014-01-23 Elite Registry Limited trade // trading : 2014-12-11 IG Group Holdings PLC trading // training : 2013-11-07 Wild Willow, LLC training // travelchannel : 2015-07-02 Lifestyle Domain Holdings, Inc. travelchannel // travelers : 2015-03-26 Travelers TLD, LLC travelers // travelersinsurance : 2015-03-26 Travelers TLD, LLC travelersinsurance // trust : 2014-10-16 trust // trv : 2015-03-26 Travelers TLD, LLC trv // tube : 2015-06-11 Latin American Telecom LLC tube // tui : 2014-07-03 TUI AG tui // tunes : 2015-02-26 Amazon EU S.à r.l. tunes // tushu : 2014-12-18 Amazon EU S.à r.l. tushu // tvs : 2015-02-19 T V SUNDRAM IYENGAR & SONS LIMITED tvs // ubank : 2015-08-20 National Australia Bank Limited ubank // ubs : 2014-12-11 UBS AG ubs // uconnect : 2015-07-30 FCA US LLC. uconnect // unicom : 2015-10-15 China United Network Communications Corporation Limited unicom // university : 2014-03-06 Little Station, LLC university // uno : 2013-09-11 Dot Latin LLC uno // uol : 2014-05-01 UBN INTERNET LTDA. uol // ups : 2015-06-25 UPS Market Driver, Inc. ups // vacations : 2013-12-05 Atomic Tigers, LLC vacations // vana : 2014-12-11 Lifestyle Domain Holdings, Inc. vana // vanguard : 2015-09-03 The Vanguard Group, Inc. vanguard // vegas : 2014-01-16 Dot Vegas, Inc. vegas // ventures : 2013-08-27 Binky Lake, LLC ventures // verisign : 2015-08-13 VeriSign, Inc. verisign // versicherung : 2014-03-20 dotversicherung-registry GmbH versicherung // vet : 2014-03-06 vet // viajes : 2013-10-17 Black Madison, LLC viajes // video : 2014-10-16 video // vig : 2015-05-14 VIENNA INSURANCE GROUP AG Wiener Versicherung Gruppe vig // viking : 2015-04-02 Viking River Cruises (Bermuda) Ltd. viking // villas : 2013-12-05 New Sky, LLC villas // vin : 2015-06-18 Holly Shadow, LLC vin // vip : 2015-01-22 Minds + Machines Group Limited vip // virgin : 2014-09-25 Virgin Enterprises Limited virgin // visa : 2015-07-30 Visa Worldwide Pte. Limited visa // vision : 2013-12-05 Koko Station, LLC vision // vista : 2014-09-18 Vistaprint Limited vista // vistaprint : 2014-09-18 Vistaprint Limited vistaprint // viva : 2014-11-07 Saudi Telecom Company viva // vivo : 2015-07-31 Telefonica Brasil S.A. vivo // vlaanderen : 2014-02-06 DNS.be vzw vlaanderen // vodka : 2013-12-19 Top Level Domain Holdings Limited vodka // volkswagen : 2015-05-14 Volkswagen Group of America Inc. volkswagen // vote : 2013-11-21 Monolith Registry LLC vote // voting : 2013-11-13 Valuetainment Corp. voting // voto : 2013-11-21 Monolith Registry LLC voto // voyage : 2013-08-27 Ruby House, LLC voyage // vuelos : 2015-03-05 Travel Reservations SRL vuelos // wales : 2014-05-08 Nominet UK wales // walmart : 2015-07-31 Wal-Mart Stores, Inc. walmart // walter : 2014-11-13 Sandvik AB walter // wang : 2013-10-24 Zodiac Leo Limited wang // wanggou : 2014-12-18 Amazon EU S.à r.l. wanggou // warman : 2015-06-18 Weir Group IP Limited warman // watch : 2013-11-14 Sand Shadow, LLC watch // watches : 2014-12-22 Richemont DNS Inc. watches // weather : 2015-01-08 The Weather Channel, LLC weather // weatherchannel : 2015-03-12 The Weather Channel, LLC weatherchannel // webcam : 2014-01-23 dot Webcam Limited webcam // weber : 2015-06-04 Saint-Gobain Weber SA weber // website : 2014-04-03 DotWebsite Inc. website // wed : 2013-10-01 Atgron, Inc. wed // wedding : 2014-04-24 Top Level Domain Holdings Limited wedding // weibo : 2015-03-05 Sina Corporation weibo // weir : 2015-01-29 Weir Group IP Limited weir // whoswho : 2014-02-20 Who's Who Registry whoswho // wien : 2013-10-28 punkt.wien GmbH wien // wiki : 2013-11-07 Top Level Design, LLC wiki // williamhill : 2014-03-13 William Hill Organization Limited williamhill // win : 2014-11-20 First Registry Limited win // windows : 2014-12-18 Microsoft Corporation windows // wine : 2015-06-18 June Station, LLC wine // winners : 2015-07-16 The TJX Companies, Inc. winners // wme : 2014-02-13 William Morris Endeavor Entertainment, LLC wme // wolterskluwer : 2015-08-06 Wolters Kluwer N.V. wolterskluwer // woodside : 2015-07-09 Woodside Petroleum Limited woodside // work : 2013-12-19 Top Level Domain Holdings Limited work // works : 2013-11-14 Little Dynamite, LLC works // world : 2014-06-12 Bitter Fields, LLC world // wow : 2015-10-08 Amazon EU S.à r.l. wow // wtc : 2013-12-19 World Trade Centers Association, Inc. wtc // wtf : 2014-03-06 Hidden Way, LLC wtf // xbox : 2014-12-18 Microsoft Corporation xbox // xerox : 2014-10-24 Xerox DNHC LLC xerox // xfinity : 2015-07-09 Comcast IP Holdings I, LLC xfinity // xihuan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. xihuan // xin : 2014-12-11 Elegant Leader Limited xin // xn--11b4c3d : 2015-01-15 VeriSign Sarl xn--11b4c3d // xn--1ck2e1b : 2015-02-26 Amazon EU S.à r.l. xn--1ck2e1b // xn--1qqw23a : 2014-01-09 Guangzhou YU Wei Information Technology Co., Ltd. xn--1qqw23a // xn--30rr7y : 2014-06-12 Excellent First Limited xn--30rr7y // xn--3bst00m : 2013-09-13 Eagle Horizon Limited xn--3bst00m // xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED xn--3ds443g // xn--3oq18vl8pn36a : 2015-07-02 Volkswagen (China) Investment Co., Ltd. xn--3oq18vl8pn36a // xn--3pxu8k : 2015-01-15 VeriSign Sarl xn--3pxu8k // xn--42c2d9a : 2015-01-15 VeriSign Sarl xn--42c2d9a // xn--45q11c : 2013-11-21 Zodiac Scorpio Limited xn--45q11c // xn--4gbrim : 2013-10-04 Suhub Electronic Establishment xn--4gbrim // xn--4gq48lf9j : 2015-07-31 Wal-Mart Stores, Inc. xn--4gq48lf9j // xn--55qw42g : 2013-11-08 China Organizational Name Administration Center xn--55qw42g // xn--55qx5d : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) xn--55qx5d // xn--5su34j936bgsg : 2015-09-03 Shangriâ€La International Hotel Management Limited xn--5su34j936bgsg // xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited xn--5tzm5g // xn--6frz82g : 2013-09-23 Afilias Limited xn--6frz82g // xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited xn--6qq986b3xl // xn--80adxhks : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) xn--80adxhks // xn--80aqecdr1a : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) xn--80aqecdr1a // xn--80asehdb : 2013-07-14 CORE Association xn--80asehdb // xn--80aswg : 2013-07-14 CORE Association xn--80aswg // xn--8y0a063a : 2015-03-26 China United Network Communications Corporation Limited xn--8y0a063a // xn--9dbq2a : 2015-01-15 VeriSign Sarl xn--9dbq2a // xn--9et52u : 2014-06-12 RISE VICTORY LIMITED xn--9et52u // xn--9krt00a : 2015-03-12 Sina Corporation xn--9krt00a // xn--b4w605ferd : 2014-08-07 Temasek Holdings (Private) Limited xn--b4w605ferd // xn--bck1b9a5dre4c : 2015-02-26 Amazon EU S.à r.l. xn--bck1b9a5dre4c // xn--c1avg : 2013-11-14 Public Interest Registry xn--c1avg // xn--c2br7g : 2015-01-15 VeriSign Sarl xn--c2br7g // xn--cck2b3b : 2015-02-26 Amazon EU S.à r.l. xn--cck2b3b // xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD xn--cg4bki // xn--czr694b : 2014-01-16 HU YI GLOBAL INFORMATION RESOURCES (HOLDING) COMPANY. HONGKONG LIMITED xn--czr694b // xn--czrs0t : 2013-12-19 Wild Island, LLC xn--czrs0t // xn--czru2d : 2013-11-21 Zodiac Capricorn Limited xn--czru2d // xn--d1acj3b : 2013-11-20 The Foundation for Network Initiatives “The Smart Internet†xn--d1acj3b // xn--eckvdtc9d : 2014-12-18 Amazon EU S.à r.l. xn--eckvdtc9d // xn--efvy88h : 2014-08-22 Xinhua News Agency Guangdong Branch æ–°åŽé€šè®¯ç¤¾å¹¿ä¸œåˆ†ç¤¾ xn--efvy88h // xn--estv75g : 2015-02-19 Industrial and Commercial Bank of China Limited xn--estv75g // xn--fct429k : 2015-04-09 Amazon EU S.à r.l. xn--fct429k // xn--fhbei : 2015-01-15 VeriSign Sarl xn--fhbei // xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED xn--fiq228c5hs // xn--fiq64b : 2013-10-14 CITIC Group Corporation xn--fiq64b // xn--fjq720a : 2014-05-22 Will Bloom, LLC xn--fjq720a // xn--flw351e : 2014-07-31 Charleston Road Registry Inc. xn--flw351e // xn--fzys8d69uvgm : 2015-05-14 PCCW Enterprises Limited xn--fzys8d69uvgm // xn--g2xx48c : 2015-01-30 Minds + Machines Group Limited xn--g2xx48c // xn--gckr3f0f : 2015-02-26 Amazon EU S.à r.l. xn--gckr3f0f // xn--gk3at1e : 2015-10-08 Amazon EU S.à r.l. xn--gk3at1e // xn--hxt814e : 2014-05-15 Zodiac Libra Limited xn--hxt814e // xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry xn--i1b6b1a6a2e // xn--imr513n : 2014-12-11 HU YI GLOBAL INFORMATION RESOURCES (HOLDING) COMPANY. HONGKONG LIMITED xn--imr513n // xn--io0a7i : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) xn--io0a7i // xn--j1aef : 2015-01-15 VeriSign Sarl xn--j1aef // xn--jlq61u9w7b : 2015-01-08 Nokia Corporation xn--jlq61u9w7b // xn--jvr189m : 2015-02-26 Amazon EU S.à r.l. xn--jvr189m // xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V. xn--kcrx77d1x4a // xn--kpu716f : 2014-12-22 Richemont DNS Inc. xn--kpu716f // xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd xn--kput3i // xn--mgba3a3ejt : 2014-11-20 Aramco Services Company xn--mgba3a3ejt // xn--mgba7c0bbn0a : 2015-05-14 Crescent Holding GmbH xn--mgba7c0bbn0a // xn--mgbaakc7dvf : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat) xn--mgbaakc7dvf // xn--mgbab2bd : 2013-10-31 CORE Association xn--mgbab2bd // xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L. xn--mgbb9fbpob // xn--mgbca7dzdo : 2015-07-30 Abu Dhabi Systems and Information Centre xn--mgbca7dzdo // xn--mgbi4ecexp : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) xn--mgbi4ecexp // xn--mgbt3dhd : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. xn--mgbt3dhd // xn--mk1bu44c : 2015-01-15 VeriSign Sarl xn--mk1bu44c // xn--mxtq1m : 2014-03-06 Net-Chinese Co., Ltd. xn--mxtq1m // xn--ngbc5azd : 2013-07-13 International Domain Registry Pty. Ltd. xn--ngbc5azd // xn--ngbe9e0a : 2014-12-04 Kuwait Finance House xn--ngbe9e0a // xn--nqv7f : 2013-11-14 Public Interest Registry xn--nqv7f // xn--nqv7fs00ema : 2013-11-14 Public Interest Registry xn--nqv7fs00ema // xn--nyqy26a : 2014-11-07 Stable Tone Limited xn--nyqy26a // xn--p1acf : 2013-12-12 Rusnames Limited xn--p1acf // xn--pbt977c : 2014-12-22 Richemont DNS Inc. xn--pbt977c // xn--pssy2u : 2015-01-15 VeriSign Sarl xn--pssy2u // xn--q9jyb4c : 2013-09-17 Charleston Road Registry Inc. xn--q9jyb4c // xn--qcka1pmc : 2014-07-31 Charleston Road Registry Inc. xn--qcka1pmc // xn--rhqv96g : 2013-09-11 Stable Tone Limited xn--rhqv96g // xn--rovu88b : 2015-02-26 Amazon EU S.à r.l. xn--rovu88b // xn--ses554g : 2014-01-16 xn--ses554g // xn--t60b56a : 2015-01-15 VeriSign Sarl xn--t60b56a // xn--tckwe : 2015-01-15 VeriSign Sarl xn--tckwe // xn--tiq49xqyj : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) xn--tiq49xqyj // xn--unup4y : 2013-07-14 Spring Fields, LLC xn--unup4y // xn--vermgensberater-ctb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG xn--vermgensberater-ctb // xn--vermgensberatung-pwb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG xn--vermgensberatung-pwb // xn--vhquv : 2013-08-27 Dash McCook, LLC xn--vhquv // xn--vuq861b : 2014-10-16 Beijing Tele-info Network Technology Co., Ltd. xn--vuq861b // xn--w4r85el8fhu5dnra : 2015-04-30 Kerry Trading Co. Limited xn--w4r85el8fhu5dnra // xn--w4rs40l : 2015-07-30 Kerry Trading Co. Limited xn--w4rs40l // xn--xhq521b : 2013-11-14 Guangzhou YU Wei Information Technology Co., Ltd. xn--xhq521b // xn--zfr164b : 2013-11-08 China Organizational Name Administration Center xn--zfr164b // xperia : 2015-05-14 Sony Mobile Communications AB xperia // xyz : 2013-12-05 XYZ.COM LLC xyz // yachts : 2014-01-09 DERYachts, LLC yachts // yahoo : 2015-04-02 Yahoo! Domain Services Inc. yahoo // yamaxun : 2014-12-18 Amazon EU S.à r.l. yamaxun // yandex : 2014-04-10 YANDEX, LLC yandex // yodobashi : 2014-11-20 YODOBASHI CAMERA CO.,LTD. yodobashi // yoga : 2014-05-29 Top Level Domain Holdings Limited yoga // yokohama : 2013-12-12 GMO Registry, Inc. yokohama // you : 2015-04-09 Amazon EU S.à r.l. you // youtube : 2014-05-01 Charleston Road Registry Inc. youtube // yun : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. yun // zappos : 2015-06-25 Amazon EU S.à r.l. zappos // zara : 2014-11-07 Industria de Diseño Textil, S.A. (INDITEX, S.A.) zara // zero : 2014-12-18 Amazon EU S.à r.l. zero // zip : 2014-05-08 Charleston Road Registry Inc. zip // zippo : 2015-07-02 Zadco Company zippo // zone : 2013-11-14 Outer Falls, LLC zone // zuerich : 2014-11-07 Kanton Zürich (Canton of Zurich) zuerich // ===END ICANN DOMAINS=== // ===BEGIN PRIVATE DOMAINS=== // (Note: these are in alphabetical order by company name) // Amazon CloudFront : https://aws.amazon.com/cloudfront/ // Submitted by Donavan Miller 2013-03-22 cloudfront.net // Amazon Elastic Compute Cloud: https://aws.amazon.com/ec2/ // Submitted by Osman Surkatty 2014-12-16 ap-northeast-1.compute.amazonaws.com ap-southeast-1.compute.amazonaws.com ap-southeast-2.compute.amazonaws.com cn-north-1.compute.amazonaws.cn compute.amazonaws.cn compute.amazonaws.com compute-1.amazonaws.com eu-west-1.compute.amazonaws.com eu-central-1.compute.amazonaws.com sa-east-1.compute.amazonaws.com us-east-1.amazonaws.com us-gov-west-1.compute.amazonaws.com us-west-1.compute.amazonaws.com us-west-2.compute.amazonaws.com z-1.compute-1.amazonaws.com z-2.compute-1.amazonaws.com // Amazon Elastic Beanstalk : https://aws.amazon.com/elasticbeanstalk/ // Submitted by Adam Stein 2013-04-02 elasticbeanstalk.com // Amazon Elastic Load Balancing : https://aws.amazon.com/elasticloadbalancing/ // Submitted by Scott Vidmar 2013-03-27 elb.amazonaws.com // Amazon S3 : https://aws.amazon.com/s3/ // Submitted by Eric Kinolik 2015-04-08 s3.amazonaws.com s3-ap-northeast-1.amazonaws.com s3-ap-southeast-1.amazonaws.com s3-ap-southeast-2.amazonaws.com s3-external-1.amazonaws.com s3-external-2.amazonaws.com s3-fips-us-gov-west-1.amazonaws.com s3-eu-central-1.amazonaws.com s3-eu-west-1.amazonaws.com s3-sa-east-1.amazonaws.com s3-us-gov-west-1.amazonaws.com s3-us-west-1.amazonaws.com s3-us-west-2.amazonaws.com s3.cn-north-1.amazonaws.com.cn s3.eu-central-1.amazonaws.com // BetaInABox // Submitted by adrian@betainabox.com 2012-09-13 betainabox.com // CentralNic : http://www.centralnic.com/names/domains // Submitted by registry 2012-09-27 ae.org ar.com br.com cn.com com.de com.se de.com eu.com gb.com gb.net hu.com hu.net jp.net jpn.com kr.com mex.com no.com qc.com ru.com sa.com se.com se.net uk.com uk.net us.com uy.com za.bz za.com // Africa.com Web Solutions Ltd : https://registry.africa.com // Submitted by Gavin Brown 2014-02-04 africa.com // iDOT Services Limited : http://www.domain.gr.com // Submitted by Gavin Brown 2014-02-04 gr.com // Radix FZC : http://domains.in.net // Submitted by Gavin Brown 2014-02-04 in.net // US REGISTRY LLC : http://us.org // Submitted by Gavin Brown 2014-02-04 us.org // co.com Registry, LLC : https://registry.co.com // Submitted by Gavin Brown 2014-02-04 co.com // c.la : http://www.c.la/ c.la // cloudControl : https://www.cloudcontrol.com/ // Submitted by Tobias Wilken 2013-07-23 cloudcontrolled.com cloudcontrolapp.com // co.ca : http://registry.co.ca/ co.ca // CDN77.com : http://www.cdn77.com // Submitted by Jan Krpes 2015-07-13 c.cdn77.org cdn77-ssl.net r.cdn77.net rsc.cdn77.org ssl.origin.cdn77-secure.org // CoDNS B.V. co.nl co.no // Commerce Guys, SAS // Submitted by Damien Tournoud 2015-01-22 *.platform.sh // Cupcake : https://cupcake.io/ // Submitted by Jonathan Rudenberg 2013-10-08 cupcake.is // DreamHost : http://www.dreamhost.com/ // Submitted by Andrew Farmer 2012-10-02 dreamhosters.com // DuckDNS : http://www.duckdns.org/ // Submitted by Richard Harper 2015-05-17 duckdns.org // DynDNS.com : http://www.dyndns.com/services/dns/dyndns/ dyndns-at-home.com dyndns-at-work.com dyndns-blog.com dyndns-free.com dyndns-home.com dyndns-ip.com dyndns-mail.com dyndns-office.com dyndns-pics.com dyndns-remote.com dyndns-server.com dyndns-web.com dyndns-wiki.com dyndns-work.com dyndns.biz dyndns.info dyndns.org dyndns.tv at-band-camp.net ath.cx barrel-of-knowledge.info barrell-of-knowledge.info better-than.tv blogdns.com blogdns.net blogdns.org blogsite.org boldlygoingnowhere.org broke-it.net buyshouses.net cechire.com dnsalias.com dnsalias.net dnsalias.org dnsdojo.com dnsdojo.net dnsdojo.org does-it.net doesntexist.com doesntexist.org dontexist.com dontexist.net dontexist.org doomdns.com doomdns.org dvrdns.org dyn-o-saur.com dynalias.com dynalias.net dynalias.org dynathome.net dyndns.ws endofinternet.net endofinternet.org endoftheinternet.org est-a-la-maison.com est-a-la-masion.com est-le-patron.com est-mon-blogueur.com for-better.biz for-more.biz for-our.info for-some.biz for-the.biz forgot.her.name forgot.his.name from-ak.com from-al.com from-ar.com from-az.net from-ca.com from-co.net from-ct.com from-dc.com from-de.com from-fl.com from-ga.com from-hi.com from-ia.com from-id.com from-il.com from-in.com from-ks.com from-ky.com from-la.net from-ma.com from-md.com from-me.org from-mi.com from-mn.com from-mo.com from-ms.com from-mt.com from-nc.com from-nd.com from-ne.com from-nh.com from-nj.com from-nm.com from-nv.com from-ny.net from-oh.com from-ok.com from-or.com from-pa.com from-pr.com from-ri.com from-sc.com from-sd.com from-tn.com from-tx.com from-ut.com from-va.com from-vt.com from-wa.com from-wi.com from-wv.com from-wy.com ftpaccess.cc fuettertdasnetz.de game-host.org game-server.cc getmyip.com gets-it.net go.dyndns.org gotdns.com gotdns.org groks-the.info groks-this.info ham-radio-op.net here-for-more.info hobby-site.com hobby-site.org home.dyndns.org homedns.org homeftp.net homeftp.org homeip.net homelinux.com homelinux.net homelinux.org homeunix.com homeunix.net homeunix.org iamallama.com in-the-band.net is-a-anarchist.com is-a-blogger.com is-a-bookkeeper.com is-a-bruinsfan.org is-a-bulls-fan.com is-a-candidate.org is-a-caterer.com is-a-celticsfan.org is-a-chef.com is-a-chef.net is-a-chef.org is-a-conservative.com is-a-cpa.com is-a-cubicle-slave.com is-a-democrat.com is-a-designer.com is-a-doctor.com is-a-financialadvisor.com is-a-geek.com is-a-geek.net is-a-geek.org is-a-green.com is-a-guru.com is-a-hard-worker.com is-a-hunter.com is-a-knight.org is-a-landscaper.com is-a-lawyer.com is-a-liberal.com is-a-libertarian.com is-a-linux-user.org is-a-llama.com is-a-musician.com is-a-nascarfan.com is-a-nurse.com is-a-painter.com is-a-patsfan.org is-a-personaltrainer.com is-a-photographer.com is-a-player.com is-a-republican.com is-a-rockstar.com is-a-socialist.com is-a-soxfan.org is-a-student.com is-a-teacher.com is-a-techie.com is-a-therapist.com is-an-accountant.com is-an-actor.com is-an-actress.com is-an-anarchist.com is-an-artist.com is-an-engineer.com is-an-entertainer.com is-by.us is-certified.com is-found.org is-gone.com is-into-anime.com is-into-cars.com is-into-cartoons.com is-into-games.com is-leet.com is-lost.org is-not-certified.com is-saved.org is-slick.com is-uberleet.com is-very-bad.org is-very-evil.org is-very-good.org is-very-nice.org is-very-sweet.org is-with-theband.com isa-geek.com isa-geek.net isa-geek.org isa-hockeynut.com issmarterthanyou.com isteingeek.de istmein.de kicks-ass.net kicks-ass.org knowsitall.info land-4-sale.us lebtimnetz.de leitungsen.de likes-pie.com likescandy.com merseine.nu mine.nu misconfused.org mypets.ws myphotos.cc neat-url.com office-on-the.net on-the-web.tv podzone.net podzone.org readmyblog.org saves-the-whales.com scrapper-site.net scrapping.cc selfip.biz selfip.com selfip.info selfip.net selfip.org sells-for-less.com sells-for-u.com sells-it.net sellsyourhome.org servebbs.com servebbs.net servebbs.org serveftp.net serveftp.org servegame.org shacknet.nu simple-url.com space-to-rent.com stuff-4-sale.org stuff-4-sale.us teaches-yoga.com thruhere.net traeumtgerade.de webhop.biz webhop.info webhop.net webhop.org worse-than.tv writesthisblog.com // EU.org https://eu.org/ // Submitted by Pierre Beyssac 2015-04-17 eu.org al.eu.org asso.eu.org at.eu.org au.eu.org be.eu.org bg.eu.org ca.eu.org cd.eu.org ch.eu.org cn.eu.org cy.eu.org cz.eu.org de.eu.org dk.eu.org edu.eu.org ee.eu.org es.eu.org fi.eu.org fr.eu.org gr.eu.org hr.eu.org hu.eu.org ie.eu.org il.eu.org in.eu.org int.eu.org is.eu.org it.eu.org jp.eu.org kr.eu.org lt.eu.org lu.eu.org lv.eu.org mc.eu.org me.eu.org mk.eu.org mt.eu.org my.eu.org net.eu.org ng.eu.org nl.eu.org no.eu.org nz.eu.org paris.eu.org pl.eu.org pt.eu.org q-a.eu.org ro.eu.org ru.eu.org se.eu.org si.eu.org sk.eu.org tr.eu.org uk.eu.org us.eu.org // Fastly Inc. http://www.fastly.com/ // Submitted by Vladimir Vuksan 2013-05-31 a.ssl.fastly.net b.ssl.fastly.net global.ssl.fastly.net a.prod.fastly.net global.prod.fastly.net // Firebase, Inc. // Submitted by Chris Raynor 2014-01-21 firebaseapp.com // Flynn : https://flynn.io // Submitted by Jonathan Rudenberg 2014-07-12 flynnhub.com // GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains // Submitted by David Illsley 2014-08-28 service.gov.uk // GitHub, Inc. // Submitted by Ben Toews 2014-02-06 github.io githubusercontent.com // GlobeHosting, Inc. // Submitted by Zoltan Egresi 2013-07-12 ro.com // Google, Inc. // Submitted by Eduardo Vela 2014-12-19 appspot.com blogspot.ae blogspot.al blogspot.am blogspot.ba blogspot.be blogspot.bg blogspot.bj blogspot.ca blogspot.cf blogspot.ch blogspot.cl blogspot.co.at blogspot.co.id blogspot.co.il blogspot.co.ke blogspot.co.nz blogspot.co.uk blogspot.co.za blogspot.com blogspot.com.ar blogspot.com.au blogspot.com.br blogspot.com.by blogspot.com.co blogspot.com.cy blogspot.com.ee blogspot.com.eg blogspot.com.es blogspot.com.mt blogspot.com.ng blogspot.com.tr blogspot.com.uy blogspot.cv blogspot.cz blogspot.de blogspot.dk blogspot.fi blogspot.fr blogspot.gr blogspot.hk blogspot.hr blogspot.hu blogspot.ie blogspot.in blogspot.is blogspot.it blogspot.jp blogspot.kr blogspot.li blogspot.lt blogspot.lu blogspot.md blogspot.mk blogspot.mr blogspot.mx blogspot.my blogspot.nl blogspot.no blogspot.pe blogspot.pt blogspot.qa blogspot.re blogspot.ro blogspot.rs blogspot.ru blogspot.se blogspot.sg blogspot.si blogspot.sk blogspot.sn blogspot.td blogspot.tw blogspot.ug blogspot.vn codespot.com googleapis.com googlecode.com pagespeedmobilizer.com withgoogle.com withyoutube.com // Heroku : https://www.heroku.com/ // Submitted by Tom Maher 2013-05-02 herokuapp.com herokussl.com // iki.fi // Submitted by Hannu Aronsson 2009-11-05 iki.fi // info.at : http://www.info.at/ biz.at info.at // Michau Enterprises Limited : http://www.co.pl/ co.pl // Microsoft : http://microsoft.com // Submitted by Barry Dorrans 2014-01-24 azurewebsites.net azure-mobile.net cloudapp.net // Mozilla Foundation : https://mozilla.org/ // Submited by glob 2015-07-06 bmoattachments.org // Neustar Inc. // Submitted by Trung Tran 2015-04-23 4u.com // ngrok : https://ngrok.com/ // Submitted by Alan Shreve 2015-11-10 ngrok.io // NFSN, Inc. : https://www.NearlyFreeSpeech.NET/ // Submitted by Jeff Wheelhouse 2014-02-02 nfshost.com // NYC.mn : http://www.information.nyc.mn // Submitted by Matthew Brown 2013-03-11 nyc.mn // One Fold Media : http://www.onefoldmedia.com/ // Submitted by Eddie Jones 2014-06-10 nid.io // Opera Software, A.S.A. // Submitted by Yngve Pettersen 2009-11-26 operaunite.com // OutSystems // Submitted by Duarte Santos 2014-03-11 outsystemscloud.com // .pl domains (grandfathered) art.pl gliwice.pl krakow.pl poznan.pl wroc.pl zakopane.pl // Pantheon Systems, Inc. : https://pantheon.io/ // Submitted by Gary Dylina 2015-09-14 pantheon.io gotpantheon.com // priv.at : http://www.nic.priv.at/ // Submitted by registry 2008-06-09 priv.at // QA2 // Submitted by Daniel Dent (https://www.danieldent.com/) 2015-07-16 qa2.com // Red Hat, Inc. OpenShift : https://openshift.redhat.com/ // Submitted by Tim Kramer 2012-10-24 rhcloud.com // Sandstorm Development Group, Inc. : https://sandcats.io/ // Submitted by Asheesh Laroia 2015-07-21 sandcats.io // Service Online LLC : http://drs.ua/ // Submitted by Serhii Bulakh 2015-07-30 biz.ua co.ua pp.ua // SinaAppEngine : http://sae.sina.com.cn/ // Submitted by SinaAppEngine 2015-02-02 sinaapp.com vipsinaapp.com 1kapp.com // TASK geographical domains (www.task.gda.pl/uslugi/dns) gda.pl gdansk.pl gdynia.pl med.pl sopot.pl // UDR Limited : http://www.udr.hk.com // Submitted by registry 2014-11-07 hk.com hk.org ltd.hk inc.hk // Yola : https://www.yola.com/ // Submitted by Stefano Rivera 2014-07-09 yolasite.com // ZaNiC : http://www.za.net/ // Submitted by registry 2009-10-03 za.net za.org // ===END PRIVATE DOMAINS=== END_BUILTIN_DATA 1; IO-Socket-SSL-2.024/lib/IO/Socket/SSL/Utils.pm0000644000175100017510000004765312653360416017076 0ustar workwork package IO::Socket::SSL::Utils; use strict; use warnings; use Carp 'croak'; use Net::SSLeay; # old versions of Exporter do not export 'import' yet require Exporter; *import = \&Exporter::import; our $VERSION = '2.014'; our @EXPORT = qw( PEM_file2cert PEM_string2cert PEM_cert2file PEM_cert2string PEM_file2key PEM_string2key PEM_key2file PEM_key2string KEY_free CERT_free KEY_create_rsa CERT_asHash CERT_create ); sub PEM_file2cert { my $file = shift; my $bio = Net::SSLeay::BIO_new_file($file,'r') or croak "cannot read $file: $!"; my $cert = Net::SSLeay::PEM_read_bio_X509($bio); Net::SSLeay::BIO_free($bio); $cert or croak "cannot parse $file as PEM X509 cert: ". Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()); return $cert; } sub PEM_cert2file { my ($cert,$file) = @_; my $string = Net::SSLeay::PEM_get_string_X509($cert) or croak("cannot get string from cert"); open( my $fh,'>',$file ) or croak("cannot write $file: $!"); print $fh $string; } sub PEM_string2cert { my $string = shift; my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem()); Net::SSLeay::BIO_write($bio,$string); my $cert = Net::SSLeay::PEM_read_bio_X509($bio); Net::SSLeay::BIO_free($bio); $cert or croak "cannot parse string as PEM X509 cert: ". Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()); return $cert; } sub PEM_cert2string { my $cert = shift; return Net::SSLeay::PEM_get_string_X509($cert) || croak("cannot get string from cert"); } sub PEM_file2key { my $file = shift; my $bio = Net::SSLeay::BIO_new_file($file,'r') or croak "cannot read $file: $!"; my $key = Net::SSLeay::PEM_read_bio_PrivateKey($bio); Net::SSLeay::BIO_free($bio); $key or croak "cannot parse $file as PEM private key: ". Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()); return $key; } sub PEM_key2file { my ($key,$file) = @_; my $string = Net::SSLeay::PEM_get_string_PrivateKey($key) or croak("cannot get string from key"); open( my $fh,'>',$file ) or croak("cannot write $file: $!"); print $fh $string; } sub PEM_string2key { my $string = shift; my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem()); Net::SSLeay::BIO_write($bio,$string); my $key = Net::SSLeay::PEM_read_bio_PrivateKey($bio); Net::SSLeay::BIO_free($bio); $key or croak "cannot parse string as PEM private key: ". Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()); return $key; } sub PEM_key2string { my $key = shift; return Net::SSLeay::PEM_get_string_PrivateKey($key) || croak("cannot get string from key"); } sub CERT_free { my $cert = shift or return; Net::SSLeay::X509_free($cert); } sub KEY_free { my $key = shift or return; Net::SSLeay::EVP_PKEY_free($key); } sub KEY_create_rsa { my $bits = shift || 2048; my $key = Net::SSLeay::EVP_PKEY_new(); my $rsa = Net::SSLeay::RSA_generate_key($bits, 0x10001); # 0x10001 = RSA_F4 Net::SSLeay::EVP_PKEY_assign_RSA($key,$rsa); return $key; } # extract information from cert my %gen2i = qw( OTHERNAME 0 EMAIL 1 DNS 2 X400 3 DIRNAME 4 EDIPARTY 5 URI 6 IP 7 RID 8 ); my %i2gen = reverse %gen2i; sub CERT_asHash { my $cert = shift; my $digest_name = shift || 'sha256'; my %hash = ( version => Net::SSLeay::X509_get_version($cert), not_before => _asn1t2t(Net::SSLeay::X509_get_notBefore($cert)), not_after => _asn1t2t(Net::SSLeay::X509_get_notAfter($cert)), serial => Net::SSLeay::ASN1_INTEGER_get( Net::SSLeay::X509_get_serialNumber($cert)), crl_uri => [ Net::SSLeay::P_X509_get_crl_distribution_points($cert) ], keyusage => [ Net::SSLeay::P_X509_get_key_usage($cert) ], extkeyusage => { oid => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,0) ], nid => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,1) ], sn => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,2) ], ln => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,3) ], }, "pubkey_digest_$digest_name" => Net::SSLeay::X509_pubkey_digest( $cert,_digest($digest_name)), "x509_digest_$digest_name" => Net::SSLeay::X509_digest( $cert,_digest($digest_name)), "fingerprint_$digest_name" => Net::SSLeay::X509_get_fingerprint( $cert,_digest($digest_name)), ); my $subj = Net::SSLeay::X509_get_subject_name($cert); my %subj; for ( 0..Net::SSLeay::X509_NAME_entry_count($subj)-1 ) { my $e = Net::SSLeay::X509_NAME_get_entry($subj,$_); my $o = Net::SSLeay::X509_NAME_ENTRY_get_object($e); $subj{ Net::SSLeay::OBJ_obj2txt($o) } = Net::SSLeay::P_ASN1_STRING_get( Net::SSLeay::X509_NAME_ENTRY_get_data($e)); } $hash{subject} = \%subj; if ( my @names = Net::SSLeay::X509_get_subjectAltNames($cert) ) { my $alt = $hash{subjectAltNames} = []; while (my ($t,$v) = splice(@names,0,2)) { $t = $i2gen{$t} || die "unknown type $t in subjectAltName"; if ( $t eq 'IP' ) { if (length($v) == 4) { $v = join('.',unpack("CCCC",$v)); } elsif ( length($v) == 16 ) { my @v = unpack("nnnnnnnn",$v); my ($best0,$last0); for(my $i=0;$i<@v;$i++) { if ($v[$i] == 0) { if ($last0) { $last0->[1] = $i; $last0->[2]++; $best0 = $last0 if ++$last0->[2]>$best0->[2]; } else { $last0 = [ $i,$i,0 ]; $best0 ||= $last0; } } else { $last0 = undef; } } if ($best0) { $v = ''; $v .= join(':', map { sprintf( "%x",$_) } @v[0..$best0->[0]-1]) if $best0->[0]>0; $v .= '::'; $v .= join(':', map { sprintf( "%x",$_) } @v[$best0->[1]+1..$#v]) if $best0->[1]<$#v; } else { $v = join(':', map { sprintf( "%x",$_) } @v); } } } push @$alt,[$t,$v] } } my $issuer = Net::SSLeay::X509_get_issuer_name($cert); my %issuer; for ( 0..Net::SSLeay::X509_NAME_entry_count($issuer)-1 ) { my $e = Net::SSLeay::X509_NAME_get_entry($issuer,$_); my $o = Net::SSLeay::X509_NAME_ENTRY_get_object($e); $issuer{ Net::SSLeay::OBJ_obj2txt($o) } = Net::SSLeay::P_ASN1_STRING_get( Net::SSLeay::X509_NAME_ENTRY_get_data($e)); } $hash{issuer} = \%issuer; my @ext; for( 0..Net::SSLeay::X509_get_ext_count($cert)-1 ) { my $e = Net::SSLeay::X509_get_ext($cert,$_); my $o = Net::SSLeay::X509_EXTENSION_get_object($e); my $nid = Net::SSLeay::OBJ_obj2nid($o); push @ext, { oid => Net::SSLeay::OBJ_obj2txt($o), nid => ( $nid > 0 ) ? $nid : undef, sn => ( $nid > 0 ) ? Net::SSLeay::OBJ_nid2sn($nid) : undef, critical => Net::SSLeay::X509_EXTENSION_get_critical($e), data => Net::SSLeay::X509V3_EXT_print($e), } } $hash{ext} = \@ext; if ( defined(&Net::SSLeay::P_X509_get_ocsp_uri)) { $hash{ocsp_uri} = [ Net::SSLeay::P_X509_get_ocsp_uri($cert) ]; } else { $hash{ocsp_uri} = []; for( @ext ) { $_->{sn} or next; $_->{sn} eq 'authorityInfoAccess' or next; push @{ $hash{ocsp_uri}}, $_->{data} =~m{\bOCSP - URI:(\S+)}g; } } return \%hash; } sub CERT_create { my %args = @_%2 ? %{ shift() } : @_; my $cert = Net::SSLeay::X509_new(); my $digest_name = delete $args{digest} || 'sha256'; Net::SSLeay::ASN1_INTEGER_set( Net::SSLeay::X509_get_serialNumber($cert), delete $args{serial} || rand(2**32), ); # version default to 2 (V3) Net::SSLeay::X509_set_version($cert, delete $args{version} || 2 ); # not_before default to now Net::SSLeay::ASN1_TIME_set( Net::SSLeay::X509_get_notBefore($cert), delete $args{not_before} || time() ); # not_after default to now+365 days Net::SSLeay::ASN1_TIME_set( Net::SSLeay::X509_get_notAfter($cert), delete $args{not_after} || time() + 365*86400 ); # set subject my $subj_e = Net::SSLeay::X509_get_subject_name($cert); my $subj = delete $args{subject} || { organizationName => 'IO::Socket::SSL', commonName => 'IO::Socket::SSL Test' }; while ( my ($k,$v) = each %$subj ) { # Not everything we get is nice - try with MBSTRING_UTF8 first and if it # fails try V_ASN1_T61STRING and finally V_ASN1_OCTET_STRING Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,0x1000,$v,-1,0) or Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,20,$v,-1,0) or Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,4,$v,-1,0) or croak("failed to add entry for $k - ". Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error())); } my @ext = ( &Net::SSLeay::NID_subject_key_identifier => 'hash', &Net::SSLeay::NID_authority_key_identifier => 'keyid', &Net::SSLeay::NID_authority_key_identifier => 'issuer', ); if ( my $altsubj = delete $args{subjectAltNames} ) { push @ext, &Net::SSLeay::NID_subject_alt_name => join(',', map { "$_->[0]:$_->[1]" } @$altsubj) } my $key = delete $args{key} || KEY_create_rsa(); Net::SSLeay::X509_set_pubkey($cert,$key); my $is = delete $args{issuer}; my $issuer_cert = delete $args{issuer_cert} || $is && $is->[0] || $cert; my $issuer_key = delete $args{issuer_key} || $is && $is->[1] || $key; my %purpose; if (my $p = delete $args{purpose}) { if (!ref($p)) { $purpose{lc($2)} = (!$1 || $1 eq '+') ? 1:0 while $p =~m{([+-]?)(\w+)}g; } elsif (ref($p) eq 'ARRAY') { for(@$p) { m{^([+-]?)(\w+)$} or die "invalid entry in purpose: $_"; $purpose{lc($2)} = (!$1 || $1 eq '+') ? 1:0 } } else { while( my ($k,$v) = each %$p) { $purpose{lc($k)} = ($v && $v ne '-')?1:0; } } } if (defined( my $ca = delete $args{CA})) { # add defaults if ($ca) { %purpose = ( ca => 1, sslca => 1, emailca => 1, objca => 1, %purpose ); } else { %purpose = ( server => 1, client => 1, %purpose ); } } elsif (!%purpose) { %purpose = (server => 1, client => 1); } my (%key_usage,%ext_key_usage,%cert_type,%basic_constraints); my %dS = ( digitalSignature => \%key_usage ); my %kE = ( keyEncipherment => \%key_usage ); my %CA = ( 'CA:TRUE' => \%basic_constraints, %dS, keyCertSign => \%key_usage ); for( [ client => { %dS, %kE, clientAuth => \%ext_key_usage, client => \%cert_type } ], [ server => { %dS, %kE, serverAuth => \%ext_key_usage, server => \%cert_type } ], [ email => { %dS, %kE, emailProtection => \%ext_key_usage, email => \%cert_type } ], [ objsign => { %dS, %kE, codeSigning => \%ext_key_usage, objsign => \%cert_type } ], [ CA => { %CA }], [ sslCA => { %CA, sslCA => \%cert_type }], [ emailCA => { %CA, emailCA => \%cert_type }], [ objCA => { %CA, objCA => \%cert_type }], [ emailProtection => { %dS, %kE, emailProtection => \%ext_key_usage, email => \%cert_type } ], [ codeSigning => { %dS, %kE, codeSigning => \%ext_key_usage, objsign => \%cert_type } ], [ timeStamping => { timeStamping => \%ext_key_usage } ], [ digitalSignature => { digitalSignature => \%key_usage } ], [ nonRepudiation => { nonRepudiation => \%key_usage } ], [ keyEncipherment => { keyEncipherment => \%key_usage } ], [ dataEncipherment => { dataEncipherment => \%key_usage } ], [ keyAgreement => { keyAgreement => \%key_usage } ], [ keyCertSign => { keyCertSign => \%key_usage } ], [ cRLSign => { cRLSign => \%key_usage } ], [ encipherOnly => { encipherOnly => \%key_usage } ], [ decipherOnly => { decipherOnly => \%key_usage } ], ) { delete $purpose{lc($_->[0])} or next; while (my($k,$h) = each %{$_->[1]}) { $h->{$k} = 1; } } die "unknown purpose ".join(",",keys %purpose) if %purpose; if (%basic_constraints) { push @ext,&Net::SSLeay::NID_basic_constraints, => join(",",'critical', sort keys %basic_constraints); } else { push @ext, &Net::SSLeay::NID_basic_constraints => 'CA:FALSE'; } push @ext,&Net::SSLeay::NID_key_usage => join(",",'critical', sort keys %key_usage) if %key_usage; push @ext,&Net::SSLeay::NID_netscape_cert_type => join(",",sort keys %cert_type) if %cert_type; push @ext,&Net::SSLeay::NID_ext_key_usage => join(",",sort keys %ext_key_usage) if %ext_key_usage; Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert, @ext); for my $ext (@{ $args{ext} || [] }) { my $nid = $ext->{nid} || $ext->{sn} && Net::SSLeay::OBJ_sn2nid($ext->{sn}) || croak "cannot determine NID of extension"; my $val = $ext->{data}; if ($nid == 177) { # authorityInfoAccess: # OpenSSL i2v does not output the same way as expected by i2v :( for (split(/\n/,$val)) { s{ - }{;}; # "OCSP - URI:..." -> "OCSP;URI:..." $_ = "critical,$_" if $ext->{critical}; Net::SSLeay::P_X509_add_extensions($cert,$issuer_cert,$nid,$_); } } else { $val = "critical,$val" if $ext->{critical}; Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert, $nid, $val); } } Net::SSLeay::X509_set_issuer_name($cert, Net::SSLeay::X509_get_subject_name($issuer_cert)); Net::SSLeay::X509_sign($cert,$issuer_key,_digest($digest_name)); return ($cert,$key); } if ( defined &Net::SSLeay::ASN1_TIME_timet ) { *_asn1t2t = \&Net::SSLeay::ASN1_TIME_timet } else { require Time::Local; my %mon2i = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11 ); *_asn1t2t = sub { my $t = Net::SSLeay::P_ASN1_TIME_put2string( shift ); my ($mon,$d,$h,$m,$s,$y,$tz) = split(/[\s:]+/,$t); defined( $mon = $mon2i{$mon} ) or die "invalid month in $t"; $tz ||= $y =~s{^(\d+)([A-Z]\S*)}{$1} && $2; if ( ! $tz ) { return Time::Local::timelocal($s,$m,$h,$d,$mon,$y) } elsif ( $tz eq 'GMT' ) { return Time::Local::timegm($s,$m,$h,$d,$mon,$y) } else { die "unexpected TZ $tz from ASN1_TIME_print"; } } } { my %digest; sub _digest { my $digest_name = shift; return $digest{$digest_name} ||= do { Net::SSLeay::SSLeay_add_ssl_algorithms(); Net::SSLeay::EVP_get_digestbyname($digest_name) or die "Digest algorithm $digest_name is not available"; }; } } 1; __END__ =head1 NAME IO::Socket::SSL::Utils -- loading, storing, creating certificates and keys =head1 SYNOPSIS use IO::Socket::SSL::Utils; my $cert = PEM_file2cert('cert.pem'); # load certificate from file my $string = PEM_cert2string($cert); # convert certificate to PEM string CERT_free($cert); # free memory within OpenSSL my $key = KEY_create_rsa(2048); # create new 2048-bit RSA key PEM_string2file($key,"key.pem"); # and write it to file KEY_free($key); # free memory within OpenSSL =head1 DESCRIPTION This module provides various utility functions to work with certificates and private keys, shielding some of the complexity of the underlying Net::SSLeay and OpenSSL. =head1 FUNCTIONS =over 4 =item * Functions converting between string or file and certificates and keys. They croak if the operation cannot be completed. =over 8 =item PEM_file2cert(file) -> cert =item PEM_cert2file(cert,file) =item PEM_string2cert(string) -> cert =item PEM_cert2string(cert) -> string =item PEM_file2key(file) -> key =item PEM_key2file(key,file) =item PEM_string2key(string) -> key =item PEM_key2string(key) -> string =back =item * Functions for cleaning up. Each loaded or created cert and key must be freed to not leak memory. =over 8 =item CERT_free(cert) =item KEY_free(key) =back =item * KEY_create_rsa(bits) -> key Creates an RSA key pair, bits defaults to 2048. =item * CERT_asHash(cert,[digest_algo]) -> hash Extracts the information from the certificate into a hash and uses the given digest_algo (default: SHA-256) to determine digest of pubkey and cert. The resulting hash contains: =over 8 =item subject Hash with the parts of the subject, e.g. commonName, countryName, organizationName, stateOrProvinceName, localityName. =item subjectAltNames Array with list of alternative names. Each entry in the list is of C<[type,value]>, where C can be OTHERNAME, EMAIL, DNS, X400, DIRNAME, EDIPARTY, URI, IP or RID. =item issuer Hash with the parts of the issuer, e.g. commonName, countryName, organizationName, stateOrProvinceName, localityName. =item not_before, not_after The time frame, where the certificate is valid, as time_t, e.g. can be converted with localtime or similar functions. =item serial The serial number =item crl_uri List of URIs for CRL distribution. =item ocsp_uri List of URIs for revocation checking using OCSP. =item keyusage List of keyUsage information in the certificate. =item extkeyusage List of extended key usage information from the certificate. Each entry in this list consists of a hash with oid, nid, ln and sn. =item pubkey_digest_xxx Binary digest of the pubkey using the given digest algorithm, e.g. pubkey_digest_sha256 if (the default) SHA-256 was used. =item x509_digest_xxx Binary digest of the X.509 certificate using the given digest algorithm, e.g. x509_digest_sha256 if (the default) SHA-256 was used. =item fingerprint_xxx Fingerprint of the certificate using the given digest algorithm, e.g. fingerprint_sha256 if (the default) SHA-256 was used. Contrary to digest_* this is an ASCII string with a list if hexadecimal numbers, e.g. "73:59:75:5C:6D...". =item ext List of extensions. Each entry in the list is a hash with oid, nid, sn, critical flag (boolean) and data (string representation given by X509V3_EXT_print). =item version Certificate version, usually 2 (x509v3) =back =item * CERT_create(hash) -> (cert,key) Creates a certificate based on the given hash. If the issuer is not specified the certificate will be self-signed. The following keys can be given: =over 8 =item subject Hash with the parts of the subject, e.g. commonName, countryName, ... as described in C. Default points to IO::Socket::SSL. =item not_before A time_t value when the certificate starts to be valid. Defaults to current time. =item not_after A time_t value when the certificate ends to be valid. Defaults to current time plus one 365 days. =item serial The serial number. If not given a random number will be used. =item version The version of the certificate, default 2 (x509v3). =item CA true|false If true declare certificate as CA, defaults to false. =item purpose string|array|hash Set the purpose of the certificate. The different purposes can be given as a string separated by non-word character, as array or hash. With string or array each purpose can be prefixed with '+' (enable) or '-' (disable) and same can be done with the value when given as a hash. By default enabling the purpose is assumed. If the CA option is given and true the defaults "ca,sslca,emailca,objca" are assumed, but can be overridden with explicit purpose. If the CA option is given and false the defaults "server,client" are assumed. If no CA option and no purpose is given it defaults to "server,client". Purpose affects basicConstraints, keyUsage, extKeyUsage and netscapeCertType. The following purposes are defined (case is not important): client server email objsign CA sslCA emailCA objCA emailProtection codeSigning timeStamping digitalSignature nonRepudiation keyEncipherment dataEncipherment keyAgreement keyCertSign cRLSign encipherOnly decipherOnly Examples: # root-CA for SSL certificates purpose => 'sslCA' # or CA => 1 # server certificate and CA (typically self-signed) purpose => 'sslCA,server' # client certificate purpose => 'client', =item ext [{ sn => .., data => ... }, ... ] List of extensions. The type of the extension can be specified as name with C or as NID with C and the data with C. These data must be in the same syntax as expected within openssl.cnf, e.g. something like C. Additionally the critical flag can be set with C 1>. =item key key use given key as key for certificate, otherwise a new one will be generated and returned =item issuer_cert cert set issuer for new certificate =item issuer_key key sign new certificate with given key =item issuer [ cert, key ] Instead of giving issuer_key and issuer_cert as separate arguments they can be given both together. =item digest algorithm specify the algorithm used to sign the certificate, default SHA-256. =back =back =head1 AUTHOR Steffen Ullrich IO-Socket-SSL-2.024/lib/IO/Socket/SSL/Intercept.pm0000644000175100017510000002456012653370110017713 0ustar workwork package IO::Socket::SSL::Intercept; use strict; use warnings; use Carp 'croak'; use IO::Socket::SSL::Utils; use Net::SSLeay; our $VERSION = '2.014'; sub new { my ($class,%args) = @_; my $cacert = delete $args{proxy_cert}; if ( ! $cacert ) { if ( my $f = delete $args{proxy_cert_file} ) { $cacert = PEM_file2cert($f); } else { croak "no proxy_cert or proxy_cert_file given"; } } my $cakey = delete $args{proxy_key}; if ( ! $cakey ) { if ( my $f = delete $args{proxy_key_file} ) { $cakey = PEM_file2key($f); } else { croak "no proxy_cert or proxy_cert_file given"; } } my $certkey = delete $args{cert_key}; if ( ! $certkey ) { if ( my $f = delete $args{cert_key_file} ) { $certkey = PEM_file2key($f); } } my $cache = delete $args{cache} || {}; my $self = bless { cacert => $cacert, cakey => $cakey, certkey => $certkey, serial => delete $args{serial} || 1, cache => $cache, }; return $self; } sub DESTROY { # call various ssl _free routines my $self = shift or return; for ( \$self->{cacert}, map { \$_->{cert} } ref($self->{cache}) ne 'CODE' ? values %{$self->{cache}} :()) { $$_ or next; CERT_free($$_); $$_ = undef; } for ( \$self->{cakey}, \$self->{pubkey} ) { $$_ or next; KEY_free($$_); $$_ = undef; } } sub clone_cert { my ($self,$old_cert,$clone_key) = @_; $clone_key ||= substr(unpack("H*",Net::SSLeay::X509_get_fingerprint($old_cert,'sha1')),0,16); if ( my ($clone,$key) = _get_cached($self,$clone_key)) { return ($clone,$key); } # create new certificate based on original # copy most but not all extensions my $hash = CERT_asHash($old_cert); if (my $ext = $hash->{ext}) { @$ext = grep { defined($_->{sn}) && $_->{sn} !~m{^(?: authorityInfoAccess | subjectKeyIdentifier | authorityKeyIdentifier | certificatePolicies | crlDistributionPoints )$}x } @$ext; } my ($clone,$key) = CERT_create( %$hash, serial => $self->{serial}++, issuer_cert => $self->{cacert}, issuer_key => $self->{cakey}, key => $self->{certkey}, ); # put into cache _set_cached($self,$clone_key,$clone,$key); return ($clone,$key); } sub _get_cached { my ($self,$clone_key) = @_; my $c = $self->{cache}; return $c->($clone_key) if ref($c) eq 'CODE'; my $e = $c->{$clone_key} or return; $e->{atime} = time(); return ($e->{cert},$e->{key} || $self->{certkey}); } sub _set_cached { my ($self,$clone_key,$cert,$key) = @_; my $c = $self->{cache}; return $c->($clone_key,$cert,$key) if ref($c) eq 'CODE'; $c->{$clone_key} = { cert => $cert, $self->{certkey} && $self->{certkey} == $key ? () : ( key => $key ), atime => time() }; } sub STORABLE_freeze { my $self = shift; $self->serialize() } sub STORABLE_thaw { my ($class,undef,$data) = @_; $class->unserialize($data) } sub serialize { my $self = shift; my $data = pack("N",2); # version $data .= pack("N/a", PEM_cert2string($self->{cacert})); $data .= pack("N/a", PEM_key2string($self->{cakey})); if ( $self->{certkey} ) { $data .= pack("N/a", PEM_key2string($self->{certkey})); } else { $data .= pack("N/a", ''); } $data .= pack("N",$self->{serial}); if ( ref($self->{cache}) eq 'HASH' ) { while ( my($k,$v) = each %{ $self->{cache}} ) { $data .= pack("N/aN/aN/aN", $k, PEM_cert2string($k->{cert}), $k->{key} ? PEM_key2string($k->{key}) : '', $k->{atime}); } } return $data; } sub unserialize { my ($class,$data) = @_; unpack("N",substr($data,0,4,'')) == 2 or croak("serialized with wrong version"); ( my $cacert,my $cakey,my $certkey,my $serial,$data) = unpack("N/aN/aN/aNa*",$data); my $self = bless { serial => $serial, cacert => PEM_string2cert($cacert), cakey => PEM_string2key($cakey), $certkey ? ( certkey => PEM_string2key($certkey)):(), }, ref($class)||$class; $self->{cache} = {} if $data ne ''; while ( $data ne '' ) { (my $key,my $cert,my $certkey, my $atime,$data) = unpack("N/aN/aNa*",$data); $self->{cache}{$key} = { cert => PEM_string2cert($cert), $key ? ( key => PEM_string2key($certkey)):(), atime => $atime }; } return $self; } 1; __END__ =head1 NAME IO::Socket::SSL::Intercept -- SSL interception (man in the middle) =head1 SYNOPSIS use IO::Socket::SSL::Intercept; # create interceptor with proxy certificates my $mitm = IO::Socket::SSL::Intercept->new( proxy_cert_file => 'proxy_cert.pem', proxy_key_file => 'proxy_key.pem', ... ); my $listen = IO::Socket::INET->new( LocalAddr => .., Listen => .. ); while (1) { # TCP accept new client my $client = $listen->accept or next; # SSL connect to server my $server = IO::Socket::SSL->new( PeerAddr => .., SSL_verify_mode => ..., ... ) or die "ssl connect failed: $!,$SSL_ERROR"; # clone server certificate my ($cert,$key) = $mitm->clone_cert( $server->peer_certificate ); # and upgrade client side to SSL with cloned certificate IO::Socket::SSL->start_SSL($client, SSL_server => 1, SSL_cert => $cert, SSL_key => $key ) or die "upgrade failed: $SSL_ERROR"; # now transfer data between $client and $server and analyze # the unencrypted data ... } =head1 DESCRIPTION This module provides functionality to clone certificates and sign them with a proxy certificate, thus making it easy to intercept SSL connections (man in the middle). It also manages a cache of the generated certificates. =head1 How Intercepting SSL Works Intercepting SSL connections is useful for analyzing encrypted traffic for security reasons or for testing. It does not break the end-to-end security of SSL, e.g. a properly written client will notice the interception unless you explicitly configure the client to trust your interceptor. Intercepting SSL works the following way: =over 4 =item * Create a new CA certificate, which will be used to sign the cloned certificates. This proxy CA certificate should be trusted by the client, or (a properly written client) will throw error messages or deny the connections because it detected a man in the middle attack. Due to the way the interception works there no support for client side certificates is possible. Using openssl such a proxy CA certificate and private key can be created with: openssl genrsa -out proxy_key.pem 1024 openssl req -new -x509 -extensions v3_ca -key proxy_key.pem -out proxy_cert.pem # export as PKCS12 for import into browser openssl pkcs12 -export -in proxy_cert.pem -inkey proxy_key.pem -out proxy_cert.p12 =item * Configure client to connect to use intercepting proxy or somehow redirect connections from client to the proxy (e.g. packet filter redirects, ARP or DNS spoofing etc). =item * Accept the TCP connection from the client, e.g. don't do any SSL handshakes with the client yet. =item * Establish the SSL connection to the server and verify the servers certificate as usually. Then create a new certificate based on the original servers certificate, but signed by your proxy CA. This is the step where IO::Socket::SSL::Intercept helps. =item * Upgrade the TCP connection to the client to SSL using the cloned certificate from the server. If the client trusts your proxy CA it will accept the upgrade to SSL. =item * Transfer data between client and server. While the connections to client and server are both encrypted with SSL you will read/write the unencrypted data in your proxy application. =back =head1 METHODS IO::Socket::SSL::Intercept helps creating the cloned certificate with the following methods: =over 4 =item B<< $mitm = IO::Socket::SSL::Intercept->new(%args) >> This creates a new interceptor object. C<%args> should be =over 8 =item proxy_cert X509 | proxy_cert_file filename This is the proxy certificate. It can be either given by an X509 object from Ls internal representation, or using a file in PEM format. =item proxy_key EVP_PKEY | proxy_key_file filename This is the key for the proxy certificate. It can be either given by an EVP_PKEY object from Ls internal representation, or using a file in PEM format. The key should not have a passphrase. =item pubkey EVP_PKEY | pubkey_file filename This optional argument specifies the public key used for the cloned certificate. It can be either given by an EVP_PKEY object from Ls internal representation, or using a file in PEM format. If not given it will create a new public key on each call of C. =item serial INTEGER This optional argument gives the starting point for the serial numbers of the newly created certificates. Default to 1. =item cache HASH | SUBROUTINE This optional argument gives a way to cache created certificates, so that they don't get recreated on future accesses to the same host. If the argument ist not given an internal HASH ist used. If the argument is a hash it will store for each generated certificate a hash reference with C and C in the hash, where C is the time of last access (to expire unused entries) and C is the certificate. Please note, that the certificate is in Ls internal X509 format and can thus not be simply dumped and restored. The key for the hash is an C either given to C or generated from the original certificate. If the argument is a subroutine it will be called as C<< $cache->(ident) >> to get an existing (cert,key) and with C<< $cache->(ident,cert,key) >> to cache the newly created certificate. =back =item B<< ($clone_cert,$key) = $mitm->clone_cert($original_cert,[ $ident ]) >> This clones the given certificate. An ident as the key into the cache can be given (like C), if not it will be created from the properties of the original certificate. It returns the cloned certificate and its key (which is the same for alle created certificates). =item B<< $string = $mitm->serialize >> This creates a serialized version of the object (e.g. a string) which can then be used to persistantly store created certificates over restarts of the application. The cache will only be serialized if it is a HASH. To work together with L the C function is defined to call C. =item B<< $mitm = IO::Socket::SSL::Intercept->unserialize($string) >> This restores an Intercept object from a serialized string. To work together with L the C function is defined to call C. =back =head1 AUTHOR Steffen Ullrich IO-Socket-SSL-2.024/lib/IO/Socket/SSL.pm0000644000175100017510000027172012655444660015776 0ustar workwork#vim: set sts=4 sw=4 ts=8 ai: # # IO::Socket::SSL: # provide an interface to SSL connections similar to IO::Socket modules # # Current Code Shepherd: Steffen Ullrich # Code Shepherd before: Peter Behroozi, # # The original version of this module was written by # Marko Asplund, , who drew from # Crypt::SSLeay (Net::SSL) by Gisle Aas. # package IO::Socket::SSL; our $VERSION = '2.024'; use IO::Socket; use Net::SSLeay 1.46; use IO::Socket::SSL::PublicSuffix; use Exporter (); use Errno qw( EWOULDBLOCK EAGAIN ETIMEDOUT EINTR ); use Carp; use strict; BEGIN { eval { require Scalar::Util; Scalar::Util->import("weaken"); 1 } || eval { require WeakRef; WeakRef->import("weaken"); 1 } || die "no support for weaken - please install Scalar::Util"; } use constant SSL_VERIFY_NONE => Net::SSLeay::VERIFY_NONE(); use constant SSL_VERIFY_PEER => Net::SSLeay::VERIFY_PEER(); use constant SSL_VERIFY_FAIL_IF_NO_PEER_CERT => Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(); use constant SSL_VERIFY_CLIENT_ONCE => Net::SSLeay::VERIFY_CLIENT_ONCE(); # from openssl/ssl.h; should be better in Net::SSLeay use constant SSL_SENT_SHUTDOWN => 1; use constant SSL_RECEIVED_SHUTDOWN => 2; use constant SSL_OCSP_NO_STAPLE => 0b00001; use constant SSL_OCSP_MUST_STAPLE => 0b00010; use constant SSL_OCSP_FAIL_HARD => 0b00100; use constant SSL_OCSP_FULL_CHAIN => 0b01000; use constant SSL_OCSP_TRY_STAPLE => 0b10000; # capabilities of underlying Net::SSLeay/openssl my $can_client_sni; # do we support SNI on the client side my $can_server_sni; # do we support SNI on the server side my $can_npn; # do we support NPN (obsolete) my $can_alpn; # do we support ALPN my $can_ecdh; # do we support ECDH key exchange my $can_ocsp; # do we support OCSP my $can_ocsp_staple; # do we support OCSP stapling BEGIN { $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000; $can_server_sni = defined &Net::SSLeay::get_servername; $can_npn = defined &Net::SSLeay::P_next_proto_negotiated; $can_alpn = defined &Net::SSLeay::CTX_set_alpn_protos; $can_ecdh = defined &Net::SSLeay::CTX_set_tmp_ecdh && # There is a regression with elliptic curves on 1.0.1d with 64bit # http://rt.openssl.org/Ticket/Display.html?id=2975 ( Net::SSLeay::OPENSSL_VERSION_NUMBER() != 0x1000104f || length(pack("P",0)) == 4 ); $can_ocsp = defined &Net::SSLeay::OCSP_cert2ids; $can_ocsp_staple = $can_ocsp && defined &Net::SSLeay::set_tlsext_status_type; } my $algo2digest = do { my %digest; sub { my $digest_name = shift; return $digest{$digest_name} ||= do { Net::SSLeay::SSLeay_add_ssl_algorithms(); Net::SSLeay::EVP_get_digestbyname($digest_name) or die "Digest algorithm $digest_name is not available"; }; } }; # global defaults my %DEFAULT_SSL_ARGS = ( SSL_check_crl => 0, SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken SSL_verify_callback => undef, SSL_verifycn_scheme => undef, # fallback cn verification SSL_verifycn_publicsuffix => undef, # fallback default list verification #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults' SSL_npn_protocols => undef, # meaning depends whether on server or client side SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] SSL_cipher_list => 'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '. 'EDH ALL +SHA +3DES !RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP', ); my %DEFAULT_SSL_CLIENT_ARGS = ( %DEFAULT_SSL_ARGS, SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_file => undef, SSL_ca_path => undef, # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771 # Debian works around this by disabling TLSv1_2 on the client side # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet # stays small enough # The following list is taken from IE11, except that we don't do RC4-MD5, # RC4-SHA is already bad enough. Also, we have a different sort order # compared to IE11, because we put ciphers supporting forward secrecy on top SSL_cipher_list => join(" ", qw( ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-DSS-AES128-SHA256 DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA256 DHE-DSS-AES256-SHA AES128-SHA256 AES128-SHA AES256-SHA256 AES256-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA RC4-SHA ), # just to make sure, that we don't accidentally add bad ciphers above "!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP" ) ); # set values inside _init to work with perlcc, RT#95452 my %DEFAULT_SSL_SERVER_ARGS; # Initialization of OpenSSL internals # This will be called once during compilation - perlcc users might need to # call it again by hand, see RT#95452 { sub init { # library_init returns false if the library was already initialized. # This way we can find out if the library needs to be re-initialized # inside code compiled with perlcc Net::SSLeay::library_init() or return; Net::SSLeay::load_error_strings(); Net::SSLeay::OpenSSL_add_all_digests(); Net::SSLeay::randomize(); %DEFAULT_SSL_SERVER_ARGS = ( %DEFAULT_SSL_ARGS, SSL_verify_mode => SSL_VERIFY_NONE, SSL_honor_cipher_order => 1, # trust server to know the best cipher SSL_dh => do { my $bio = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()); # generated with: openssl dhparam 2048 Net::SSLeay::BIO_write($bio,<<'DH'); -----BEGIN DH PARAMETERS----- MIIBCAKCAQEAr8wskArj5+1VCVsnWt/RUR7tXkHJ7mGW7XxrLSPOaFyKyWf8lZht iSY2Lc4oa4Zw8wibGQ3faeQu/s8fvPq/aqTxYmyHPKCMoze77QJHtrYtJAosB9SY CN7s5Hexxb5/vQ4qlQuOkVrZDiZO9GC4KaH9mJYnCoAsXDhDft6JT0oRVSgtZQnU gWFKShIm+JVjN94kGs0TcBEesPTK2g8XVHK9H8AtSUb9BwW2qD/T5RmgNABysApO Ps2vlkxjAHjJcqc3O+OiImKik/X2rtBTZjpKmzN3WWTB0RJZCOWaLlDO81D01o1E aZecz3Np9KIYey900f+X7zC2bJxEHp95ywIBAg== -----END DH PARAMETERS----- DH my $dh = Net::SSLeay::PEM_read_bio_DHparams($bio); Net::SSLeay::BIO_free($bio); $dh or die "no DH"; $dh; }, $can_ecdh ? ( SSL_ecdh_curve => 'prime256v1' ):(), ); } # Call it once at compile time and try it at INIT. # This should catch all cases of including the module, e.g 'use' (INIT) or # 'require' (compile time) and works also with perlcc { no warnings; INIT { init() } init(); } } # global defaults which can be changed using set_defaults # either key/value can be set or it can just be set to an external hash my $GLOBAL_SSL_ARGS = {}; my $GLOBAL_SSL_CLIENT_ARGS = {}; my $GLOBAL_SSL_SERVER_ARGS = {}; # hack which is used to filter bad settings from used modules my $FILTER_SSL_ARGS = undef; # non-XS Versions of Scalar::Util will fail BEGIN{ local $SIG{__DIE__}; local $SIG{__WARN__}; # be silent eval { use Scalar::Util 'dualvar'; dualvar(0,'') }; die "You need the XS Version of Scalar::Util for dualvar() support" if $@; } # get constants for SSL_OP_NO_* now, instead calling the related functions # every time we setup a connection my %SSL_OP_NO; for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) { my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); my $sub = "Net::SSLeay::OP_NO_$op"; $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0; } # Make SSL_CTX_clear_options accessible through SSL_CTX_ctrl unless it is # already implemented in Net::SSLeay if (!defined &Net::SSLeay::CTX_clear_options) { *Net::SSLeay::CTX_clear_options = sub { my ($ctx,$opt) = @_; # 77 = SSL_CTRL_CLEAR_OPTIONS Net::SSLeay::CTX_ctrl($ctx,77,$opt,0); }; } # Try to work around problems with alternative trust path by default, RT#104759 my $DEFAULT_X509_STORE_flags = 0; eval { $DEFAULT_X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_TRUSTED_FIRST() }; our $DEBUG; use vars qw(@ISA $SSL_ERROR @EXPORT); { # These constants will be used in $! at return from SSL_connect, # SSL_accept, _generic_(read|write), thus notifying the caller # the usual way of problems. Like with EWOULDBLOCK, EINPROGRESS.. # these are especially important for non-blocking sockets my $x = Net::SSLeay::ERROR_WANT_READ(); use constant SSL_WANT_READ => dualvar( \$x, 'SSL wants a read first' ); my $y = Net::SSLeay::ERROR_WANT_WRITE(); use constant SSL_WANT_WRITE => dualvar( \$y, 'SSL wants a write first' ); @EXPORT = qw( SSL_WANT_READ SSL_WANT_WRITE SSL_VERIFY_NONE SSL_VERIFY_PEER SSL_VERIFY_FAIL_IF_NO_PEER_CERT SSL_VERIFY_CLIENT_ONCE SSL_OCSP_NO_STAPLE SSL_OCSP_TRY_STAPLE SSL_OCSP_MUST_STAPLE SSL_OCSP_FAIL_HARD SSL_OCSP_FULL_CHAIN $SSL_ERROR GEN_DNS GEN_IPADD ); } my @caller_force_inet4; # in case inet4 gets forced we store here who forced it my $IOCLASS; my $family_key; # 'Domain'||'Family' BEGIN { # declare @ISA depending of the installed socket class # try to load inet_pton from Socket or Socket6 and make sure it is usable local $SIG{__DIE__}; local $SIG{__WARN__}; # be silent my $ip6 = eval { require Socket; Socket->VERSION(1.95); my $ok = Socket::inet_pton( AF_INET6(),'::1') && AF_INET6(); $ok && Socket->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ ); # behavior different to Socket6::getnameinfo - wrap *_getnameinfo = sub { my ($err,$host,$port) = Socket::getnameinfo(@_) or return; return if $err; return ($host,$port); }; $ok; } || eval { require Socket6; my $ok = Socket6::inet_pton( AF_INET6(),'::1') && AF_INET6(); $ok && Socket6->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ ); # behavior different to Socket::getnameinfo - wrap *_getnameinfo = sub { return Socket6::getnameinfo(@_); }; $ok; }; # try IO::Socket::IP or IO::Socket::INET6 for IPv6 support $family_key = 'Domain'; # traditional if ( $ip6 ) { # if we have IO::Socket::IP >= 0.31 we will use this in preference # because it can handle both IPv4 and IPv6 if ( eval { require IO::Socket::IP; IO::Socket::IP->VERSION(0.31) }) { @ISA = qw(IO::Socket::IP); constant->import( CAN_IPV6 => "IO::Socket::IP" ); $family_key = 'Family'; $IOCLASS = "IO::Socket::IP"; # if we have IO::Socket::INET6 we will use this not IO::Socket::INET # because it can handle both IPv4 and IPv6 # require at least 2.62 because of several problems before that version } elsif( eval { require IO::Socket::INET6; IO::Socket::INET6->VERSION(2.62) } ) { @ISA = qw(IO::Socket::INET6); constant->import( CAN_IPV6 => "IO::Socket::INET6" ); $IOCLASS = "IO::Socket::INET6"; } else { $ip6 = 0; } } # fall back to IO::Socket::INET for IPv4 only if ( ! $ip6 ) { @ISA = qw(IO::Socket::INET); $IOCLASS = "IO::Socket::INET"; constant->import( CAN_IPV6 => '' ); } #Make $DEBUG another name for $Net::SSLeay::trace *DEBUG = \$Net::SSLeay::trace; #Compatibility *ERROR = \$SSL_ERROR; } sub DEBUG { $DEBUG or return; my (undef,$file,$line,$sub) = caller(1); if ($sub =~m{^IO::Socket::SSL::(?:error|(_internal_error))$}) { (undef,$file,$line) = caller(2) if $1; } else { (undef,$file,$line) = caller; } my $msg = shift; $file = '...'.substr( $file,-17 ) if length($file)>20; $msg = sprintf $msg,@_ if @_; print STDERR "DEBUG: $file:$line: $msg\n"; } BEGIN { # import some constants from Net::SSLeay or use hard-coded defaults # if Net::SSLeay isn't recent enough to provide the constants my %const = ( NID_CommonName => 13, GEN_DNS => 2, GEN_IPADD => 7, ); while ( my ($name,$value) = each %const ) { no strict 'refs'; *{$name} = UNIVERSAL::can( 'Net::SSLeay', $name ) || sub { $value }; } *idn_to_ascii = \&IO::Socket::SSL::PublicSuffix::idn_to_ascii; *idn_to_unicode = \&IO::Socket::SSL::PublicSuffix::idn_to_unicode; } my $OPENSSL_LIST_SEPARATOR = $^O =~m{^(?:(dos|os2|mswin32|netware)|vms)$}i ? $1 ? ';' : ',' : ':'; my $CHECK_SSL_PATH = sub { my %args = (@_ == 1) ? ('',@_) : @_; for my $type (keys %args) { my $path = $args{$type}; if (!$type) { delete $args{$type}; $type = (ref($path) || -d $path) ? 'SSL_ca_path' : 'SSL_ca_file'; $args{$type} = $path; } next if ref($path) eq 'SCALAR' && ! $$path; if ($type eq 'SSL_ca_file') { die "SSL_ca_file $path does not exist" if ! -f $path; die "SSL_ca_file $path is not accessible: $!" if ! open(my $fh,'<',$path); } elsif ($type eq 'SSL_ca_path') { $path = [ split($OPENSSL_LIST_SEPARATOR,$path) ] if !ref($path); my @err; for my $d (ref($path) ? @$path : $path) { if (! -d $d) { push @err, "SSL_ca_path $d does not exist"; } elsif (! opendir(my $dh,$d)) { push @err, "SSL_ca_path $d is not accessible: $!" } else { @err = (); last } } die "@err" if @err; } } return %args; }; { my %default_ca; my $ca_detected; # 0: never detect, undef: need to (re)detect my $openssldir; sub default_ca { if (@_) { # user defined default CA or reset if ( @_ > 1 ) { %default_ca = @_; $ca_detected = 0; } elsif ( my $path = shift ) { %default_ca = $CHECK_SSL_PATH->($path); $ca_detected = 0; } else { $ca_detected = undef; } } return %default_ca if defined $ca_detected; $openssldir ||= Net::SSLeay::SSLeay_version(5) =~m{^OPENSSLDIR: "(.+)"$} && $1 || ''; # (re)detect according to openssl crypto/cryptlib.h my $dir = $ENV{SSL_CERT_DIR} || ( $^O =~m{vms}i ? "SSLCERTS:":"$openssldir/certs" ); if ( opendir(my $dh,$dir)) { FILES: for my $f ( grep { m{^[a-f\d]{8}(\.\d+)?$} } readdir($dh) ) { open( my $fh,'<',"$dir/$f") or next; while (my $line = <$fh>) { $line =~m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; $default_ca{SSL_ca_path} = $dir; last FILES; } } } my $file = $ENV{SSL_CERT_FILE} || ( $^O =~m{vms}i ? "SSLCERTS:cert.pem":"$openssldir/cert.pem" ); if ( open(my $fh,'<',$file)) { while (my $line = <$fh>) { $line =~m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; $default_ca{SSL_ca_file} = $file; last; } } $default_ca{SSL_ca_file} = Mozilla::CA::SSL_ca_file() if ! %default_ca && eval { require Mozilla::CA }; $ca_detected = 1; return %default_ca; } } # Export some stuff # inet4|inet6|debug will be handled by myself, everything # else will be handled the Exporter way sub import { my $class = shift; my @export; foreach (@_) { if ( /^inet4$/i ) { # explicitly fall back to inet4 @ISA = 'IO::Socket::INET'; @caller_force_inet4 = caller(); # save for warnings for 'inet6' case } elsif ( /^inet6$/i ) { # check if we have already ipv6 as base if ( ! UNIVERSAL::isa( $class, 'IO::Socket::INET6') and ! UNIVERSAL::isa( $class, 'IO::Socket::IP' )) { # either we don't support it or we disabled it by explicitly # loading it with 'inet4'. In this case re-enable but warn # because this is probably an error if ( CAN_IPV6 ) { @ISA = ( CAN_IPV6 ); warn "IPv6 support re-enabled in __PACKAGE__, got disabled in file $caller_force_inet4[1] line $caller_force_inet4[2]"; } else { die "INET6 is not supported, install IO::Socket::IP"; } } } elsif ( /^:?debug(\d+)/ ) { $DEBUG=$1; } else { push @export,$_ } } @_ = ( $class,@export ); goto &Exporter::import; } my %SSL_OBJECT; my %CREATED_IN_THIS_THREAD; sub CLONE { %CREATED_IN_THIS_THREAD = (); } # we have callbacks associated with contexts, but have no way to access the # current SSL object from these callbacks. To work around this # CURRENT_SSL_OBJECT will be set before calling Net::SSLeay::{connect,accept} # and reset afterwards, so we have access to it inside _internal_error. my $CURRENT_SSL_OBJECT; # You might be expecting to find a new() subroutine here, but that is # not how IO::Socket::INET works. All configuration gets performed in # the calls to configure() and either connect() or accept(). #Call to configure occurs when a new socket is made using #IO::Socket::INET. Returns false (empty list) on failure. sub configure { my ($self, $arg_hash) = @_; return _invalid_object() unless($self); # force initial blocking # otherwise IO::Socket::SSL->new might return undef if the # socket is nonblocking and it fails to connect immediately # for real nonblocking behavior one should create a nonblocking # socket and later call connect explicitly my $blocking = delete $arg_hash->{Blocking}; # because Net::HTTPS simple redefines blocking() to {} (e.g # return undef) and IO::Socket::INET does not like this we # set Blocking only explicitly if it was set $arg_hash->{Blocking} = 1 if defined ($blocking); $self->configure_SSL($arg_hash) || return; if ($arg_hash->{$family_key} ||= $arg_hash->{Domain} || $arg_hash->{Family}) { # Hack to work around the problem that IO::Socket::IP defaults to # AI_ADDRCONFIG which creates problems if we have only the loopback # interface. If we already know the family this flag is more harmful # then useful. $arg_hash->{GetAddrInfoFlags} = 0 if $IOCLASS eq 'IO::Socket::IP' && ! defined $arg_hash->{GetAddrInfoFlags}; } return $self->_internal_error("@ISA configuration failed",0) if ! $self->SUPER::configure($arg_hash); $self->blocking(0) if defined $blocking && !$blocking; return $self; } sub configure_SSL { my ($self, $arg_hash) = @_; $arg_hash->{Proto} ||= 'tcp'; my $is_server = $arg_hash->{SSL_server}; if ( ! defined $is_server ) { $is_server = $arg_hash->{SSL_server} = $arg_hash->{Listen} || 0; } # add user defined defaults, maybe after filtering $FILTER_SSL_ARGS->($is_server,$arg_hash) if $FILTER_SSL_ARGS; my %defaults = ( %$GLOBAL_SSL_ARGS, $is_server ? %$GLOBAL_SSL_SERVER_ARGS : %$GLOBAL_SSL_CLIENT_ARGS, ); if ( $defaults{SSL_reuse_ctx} ) { # ignore default context if there are args to override it delete $defaults{SSL_reuse_ctx} if grep { m{^SSL_(?!verifycn_name|hostname)$} } keys %$arg_hash; } %$arg_hash = ( %defaults, %$arg_hash ) if %defaults; my $ctx = $arg_hash->{'SSL_reuse_ctx'}; if ($ctx) { if ($ctx->isa('IO::Socket::SSL::SSL_Context') and $ctx->{context}) { # valid context } elsif ( $ctx = ${*$ctx}{_SSL_ctx} ) { # reuse context from existing SSL object } } # create context # this will fill in defaults in $arg_hash $ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash) || return; ${*$self}{'_SSL_arguments'} = $arg_hash; ${*$self}{'_SSL_ctx'} = $ctx; ${*$self}{'_SSL_opened'} = 1 if $is_server; return $self; } sub _skip_rw_error { my ($self,$ssl,$rv) = @_; my $err = Net::SSLeay::get_error($ssl,$rv); if ( $err == Net::SSLeay::ERROR_WANT_READ()) { $SSL_ERROR = SSL_WANT_READ; } elsif ( $err == Net::SSLeay::ERROR_WANT_WRITE()) { $SSL_ERROR = SSL_WANT_WRITE; } else { return $err; } $! ||= EWOULDBLOCK; ${*$self}{_SSL_last_err} = [$SSL_ERROR,4] if ref($self); Net::SSLeay::ERR_clear_error(); return 0; } # Call to connect occurs when a new client socket is made using IO::Socket::* sub connect { my $self = shift || return _invalid_object(); return $self if ${*$self}{'_SSL_opened'}; # already connected if ( ! ${*$self}{'_SSL_opening'} ) { # call SUPER::connect if the underlying socket is not connected # if this fails this might not be an error (e.g. if $! = EINPROGRESS # and socket is nonblocking this is normal), so keep any error # handling to the client $DEBUG>=2 && DEBUG('socket not yet connected' ); $self->SUPER::connect(@_) || return; $DEBUG>=2 && DEBUG('socket connected' ); # IO::Socket works around systems, which return EISCONN or similar # on non-blocking re-connect by returning true, even if $! is set # but it does not clear $!, so do it here $! = undef; # don't continue with connect_SSL if SSL_startHandshake is set to 0 my $sh = ${*$self}{_SSL_arguments}{SSL_startHandshake}; return $self if defined $sh && ! $sh; } return $self->connect_SSL; } sub connect_SSL { my $self = shift; my $args = @_>1 ? {@_}: $_[0]||{}; my ($ssl,$ctx); if ( ! ${*$self}{'_SSL_opening'} ) { # start ssl connection $DEBUG>=2 && DEBUG('ssl handshake not started' ); ${*$self}{'_SSL_opening'} = 1; my $arg_hash = ${*$self}{'_SSL_arguments'}; my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self); return $self->_internal_error("Socket has no fileno",9) if ! defined $fileno; $ctx = ${*$self}{'_SSL_ctx'}; # Reference to real context $ssl = ${*$self}{'_SSL_object'} = Net::SSLeay::new($ctx->{context}) || return $self->error("SSL structure creation failed"); $CREATED_IN_THIS_THREAD{$ssl} = 1; $SSL_OBJECT{$ssl} = [$self,0]; weaken($SSL_OBJECT{$ssl}[0]); Net::SSLeay::set_fd($ssl, $fileno) || return $self->error("SSL filehandle association failed"); if ( $can_client_sni ) { my $host; if ( exists $arg_hash->{SSL_hostname} ) { # explicitly given # can be set to undef/'' to not use extension $host = $arg_hash->{SSL_hostname} } elsif ( $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} ) { # implicitly given $host =~s{:[a-zA-Z0-9_\-]+$}{}; # should be hostname, not IPv4/6 $host = undef if $host !~m{[a-z_]} or $host =~m{:}; } # define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 # define TLSEXT_NAMETYPE_host_name 0 if ($host) { $DEBUG>=2 && DEBUG("using SNI with hostname $host"); Net::SSLeay::ctrl($ssl,55,0,$host); } else { $DEBUG>=2 && DEBUG("not using SNI because hostname is unknown"); } } elsif ( $arg_hash->{SSL_hostname} ) { return $self->_internal_error( "Client side SNI not supported for this openssl",9); } else { $DEBUG>=2 && DEBUG("not using SNI because openssl is too old"); } $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} || $self->_update_peer; if ( $ctx->{verify_name_ref} ) { # need target name for update my $host = $arg_hash->{SSL_verifycn_name} || $arg_hash->{SSL_hostname}; if ( ! defined $host ) { if ( $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} ) { $host =~s{:[a-zA-Z0-9_\-]+$}{}; } } ${$ctx->{verify_name_ref}} = $host; } my $ocsp = $ctx->{ocsp_mode}; if ( $ocsp & SSL_OCSP_NO_STAPLE ) { # don't try stapling } elsif ( ! $can_ocsp_staple ) { croak("OCSP stapling not support") if $ocsp & SSL_OCSP_MUST_STAPLE; } elsif ( $ocsp & (SSL_OCSP_TRY_STAPLE|SSL_OCSP_MUST_STAPLE)) { # staple by default if verification enabled ${*$self}{_SSL_ocsp_verify} = undef; Net::SSLeay::set_tlsext_status_type($ssl, Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); $DEBUG>=2 && DEBUG("request OCSP stapling"); } my $session = $ctx->session_cache( $arg_hash->{SSL_session_key} ? ( $arg_hash->{SSL_session_key},1 ) : ( $arg_hash->{PeerAddr} || $arg_hash->{PeerHost}, $arg_hash->{PeerPort} || $arg_hash->{PeerService} ) ); Net::SSLeay::set_session($ssl, $session) if ($session); } $ssl ||= ${*$self}{'_SSL_object'}; $SSL_ERROR = $! = undef; my $timeout = exists $args->{Timeout} ? $args->{Timeout} : ${*$self}{io_socket_timeout}; # from IO::Socket if ( defined($timeout) && $timeout>0 && $self->blocking(0) ) { $DEBUG>=2 && DEBUG( "set socket to non-blocking to enforce timeout=$timeout" ); # timeout was given and socket was blocking # enforce timeout with now non-blocking socket } else { # timeout does not apply because invalid or socket non-blocking $timeout = undef; } my $start = defined($timeout) && time(); { $SSL_ERROR = undef; $CURRENT_SSL_OBJECT = $self; $DEBUG>=3 && DEBUG("call Net::SSLeay::connect" ); my $rv = Net::SSLeay::connect($ssl); $CURRENT_SSL_OBJECT = undef; $DEBUG>=3 && DEBUG("done Net::SSLeay::connect -> $rv" ); if ( $rv < 0 ) { if ( my $err = $self->_skip_rw_error( $ssl,$rv )) { $self->error("SSL connect attempt failed"); delete ${*$self}{'_SSL_opening'}; ${*$self}{'_SSL_opened'} = -1; $DEBUG>=1 && DEBUG( "fatal SSL error: $SSL_ERROR" ); return $self->fatal_ssl_error(); } $DEBUG>=2 && DEBUG('ssl handshake in progress' ); # connect failed because handshake needs to be completed # if socket was non-blocking or no timeout was given return with this error return if ! defined($timeout); # wait until socket is readable or writable my $rv; if ( $timeout>0 ) { my $vec = ''; vec($vec,$self->fileno,1) = 1; $DEBUG>=2 && DEBUG( "waiting for fd to become ready: $SSL_ERROR" ); $rv = $SSL_ERROR == SSL_WANT_READ ? select( $vec,undef,undef,$timeout) : $SSL_ERROR == SSL_WANT_WRITE ? select( undef,$vec,undef,$timeout) : undef; } else { $DEBUG>=2 && DEBUG("handshake failed because no more time" ); $! = ETIMEDOUT } if ( ! $rv ) { $DEBUG>=2 && DEBUG("handshake failed because socket did not became ready" ); # failed because of timeout, return $! ||= ETIMEDOUT; delete ${*$self}{'_SSL_opening'}; ${*$self}{'_SSL_opened'} = -1; $self->blocking(1); # was blocking before return } # socket is ready, try non-blocking connect again after recomputing timeout $DEBUG>=2 && DEBUG("socket ready, retrying connect" ); my $now = time(); $timeout -= $now - $start; $start = $now; redo; } elsif ( $rv == 0 ) { delete ${*$self}{'_SSL_opening'}; $DEBUG>=2 && DEBUG("connection failed - connect returned 0" ); $self->error("SSL connect attempt failed because of handshake problems" ); ${*$self}{'_SSL_opened'} = -1; return $self->fatal_ssl_error(); } } $DEBUG>=2 && DEBUG('ssl handshake done' ); # ssl connect successful delete ${*$self}{'_SSL_opening'}; ${*$self}{'_SSL_opened'}=1; if (defined($timeout)) { $self->blocking(1); # reset back to blocking $! = undef; # reset errors from non-blocking } $ctx ||= ${*$self}{'_SSL_ctx'}; if ( my $ocsp_result = ${*$self}{_SSL_ocsp_verify} ) { # got result from OCSP stapling if ( $ocsp_result->[0] > 0 ) { $DEBUG>=3 && DEBUG("got OCSP success with stapling"); # successful validated } elsif ( $ocsp_result->[0] < 0 ) { # Permanent problem with validation because certificate # is either self-signed or the issuer cannot be found. # Ignore here, because this will cause other errors too. $DEBUG>=3 && DEBUG("got OCSP failure with stapling: %s", $ocsp_result->[1]); } else { # definitely revoked $DEBUG>=3 && DEBUG("got OCSP revocation with stapling: %s", $ocsp_result->[1]); $self->_internal_error($ocsp_result->[1],5); return $self->fatal_ssl_error(); } } elsif ( $ctx->{ocsp_mode} & SSL_OCSP_MUST_STAPLE ) { $self->_internal_error("did not receive the required stapled OCSP response",5); return $self->fatal_ssl_error(); } if ( $ctx->has_session_cache and my $session = Net::SSLeay::get1_session($ssl)) { my $arg_hash = ${*$self}{'_SSL_arguments'}; $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} || $self->_update_peer; $ctx->session_cache( $arg_hash->{SSL_session_key} ? ( $arg_hash->{SSL_session_key},1 ) : ( $arg_hash->{PeerAddr} || $arg_hash->{PeerHost}, $arg_hash->{PeerPort} || $arg_hash->{PeerService} ), $session ); } tie *{$self}, "IO::Socket::SSL::SSL_HANDLE", $self; return $self; } # called if PeerAddr is not set in ${*$self}{'_SSL_arguments'} # this can be the case if start_SSL is called with a normal IO::Socket::INET # so that PeerAddr|PeerPort are not set from args sub _update_peer { my $self = shift; my $arg_hash = ${*$self}{'_SSL_arguments'}; eval { my $sockaddr = getpeername( $self ); my $af = sockaddr_family($sockaddr); if( CAN_IPV6 && $af == AF_INET6 ) { my (undef, $host, $port) = _getnameinfo($sockaddr, NI_NUMERICHOST | NI_NUMERICSERV); $arg_hash->{PeerAddr} = $host; $arg_hash->{PeerPort} = $port; } else { my ($port,$addr) = sockaddr_in( $sockaddr); $arg_hash->{PeerAddr} = inet_ntoa( $addr ); $arg_hash->{PeerPort} = $port; } } } #Call to accept occurs when a new client connects to a server using #IO::Socket::SSL sub accept { my $self = shift || return _invalid_object(); my $class = shift || 'IO::Socket::SSL'; my $socket = ${*$self}{'_SSL_opening'}; if ( ! $socket ) { # underlying socket not done $DEBUG>=2 && DEBUG('no socket yet' ); $socket = $self->SUPER::accept($class) || return; $DEBUG>=2 && DEBUG('accept created normal socket '.$socket ); # don't continue with accept_SSL if SSL_startHandshake is set to 0 my $sh = ${*$self}{_SSL_arguments}{SSL_startHandshake}; if (defined $sh && ! $sh) { ${*$socket}{_SSL_ctx} = ${*$self}{_SSL_ctx}; ${*$socket}{_SSL_arguments} = { %{${*$self}{_SSL_arguments}}, SSL_server => 0, }; $DEBUG>=2 && DEBUG('will not start SSL handshake yet'); return wantarray ? ($socket, getpeername($socket) ) : $socket } } $self->accept_SSL($socket) || return; $DEBUG>=2 && DEBUG('accept_SSL ok' ); return wantarray ? ($socket, getpeername($socket) ) : $socket; } sub accept_SSL { my $self = shift; my $socket = ( @_ && UNIVERSAL::isa( $_[0], 'IO::Handle' )) ? shift : $self; my $args = @_>1 ? {@_}: $_[0]||{}; my $ssl; if ( ! ${*$self}{'_SSL_opening'} ) { $DEBUG>=2 && DEBUG('starting sslifying' ); ${*$self}{'_SSL_opening'} = $socket; if ($socket != $self) { ${*$socket}{_SSL_ctx} = ${*$self}{_SSL_ctx}; ${*$socket}{_SSL_arguments} = { %{${*$self}{_SSL_arguments}}, SSL_server => 0 }; } my $fileno = ${*$socket}{'_SSL_fileno'} = fileno($socket); return $socket->_internal_error("Socket has no fileno",9) if ! defined $fileno; $ssl = ${*$socket}{_SSL_object} = Net::SSLeay::new(${*$socket}{_SSL_ctx}{context}) || return $socket->error("SSL structure creation failed"); $CREATED_IN_THIS_THREAD{$ssl} = 1; $SSL_OBJECT{$ssl} = [$socket,1]; weaken($SSL_OBJECT{$ssl}[0]); Net::SSLeay::set_fd($ssl, $fileno) || return $socket->error("SSL filehandle association failed"); } $ssl ||= ${*$socket}{'_SSL_object'}; $SSL_ERROR = $! = undef; #$DEBUG>=2 && DEBUG('calling ssleay::accept' ); my $timeout = exists $args->{Timeout} ? $args->{Timeout} : ${*$self}{io_socket_timeout}; # from IO::Socket if ( defined($timeout) && $timeout>0 && $socket->blocking(0) ) { # timeout was given and socket was blocking # enforce timeout with now non-blocking socket } else { # timeout does not apply because invalid or socket non-blocking $timeout = undef; } my $start = defined($timeout) && time(); { $SSL_ERROR = undef; $CURRENT_SSL_OBJECT = $self; my $rv = Net::SSLeay::accept($ssl); $CURRENT_SSL_OBJECT = undef; $DEBUG>=3 && DEBUG( "Net::SSLeay::accept -> $rv" ); if ( $rv < 0 ) { if ( my $err = $socket->_skip_rw_error( $ssl,$rv )) { $socket->error("SSL accept attempt failed"); delete ${*$self}{'_SSL_opening'}; ${*$socket}{'_SSL_opened'} = -1; return $socket->fatal_ssl_error(); } # accept failed because handshake needs to be completed # if socket was non-blocking or no timeout was given return with this error return if ! defined($timeout); # wait until socket is readable or writable my $rv; if ( $timeout>0 ) { my $vec = ''; vec($vec,$socket->fileno,1) = 1; $rv = $SSL_ERROR == SSL_WANT_READ ? select( $vec,undef,undef,$timeout) : $SSL_ERROR == SSL_WANT_WRITE ? select( undef,$vec,undef,$timeout) : undef; } else { $! = ETIMEDOUT } if ( ! $rv ) { # failed because of timeout, return $! ||= ETIMEDOUT; delete ${*$self}{'_SSL_opening'}; ${*$socket}{'_SSL_opened'} = -1; $socket->blocking(1); # was blocking before return } # socket is ready, try non-blocking accept again after recomputing timeout my $now = time(); $timeout -= $now - $start; $start = $now; redo; } elsif ( $rv == 0 ) { $socket->error("SSL accept attempt failed because of handshake problems" ); delete ${*$self}{'_SSL_opening'}; ${*$socket}{'_SSL_opened'} = -1; return $socket->fatal_ssl_error(); } } $DEBUG>=2 && DEBUG('handshake done, socket ready' ); # socket opened delete ${*$self}{'_SSL_opening'}; ${*$socket}{'_SSL_opened'} = 1; if (defined($timeout)) { $socket->blocking(1); # reset back to blocking $! = undef; # reset errors from non-blocking } tie *{$socket}, "IO::Socket::SSL::SSL_HANDLE", $socket; return $socket; } ####### I/O subroutines ######################## sub _generic_read { my ($self, $read_func, undef, $length, $offset) = @_; my $ssl = $self->_get_ssl_object || return; my $buffer=\$_[2]; $SSL_ERROR = $! = undef; my ($data,$rwerr) = $read_func->($ssl, $length); if ( !defined($data)) { if ( my $err = $self->_skip_rw_error( $ssl, defined($rwerr) ? $rwerr:-1 )) { $self->error("SSL read error"); } return; } $length = length($data); $$buffer = '' if !defined $$buffer; $offset ||= 0; if ($offset>length($$buffer)) { $$buffer.="\0" x ($offset-length($$buffer)); #mimic behavior of read } substr($$buffer, $offset, length($$buffer), $data); return $length; } sub read { my $self = shift; ${*$self}{_SSL_object} && return _generic_read($self, $self->blocking ? \&Net::SSLeay::ssl_read_all : \&Net::SSLeay::read, @_ ); # fall back to plain read if we are not required to use SSL yet return $self->SUPER::read(@_); } # contrary to the behavior of read sysread can read partial data sub sysread { my $self = shift; ${*$self}{_SSL_object} && return _generic_read( $self, \&Net::SSLeay::read, @_ ); # fall back to plain sysread if we are not required to use SSL yet my $rv = $self->SUPER::sysread(@_); return $rv; } sub peek { my $self = shift; ${*$self}{_SSL_object} && return _generic_read( $self, \&Net::SSLeay::peek, @_ ); # fall back to plain peek if we are not required to use SSL yet # emulate peek with recv(...,MS_PEEK) - peek(buf,len,offset) return if ! defined recv($self,my $buf,$_[1],MSG_PEEK); $_[0] = $_[2] ? substr($_[0],0,$_[2]).$buf : $buf; return length($buf); } sub _generic_write { my ($self, $write_all, undef, $length, $offset) = @_; my $ssl = $self->_get_ssl_object || return; my $buffer = \$_[2]; my $buf_len = length($$buffer); $length ||= $buf_len; $offset ||= 0; return $self->_internal_error("Invalid offset for SSL write",9) if $offset>$buf_len; return 0 if ($offset == $buf_len); $SSL_ERROR = $! = undef; my $written; if ( $write_all ) { my $data = $length < $buf_len-$offset ? substr($$buffer, $offset, $length) : $$buffer; ($written, my $errs) = Net::SSLeay::ssl_write_all($ssl, $data); # ssl_write_all returns number of bytes written $written = undef if ! $written && $errs; } else { $written = Net::SSLeay::write_partial( $ssl,$offset,$length,$$buffer ); # write_partial does SSL_write which returns -1 on error $written = undef if $written < 0; } if ( !defined($written) ) { if ( my $err = $self->_skip_rw_error( $ssl,-1 )) { $self->error("SSL write error ($err)"); } return; } return $written; } # if socket is blocking write() should return only on error or # if all data are written sub write { my $self = shift; ${*$self}{_SSL_object} && return _generic_write( $self, scalar($self->blocking),@_ ); # fall back to plain write if we are not required to use SSL yet return $self->SUPER::write(@_); } # contrary to write syswrite() returns already if only # a part of the data is written sub syswrite { my $self = shift; ${*$self}{_SSL_object} && return _generic_write($self,0,@_); # fall back to plain syswrite if we are not required to use SSL yet return $self->SUPER::syswrite(@_); } sub print { my $self = shift; my $string = join(($, or ''), @_, ($\ or '')); return $self->write( $string ); } sub printf { my ($self,$format) = (shift,shift); return $self->write(sprintf($format, @_)); } sub getc { my ($self, $buffer) = (shift, undef); return $buffer if $self->read($buffer, 1, 0); } sub readline { my $self = shift; ${*$self}{_SSL_object} or return $self->SUPER::getline; if ( not defined $/ or wantarray) { # read all and split my $buf = ''; while (1) { my $rv = $self->sysread($buf,2**16,length($buf)); if ( ! defined $rv ) { next if $! == EINTR; # retry last if $! == EWOULDBLOCK || $! == EAGAIN; # use everything so far return; # return error } elsif ( ! $rv ) { last } } if ( ! defined $/ ) { return $buf } elsif ( ref($/)) { my $size = ${$/}; die "bad value in ref \$/: $size" unless $size>0; return $buf=~m{\G(.{1,$size})}g; } elsif ( $/ eq '' ) { return $buf =~m{\G(.*\n\n+|.+)}g; } else { return $buf =~m{\G(.*$/|.+)}g; } } # read only one line if ( ref($/) ) { my $size = ${$/}; # read record of $size bytes die "bad value in ref \$/: $size" unless $size>0; my $buf = ''; while ( $size>length($buf)) { my $rv = $self->sysread($buf,$size-length($buf),length($buf)); if ( ! defined $rv ) { next if $! == EINTR; # retry last if $! == EWOULDBLOCK || $! == EAGAIN; # use everything so far return; # return error } elsif ( ! $rv ) { last } } return $buf; } my ($delim0,$delim1) = $/ eq '' ? ("\n\n","\n"):($/,''); # find first occurrence of $delim0 followed by as much as possible $delim1 my $buf = ''; my $eod = 0; # pointer into $buf after $delim0 $delim1* my $ssl = $self->_get_ssl_object or return; while (1) { # wait until we have more data or eof my $poke = Net::SSLeay::peek($ssl,1); if ( ! defined $poke or $poke eq '' ) { next if $! == EINTR; } my $skip = 0; # peek into available data w/o reading my $pending = Net::SSLeay::pending($ssl); if ( $pending and ( my $pb = Net::SSLeay::peek( $ssl,$pending )) ne '' ) { $buf .= $pb } else { return $buf eq '' ? ():$buf; } if ( !$eod ) { my $pos = index( $buf,$delim0 ); if ( $pos<0 ) { $skip = $pending } else { $eod = $pos + length($delim0); # pos after delim0 } } if ( $eod ) { if ( $delim1 ne '' ) { # delim0 found, check for as much delim1 as possible while ( index( $buf,$delim1,$eod ) == $eod ) { $eod+= length($delim1); } } $skip = $pending - ( length($buf) - $eod ); } # remove data from $self which I already have in buf while ( $skip>0 ) { if ($self->sysread(my $p,$skip,0)) { $skip -= length($p); next; } $! == EINTR or last; } if ( $eod and ( $delim1 eq '' or $eod < length($buf))) { # delim0 found and there can be no more delim1 pending last } } return substr($buf,0,$eod); } sub close { my $self = shift || return _invalid_object(); my $close_args = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; return if ! $self->stop_SSL( SSL_fast_shutdown => 1, %$close_args, _SSL_ioclass_downgrade => 0, ); if ( ! $close_args->{_SSL_in_DESTROY} ) { untie( *$self ); undef ${*$self}{_SSL_fileno}; return $self->SUPER::close; } return 1; } sub is_SSL { my $self = pop; return ${*$self}{_SSL_object} && 1 } sub stop_SSL { my $self = shift || return _invalid_object(); my $stop_args = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; $stop_args->{SSL_no_shutdown} = 1 if ! ${*$self}{_SSL_opened}; if (my $ssl = ${*$self}{'_SSL_object'}) { if ( ! $stop_args->{SSL_no_shutdown} ) { my $status = Net::SSLeay::get_shutdown($ssl); my $timeout = not($self->blocking) ? undef : exists $stop_args->{Timeout} ? $stop_args->{Timeout} : ${*$self}{io_socket_timeout}; # from IO::Socket if ($timeout) { $self->blocking(0); $timeout += time(); } while (1) { if ( $status & SSL_SENT_SHUTDOWN and # don't care for received if fast shutdown $status & SSL_RECEIVED_SHUTDOWN || $stop_args->{SSL_fast_shutdown}) { # shutdown complete last; } if ((${*$self}{'_SSL_opened'}||0) <= 0) { # not really open, thus don't expect shutdown to return # something meaningful last; } # initiate or complete shutdown local $SIG{PIPE} = 'IGNORE'; my $rv = Net::SSLeay::shutdown($ssl); if ( $rv < 0 ) { # non-blocking socket? if ( ! $timeout ) { $self->_skip_rw_error( $ssl,$rv ); # need to try again return; } # don't use _skip_rw_error so that existing error does # not get cleared my $wait = $timeout - time(); last if $wait<=0; vec(my $vec = '',fileno($self),1) = 1; my $err = Net::SSLeay::get_error($ssl,$rv); if ( $err == Net::SSLeay::ERROR_WANT_READ()) { select($vec,undef,undef,$wait) } elsif ( $err == Net::SSLeay::ERROR_WANT_READ()) { select(undef,$vec,undef,$wait) } else { last; } } $status |= SSL_SENT_SHUTDOWN; $status |= SSL_RECEIVED_SHUTDOWN if $rv>0; } $self->blocking(1) if $timeout; } # destroy allocated objects for SSL and untie # do not destroy CTX unless explicitly specified Net::SSLeay::free($ssl); delete ${*$self}{_SSL_object}; if (my $cert = delete ${*$self}{'_SSL_certificate'}) { Net::SSLeay::X509_free($cert); } ${*$self}{'_SSL_opened'} = 0; untie(*$self); } if ($stop_args->{'SSL_ctx_free'}) { my $ctx = delete ${*$self}{'_SSL_ctx'}; $ctx && $ctx->DESTROY(); } if ( ! $stop_args->{_SSL_in_DESTROY} ) { my $downgrade = $stop_args->{_SSL_ioclass_downgrade}; if ( $downgrade || ! defined $downgrade ) { # rebless to original class from start_SSL if ( my $orig_class = delete ${*$self}{'_SSL_ioclass_upgraded'} ) { bless $self,$orig_class; # FIXME: if original class was tied too we need to restore the tie # remove all _SSL related from *$self my @sslkeys = grep { m{^_?SSL_} } keys %{*$self}; delete @{*$self}{@sslkeys} if @sslkeys; } } } return 1; } sub fileno { my $self = shift; my $fn = ${*$self}{'_SSL_fileno'}; return defined($fn) ? $fn : $self->SUPER::fileno(); } ####### IO::Socket::SSL specific functions ####### # _get_ssl_object is for internal use ONLY! sub _get_ssl_object { my $self = shift; return ${*$self}{'_SSL_object'} || IO::Socket::SSL->_internal_error("Undefined SSL object",9); } # _get_ctx_object is for internal use ONLY! sub _get_ctx_object { my $self = shift; my $ctx_object = ${*$self}{_SSL_ctx}; return $ctx_object && $ctx_object->{context}; } # default error for undefined arguments sub _invalid_object { return IO::Socket::SSL->_internal_error("Undefined IO::Socket::SSL object",9); } sub pending { my $ssl = shift()->_get_ssl_object || return; return Net::SSLeay::pending($ssl); } sub start_SSL { my ($class,$socket) = (shift,shift); return $class->_internal_error("Not a socket",9) if ! ref($socket); my $arg_hash = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; my %to = exists $arg_hash->{Timeout} ? ( Timeout => delete $arg_hash->{Timeout} ) :(); my $original_class = ref($socket); if ( ! $original_class ) { $socket = ($original_class = $ISA[0])->new_from_fd($socket,'<+') or return $class->_internal_error( "creating $original_class from file handle failed",9); } my $original_fileno = (UNIVERSAL::can($socket, "fileno")) ? $socket->fileno : CORE::fileno($socket); return $class->_internal_error("Socket has no fileno",9) if ! defined $original_fileno; bless $socket, $class; $socket->configure_SSL($arg_hash) or bless($socket, $original_class) && return; ${*$socket}{'_SSL_fileno'} = $original_fileno; ${*$socket}{'_SSL_ioclass_upgraded'} = $original_class if $class ne $original_class; my $start_handshake = $arg_hash->{SSL_startHandshake}; if ( ! defined($start_handshake) || $start_handshake ) { # if we have no callback force blocking mode $DEBUG>=2 && DEBUG( "start handshake" ); my $was_blocking = $socket->blocking(1); my $result = ${*$socket}{'_SSL_arguments'}{SSL_server} ? $socket->accept_SSL(%to) : $socket->connect_SSL(%to); if ( $result ) { $socket->blocking(0) if ! $was_blocking; return $socket; } else { # upgrade to SSL failed, downgrade socket to original class if ( $original_class ) { bless($socket,$original_class); $socket->blocking(0) if ! $was_blocking && $socket->can('blocking'); } return; } } else { $DEBUG>=2 && DEBUG( "don't start handshake: $socket" ); return $socket; # just return upgraded socket } } sub new_from_fd { my ($class, $fd) = (shift,shift); # Check for accidental inclusion of MODE in the argument list if (length($_[0]) < 4) { (my $mode = $_[0]) =~ tr/+<>//d; shift unless length($mode); } my $handle = $ISA[0]->new_from_fd($fd, '+<') || return($class->error("Could not create socket from file descriptor.")); # Annoying workaround for Perl 5.6.1 and below: $handle = $ISA[0]->new_from_fd($handle, '+<'); return $class->start_SSL($handle, @_); } sub dump_peer_certificate { my $ssl = shift()->_get_ssl_object || return; return Net::SSLeay::dump_peer_certificate($ssl); } if ( defined &Net::SSLeay::get_peer_cert_chain && $Net::SSLeay::VERSION >= 1.58 ) { *peer_certificates = sub { my $self = shift; my $ssl = $self->_get_ssl_object || return; my @chain = Net::SSLeay::get_peer_cert_chain($ssl); @chain = () if @chain && !$self->peer_certificate; # work around #96013 if ( ${*$self}{_SSL_arguments}{SSL_server} ) { # in the client case the chain contains the peer certificate, # in the server case not # this one has an increased reference counter, the other not if ( my $peer = Net::SSLeay::get_peer_certificate($ssl)) { Net::SSLeay::X509_free($peer); unshift @chain, $peer; } } return @chain; } } else { *peer_certificates = sub { die "peer_certificates needs Net::SSLeay>=1.58"; } } { my %dispatcher = ( issuer => sub { Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_issuer_name( shift )) }, subject => sub { Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_subject_name( shift )) }, commonName => sub { my $cn = Net::SSLeay::X509_NAME_get_text_by_NID( Net::SSLeay::X509_get_subject_name( shift ), NID_CommonName); $cn; }, subjectAltNames => sub { Net::SSLeay::X509_get_subjectAltNames( shift ) }, ); # alternative names $dispatcher{authority} = $dispatcher{issuer}; $dispatcher{owner} = $dispatcher{subject}; $dispatcher{cn} = $dispatcher{commonName}; sub peer_certificate { my ($self,$field,$reload) = @_; my $ssl = $self->_get_ssl_object or return; Net::SSLeay::X509_free(delete ${*$self}{_SSL_certificate}) if $reload && ${*$self}{_SSL_certificate}; my $cert = ${*$self}{_SSL_certificate} ||= Net::SSLeay::get_peer_certificate($ssl) or return $self->error("Could not retrieve peer certificate"); if ($field) { my $sub = $dispatcher{$field} or croak "invalid argument for peer_certificate, valid are: ".join( " ",keys %dispatcher ). "\nMaybe you need to upgrade your Net::SSLeay"; return $sub->($cert); } else { return $cert } } sub sock_certificate { my ($self,$field) = @_; my $ssl = $self->_get_ssl_object || return; my $cert = Net::SSLeay::get_certificate( $ssl ) || return; if ($field) { my $sub = $dispatcher{$field} or croak "invalid argument for sock_certificate, valid are: ".join( " ",keys %dispatcher ). "\nMaybe you need to upgrade your Net::SSLeay"; return $sub->($cert); } else { return $cert } } # known schemes, possible attributes are: # - wildcards_in_alt (0, 'full_label', 'anywhere') # - wildcards_in_cn (0, 'full_label', 'anywhere') # - check_cn (0, 'always', 'when_only') # unfortunately there are a lot of different schemes used, see RFC 6125 for a # summary, which references all of the following except RFC4217/ftp my %scheme = ( none => {}, # do not check # default set is a superset of all the others and thus worse than a more # specific set, but much better than not verifying name at all default => { wildcards_in_cn => 'anywhere', wildcards_in_alt => 'anywhere', check_cn => 'always', ip_in_cn => 1, }, ); for(qw( rfc2818 rfc3920 xmpp rfc4217 ftp )) { $scheme{$_} = { wildcards_in_cn => 'anywhere', wildcards_in_alt => 'anywhere', check_cn => 'when_only', } } for(qw(www http)) { $scheme{$_} = { wildcards_in_cn => 'anywhere', wildcards_in_alt => 'anywhere', check_cn => 'when_only', ip_in_cn => 4, } } for(qw( rfc4513 ldap )) { $scheme{$_} = { wildcards_in_cn => 0, wildcards_in_alt => 'full_label', check_cn => 'always', }; } for(qw( rfc2595 smtp rfc4642 imap pop3 acap rfc5539 nntp rfc5538 netconf rfc5425 syslog rfc5953 snmp )) { $scheme{$_} = { wildcards_in_cn => 'full_label', wildcards_in_alt => 'full_label', check_cn => 'always' }; } for(qw( rfc5971 gist )) { $scheme{$_} = { wildcards_in_cn => 'full_label', wildcards_in_alt => 'full_label', check_cn => 'when_only', }; } for(qw( rfc5922 sip )) { $scheme{$_} = { wildcards_in_cn => 0, wildcards_in_alt => 0, check_cn => 'always', }; } # function to verify the hostname # # as every application protocol has its own rules to do this # we provide some default rules as well as a user-defined # callback sub verify_hostname_of_cert { my $identity = shift; my $cert = shift; my $scheme = shift || 'default'; my $publicsuffix = shift; if ( ! ref($scheme) ) { $DEBUG>=3 && DEBUG( "scheme=$scheme cert=$cert" ); $scheme = $scheme{$scheme} || croak("scheme $scheme not defined"); } return 1 if ! %$scheme; # 'none' $identity =~s{\.+$}{}; # ignore absolutism # get data from certificate my $commonName = $dispatcher{cn}->($cert); my @altNames = $dispatcher{subjectAltNames}->($cert); $DEBUG>=3 && DEBUG("identity=$identity cn=$commonName alt=@altNames" ); if ( my $sub = $scheme->{callback} ) { # use custom callback return $sub->($identity,$commonName,@altNames); } # is the given hostname an IP address? Then we have to convert to network byte order [RFC791][RFC2460] my $ipn; if ( CAN_IPV6 and $identity =~m{:} ) { # no IPv4 or hostname have ':' in it, try IPv6. $identity =~m{[^\da-fA-F:\.]} and return; # invalid characters in name $ipn = inet_pton(AF_INET6,$identity) or return; # invalid name } elsif ( my @ip = $identity =~m{^(\d+)(?:\.(\d+)\.(\d+)\.(\d+)|[\d\.]*)$} ) { # check for invalid IP/hostname return if 4 != @ip or 4 != grep { defined($_) && $_<256 } @ip; $ipn = pack("CCCC",@ip); } else { # assume hostname, check for umlauts etc if ( $identity =~m{[^a-zA-Z0-9_.\-]} ) { $identity =~m{\0} and return; # $identity has \\0 byte $identity = idn_to_ascii($identity) or return; # conversation to IDNA failed $identity =~m{[^a-zA-Z0-9_.\-]} and return; # still junk inside } } # do the actual verification my $check_name = sub { my ($name,$identity,$wtyp,$publicsuffix) = @_; $name =~s{\.+$}{}; # ignore absolutism $name eq '' and return; $wtyp ||= ''; my $pattern; ### IMPORTANT! # We accept only a single wildcard and only for a single part of the FQDN # e.g *.example.org does match www.example.org but not bla.www.example.org # The RFCs are in this regard unspecific but we don't want to have to # deal with certificates like *.com, *.co.uk or even * # see also http://nils.toedtmann.net/pub/subjectAltName.txt . # Also, we fall back to full_label matches if the identity is an IDNA # name, see RFC6125 and the discussion at # http://bugs.python.org/issue17997#msg194950 if ( $wtyp eq 'anywhere' and $name =~m{^([a-zA-Z0-9_\-]*)\*(.+)} ) { return if $1 ne '' and substr($identity,0,4) eq 'xn--'; # IDNA $pattern = qr{^\Q$1\E[a-zA-Z0-9_\-]+\Q$2\E$}i; } elsif ( $wtyp =~ m{^(?:full_label|leftmost)$} and $name =~m{^\*(\..+)$} ) { $pattern = qr{^[a-zA-Z0-9_\-]+\Q$1\E$}i; } else { return lc($identity) eq lc($name); } if ( $identity =~ $pattern ) { $publicsuffix = IO::Socket::SSL::PublicSuffix->default if ! defined $publicsuffix; return 1 if $publicsuffix eq ''; my @labels = split( m{\.+}, $identity ); my $tld = $publicsuffix->public_suffix(\@labels,+1); return 1 if @labels > ( $tld ? 0+@$tld : 1 ); } return; }; my $alt_dnsNames = 0; while (@altNames) { my ($type, $name) = splice (@altNames, 0, 2); if ( $ipn and $type == GEN_IPADD ) { # exact match needed for IP # $name is already packed format (inet_xton) return 1 if $ipn eq $name; } elsif ( ! $ipn and $type == GEN_DNS ) { $name =~s/\s+$//; $name =~s/^\s+//; $alt_dnsNames++; $check_name->($name,$identity,$scheme->{wildcards_in_alt},$publicsuffix) and return 1; } } if ( $scheme->{check_cn} eq 'always' or $scheme->{check_cn} eq 'when_only' and !$alt_dnsNames ) { if ( ! $ipn ) { $check_name->($commonName,$identity,$scheme->{wildcards_in_cn},$publicsuffix) and return 1; } elsif ( $scheme->{ip_in_cn} ) { if ( $identity eq $commonName ) { return 1 if $scheme->{ip_in_cn} == 4 ? length($ipn) == 4 : $scheme->{ip_in_cn} == 6 ? length($ipn) == 8 : 1; } } } return 0; # no match } } sub verify_hostname { my $self = shift; my $host = shift; my $cert = $self->peer_certificate; return verify_hostname_of_cert( $host,$cert,@_ ); } sub get_servername { my $self = shift; return ${*$self}{_SSL_servername} ||= do { my $ssl = $self->_get_ssl_object or return; Net::SSLeay::get_servername($ssl); }; } sub get_fingerprint_bin { my ($self,$algo,$cert) = @_; $cert ||= $self->peer_certificate; return Net::SSLeay::X509_digest($cert, $algo2digest->($algo || 'sha256')); } sub get_fingerprint { my ($self,$algo,$cert) = @_; $algo ||= 'sha256'; my $fp = get_fingerprint_bin($self,$algo,$cert) or return; return $algo.'$'.unpack('H*',$fp); } sub get_cipher { my $ssl = shift()->_get_ssl_object || return; return Net::SSLeay::get_cipher($ssl); } sub get_sslversion { my $ssl = shift()->_get_ssl_object || return; my $version = Net::SSLeay::version($ssl) or return; return $version == 0x0303 ? 'TLSv1_2' : $version == 0x0302 ? 'TLSv1_1' : $version == 0x0301 ? 'TLSv1' : $version == 0x0300 ? 'SSLv3' : $version == 0x0002 ? 'SSLv2' : $version == 0xfeff ? 'DTLS1' : undef; } sub get_sslversion_int { my $ssl = shift()->_get_ssl_object || return; return Net::SSLeay::version($ssl); } if ($can_ocsp) { no warnings 'once'; *ocsp_resolver = sub { my $self = shift; my $ssl = $self->_get_ssl_object || return; my $ctx = ${*$self}{_SSL_ctx}; return IO::Socket::SSL::OCSP_Resolver->new( $ssl, $ctx->{ocsp_cache} ||= IO::Socket::SSL::OCSP_Cache->new, $ctx->{ocsp_mode} & SSL_OCSP_FAIL_HARD, @_ ? \@_ : $ctx->{ocsp_mode} & SSL_OCSP_FULL_CHAIN ? [ $self->peer_certificates ]: [ $self->peer_certificate ] ); }; } sub errstr { my $self = shift; my $oe = ref($self) && ${*$self}{_SSL_last_err}; return $oe ? $oe->[0] : $SSL_ERROR || ''; } sub fatal_ssl_error { my $self = shift; my $error_trap = ${*$self}{'_SSL_arguments'}->{'SSL_error_trap'}; $@ = $self->errstr; if (defined $error_trap and ref($error_trap) eq 'CODE') { $error_trap->($self, $self->errstr()."\n".$self->get_ssleay_error()); } elsif ( ${*$self}{'_SSL_ioclass_upgraded'} ) { # downgrade only $self->stop_SSL; } else { # kill socket $self->close } return; } sub get_ssleay_error { #Net::SSLeay will print out the errors itself unless we explicitly #undefine $Net::SSLeay::trace while running print_errs() local $Net::SSLeay::trace; return Net::SSLeay::print_errs('SSL error: ') || ''; } # internal errors, e.g unsupported features, hostname check failed etc # _SSL_last_err contains severity so that on error chains we can decide if one # error should replace the previous one or if this is just a less specific # follow-up error, e.g. configuration failed because certificate failed because # hostname check went wrong: # 0 - fallback errors # 4 - errors bubbled up from OpenSSL (sub error, r/w error) # 5 - hostname or OCSP verification failed # 9 - fatal problems, e.g. missing feature, no fileno... # _SSL_last_err and SSL_ERROR are only replaced if the error has a higher # severity than the previous one sub _internal_error { my ($self, $error, $severity) = @_; $error = dualvar( -1, $error ); $self = $CURRENT_SSL_OBJECT if !ref($self) && $CURRENT_SSL_OBJECT; if (ref($self)) { my $oe = ${*$self}{_SSL_last_err}; if (!$oe || $oe->[1] <= $severity) { ${*$self}{_SSL_last_err} = [$error,$severity]; $SSL_ERROR = $error; $DEBUG && DEBUG("local error: $error"); } else { $DEBUG && DEBUG("ignoring less severe local error '$error', keep '$oe->[0]'"); } } else { $SSL_ERROR = $error; $DEBUG && DEBUG("global error: $error"); } return; } # OpenSSL errors sub error { my ($self, $error) = @_; my @err; while ( my $err = Net::SSLeay::ERR_get_error()) { push @err, Net::SSLeay::ERR_error_string($err); $DEBUG>=2 && DEBUG( $error."\n".$self->get_ssleay_error()); } $error .= ' '.join(' ',@err) if @err; return $self->_internal_error($error,4) if $error; return; } sub can_client_sni { return $can_client_sni } sub can_server_sni { return $can_server_sni } sub can_npn { return $can_npn } sub can_alpn { return $can_alpn } sub can_ecdh { return $can_ecdh } sub can_ipv6 { return CAN_IPV6 } sub can_ocsp { return $can_ocsp } sub DESTROY { my $self = shift or return; my $ssl = ${*$self}{_SSL_object} or return; delete $SSL_OBJECT{$ssl}; if ($CREATED_IN_THIS_THREAD{$ssl}) { $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1) if ${*$self}{'_SSL_opened'}; delete(${*$self}{'_SSL_ctx'}); } } #######Extra Backwards Compatibility Functionality####### sub socket_to_SSL { IO::Socket::SSL->start_SSL(@_); } sub socketToSSL { IO::Socket::SSL->start_SSL(@_); } sub kill_socket { shift->close } sub issuer_name { return(shift()->peer_certificate("issuer")) } sub subject_name { return(shift()->peer_certificate("subject")) } sub get_peer_certificate { return shift() } sub context_init { return($GLOBAL_SSL_ARGS = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}); } sub set_default_context { $GLOBAL_SSL_ARGS->{'SSL_reuse_ctx'} = shift; } sub set_default_session_cache { $GLOBAL_SSL_ARGS->{SSL_session_cache} = shift; } { my $set_defaults = sub { my $args = shift; for(my $i=0;$i<@$args;$i+=2 ) { my ($k,$v) = @{$args}[$i,$i+1]; if ( $k =~m{^SSL_} ) { $_->{$k} = $v for(@_); } elsif ( $k =~m{^(name|scheme)$} ) { $_->{"SSL_verifycn_$k"} = $v for (@_); } elsif ( $k =~m{^(callback|mode)$} ) { $_->{"SSL_verify_$k"} = $v for(@_); } else { $_->{"SSL_$k"} = $v for(@_); } } }; sub set_defaults { my %args = @_; $set_defaults->(\@_, $GLOBAL_SSL_ARGS, $GLOBAL_SSL_CLIENT_ARGS, $GLOBAL_SSL_SERVER_ARGS ); } { # deprecated API no warnings; *set_ctx_defaults = \&set_defaults; } sub set_client_defaults { my %args = @_; $set_defaults->(\@_, $GLOBAL_SSL_CLIENT_ARGS ); } sub set_server_defaults { my %args = @_; $set_defaults->(\@_, $GLOBAL_SSL_SERVER_ARGS ); } } sub set_args_filter_hack { my $sub = shift; if ( ref $sub ) { $FILTER_SSL_ARGS = $sub; } elsif ( $sub eq 'use_defaults' ) { # override args with defaults $FILTER_SSL_ARGS = sub { my ($is_server,$args) = @_; %$args = ( %$args, $is_server ? ( %DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_SERVER_ARGS ) : ( %DEFAULT_SSL_CLIENT_ARGS, %$GLOBAL_SSL_CLIENT_ARGS ) ); } } } sub next_proto_negotiated { my $self = shift; return $self->_internal_error("NPN not supported in Net::SSLeay",9) if ! $can_npn; my $ssl = $self->_get_ssl_object || return; return Net::SSLeay::P_next_proto_negotiated($ssl); } sub alpn_selected { my $self = shift; return $self->_internal_error("ALPN not supported in Net::SSLeay",9) if ! $can_alpn; my $ssl = $self->_get_ssl_object || return; return Net::SSLeay::P_alpn_selected($ssl); } sub opened { my $self = shift; return IO::Handle::opened($self) && ${*$self}{'_SSL_opened'}; } sub opening { my $self = shift; return ${*$self}{'_SSL_opening'}; } sub want_read { shift->errstr == SSL_WANT_READ } sub want_write { shift->errstr == SSL_WANT_WRITE } #Redundant IO::Handle functionality sub getline { return(scalar shift->readline()) } sub getlines { return(shift->readline()) if wantarray(); croak("Use of getlines() not allowed in scalar context"); } #Useless IO::Handle functionality sub truncate { croak("Use of truncate() not allowed with SSL") } sub stat { croak("Use of stat() not allowed with SSL" ) } sub setbuf { croak("Use of setbuf() not allowed with SSL" ) } sub setvbuf { croak("Use of setvbuf() not allowed with SSL" ) } sub fdopen { croak("Use of fdopen() not allowed with SSL" ) } #Unsupported socket functionality sub ungetc { croak("Use of ungetc() not implemented in IO::Socket::SSL") } sub send { croak("Use of send() not implemented in IO::Socket::SSL; use print/printf/syswrite instead") } sub recv { croak("Use of recv() not implemented in IO::Socket::SSL; use read/sysread instead") } package IO::Socket::SSL::SSL_HANDLE; use strict; use Errno 'EBADF'; *weaken = *IO::Socket::SSL::weaken; sub TIEHANDLE { my ($class, $handle) = @_; weaken($handle); bless \$handle, $class; } sub READ { ${shift()}->sysread(@_) } sub READLINE { ${shift()}->readline(@_) } sub GETC { ${shift()}->getc(@_) } sub PRINT { ${shift()}->print(@_) } sub PRINTF { ${shift()}->printf(@_) } sub WRITE { ${shift()}->syswrite(@_) } sub FILENO { ${shift()}->fileno(@_) } sub TELL { $! = EBADF; return -1 } sub BINMODE { return 0 } # not perfect, but better than not implementing the method sub CLOSE { #<---- Do not change this function! my $ssl = ${$_[0]}; local @_; $ssl->close(); } package IO::Socket::SSL::SSL_Context; use Carp; use strict; my %CTX_CREATED_IN_THIS_THREAD; *DEBUG = *IO::Socket::SSL::DEBUG; use constant SSL_MODE_ENABLE_PARTIAL_WRITE => 1; use constant SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER => 2; use constant FILETYPE_PEM => Net::SSLeay::FILETYPE_PEM(); use constant FILETYPE_ASN1 => Net::SSLeay::FILETYPE_ASN1(); # Note that the final object will actually be a reference to the scalar # (C-style pointer) returned by Net::SSLeay::CTX_*_new() so that # it can be blessed. sub new { my $class = shift; #DEBUG( "$class @_" ); my $arg_hash = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; # common problem forgetting to set SSL_use_cert # if client cert is given by user but SSL_use_cert is undef, assume that it # should be set my $is_server = $arg_hash->{SSL_server}; if ( ! $is_server && ! defined $arg_hash->{SSL_use_cert} && ( grep { $arg_hash->{$_} } qw(SSL_cert SSL_cert_file)) && ( grep { $arg_hash->{$_} } qw(SSL_key SSL_key_file)) ) { $arg_hash->{SSL_use_cert} = 1 } # if any of SSL_ca* is set don't set the other SSL_ca* # from defaults if ( $arg_hash->{SSL_ca} ) { $arg_hash->{SSL_ca_file} ||= undef $arg_hash->{SSL_ca_path} ||= undef } elsif ( $arg_hash->{SSL_ca_path} ) { $arg_hash->{SSL_ca_file} ||= undef } elsif ( $arg_hash->{SSL_ca_file} ) { $arg_hash->{SSL_ca_path} ||= undef; } # add library defaults %$arg_hash = ( SSL_use_cert => $is_server, $is_server ? %DEFAULT_SSL_SERVER_ARGS : %DEFAULT_SSL_CLIENT_ARGS, %$arg_hash ); # Avoid passing undef arguments to Net::SSLeay defined($arg_hash->{$_}) or delete($arg_hash->{$_}) for(keys %$arg_hash); # check SSL CA, cert etc arguments # some apps set keys '' to signal that it is not set, replace with undef for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file SSL_ca SSL_ca_file SSL_ca_path SSL_fingerprint )) { $arg_hash->{$_} = undef if defined $arg_hash->{$_} and $arg_hash->{$_} eq ''; } for(qw(SSL_cert_file SSL_key_file)) { defined( my $file = $arg_hash->{$_} ) or next; for my $f (ref($file) eq 'HASH' ? values(%$file):$file ) { die "$_ $f does not exist" if ! -f $f; } } my $verify_mode = $arg_hash->{SSL_verify_mode} || 0; if ( $verify_mode != Net::SSLeay::VERIFY_NONE()) { for (qw(SSL_ca_file SSL_ca_path)) { $CHECK_SSL_PATH->($_ => $arg_hash->{$_} || next); } } elsif ( $verify_mode ne '0' ) { # some users use the string 'SSL_VERIFY_PEER' instead of the constant die "SSL_verify_mode must be a number and not a string"; } my $self = bless {},$class; my $vcn_scheme = delete $arg_hash->{SSL_verifycn_scheme}; my $vcn_publicsuffix = delete $arg_hash->{SSL_verifycn_publicsuffix}; if ( ! $is_server and $verify_mode & 0x01 and ! $vcn_scheme || $vcn_scheme ne 'none' ) { # gets updated during configure_SSL my $verify_name; $self->{verify_name_ref} = \$verify_name; my $vcb = $arg_hash->{SSL_verify_callback}; $arg_hash->{SSL_verify_callback} = sub { my ($ok,$ctx_store,$certname,$error,$cert,$depth) = @_; $ok = $vcb->($ok,$ctx_store,$certname,$error,$cert,$depth) if $vcb; $ok or return 0; return $ok if $depth != 0; my $host = $verify_name || ref($vcn_scheme) && $vcn_scheme->{callback} && 'unknown'; if ( ! $host ) { if ( $vcn_scheme ) { IO::Socket::SSL->_internal_error( "Cannot determine peer hostname for verification",8); return 0; } warn "Cannot determine hostname of peer for verification. ". "Disabling default hostname verification for now. ". "Please specify hostname with SSL_verifycn_name and better set SSL_verifycn_scheme too.\n"; return $ok; } elsif ( ! $vcn_scheme && $host =~m{^[\d.]+$|:} ) { # don't try to verify IP by default return $ok; } # verify name my $rv = IO::Socket::SSL::verify_hostname_of_cert( $host,$cert,$vcn_scheme,$vcn_publicsuffix ); if ( ! $rv ) { IO::Socket::SSL->_internal_error( "hostname verification failed",5); } return $rv; }; } my $ssl_op = Net::SSLeay::OP_ALL(); $ssl_op |= &Net::SSLeay::OP_SINGLE_DH_USE; $ssl_op |= &Net::SSLeay::OP_SINGLE_ECDH_USE if $can_ecdh; my $ver; for (split(/\s*:\s*/,$arg_hash->{SSL_version})) { m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i or croak("invalid SSL_version specified"); my $not = $1; ( my $v = lc($2||$3) ) =~s{^(...)}{\U$1}; if ( $not ) { $ssl_op |= $SSL_OP_NO{$v}; } else { croak("cannot set multiple SSL protocols in SSL_version") if $ver && $v ne $ver; $ver = $v; $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23 $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1 } } my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay', $ver eq 'SSLv2' ? 'CTX_v2_new' : $ver eq 'SSLv3' ? 'CTX_v3_new' : $ver eq 'TLSv1' ? 'CTX_tlsv1_new' : $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' : $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' : 'CTX_new' ) or return IO::Socket::SSL->_internal_error("SSL Version $ver not supported",9); # For SNI in server mode we need a separate context for each certificate. my %ctx; if ($arg_hash->{'SSL_server'}) { my %sni; for my $opt (qw(SSL_key SSL_key_file SSL_cert SSL_cert_file)) { my $val = $arg_hash->{$opt} or next; if ( ref($val) eq 'HASH' ) { while ( my ($host,$v) = each %$val ) { $sni{lc($host)}{$opt} = $v; } } } while (my ($host,$v) = each %sni) { $ctx{$host} = { %$arg_hash, %$v }; } } $ctx{''} = $arg_hash if ! %ctx; while (my ($host,$arg_hash) = each %ctx) { # replace value in %ctx with real context my $ctx = $ctx_new_sub->() or return IO::Socket::SSL->error("SSL Context init failed"); $CTX_CREATED_IN_THIS_THREAD{$ctx} = 1; # SSL_OP_CIPHER_SERVER_PREFERENCE $ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order}; if ($ver eq 'SSLv23' && !($ssl_op & $SSL_OP_NO{SSLv3})) { # At least LibreSSL disables SSLv3 by default in SSL_CTX_new. # If we really want SSL3.0 we need to explicitly allow it with # SSL_CTX_clear_options. Net::SSLeay::CTX_clear_options($ctx,$SSL_OP_NO{SSLv3}); } Net::SSLeay::CTX_set_options($ctx,$ssl_op); # if we don't set session_id_context if client certificate is expected # client session caching will fail # if user does not provide explicit id just use the stringification # of the context if ( my $id = $arg_hash->{SSL_session_id_context} || ( $arg_hash->{SSL_verify_mode} & 0x01 ) && "$ctx" ) { Net::SSLeay::CTX_set_session_id_context($ctx,$id,length($id)); } # SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER makes syswrite return if at least one # buffer was written and not block for the rest # SSL_MODE_ENABLE_PARTIAL_WRITE can be necessary for non-blocking because we # cannot guarantee, that the location of the buffer stays constant Net::SSLeay::CTX_set_mode( $ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE); if ( my $proto_list = $arg_hash->{SSL_npn_protocols} ) { return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay",9) if ! $can_npn; if($arg_hash->{SSL_server}) { # on server side SSL_npn_protocols means a list of advertised protocols Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, $proto_list); } else { # on client side SSL_npn_protocols means a list of preferred protocols # negotiation algorithm used is "as-openssl-implements-it" Net::SSLeay::CTX_set_next_proto_select_cb($ctx, $proto_list); } } if ( my $proto_list = $arg_hash->{SSL_alpn_protocols} ) { return IO::Socket::SSL->_internal_error("ALPN not supported in Net::SSLeay",9) if ! $can_alpn; if($arg_hash->{SSL_server}) { Net::SSLeay::CTX_set_alpn_select_cb($ctx, $proto_list); } else { Net::SSLeay::CTX_set_alpn_protos($ctx, $proto_list); } } # Try to apply SSL_ca even if SSL_verify_mode is 0, so that they can be # used to verify OCSP responses. # If applying fails complain only if verify_mode != VERIFY_NONE. if ( $arg_hash->{SSL_ca} || defined $arg_hash->{SSL_ca_file} || defined $arg_hash->{SSL_ca_path} ) { my $file = $arg_hash->{SSL_ca_file}; $file = undef if ref($file) eq 'SCALAR' && ! $$file; my $dir = $arg_hash->{SSL_ca_path}; $dir = undef if ref($dir) eq 'SCALAR' && ! $$dir; if ( $arg_hash->{SSL_ca} ) { my $store = Net::SSLeay::CTX_get_cert_store($ctx); for (@{$arg_hash->{SSL_ca}}) { Net::SSLeay::X509_STORE_add_cert($store,$_) or return IO::Socket::SSL->error( "Failed to add certificate to CA store"); } } $dir = join($OPENSSL_LIST_SEPARATOR,@$dir) if ref($dir); if ( $file || $dir and ! Net::SSLeay::CTX_load_verify_locations( $ctx, $file || '', $dir || '')) { return IO::Socket::SSL->error( "Invalid certificate authority locations") if $verify_mode != Net::SSLeay::VERIFY_NONE(); } } elsif ( my %ca = IO::Socket::SSL::default_ca()) { # no CA path given, continue with system defaults my $dir = $ca{SSL_ca_path}; $dir = join($OPENSSL_LIST_SEPARATOR,@$dir) if ref($dir); if (! Net::SSLeay::CTX_load_verify_locations( $ctx, $ca{SSL_ca_file} || '',$dir || '') && $verify_mode != Net::SSLeay::VERIFY_NONE()) { return IO::Socket::SSL->error( "Invalid default certificate authority locations") } } if ($arg_hash->{SSL_server} && ($verify_mode & Net::SSLeay::VERIFY_PEER())) { if ($arg_hash->{SSL_client_ca}) { for (@{$arg_hash->{SSL_client_ca}}) { return IO::Socket::SSL->error( "Failed to add certificate to client CA list") if ! Net::SSLeay::CTX_add_client_CA($ctx,$_); } } if ($arg_hash->{SSL_client_ca_file}) { my $list = Net::SSLeay::load_client_CA_file( $arg_hash->{SSL_client_ca_file}) or return IO::Socket::SSL->error( "Failed to load certificate to client CA list"); Net::SSLeay::CTX_set_client_CA_list($ctx,$list); } } my $X509_STORE_flags = $DEFAULT_X509_STORE_flags; if ($arg_hash->{'SSL_check_crl'}) { $X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_CRL_CHECK(); if ($arg_hash->{'SSL_crl_file'}) { my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r'); my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio); if ( $crl ) { Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl); } else { return IO::Socket::SSL->error("Invalid certificate revocation list"); } } } Net::SSLeay::X509_STORE_set_flags( Net::SSLeay::CTX_get_cert_store($ctx), $X509_STORE_flags ) if $X509_STORE_flags; Net::SSLeay::CTX_set_default_passwd_cb($ctx,$arg_hash->{SSL_passwd_cb}) if $arg_hash->{SSL_passwd_cb}; my ($havekey,$havecert); if ( my $x509 = $arg_hash->{SSL_cert} ) { # binary, e.g. X509* # we have either a single certificate or a list with # a chain of certificates my @x509 = ref($x509) eq 'ARRAY' ? @$x509: ($x509); my $cert = shift @x509; Net::SSLeay::CTX_use_certificate( $ctx,$cert ) || return IO::Socket::SSL->error("Failed to use Certificate"); foreach my $ca (@x509) { Net::SSLeay::CTX_add_extra_chain_cert( $ctx,$ca ) || return IO::Socket::SSL->error("Failed to use Certificate"); } $havecert = 'OBJ'; } elsif ( my $f = $arg_hash->{SSL_cert_file} ) { # try to load chain from PEM or certificate from ASN1 if (Net::SSLeay::CTX_use_certificate_chain_file($ctx,$f)) { $havecert = 'PEM'; } elsif (Net::SSLeay::CTX_use_certificate_file($ctx,$f,FILETYPE_ASN1)) { $havecert = 'DER'; } else { # try to load certificate, key and chain from PKCS12 file my ($key,$cert,@chain) = Net::SSLeay::P_PKCS12_load_file($f,1); if (!$cert and $arg_hash->{SSL_passwd_cb} and defined( my $pw = $arg_hash->{SSL_passwd_cb}->(0))) { ($key,$cert,@chain) = Net::SSLeay::P_PKCS12_load_file($f,1,$pw); } PKCS12: while ($cert) { Net::SSLeay::CTX_use_certificate($ctx,$cert) or last; for my $ca (@chain) { Net::SSLeay::CTX_add_extra_chain_cert($ctx,$ca) or last PKCS12; } last if $key && ! Net::SSLeay::CTX_use_PrivateKey($ctx,$key); $havecert = 'PKCS12'; last; } $havekey = 'PKCS12' if $key; Net::SSLeay::X509_free($cert) if $cert; Net::SSLeay::EVP_PKEY_free($key) if $key; # don't free @chain, because CTX_add_extra_chain_cert # did not duplicate the certificates } $havecert or return IO::Socket::SSL->error( "Failed to load certificate from file (no PEM, DER or PKCS12)"); } if (!$havecert || $havekey) { # skip SSL_key_* } elsif ( my $pkey = $arg_hash->{SSL_key} ) { # binary, e.g. EVP_PKEY* Net::SSLeay::CTX_use_PrivateKey($ctx, $pkey) || return IO::Socket::SSL->error("Failed to use Private Key"); $havekey = 'MEM'; } elsif ( my $f = $arg_hash->{SSL_key_file} || (($havecert eq 'PEM') ? $arg_hash->{SSL_cert_file}:undef) ) { for my $ft ( FILETYPE_PEM, FILETYPE_ASN1 ) { if (Net::SSLeay::CTX_use_PrivateKey_file($ctx,$f,$ft)) { $havekey = ($ft == FILETYPE_PEM) ? 'PEM':'DER'; last; } } $havekey or return IO::Socket::SSL->error( "Failed to load key from file (no PEM or DER)"); } # replace arg_hash with created context $ctx{$host} = $ctx; } if ($arg_hash->{'SSL_server'} || $arg_hash->{'SSL_use_cert'}) { if ( my $f = $arg_hash->{SSL_dh_file} ) { my $bio = Net::SSLeay::BIO_new_file( $f,'r' ) || return IO::Socket::SSL->error( "Failed to open DH file $f" ); my $dh = Net::SSLeay::PEM_read_bio_DHparams($bio); Net::SSLeay::BIO_free($bio); $dh || return IO::Socket::SSL->error( "Failed to read PEM for DH from $f - wrong format?" ); my $rv; for (values (%ctx)) { $rv = Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) or last; } Net::SSLeay::DH_free( $dh ); $rv || return IO::Socket::SSL->error( "Failed to set DH from $f" ); } elsif ( my $dh = $arg_hash->{SSL_dh} ) { # binary, e.g. DH* for( values %ctx ) { Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) || return IO::Socket::SSL->error( "Failed to set DH from SSL_dh" ); } } if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) { return IO::Socket::SSL->_internal_error( "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0",9) if ! $can_ecdh; if ( $curve !~ /^\d+$/ ) { # name of curve, find NID $curve = Net::SSLeay::OBJ_txt2nid($curve) || return IO::Socket::SSL->error( "cannot find NID for curve name '$curve'"); } my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or return IO::Socket::SSL->error( "cannot create curve for NID $curve"); for( values %ctx ) { Net::SSLeay::CTX_set_tmp_ecdh($_,$ecdh) or return IO::Socket::SSL->error( "failed to set ECDH curve context"); } Net::SSLeay::EC_KEY_free($ecdh); } } my $verify_cb = $arg_hash->{SSL_verify_callback}; my @accept_fp; if ( my $fp = $arg_hash->{SSL_fingerprint} ) { for( ref($fp) ? @$fp : $fp) { my ($algo,$digest) = m{^([\w-]+)\$([a-f\d:]+)$}i; return IO::Socket::SSL->_internal_error("invalid fingerprint '$_'",9) if ! $algo; $algo = lc($algo); ( $digest = lc($digest) ) =~s{:}{}g; push @accept_fp,[ $algo, pack('H*',$digest) ] } } my $verify_fingerprint = @accept_fp && do { my $fail; sub { my ($ok,$cert,$depth) = @_; $fail = 1 if ! $ok; return 1 if $depth>0; # to let us continue with verification # Check fingerprint only from top certificate. my %fp; for(@accept_fp) { my $fp = $fp{$_->[0]} ||= Net::SSLeay::X509_digest($cert,$algo2digest->($_->[0])); next if $fp ne $_->[1]; return 1; } return ! $fail; } }; my $verify_callback = ( $verify_cb || @accept_fp ) && sub { my ($ok, $ctx_store) = @_; my ($certname,$cert,$error,$depth); if ($ctx_store) { $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($ctx_store); $error = Net::SSLeay::X509_STORE_CTX_get_error($ctx_store); $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($ctx_store); $certname = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert)). Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)); $error &&= Net::SSLeay::ERR_error_string($error); } $DEBUG>=3 && DEBUG( "ok=$ok [$depth] $certname" ); $ok = $verify_cb->($ok,$ctx_store,$certname,$error,$cert,$depth) if $verify_cb; $ok = $verify_fingerprint->($ok,$cert,$depth) if $verify_fingerprint && $cert; return $ok; }; if ( $^O eq 'darwin' ) { # explicitly set error code to disable use of apples TEA patch # https://hynek.me/articles/apple-openssl-verification-surprises/ my $vcb = $verify_callback; $verify_callback = sub { my $rv = $vcb ? &$vcb : $_[0]; if ( $rv != 1 ) { # 50 - X509_V_ERR_APPLICATION_VERIFICATION: application verification failure Net::SSLeay::X509_STORE_CTX_set_error($_[1], 50); } return $rv; }; } Net::SSLeay::CTX_set_verify($_, $verify_mode, $verify_callback) for (values %ctx); my $staple_callback = $arg_hash->{SSL_ocsp_staple_callback}; if ( !$is_server && $can_ocsp_staple ) { $self->{ocsp_cache} = $arg_hash->{SSL_ocsp_cache}; my $status_cb = sub { my ($ssl,$resp) = @_; my $iossl = $SSL_OBJECT{$ssl} or die "no IO::Socket::SSL object found for SSL $ssl"; $iossl->[1] and do { # we must return with 1 or it will be called again # and because we have no SSL object we must make the error global Carp::cluck($IO::Socket::SSL::SSL_ERROR = "OCSP callback on server side"); return 1; }; $iossl = $iossl->[0]; # if we have a callback use this # callback must not free or copy $resp !! if ( $staple_callback ) { $staple_callback->($iossl,$resp); return 1; } # default callback does verification if ( ! $resp ) { $DEBUG>=3 && DEBUG("did not get stapled OCSP response"); return 1; } $DEBUG>=3 && DEBUG("got stapled OCSP response"); my $status = Net::SSLeay::OCSP_response_status($resp); if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) { $DEBUG>=3 && DEBUG("bad status of stapled OCSP response: ". Net::SSLeay::OCSP_response_status_str($status)); return 1; } if (!eval { Net::SSLeay::OCSP_response_verify($ssl,$resp) }) { $DEBUG>=3 && DEBUG("verify of stapled OCSP response failed"); return 1; } my (@results,$hard_error); my @chain = $iossl->peer_certificates; for my $cert (@chain) { my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) }; if (!$certid) { $DEBUG>=3 && DEBUG("cannot create OCSP_CERTID: $@"); push @results,[-1,$@]; last; } ($status) = Net::SSLeay::OCSP_response_results($resp,$certid); if ($status && $status->[2]) { my $cache = ${*$iossl}{_SSL_ctx}{ocsp_cache}; if (!$status->[1]) { push @results,[1,$status->[2]{nextUpdate}]; $cache && $cache->put($certid,$status->[2]); } elsif ( $status->[2]{statusType} == Net::SSLeay::V_OCSP_CERTSTATUS_GOOD()) { push @results,[1,$status->[2]{nextUpdate}]; $cache && $cache->put($certid,{ %{$status->[2]}, expire => time()+120, soft_error => $status->[1], }); } else { push @results,($hard_error = [0,$status->[1]]); $cache && $cache->put($certid,{ %{$status->[2]}, hard_error => $status->[1], }); } } } # return result of lead certificate, this should be in chain[0] and # thus result[0], but we better check. But if we had any hard_error # return this instead if ($hard_error) { ${*$iossl}{_SSL_ocsp_verify} = $hard_error; } elsif (@results and $chain[0] == $iossl->peer_certificate) { ${*$iossl}{_SSL_ocsp_verify} = $results[0]; } return 1; }; Net::SSLeay::CTX_set_tlsext_status_cb($_,$status_cb) for (values %ctx); } if ( my $cl = $arg_hash->{SSL_cipher_list} ) { for (keys %ctx) { Net::SSLeay::CTX_set_cipher_list($ctx{$_}, ref($cl) ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list} || next : $cl ) || return IO::Socket::SSL->error("Failed to set SSL cipher list"); } } # Main context is default context or any other if no default context. my $ctx = $ctx{''} || (values %ctx)[0]; if (keys(%ctx) > 1 || ! exists $ctx{''}) { $can_server_sni or return IO::Socket::SSL->_internal_error( "Server side SNI not supported for this openssl/Net::SSLeay",9); Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub { my $ssl = shift; my $host = Net::SSLeay::get_servername($ssl); $host = '' if ! defined $host; my $snictx = $ctx{lc($host)} || $ctx{''} or do { $DEBUG>1 and DEBUG( "cannot get context from servername '$host'"); return 0; }; $DEBUG>1 and DEBUG("set context from servername $host"); Net::SSLeay::set_SSL_CTX($ssl,$snictx) if $snictx != $ctx; return 1; }); } if ( my $cb = $arg_hash->{SSL_create_ctx_callback} ) { $cb->($_) for values (%ctx); } $self->{context} = $ctx; $self->{verify_mode} = $arg_hash->{SSL_verify_mode}; $self->{ocsp_mode} = defined($arg_hash->{SSL_ocsp_mode}) ? $arg_hash->{SSL_ocsp_mode} : $self->{verify_mode} ? IO::Socket::SSL::SSL_OCSP_TRY_STAPLE() : 0; $DEBUG>=3 && DEBUG( "new ctx $ctx" ); if ( my $cache = $arg_hash->{SSL_session_cache} ) { # use predefined cache $self->{session_cache} = $cache } elsif ( my $size = $arg_hash->{SSL_session_cache_size}) { $self->{session_cache} = IO::Socket::SSL::Session_Cache->new( $size ); } return $self; } sub session_cache { my $self = shift; my $cache = $self->{session_cache} || return; my ($addr,$port,$session) = @_; $port ||= $addr =~s{:(\w+)$}{} && $1; # host:port my $key = "$addr:$port"; return defined($session) ? $cache->add_session($key, $session) : $cache->get_session($key); } sub has_session_cache { return defined shift->{session_cache}; } sub CLONE { %CTX_CREATED_IN_THIS_THREAD = (); } sub DESTROY { my $self = shift; if ( my $ctx = $self->{context} ) { $DEBUG>=3 && DEBUG("free ctx $ctx open=".join( " ",keys %CTX_CREATED_IN_THIS_THREAD )); if ( %CTX_CREATED_IN_THIS_THREAD and delete $CTX_CREATED_IN_THIS_THREAD{$ctx} ) { # remove any verify callback for this context if ( $self->{verify_mode}) { $DEBUG>=3 && DEBUG("free ctx $ctx callback" ); Net::SSLeay::CTX_set_verify($ctx, 0,undef); } if ( $self->{ocsp_error_ref}) { $DEBUG>=3 && DEBUG("free ctx $ctx tlsext_status_cb" ); Net::SSLeay::CTX_set_tlsext_status_cb($ctx,undef); } $DEBUG>=3 && DEBUG("OK free ctx $ctx" ); Net::SSLeay::CTX_free($ctx); } } delete(@{$self}{'context','session_cache'}); } package IO::Socket::SSL::Session_Cache; use strict; sub new { my ($class, $size) = @_; $size>0 or return; return bless { _maxsize => $size }, $class; } sub get_session { my ($self, $key) = @_; my $session = $self->{$key} || return; return $session->{session} if ($self->{'_head'} eq $session); $session->{prev}->{next} = $session->{next}; $session->{next}->{prev} = $session->{prev}; $session->{next} = $self->{'_head'}; $session->{prev} = $self->{'_head'}->{prev}; $self->{'_head'}->{prev} = $self->{'_head'}->{prev}->{next} = $session; $self->{'_head'} = $session; return $session->{session}; } sub add_session { my ($self, $key, $val) = @_; return if ($key eq '_maxsize' or $key eq '_head'); if ( my $have = $self->{$key} ) { Net::SSLeay::SESSION_free( $have->{session} ); $have->{session} = $val; return get_session($self,$key); # will put key on front } my $session = $self->{$key} = { session => $val, key => $key }; if ( keys(%$self) > $self->{_maxsize}+2) { my $last = $self->{'_head'}->{prev}; Net::SSLeay::SESSION_free($last->{session}); delete($self->{$last->{key}}); $self->{'_head'}->{prev} = $self->{'_head'}->{prev}->{prev}; delete($self->{'_head'}) if ($self->{'_maxsize'} == 1); } if ($self->{'_head'}) { $session->{next} = $self->{'_head'}; $session->{prev} = $self->{'_head'}->{prev}; $self->{'_head'}->{prev}->{next} = $session; $self->{'_head'}->{prev} = $session; } else { $session->{next} = $session->{prev} = $session; } $self->{'_head'} = $session; return $session; } sub DESTROY { my $self = shift; delete(@{$self}{'_head','_maxsize'}); for (values %$self) { Net::SSLeay::SESSION_free($_->{session} || next); } } package IO::Socket::SSL::OCSP_Cache; sub new { my ($class,$size) = @_; return bless { '' => { _lru => 0, size => $size || 100 } },$class; } sub get { my ($self,$id) = @_; my $e = $self->{$id} or return; $e->{_lru} = $self->{''}{_lru}++; if ( $e->{expire} && time()<$e->{expire}) { delete $self->{$id}; return; } if ( $e->{nextUpdate} && time()<$e->{nextUpdate} ) { delete $self->{$id}; return; } return $e; } sub put { my ($self,$id,$e) = @_; $self->{$id} = $e; $e->{_lru} = $self->{''}{_lru}++; my $del = keys(%$self) - $self->{''}{size}; if ($del>0) { my @k = sort { $self->{$a}{_lru} <=> $self->{$b}{_lru} } keys %$self; delete @{$self}{ splice(@k,0,$del) }; } return $e; } package IO::Socket::SSL::OCSP_Resolver; *DEBUG = *IO::Socket::SSL::DEBUG; # create a new resolver # $ssl - the ssl object # $cache - OCSP_Cache object (put,get) # $failhard - flag if we should fail hard on OCSP problems # $certs - list of certs to verify sub new { my ($class,$ssl,$cache,$failhard,$certs) = @_; my (%todo,$done,$hard_error,@soft_error); for my $cert (@$certs) { # skip entries which have no OCSP uri or where we cannot get a certid # (e.g. self-signed or where we don't have the issuer) my $subj = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)); my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert) or do { $DEBUG>2 && DEBUG("no URI for certificate $subj"); push @soft_error,"no ocsp_uri for $subj"; next; }; my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do { $DEBUG>2 && DEBUG("no OCSP_CERTID for certificate $subj: $@"); push @soft_error,"no certid for $subj: $@"; next; }; if (!($done = $cache->get($certid))) { push @{ $todo{$uri}{ids} }, $certid; } elsif ( $done->{hard_error} ) { # one error is enough to fail validation $hard_error = $done->{hard_error}; %todo = (); last; } elsif ( $done->{soft_error} ) { push @soft_error,$done->{soft_error}; } } while ( my($uri,$v) = each %todo) { my $ids = $v->{ids}; $v->{req} = Net::SSLeay::i2d_OCSP_REQUEST( Net::SSLeay::OCSP_ids2req(@$ids)); } $hard_error ||= '' if ! %todo; return bless { ssl => $ssl, cache => $cache, failhard => $failhard, hard_error => $hard_error, soft_error => @soft_error ? join("; ",@soft_error) : undef, todo => \%todo, },$class; } # return current result, e.g. '' for no error, else error # if undef we have no final result yet sub hard_error { return shift->{hard_error} } sub soft_error { return shift->{soft_error} } # return hash with uri => ocsp_request_data for open requests sub requests { my $todo = shift()->{todo}; return map { ($_,$todo->{$_}{req}) } keys %$todo; } # add new response sub add_response { my ($self,$uri,$resp) = @_; my $todo = delete $self->{todo}{$uri}; return $self->{error} if ! $todo || $self->{error}; my ($req,@soft_error,@hard_error); # do we have a response if (!$resp) { @soft_error = "http request failed" # is it an valid OCSP_RESPONSE } elsif ( ! eval { $resp = Net::SSLeay::d2i_OCSP_RESPONSE($resp) }) { @soft_error = "invalid response (no OCSP_RESPONSE)"; # hopefully short-time error $self->{cache}->put($_,{ soft_error => "@soft_error", expire => time()+10, }) for (@{$todo->{ids}}); # is the OCSP response status success } elsif ( ( my $status = Net::SSLeay::OCSP_response_status($resp)) != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL() ){ @soft_error = "OCSP response failed: ". Net::SSLeay::OCSP_response_status_str($status); # hopefully short-time error $self->{cache}->put($_,{ soft_error => "@soft_error", expire => time()+10, }) for (@{$todo->{ids}}); # does nonce match the request and can the signature be verified } elsif ( ! eval { $req = Net::SSLeay::d2i_OCSP_REQUEST($todo->{req}); Net::SSLeay::OCSP_response_verify($self->{ssl},$resp,$req); }) { if ($@) { @soft_error = $@ } else { my @err; while ( my $err = Net::SSLeay::ERR_get_error()) { push @soft_error, Net::SSLeay::ERR_error_string($err); } @soft_error = 'failed to verify OCSP response' if ! @soft_error; } # configuration problem or we don't know the signer $self->{cache}->put($_,{ soft_error => "@soft_error", expire => time()+120, }) for (@{$todo->{ids}}); # extract results from response } elsif ( my @result = Net::SSLeay::OCSP_response_results($resp,@{$todo->{ids}})) { my (@found,@miss); for my $rv (@result) { if ($rv->[2]) { push @found,$rv->[0]; if (!$rv->[1]) { # no error $self->{cache}->put($rv->[0],$rv->[2]); } elsif ( $rv->[2]{statusType} == Net::SSLeay::V_OCSP_CERTSTATUS_GOOD()) { # soft error, like response after nextUpdate push @soft_error,$rv->[1]; $self->{cache}->put($rv->[0],{ %{$rv->[2]}, soft_error => "@soft_error", expire => time()+120, }); } else { # hard error $self->{cache}->put($rv->[0],$rv->[2]); push @hard_error, $rv->[1]; } } else { push @miss,$rv->[0]; } } if (@miss && @found) { # we sent multiple responses, but server answered only to one # try again $self->{todo}{$uri} = $todo; $todo->{ids} = \@miss; $todo->{req} = Net::SSLeay::i2d_OCSP_REQUEST( Net::SSLeay::OCSP_ids2req(@miss)); $DEBUG>=2 && DEBUG("$uri just answered ".@found." of ".(@found+@miss)." requests"); } } else { @soft_error = "no data in response"; # probably configuration problem $self->{cache}->put($_,{ soft_error => "@soft_error", expire => time()+120, }) for (@{$todo->{ids}}); } Net::SSLeay::OCSP_REQUEST_free($req) if $req; if ($self->{failhard}) { push @hard_error,@soft_error; @soft_error = (); } if (@soft_error) { $self->{soft_error} .= "; " if $self->{soft_error}; $self->{soft_error} .= "$uri: ".join('; ',@soft_error); } if (@hard_error) { $self->{hard_error} = "$uri: ".join('; ',@hard_error); %{$self->{todo}} = (); } elsif ( ! %{$self->{todo}} ) { $self->{hard_error} = '' } return $self->{hard_error}; } # make all necessary requests to get OCSP responses blocking sub resolve_blocking { my ($self,%args) = @_; while ( my %todo = $self->requests ) { eval { require HTTP::Tiny } or die "need HTTP::Tiny installed"; # OCSP responses have their own signature, so we don't need SSL verification my $ua = HTTP::Tiny->new(verify_SSL => 0,%args); while (my ($uri,$reqdata) = each %todo) { $DEBUG && DEBUG("sending OCSP request to $uri"); my $resp = $ua->request('POST',$uri, { headers => { 'Content-type' => 'application/ocsp-request' }, content => $reqdata }); $DEBUG && DEBUG("got OCSP response from $uri code=$resp->{status}"); defined ($self->add_response($uri, $resp->{success} && $resp->{content})) && last; } } $DEBUG>=2 && DEBUG("no more open OCSP requests"); return $self->{hard_error}; } 1; __END__ IO-Socket-SSL-2.024/lib/IO/Socket/SSL.pod0000644000175100017510000022737212627645435016152 0ustar workwork =head1 NAME IO::Socket::SSL - SSL sockets with IO::Socket interface =head1 SYNOPSIS use strict; use IO::Socket::SSL; # simple client my $cl = IO::Socket::SSL->new('www.google.com:443'); print $cl "GET / HTTP/1.0\r\n\r\n"; print <$cl>; # simple server my $srv = IO::Socket::SSL->new( LocalAddr => '0.0.0.0:1234', Listen => 10, SSL_cert_file => 'server-cert.pem', SSL_key_file => 'server-key.pem', ); $srv->accept; =head1 DESCRIPTION IO::Socket::SSL makes using SSL/TLS much easier by wrapping the necessary functionality into the familiar L interface and providing secure defaults whenever possible. This way, existing applications can be made SSL-aware without much effort, at least if you do blocking I/O and don't use select or poll. But, under the hood, SSL is a complex beast. So there are lots of methods to make it do what you need if the default behavior is not adequate. Because it is easy to inadvertently introduce critical security bugs or just hard to debug problems, I would recommend studying the following documentation carefully. The documentation consists of the following parts: =over 4 =item * L =item * L =item * L =item * L =item * L =item * L =item * L =item * L =item * L =back Additional documentation can be found in =over 4 =item * L - Doing Man-In-The-Middle with SSL =item * L - Useful functions for certificates etc =back =head1 Essential Information About SSL/TLS SSL (Secure Socket Layer) or its successor TLS (Transport Layer Security) are protocols to facilitate end-to-end security. These protocols are used when accessing web sites (https), delivering or retrieving email, and in lots of other use cases. In the following documentation we will refer to both SSL and TLS as simply 'SSL'. SSL enables end-to-end security by providing two essential functions: =over 4 =item Encryption This part encrypts the data for transit between the communicating parties, so that nobody in between can read them. It also provides tamper resistance so that nobody in between can manipulate the data. =item Identification This part makes sure that you talk to the right peer. If the identification is done incorrectly it is easy to mount man-in-the-middle attacks, e.g. if Alice wants to talk to Bob it would be possible for Mallory to put itself in the middle, so that Alice talks to Mallory and Mallory to Bob. All the data would still be encrypted, but not end-to-end between Alice and Bob, but only between Alice and Mallory and then between Mallory and Bob. Thus Mallory would be able to read and modify all traffic between Alice and Bob. =back Identification is the part which is the hardest to understand and the easiest to get wrong. With SSL, the Identification is usually done with B inside a B (Public Key Infrastructure). These Certificates are comparable to an identity card, which contains information about the owner of the card. The card then is somehow B by the B of the card, the B (Certificate Agency). To verify the identity of the peer the following must be done inside SSL: =over 4 =item * Get the certificate from the peer. If the peer does not present a certificate we cannot verify it. =item * Check if we trust the certificate, e.g. make sure it's not a forgery. We believe that a certificate is not a fake if we either know the certificate already or if we B the issuer (the CA) and can verify the issuers signature on the certificate. In reality there is often a hierarchy of certificate agencies and we only directly trust the root of this hierarchy. In this case the peer not only sends his own certificate, but also all B. Verification will be done by building a B from the trusted root up to the peers certificate and checking in each step if the we can verify the issuer's signature. This step often causes problems because the client does not know the necessary trusted root certificates. These are usually stored in a system dependent CA store, but often the browsers have their own CA store. =item * Check if the certificate is still valid. Each certificate has a lifetime and should not be used after that time because it might be compromised or the underlying cryptography got broken in the mean time. =item * Check if the subject of the certificate matches the peer. This is like comparing the picture on the identity card against the person representing the identity card. When connecting to a server this is usually done by comparing the hostname used for connecting against the names represented in the certificate. A certificate might contain multiple names or wildcards, so that it can be used for multiple hosts (e.g. *.example.com and *.example.org). Although nobody sane would accept an identity card where the picture does not match the person we see, it is a common implementation error with SSL to omit this check or get it wrong. =item * Check if the certificate was revoked by the issuer. This might be the case if the certificate was compromised somehow and now somebody else might use it to claim the wrong identity. Such revocations happened a lot after the heartbleed attack. For SSL there are two ways to verify a revocation, CRL and OCSP. With CRLs (Certificate Revocation List) the CA provides a list of serial numbers for revoked certificates. The client somehow has to download the list (which can be huge) and keep it up to date. With OCSP (Online Certificate Status Protocol) the client can check a single certificate directly by asking the issuer. Revocation is the hardest part of the verification and none of today's browsers get it fully correct. But, they are still better than most other implementations which don't implement revocation checks or leave the hard parts to the developer. =back When accessing a web site with SSL or delivering mail in a secure way the identity is usually only checked one way, e.g. the client wants to make sure it talks to the right server, but the server usually does not care which client it talks to. But, sometimes the server wants to identify the client too and will request a certificate from the client which the server must verify in a similar way. =head1 Basic SSL Client A basic SSL client is simple: my $client = IO::Socket::SSL->new('www.example.com:443') or die "error=$!, ssl_error=$SSL_ERROR"; This will take the OpenSSL default CA store as the store for the trusted CA. This usually works on UNIX systems. If there are no certificates in the store it will try use L which provides the default CAs of Firefox. In the default settings, L will use a safer cipher set and SSL version, do a proper hostname check against the certificate, and use SNI (server name indication) to send the hostname inside the SSL handshake. This is necessary to work with servers which have different certificates behind the same IP address. It will also check the revocation of the certificate with OCSP, but currently only if the server provides OCSP stapling (for deeper checks see C method). Lots of options can be used to change ciphers, SSL version, location of CA and much more. See documentation of methods for details. With protocols like SMTP it is necessary to upgrade an existing socket to SSL. This can be done like this: my $client = IO::Socket::INET->new('mx.example.com:25') or die $!; # .. read greeting from server # .. send EHLO and read response # .. send STARTTLS command and read response # .. if response was successful we can upgrade the socket to SSL now: IO::Socket::SSL->start_SSL($client, # explicitly set hostname we should use for SNI SSL_hostname => 'mx.example.com' ) or die $SSL_ERROR; A more complete example for a simple HTTP client: my $client = IO::Socket::SSL->new( # where to connect PeerHost => "www.example.com", PeerPort => "https", # certificate verification - VERIFY_PEER is default SSL_verify_mode => SSL_VERIFY_PEER, # location of CA store # need only be given if default store should not be used SSL_ca_path => '/etc/ssl/certs', # typical CA path on Linux SSL_ca_file => '/etc/ssl/cert.pem', # typical CA file on BSD # or just use default path on system: IO::Socket::SSL::default_ca(), # either explicitly # or implicitly by not giving SSL_ca_* # easy hostname verification # It will use PeerHost as default name a verification # scheme as default, which is safe enough for most purposes. SSL_verifycn_name => 'foo.bar', SSL_verifycn_scheme => 'http', # SNI support - defaults to PeerHost SSL_hostname => 'foo.bar', ) or die "failed connect or ssl handshake: $!,$SSL_ERROR"; # send and receive over SSL connection print $client "GET / HTTP/1.0\r\n\r\n"; print <$client>; And to do revocation checks with OCSP (only available with OpenSSL 1.0.0 or higher and L 1.59 or higher): # default will try OCSP stapling and check only leaf certificate my $client = IO::Socket::SSL->new($dst); # better yet: require checking of full chain my $client = IO::Socket::SSL->new( PeerAddr => $dst, SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN, ); # even better: make OCSP errors fatal # (this will probably fail with lots of sites because of bad OCSP setups) # also use common OCSP response cache my $ocsp_cache = IO::Socket::SSL::OCSP_Cache->new; my $client = IO::Socket::SSL->new( PeerAddr => $dst, SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN|SSL_OCSP_FAIL_HARD, SSL_ocsp_cache => $ocsp_cache, ); # disable OCSP stapling in case server has problems with it my $client = IO::Socket::SSL->new( PeerAddr => $dst, SSL_ocsp_mode => SSL_OCSP_NO_STAPLE, ); # check any certificates which are not yet checked by OCSP stapling or # where we have already cached results. For your own resolving combine # $ocsp->requests with $ocsp->add_response(uri,response). my $ocsp = $client->ocsp_resolver(); my $errors = $ocsp->resolve_blocking(); if ($errors) { warn "OCSP verification failed: $errors"; close($client); } =head1 Basic SSL Server A basic SSL server looks similar to other L servers, only that it also contains settings for certificate and key: # simple server my $server = IO::Socket::SSL->new( # where to listen LocalAddr => '127.0.0.1', LocalPort => 8080, Listen => 10, # which certificate to offer # with SNI support there can be different certificates per hostname SSL_cert_file => 'cert.pem', SSL_key_file => 'key.pem', ) or die "failed to listen: $!"; # accept client my $client = $server->accept or die "failed to accept or ssl handshake: $!,$SSL_ERROR"; This will automatically use a secure set of ciphers and SSL version and also supports Forward Secrecy with (Elliptic-Curve) Diffie-Hellmann Key Exchange. If you are doing a forking or threading server, we recommend that you do the SSL handshake inside the new process/thread so that the master is free for new connections. We recommend this because a client with improper or slow SSL handshake could make the server block in the handshake which would be bad to do on the listening socket: # inet server my $server = IO::Socket::INET->new( # where to listen LocalAddr => '127.0.0.1', LocalPort => 8080, Listen => 10, ); # accept client my $client = $server->accept or die; # SSL upgrade client (in new process/thread) IO::Socket::SSL->start_SSL($client, SSL_server => 1, SSL_cert_file => 'cert.pem', SSL_key_file => 'key.pem', ) or die "failed to ssl handshake: $SSL_ERROR"; Like with normal sockets, neither forking nor threading servers scale well. It is recommended to use non-blocking sockets instead, see L =head1 Common Usage Errors This is a list of typical errors seen with the use of L: =over 4 =item * Disabling verification with C. As described in L, a proper identification of the peer is essential and failing to verify makes Man-In-The-Middle attacks possible. Nevertheless, lots of scripts and even public modules or applications disable verification, because it is probably the easiest way to make the thing work and usually nobody notices any security problems anyway. If the verification does not succeed with the default settings, one can do the following: =over 8 =item * Make sure the needed CAs are in the store, maybe use C or C to specify a different CA store. =item * If the validation fails because the certificate is self-signed and that's what you expect, you can use the C option to accept specific certificates by their certificate fingerprint. =item * If the validation failed because the hostname does not match and you cannot access the host with the name given in the certificate, you can use C to specify they hostname you expect in the certificate. =back A common error pattern is also to disable verification if they found no CA store (different modules look at different "default" places). Because L is now able to provide a usable CA store on most platforms (UNIX, Mac OSX and Windows) it is better to use the defaults provided by L. If necessary these can be checked with the C method. =item * Polling of SSL sockets (e.g. select, poll and other event loops). If you sysread one byte on a normal socket it will result in a syscall to read one byte. Thus, if more than one byte is available on the socket it will be kept in the network stack of your OS and the next select or poll call will return the socket as readable. But, with SSL you don't deliver single bytes. Multiple data bytes are packaged and encrypted together in an SSL frame. Decryption can only be done on the whole frame, so a sysread for one byte actually reads the complete SSL frame from the socket, decrypts it and returns the first decrypted byte. Further sysreads will return more bytes from the same frame until all bytes are returned and the next SSL frame will be read from the socket. Thus, in order to decide if you can read more data (e.g. if sysread will block) you must check if there are still data in the current SSL frame by calling C and if there are no data pending you might check the underlying socket with select or poll. Another way might be if you try to sysread at least 16kByte all the time. 16kByte is the maximum size of an SSL frame and because sysread returns data from only a single SSL frame you can guarantee that there are no pending data. See also L. =item * Set 'SSL_version' or 'SSL_cipher_list' to a "better" value. L tries to set these values to reasonable, secure values which are compatible with the rest of the world. But, there are some scripts or modules out there which tried to be smart and get more secure or compatible settings. Unfortunately, they did this years ago and never updated these values, so they are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11). Or they set 'HIGH' as the cipher list and thought they were secure, but did not notice that 'HIGH' includes anonymous ciphers, e.g. without identification of the peer. So it is recommended to leave the settings at the secure defaults which L sets and which get updated from time to time to better fit the real world. =item * Make SSL settings inaccessible by the user, together with bad builtin settings. Some modules use L, but don't make the SSL settings available to the user. This is often combined with bad builtin settings or defaults (like switching verification off). Thus the user needs to hack around these restrictions by using C or similar. =item * Use of constants as strings. Constants like C or C should be used as constants and not be put inside quotes, because they represent numerical values. =back =head1 Common Problems with SSL SSL is a complex protocol with multiple implementations and each of these has their own quirks. While most of these implementations work together, it often gets problematic with older versions, minimal versions in load balancers, or plain wrong setups. Unfortunately these problems are hard to debug. Helpful for debugging are a knowledge of SSL internals, wireshark and the use of the debug settings of L and L, which can both be set with C<$IO::Socket::SSL::DEBUG>. The following debugs levels are defined, but used not in any consistent way: =over 4 =item * 0 - No debugging (default). =item * 1 - Print out errors from L and ciphers from L. =item * 2 - Print also information about call flow from L and progress information from L. =item * 3 - Print also some data dumps from L and from L. =back Also, C from the ssl-tools repository at L might be a helpful tool when debugging SSL problems, as do the C command line tool and a check with a different SSL implementation (e.g. a web browser). The following problems are not uncommon: =over 4 =item * Bad server setup: missing intermediate certificates. It is a regular problem that administrators fail to include all necessary certificates into their server setup, e.g. everything needed to build the trust chain from the trusted root. If they check the setup with the browser everything looks ok, because browsers work around these problems by caching any intermediate certificates and apply them to new connections if certificates are missing. But, fresh browser profiles which have never seen these intermediates cannot fill in the missing certificates and fail to verify; the same is true with L. =item * Old versions of servers or load balancers which do not understand specific TLS versions or croak on specific data. From time to time one encounters an SSL peer, which just closes the connection inside the SSL handshake. This can usually be worked around by downgrading the SSL version, e.g. by setting C. Modern Browsers usually deal with such servers by automatically downgrading the SSL version and repeat the connection attempt until they succeed. Worse servers do not close the underlying TCP connection but instead just drop the relevant packet. This is harder to detect because it looks like a stalled connection. But downgrading the SSL version often works here too. A cause of such problems are often load balancers or security devices, which have hardware acceleration and only a minimal (and less robust) SSL stack. They can often be detected because they support much fewer ciphers than other implementations. =item * Bad or old OpenSSL versions. L uses OpenSSL with the help of the L library. It is recommend to have a recent version of this library, because it has more features and usually fewer known bugs. =item * Validation of client certificates fail. Make sure that the purpose of the certificate allows use as ssl client (check with C<< openssl x509 -purpose >>, that the necessary root certificate is in the path specified by C (or the default path) and that any intermediate certificates needed to build the trust chain are sent by the client. =back =head1 Using Non-Blocking Sockets If you have a non-blocking socket, the expected behavior on read, write, accept or connect is to set C<$!> to EWOULDBLOCK if the operation can not be completed immediately. Note that EWOULDBLOCK is the same as EAGAIN on UNIX systems, but is different on Windows. With SSL, handshakes might occur at any time, even within an established connection. In these cases it is necessary to finish the handshake before you can read or write data. This might result in situations where you want to read but must first finish the write of a handshake or where you want to write but must first finish a read. In these cases C<$!> is set to EAGAIN like expected, and additionally C<$SSL_ERROR> is set to either SSL_WANT_READ or SSL_WANT_WRITE. Thus if you get EWOULDBLOCK on a SSL socket you must check C<$SSL_ERROR> for SSL_WANT_* and adapt your event mask accordingly. Using readline on non-blocking sockets does not make much sense and I would advise against using it. And, while the behavior is not documented for other L classes, it will try to emulate the behavior seen there, e.g. to return the received data instead of blocking, even if the line is not complete. If an unrecoverable error occurs it will return nothing, even if it already received some data. Also, I would advise against using C with a non-blocking SSL object because it might block and this is not what most would expect. The reason for this is that C on a non-blocking TCP socket (e.g. L, L..) results in a new TCP socket which does not inherit the non-blocking behavior of the master socket. And thus, the initial SSL handshake on the new socket inside C will be done in a blocking way. To work around this you are safer by doing a TCP accept and later upgrade the TCP socket in a non-blocking way with C and C. my $cl = IO::Socket::SSL->new($dst); $cl->blocking(0); my $sel = IO::Select->new($cl); while (1) { # with SSL a call for reading n bytes does not result in reading of n # bytes from the socket, but instead it must read at least one full SSL # frame. If the socket has no new bytes, but there are unprocessed data # from the SSL frame can_read will block! # wait for data on socket $sel->can_read(); # new data on socket or eof READ: # this does not read only 1 byte from socket, but reads the complete SSL # frame and then just returns one byte. On subsequent calls it than # returns more byte of the same SSL frame until it needs to read the # next frame. my $n = sysread( $cl,my $buf,1); if ( ! defined $n ) { die $! if not ${EWOULDBLOCK}; next if $SSL_ERROR == SSL_WANT_READ; if ( $SSL_ERROR == SSL_WANT_WRITE ) { # need to write data on renegotiation $sel->can_write; next; } die "something went wrong: $SSL_ERROR"; } elsif ( ! $n ) { last; # eof } else { # read next bytes # we might have still data within the current SSL frame # thus first process these data instead of waiting on the underlying # socket object goto READ if $cl->pending; # goto sysread next; # goto $sel->can_read } } =head1 Advanced Usage =head2 SNI Support Newer extensions to SSL can distinguish between multiple hostnames on the same IP address using Server Name Indication (SNI). Support for SNI on the client side was added somewhere in the OpenSSL 0.9.8 series, but with 1.0 a bug was fixed when the server could not decide about its hostname. Therefore client side SNI is only supported with OpenSSL 1.0 or higher in L. With a supported version, SNI is used automatically on the client side, if it can determine the hostname from C or C (which are synonyms in the underlying IO::Socket:: classes and thus should never be set both or at least not to different values). On unsupported OpenSSL versions it will silently not use SNI. The hostname can also be given explicitly given with C, but in this case it will throw in error, if SNI is not supported. To check for support you might call C<< IO::Socket::SSL->can_client_sni() >>. On the server side, earlier versions of OpenSSL are supported, but only together with L version >= 1.50. To check for support you might call C<< IO::Socket::SSL->can_server_sni() >>. If server side SNI is supported, you might specify different certificates per host with C and C, and check the requested name using C. =head2 Talk Plain and SSL With The Same Socket It is often required to first exchange some plain data and then upgrade the socket to SSL after some kind of STARTTLS command. Protocols like FTPS even need a way to downgrade the socket again back to plain. The common way to do this would be to create a normal socket and use C to upgrade and stop_SSL to downgrade: my $sock = IO::Socket::INET->new(...) or die $!; ... exchange plain data on $sock until starttls command ... IO::Socket::SSL->start_SSL($sock,%sslargs) or die $SSL_ERROR; ... now $sock is a IO::Socket::SSL object ... ... exchange data with SSL on $sock until stoptls command ... $sock->stop_SSL or die $SSL_ERROR; ... now $sock is again a IO::Socket::INET object ... But, lots of modules just derive directly from L. While this base class can be replaced with L, these modules cannot easily support different base classes for SSL and plain data and switch between these classes on a starttls command. To help in this case, L can be reduced to a plain socket on startup, and connect_SSL/accept_SSL/start_SSL can be used to enable SSL and C to talk plain again: my $sock = IO::Socket::SSL->new( PeerAddr => ... SSL_startHandshake => 0, %sslargs ) or die $!; ... exchange plain data on $sock until starttls command ... $sock->connect_SSL or die $SSL_ERROR; ... now $sock is a IO::Socket::SSL object ... ... exchange data with SSL on $sock until stoptls command ... $sock->stop_SSL or die $SSL_ERROR; ... $sock is still a IO::Socket::SSL object ... ... but data exchanged again in plain ... =head1 Integration Into Own Modules L behaves similarly to other L modules and thus could be integrated in the same way, but you have to take special care when using non-blocking I/O (like for handling timeouts) or using select or poll. Please study the documentation on how to deal with these differences. Also, it is recommended to not set or touch most of the C options, so that they keep their secure defaults. It is also recommended to let the user override these SSL specific settings without the need of global settings or hacks like C. The notable exception is C. This should be set to the hostname verification scheme required by the module or protocol. =head1 Description Of Methods L inherits from another L module. The choice of the super class depends on the installed modules: =over 4 =item * If L with at least version 0.20 is installed it will use this module as super class, transparently providing IPv6 and IPv4 support. =item * If L is installed it will use this module as super class, transparently providing IPv6 and IPv4 support. =item * Otherwise it will fall back to L, which is a perl core module. With L you only get IPv4 support. =back Please be aware that with the IPv6 capable super classes, it will look first for the IPv6 address of a given hostname. If the resolver provides an IPv6 address, but the host cannot be reached by IPv6, there will be no automatic fallback to IPv4. To avoid these problems you can enforce IPv4 for a specific socket by using the C or C option with the value AF_INET as described in L. Alternatively you can enforce IPv4 globally by loading L with the option 'inet4', in which case it will use the IPv4 only class L as the super class. L will provide all of the methods of its super class, but sometimes it will override them to match the behavior expected from SSL or to provide additional arguments. The new or changed methods are described below, but please also read the section about SSL specific error handling. =over 4 =item Error Handling If an SSL specific error occurs, the global variable C<$SSL_ERROR> will be set. If the error occurred on an existing SSL socket, the method C will give access to the latest socket specific error. Both C<$SSL_ERROR> and the C method give a dualvar similar to C<$!>, e.g. providing an error number in numeric context or an error description in string context. =item B Creates a new L object. You may use all the friendly options that came bundled with the super class (e.g. L, L, ...) plus (optionally) the ones described below. If you don't specify any SSL related options it will do its best in using secure defaults, e.g. choosing good ciphers, enabling proper verification, etc. =over 2 =item SSL_server Set this option to a true value if the socket should be used as a server. If this is not explicitly set it is assumed if the C parameter is given when creating the socket. =item SSL_hostname This can be given to specify the hostname used for SNI, which is needed if you have multiple SSL hostnames on the same IP address. If not given it will try to determine the hostname from C, which will fail if only an IP was given or if this argument is used within C. If you want to disable SNI, set this argument to ''. Currently only supported for the client side and will be ignored for the server side. See section "SNI Support" for details of SNI the support. =item SSL_startHandshake If this option is set to false (defaults to true) it will not start the SSL handshake yet. This has to be done later with C or C. Before the handshake is started read/write/etc. can be used to exchange plain data. =item SSL_ca | SSL_ca_file | SSL_ca_path Usually you want to verify that the peer certificate has been signed by a trusted certificate authority. In this case you should use this option to specify the file (C) or directory (C) containing the certificateZ<>(s) of the trusted certificate authorities. C can also be an array or a string containing multiple path, where the path are separated by the platform specific separator. This separator is C<;> on DOS, Windows, Netware, C<,> on VMS and C<:> for all the other systems. If multiple path are given at least one of these must be accessible. You can also give a list of X509* certificate handles (like you get from L or L) with C. These will be added to the CA store before path and file and thus take precedence. If neither SSL_ca, nor SSL_ca_file or SSL_ca_path are set it will use C to determine the user-set or system defaults. If you really don't want to set a CA set SSL_ca_file or SSL_ca_path to C<\undef> or SSL_ca to an empty list. (unfortunately C<''> is used by some modules using L when CA is not explicitly given). =item SSL_client_ca | SSL_client_ca_file If verify_mode is VERIFY_PEER on the server side these options can be used to set the list of acceptable CAs for the client. This way the client can select they required certificate from a list of certificates. The value for these options is similar to C and C. =item SSL_fingerprint Sometimes you have a self-signed certificate or a certificate issued by an unknown CA and you really want to accept it, but don't want to disable verification at all. In this case you can specify the fingerprint of the certificate as C<'algo$hex_fingerprint'>. C is a fingerprint algorithm supported by OpenSSL, e.g. 'sha1','sha256'... and C is the hexadecimal representation of the binary fingerprint. To get the fingerprint of an established connection you can use C. You can specify a list of fingerprints in case you have several acceptable certificates. If a fingerprint matches the topmost certificate no additional validations can make the verification fail. =item SSL_cert_file | SSL_cert | SSL_key_file | SSL_key If you create a server you usually need to specify a server certificate which should be verified by the client. Same is true for client certificates, which should be verified by the server. The certificate can be given as a file with SSL_cert_file or as an internal representation of a X509* object (like you get from L or L) with SSL_cert. If given as a file it will automatically detect the format. Supported file formats are PEM, DER and PKCS#12, where PEM and PKCS#12 can contain the certificate and the chain to use, while DER can only contain a single certificate. If given as a list of X509* please note, that the all the chain certificates (e.g. all except the first) will be "consumed" by openssl and will be freed if the SSL context gets destroyed - so you should never free them yourself. But the servers certificate (e.g. the first) will not be consumed by openssl and thus must be freed by the application. For each certificate a key is need, which can either be given as a file with SSL_key_file or as an internal representation of a EVP_PKEY* object with SSL_key (like you get from L or L). If a key was already given within the PKCS#12 file specified by SSL_cert_file it will ignore any SSL_key or SSL_key_file. If no SSL_key or SSL_key_file was given it will try to use the PEM file given with SSL_cert_file again, maybe it contains the key too. If your SSL server should be able to use different certificates on the same IP address, depending on the name given by SNI, you can use a hash reference instead of a file with C< cert_file>>. In case certs and keys are needed but not given it might fall back to builtin defaults, see "Defaults for Cert, Key and CA". Examples: SSL_cert_file => 'mycert.pem', SSL_key_file => 'mykey.pem', SSL_cert_file => { "foo.example.org" => 'foo-cert.pem', "bar.example.org" => 'bar-cert.pem', # used when nothing matches or client does not support SNI '' => 'default-cert.pem', } SSL_key_file => { "foo.example.org" => 'foo-key.pem', "bar.example.org" => 'bar-key.pem', # used when nothing matches or client does not support SNI '' => 'default-key.pem', } =item SSL_passwd_cb If your private key is encrypted, you might not want the default password prompt from Net::SSLeay. This option takes a reference to a subroutine that should return the password required to decrypt your private key. =item SSL_use_cert If this is true, it forces IO::Socket::SSL to use a certificate and key, even if you are setting up an SSL client. If this is set to 0 (the default), then you will only need a certificate and key if you are setting up a server. SSL_use_cert will implicitly be set if SSL_server is set. For convenience it is also set if it was not given but a cert was given for use (SSL_cert_file or similar). =item SSL_version Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl. Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'. The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the handshake format is compatible to SSL2.0 and higher, but that the successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because both of these versions have serious security issues and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0. Setting the version instead to 'TLSv1' might break interaction with older clients, which need and SSL2.0 compatible handshake. On the other side some clients just close the connection when they receive a TLS version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help. =item SSL_cipher_list If this option is set the cipher list for the connection will be set to the given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. Look into the OpenSSL documentation (L) for more details. Unless you fail to contact your peer because of no shared ciphers it is recommended to leave this option at the default setting. The default setting prefers ciphers with forward secrecy, disables anonymous authentication and disables known insecure ciphers like MD5, DES etc. This gives a grade A result at the tests of SSL Labs. To use the less secure OpenSSL builtin default (whatever this is) set SSL_cipher_list to ''. In case different cipher lists are needed for different SNI hosts a hash can be given with the host as key and the cipher suite as value, similar to B. =item SSL_honor_cipher_order If this option is true the cipher order the server specified is used instead of the order proposed by the client. This option defaults to true to make use of our secure cipher list setting. =item SSL_dh_file If you want Diffie-Hellman key exchange you need to supply a suitable file here or use the SSL_dh parameter. See dhparam command in openssl for more information. To create a server which provides forward secrecy you need to either give the DH parameters or (better, because faster) the ECDH curve. If neither C not C is set a builtin DH parameter with a length of 2048 bit is used to offer DH key exchange by default. If you don't want this (e.g. disable DH key exchange) explicitly set this or the C parameter to undef. =item SSL_dh Like SSL_dh_file, but instead of giving a file you use a preloaded or generated DH*. =item SSL_ecdh_curve If you want Elliptic Curve Diffie-Hellmann key exchange you need to supply the OID or NID of a suitable curve (like 'prime256v1') here. To create a server which provides forward secrecy you need to either give the DH parameters or (better, because faster) the ECDH curve. This parameter defaults to 'prime256v1' (builtin of OpenSSL) to offer ECDH key exchange by default. If you don't want this explicitly set it to undef. You can check if ECDH support is available by calling C<< IO::Socket::SSL->can_ecdh >>. =item SSL_verify_mode This option sets the verification mode for the peer certificate. You may combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT (fail verification if no peer certificate exists; ignored for clients), SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See OpenSSL man page for SSL_CTX_set_verify for more information. The default is SSL_VERIFY_NONE for server (e.g. no check for client certificate) and SSL_VERIFY_PEER for client (check server certificate). =item SSL_verify_callback If you want to verify certificates yourself, you can pass a sub reference along with this parameter to do so. When the callback is called, it will be passed: =over 4 =item 1. a true/false value that indicates what OpenSSL thinks of the certificate, =item 2. a C-style memory address of the certificate store, =item 3. a string containing the certificate's issuer attributes and owner attributes, and =item 4. a string containing any errors encountered (0 if no errors). =item 5. a C-style memory address of the peer's own certificate (convertible to PEM form with Net::SSLeay::PEM_get_string_X509()). =item 6. The depth of the certificate in the chain. Depth 0 is the leaf certificate. =back The function should return 1 or 0, depending on whether it thinks the certificate is valid or invalid. The default is to let OpenSSL do all of the busy work. The callback will be called for each element in the certificate chain. See the OpenSSL documentation for SSL_CTX_set_verify for more information. =item SSL_verifycn_scheme The scheme is used to correctly verify the identity inside the certificate by using the hostname of the peer. See the information about the verification schemes in B. If you don't specify a scheme it will use 'default', but only complain loudly if the name verification fails instead of letting the whole certificate verification fail. THIS WILL CHANGE, e.g. it will let the certificate verification fail in the future if the hostname does not match the certificate !!!! To override the name used in verification use B. The scheme 'default' is a superset of the usual schemes, which will accept the hostname in common name and subjectAltName and allow wildcards everywhere. While using this scheme is way more secure than no name verification at all you better should use the scheme specific to your application protocol, e.g. 'http', 'ftp'... If you are really sure, that you don't want to verify the identity using the hostname you can use 'none' as a scheme. In this case you'd better have alternative forms of verification, like a certificate fingerprint or do a manual verification later by calling B yourself. =item SSL_verifycn_publicsuffix This option is used to specify the behavior when checking wildcards certificates for public suffixes, e.g. no wildcard certificates for *.com or *.co.uk should be accepted, while *.example.com or *.example.co.uk is ok. If not specified it will simply use the builtin default of L, you can create another object with from_string or from_file of this module. To disable verification of public suffix set this option to C<''>. =item SSL_verifycn_name Set the name which is used in verification of hostname. If SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will try to use SSL_hostname or PeerHost and PeerAddr settings and fail if no name can be determined. If SSL_verifycn_scheme is not set it will use a default scheme and warn if it cannot determine a hostname, but it will not fail. Using PeerHost or PeerAddr works only if you create the connection directly with C<< IO::Socket::SSL->new >>, if an IO::Socket::INET object is upgraded with B the name has to be given in B or B. =item SSL_check_crl If you want to verify that the peer certificate has not been revoked by the signing authority, set this value to true. OpenSSL will search for the CRL in your SSL_ca_path, or use the file specified by SSL_crl_file. See the Net::SSLeay documentation for more details. Note that this functionality appears to be broken with OpenSSL < v0.9.7b, so its use with lower versions will result in an error. =item SSL_crl_file If you want to specify the CRL file to be used, set this value to the pathname to be used. This must be used in addition to setting SSL_check_crl. =item SSL_ocsp_mode Defines how certificate revocation is done using OCSP (Online Status Revocation Protocol). The default is to send a request for OCSP stapling to the server and if the server sends an OCSP response back the result will be used. Any other OCSP checking needs to be done manually with C. The following flags can be combined with C<|>: =over 8 =item SSL_OCSP_NO_STAPLE Don't ask for OCSP stapling. This is the default if SSL_verify_mode is VERIFY_NONE. =item SSL_OCSP_TRY_STAPLE Try OCSP stapling, but don't complain if it gets no stapled response back. This is the default if SSL_verify_mode is VERIFY_PEER (the default). =item SSL_OCSP_MUST_STAPLE Consider it a hard error, if the server does not send a stapled OCSP response back. Most servers currently send no stapled OCSP response back. =item SSL_OCSP_FAIL_HARD Fail hard on response errors, default is to fail soft like the browsers do. Soft errors mean, that the OCSP response is not usable, e.g. no response, error response, no valid signature etc. Certificate revocations inside a verified response are considered hard errors in any case. Soft errors inside a stapled response are never considered hard, e.g. it is expected that in this case an OCSP request will be send to the responsible OCSP responder. =item SSL_OCSP_FULL_CHAIN This will set up the C so that all certificates from the peer chain will be checked, otherwise only the leaf certificate will be checked against revocation. =back =item SSL_ocsp_staple_callback If this callback is defined, it will be called with the SSL object and the OCSP response handle obtained from the peer, e.g. C<<$cb->($ssl,$resp)>>. If the peer did not provide a stapled OCSP response the function will be called with C<$resp=undef>. Because the OCSP response handle is no longer valid after leaving this function it should not by copied or freed. If access to the response is necessary after leaving this function it can be serialized with C. If no such callback is provided, it will use the default one, which verifies the response and uses it to check if the certificate(s) of the connection got revoked. =item SSL_ocsp_cache With this option a cache can be given for caching OCSP responses, which could be shared between different SSL contextes. If not given a cache specific to the SSL context only will be used. You can either create a new cache with C<new([size]) >> or implement your own cache, which needs to have methods C and C\%entry> where entry is the hash representation of the OCSP response with fields like C. The default implementation of the cache will consider responses valid as long as C is less then the current time. =item SSL_reuse_ctx If you have already set the above options for a previous instance of IO::Socket::SSL, then you can reuse the SSL context of that instance by passing it as the value for the SSL_reuse_ctx parameter. You may also create a new instance of the IO::Socket::SSL::SSL_Context class, using any context options that you desire without specifying connection options, and pass that here instead. If you use this option, all other context-related options that you pass in the same call to new() will be ignored unless the context supplied was invalid. Note that, contrary to versions of IO::Socket::SSL below v0.90, a global SSL context will not be implicitly used unless you use the set_default_context() function. =item SSL_create_ctx_callback With this callback you can make individual settings to the context after it got created and the default setup was done. The callback will be called with the CTX object from Net::SSLeay as the single argument. Example for limiting the server session cache size: SSL_create_ctx_callback => sub { my $ctx = shift; Net::SSLeay::CTX_sess_set_cache_size($ctx,128); } =item SSL_session_cache_size If you make repeated connections to the same host/port and the SSL renegotiation time is an issue, you can turn on client-side session caching with this option by specifying a positive cache size. For successive connections, pass the SSL_reuse_ctx option to the new() calls (or use set_default_context()) to make use of the cached sessions. The session cache size refers to the number of unique host/port pairs that can be stored at one time; the oldest sessions in the cache will be removed if new ones are added. This option does not effect the session cache a server has for it's clients, e.g. it does not affect SSL objects with SSL_server set. =item SSL_session_cache Specifies session cache object which should be used instead of creating a new. Overrules SSL_session_cache_size. This option is useful if you want to reuse the cache, but not the rest of the context. A session cache object can be created using C<< IO::Socket::SSL::Session_Cache->new( cachesize ) >>. Use set_default_session_cache() to set a global cache object. =item SSL_session_key Specifies a key to use for lookups and inserts into client-side session cache. Per default ip:port of destination will be used, but sometimes you want to share the same session over multiple ports on the same server (like with FTPS). =item SSL_session_id_context This gives an id for the servers session cache. It's necessary if you want clients to connect with a client certificate. If not given but SSL_verify_mode specifies the need for client certificate a context unique id will be picked. =item SSL_error_trap When using the accept() or connect() methods, it may be the case that the actual socket connection works but the SSL negotiation fails, as in the case of an HTTP client connecting to an HTTPS server. Passing a subroutine ref attached to this parameter allows you to gain control of the orphaned socket instead of having it be closed forcibly. The subroutine, if called, will be passed two parameters: a reference to the socket on which the SSL negotiation failed and the full text of the error message. =item SSL_npn_protocols If used on the server side it specifies list of protocols advertised by SSL server as an array ref, e.g. ['spdy/2','http1.1']. On the client side it specifies the protocols offered by the client for NPN as an array ref. See also method C. Next Protocol Negotiation (NPN) is available with Net::SSLeay 1.46+ and openssl-1.0.1+. To check support you might call C<< IO::Socket::SSL->can_npn() >>. If you use this option with an unsupported Net::SSLeay/OpenSSL it will throw an error. =item SSL_alpn_protocols If used on the server side it specifies list of protocols supported by the SSL server as an array ref, e.g. ['http/2.0', 'spdy/3.1','http/1.1']. On the client side it specifies the protocols advertised by the client for ALPN as an array ref. See also method C. Application-Layer Protocol Negotiation (ALPN) is available with Net::SSLeay 1.56+ and openssl-1.0.2+. More details about the extension are in RFC7301. To check support you might call C< IO::Socket::SSL->can_alpn() >. If you use this option with an unsupported Net::SSLeay/OpenSSL it will throw an error. Note that some client implementations may encounter problems if both NPN and ALPN are specified. Since ALPN is intended as a replacement for NPN, try providing ALPN protocols then fall back to NPN if that fails. =back =item B This behaves similar to the accept function of the underlying socket class, but additionally does the initial SSL handshake. But because the underlying socket class does return a blocking file handle even when accept is called on a non-blocking socket, the SSL handshake on the new file object will be done in a blocking way. Please see the section about non-blocking I/O for details. If you don't like this behavior you should do accept on the TCP socket and then upgrade it with C later. =item B This behaves similar to the connect function but also does an SSL handshake. Because you cannot give SSL specific arguments to this function, you should better either use C to create a connect SSL socket or C to upgrade an established TCP socket to SSL. =item B There are a number of nasty traps that lie in wait if you are not careful about using close(). The first of these will bite you if you have been using shutdown() on your sockets. Since the SSL protocol mandates that a SSL "close notify" message be sent before the socket is closed, a shutdown() that closes the socket's write channel will cause the close() call to hang. For a similar reason, if you try to close a copy of a socket (as in a forking server) you will affect the original socket as well. To get around these problems, call close with an object-oriented syntax (e.g. $socket->close(SSL_no_shutdown => 1)) and one or more of the following parameters: =over 2 =item SSL_no_shutdown If set to a true value, this option will make close() not use the SSL_shutdown() call on the socket in question so that the close operation can complete without problems if you have used shutdown() or are working on a copy of a socket. Not using a real ssl shutdown on a socket will make session caching unusable. =item SSL_fast_shutdown If set to true only a unidirectional shutdown will be done, e.g. only the close_notify (see SSL_shutdown(3)) will be sent. Otherwise a bidirectional shutdown will be done where it waits for the close_notify of the peer too. Because a unidirectional shutdown is enough to keep session cache working it defaults to fast shutdown inside close. =item SSL_ctx_free If you want to make sure that the SSL context of the socket is destroyed when you close it, set this option to a true value. =back =item B This function behaves from the outside the same as B in other L objects, e.g. it returns at most LEN bytes of data. But in reality it reads not only LEN bytes from the underlying socket, but at a single SSL frame. It then returns up to LEN bytes it decrypted from this SSL frame. If the frame contained more data than requested it will return only LEN data, buffer the rest and return it on further read calls. This means, that it might be possible to read data, even if the underlying socket is not readable, so using poll or select might not be sufficient. sysread will only return data from a single SSL frame, e.g. either the pending data from the already buffered frame or it will read a frame from the underlying socket and return the decrypted data. It will not return data spanning several SSL frames in a single call. Also, calls to sysread might fail, because it must first finish an SSL handshake. To understand these behaviors is essential, if you write applications which use event loops and/or non-blocking sockets. Please read the specific sections in this documentation. =item B This functions behaves from the outside the same as B in other L objects, e.g. it will write at most LEN bytes to the socket, but there is no guarantee, that all LEN bytes are written. It will return the number of bytes written. syswrite will write all the data within a single SSL frame, which means, that no more than 16.384 bytes, which is the maximum size of an SSL frame, can be written at once. For non-blocking sockets SSL specific behavior applies. Pease read the specific section in this documentation. =item B This function has exactly the same syntax as B, and performs nearly the same task but will not advance the read position so that successive calls to peek() with the same arguments will return the same results. This function requires OpenSSL 0.9.6a or later to work. =item B This function gives you the number of bytes available without reading from the underlying socket object. This function is essential if you work with event loops, please see the section about polling SSL sockets. =item B This methods returns the fingerprint of the given certificate in the form C, where C is the used algorithm, default 'sha256'. If no certificate is given the peer certificate of the connection is used. =item B This methods returns the binary fingerprint of the given certificate by using the algorithm C, default 'sha256'. If no certificate is given the peer certificate of the connection is used. =item B Returns the string form of the cipher that the IO::Socket::SSL object is using. =item B Returns the string representation of the SSL version of an established connection. =item B Returns the integer representation of the SSL version of an established connection. =item B Returns a parsable string with select fields from the peer SSL certificate. This method directly returns the result of the dump_peer_certificate() method of Net::SSLeay. =item B If a peer certificate exists, this function can retrieve values from it. If no field is given the internal representation of certificate from Net::SSLeay is returned. If refresh is true it will not used a cached version, but check again in case the certificate of the connection has changed due to renegotiation. The following fields can be queried: =over 8 =item authority (alias issuer) The certificate authority which signed the certificate. =item owner (alias subject) The owner of the certificate. =item commonName (alias cn) - only for Net::SSLeay version >=1.30 The common name, usually the server name for SSL certificates. =item subjectAltNames - only for Net::SSLeay version >=1.33 Alternative names for the subject, usually different names for the same server, like example.org, example.com, *.example.com. It returns a list of (typ,value) with typ GEN_DNS, GEN_IPADD etc (these constants are exported from IO::Socket::SSL). See Net::SSLeay::X509_get_subjectAltNames. =back =item B This is similar to C but will return the sites own certificate. The same arguments for B<$field> can be used. If no B<$field> is given the certificate handle from the underlying OpenSSL will be returned. This handle will only be valid as long as the SSL connection exists and if used afterwards it might result in strange crashes of the application. =item B This returns all the certificates send by the peer, e.g. first the peers own certificate and then the rest of the chain. You might use B from L to inspect each of the certificates. This function depends on a version of Net::SSLeay >= 1.58 . =item B This gives the name requested by the client if Server Name Indication (SNI) was used. =item B This verifies the given hostname against the peer certificate using the given scheme. Hostname is usually what you specify within the PeerAddr. See the C parameter for an explanation of suffix checking and for the possible values. Verification of hostname against a certificate is different between various applications and RFCs. Some scheme allow wildcards for hostnames, some only in subjectAltNames, and even their different wildcard schemes are possible. RFC 6125 provides a good overview. To ease the verification the following schemes are predefined (both protocol name and rfcXXXX name can be used): =over 8 =item rfc2818, xmpp (rfc3920), ftp (rfc4217) Extended wildcards in subjectAltNames and common name are possible, e.g. *.example.org or even www*.example.org. The common name will be only checked if no DNS names are given in subjectAltNames. =item http (alias www) While name checking is defined in rfc2818 the current browsers usually accept also an IP address (w/o wildcards) within the common name as long as no subjectAltNames are defined. Thus this is rfc2818 extended with this feature. =item smtp (rfc2595), imap, pop3, acap (rfc4642), netconf (rfc5538), syslog (rfc5425), snmp (rfc5953) Simple wildcards in subjectAltNames are possible, e.g. *.example.org matches www.example.org but not lala.www.example.org. If nothing from subjectAltNames match it checks against the common name, where wildcards are also allowed to match the full leftmost label. =item ldap (rfc4513) Simple wildcards are allowed in subjectAltNames, but not in common name. Common name will be checked even if subjectAltNames exist. =item sip (rfc5922) No wildcards are allowed and common name is checked even if subjectAltNames exist. =item gist (rfc5971) Simple wildcards are allowed in subjectAltNames and common name, but common name will only be checked if their are no DNS names in subjectAltNames. =item default This is a superset of all the rules and is automatically used if no scheme is given but a hostname (instead of IP) is known. Extended wildcards are allowed in subjectAltNames and common name and common name is checked always. =item none No verification will be done. Actually is does not make any sense to call verify_hostname in this case. =back The scheme can be given either by specifying the name for one of the above predefined schemes, or by using a hash which can have the following keys and values: =over 8 =item check_cn: 0|'always'|'when_only' Determines if the common name gets checked. If 'always' it will always be checked (like in ldap), if 'when_only' it will only be checked if no names are given in subjectAltNames (like in http), for any other values the common name will not be checked. =item wildcards_in_alt: 0|'full_label'|'anywhere' Determines if and where wildcards in subjectAltNames are possible. If 'full_label' only cases like *.example.org will be possible (like in ldap), for 'anywhere' www*.example.org is possible too (like http), dangerous things like but www.*.org or even '*' will not be allowed. For compatibility with older versions 'leftmost' can be given instead of 'full_label'. =item wildcards_in_cn: 0|'full_label'|'anywhere' Similar to wildcards_in_alt, but checks the common name. There is no predefined scheme which allows wildcards in common names. =item ip_in_cn: 0|1|4|6 Determines if an IP address is allowed in the common name (no wildcards are allowed). If set to 4 or 6 it only allows IPv4 or IPv6 addresses, any other true value allows both. =item callback: \&coderef If you give a subroutine for verification it will be called with the arguments ($hostname,$commonName,@subjectAltNames), where hostname is the name given for verification, commonName is the result from peer_certificate('cn') and subjectAltNames is the result from peer_certificate('subjectAltNames'). All other arguments for the verification scheme will be ignored in this case. =back =item B This method returns the name of negotiated protocol - e.g. 'http/1.1'. It works for both client and server side of SSL connection. NPN support is available with Net::SSLeay 1.46+ and openssl-1.0.1+. To check support you might call C<< IO::Socket::SSL->can_npn() >>. =item B Returns the protocol negotiated via ALPN as a string, e.g. 'http/1.1', 'http/2.0' or 'spdy/3.1'. ALPN support is available with Net::SSLeay 1.56+ and openssl-1.0.2+. To check support, use C<< IO::Socket::SSL->can_alpn() >>. =item B Returns the last error (in string form) that occurred. If you do not have a real object to perform this method on, call IO::Socket::SSL::errstr() instead. For read and write errors on non-blocking sockets, this method may include the string C or C meaning that the other side is expecting to read from or write to the socket and wants to be satisfied before you get to do anything. But with version 0.98 you are better comparing the global exported variable $SSL_ERROR against the exported symbols SSL_WANT_READ and SSL_WANT_WRITE. =item B This returns false if the socket could not be opened, 1 if the socket could be opened and the SSL handshake was successful done and -1 if the underlying IO::Handle is open, but the SSL handshake failed. =item B<< IO::Socket::SSL->start_SSL($socket, ... ) >> This will convert a glob reference or a socket that you provide to an IO::Socket::SSL object. You may also pass parameters to specify context or connection options as with a call to new(). If you are using this function on an accept()ed socket, you must set the parameter "SSL_server" to 1, i.e. IO::Socket::SSL->start_SSL($socket, SSL_server => 1). If you have a class that inherits from IO::Socket::SSL and you want the $socket to be blessed into your own class instead, use MyClass->start_SSL($socket) to achieve the desired effect. Note that if start_SSL() fails in SSL negotiation, $socket will remain blessed in its original class. For non-blocking sockets you better just upgrade the socket to IO::Socket::SSL and call accept_SSL or connect_SSL and the upgraded object. To just upgrade the socket set B explicitly to 0. If you call start_SSL w/o this parameter it will revert to blocking behavior for accept_SSL and connect_SSL. If given the parameter "Timeout" it will stop if after the timeout no SSL connection was established. This parameter is only used for blocking sockets, if it is not given the default Timeout from the underlying IO::Socket will be used. =item B This is the opposite of start_SSL(), connect_SSL() and accept_SSL(), e.g. it will shutdown the SSL connection and return to the class before start_SSL(). It gets the same arguments as close(), in fact close() calls stop_SSL() (but without downgrading the class). Will return true if it succeeded and undef if failed. This might be the case for non-blocking sockets. In this case $! is set to EWOULDBLOCK and the ssl error to SSL_WANT_READ or SSL_WANT_WRITE. In this case the call should be retried again with the same arguments once the socket is ready. For calling from C C default to false, e.g. it waits for the close_notify of the peer. This is necessary in case you want to downgrade the socket and continue to use it as a plain socket. After stop_SSL the socket can again be used to exchange plain data. =item B, B These functions should be used to do the relevant handshake, if the socket got created with C or upgraded with C and C was set to false. They will return undef until the handshake succeeded or an error got thrown. As long as the function returns undef and $! is set to EWOULDBLOCK one could retry the call after the socket got readable (SSL_WANT_READ) or writeable (SSL_WANT_WRITE). =item B This will create an OCSP resolver object, which can be used to create OCSP requests for the certificates of the SSL connection. Which certificates are verified depends on the setting of C: by default only the leaf certificate will be checked, but with SSL_OCSP_FULL_CHAIN all chain certificates will be checked. Because to create an OCSP request the certificate and its issuer certificate need to be known it is not possible to check certificates when the trust chain is incomplete or if the certificate is self-signed. The OCSP resolver gets created by calling C<$ssl->ocsp_resolver> and provides the following methods: =over 8 =item hard_error This returns the hard error when checking the OCSP response. Hard errors are certificate revocations. With the C of SSL_OCSP_FAIL_HARD any soft error (e.g. failures to get signed information about the certificates) will be considered a hard error too. The OCSP resolving will stop on the first hard error. The method will return undef as long as no hard errors occurred and still requests to be resolved. If all requests got resolved and no hard errors occurred the method will return C<''>. =item soft_error This returns the soft error(s) which occurred when asking the OCSP responders. =item requests This will return a hash consisting of C<(url,request)>-tuples, e.g. which contain the OCSP request string and the URL where it should be sent too. The usual way to send such a request is as HTTP POST request with an content-type of C or as a GET request with the base64 and url-encoded request is added to the path of the URL. After you've handled all these requests and added the response with C you should better call this method again to make sure, that no more requests are outstanding. IO::Socket::SSL will combine multiple OCSP requests for the same server inside a single request, but some server don't give an response to all these requests, so that one has to ask again with the remaining requests. =item add_response($uri,$response) This method takes the HTTP body of the response which got received when sending the OCSP request to C<$uri>. If no response was received or an error occurred one should either retry or consider C<$response> as empty which will trigger a soft error. The method returns the current value of C, e.g. a defined value when no more requests need to be done. =item resolve_blocking(%args) This combines C and C which L to do all necessary requests in a blocking way. C<%args> will be given to L so that you can put proxy settings etc here. L will be called with C of false, because the OCSP responses have their own signatures so no extra SSL verification is needed. If you don't want to use blocking requests you need to roll your own user agent with C and C. =back =item B<< IO::Socket::SSL->new_from_fd($fd, [mode], %sslargs) >> This will convert a socket identified via a file descriptor into an SSL socket. Note that the argument list does not include a "MODE" argument; if you supply one, it will be thoughtfully ignored (for compatibility with IO::Socket::INET). Instead, a mode of '+<' is assumed, and the file descriptor passed must be able to handle such I/O because the initial SSL handshake requires bidirectional communication. Internally the given $fd will be upgraded to a socket object using the C method of the super class (L or similar) and then C will be called using the given C<%sslargs>. If C<$fd> is already an IO::Socket object you should better call C directly. =item B ..., SSL_ca_path => ... ])> Determines or sets the default CA path. If existing path or dir or a hash is given it will set the default CA path to this value and never try to detect it automatically. If C is given it will forget any stored defaults and continue with detection of system defaults. If no arguments are given it will start detection of system defaults, unless it has already stored user-set or previously detected values. The detection of system defaults works similar to OpenSSL, e.g. it will check the directory specified in environment variable SSL_CERT_DIR or the path OPENSSLDIR/certs (SSLCERTS: on VMS) and the file specified in environment variable SSL_CERT_FILE or the path OPENSSLDIR/cert.pem (SSLCERTS:cert.pem on VMS). Contrary to OpenSSL it will check if the SSL_ca_path contains PEM files with the hash as file name and if the SSL_ca_file looks like PEM. If no usable system default can be found it will try to load and use L and if not available give up detection. The result of the detection will be saved to speed up future calls. The function returns the saved default CA as hash with SSL_ca_file and SSL_ca_path. =item B You may use this to make IO::Socket::SSL automatically re-use a given context (unless specifically overridden in a call to new()). It accepts one argument, which should be either an IO::Socket::SSL object or an IO::Socket::SSL::SSL_Context object. See the SSL_reuse_ctx option of new() for more details. Note that this sets the default context globally, so use with caution (esp. in mod_perl scripts). =item B You may use this to make IO::Socket::SSL automatically re-use a given session cache (unless specifically overridden in a call to new()). It accepts one argument, which should be an IO::Socket::SSL::Session_Cache object or similar (e.g something which implements get_session and add_session like IO::Socket::SSL::Session_Cache does). See the SSL_session_cache option of new() for more details. Note that this sets the default cache globally, so use with caution. =item B With this function one can set defaults for all SSL_* parameter used for creation of the context, like the SSL_verify* parameter. Any SSL_* parameter can be given or the following short versions: =over 8 =item mode - SSL_verify_mode =item callback - SSL_verify_callback =item scheme - SSL_verifycn_scheme =item name - SSL_verifycn_name =back =item B Similar to C, but only sets the defaults for client mode. =item B Similar to C, but only sets the defaults for server mode. =item B Sometimes one has to use code which uses unwanted or invalid arguments for SSL, typically disabling SSL verification or setting wrong ciphers or SSL versions. With this hack it is possible to override these settings and restore sanity. Example: IO::Socket::SSL::set_args_filter_hack( sub { my ($is_server,$args) = @_; if ( ! $is_server ) { # client settings - enable verification with default CA # and fallback hostname verification etc delete @{$args}{qw( SSL_verify_mode SSL_ca_file SSL_ca_path SSL_verifycn_scheme SSL_version )}; # and add some fingerprints for known certs which are signed by # unknown CAs or are self-signed $args->{SSL_fingerprint} = ... } }); With the short setting C it will prefer the default settings in all cases. These default settings can be modified with C, C and C. =back The following methods are unsupported (not to mention futile!) and IO::Socket::SSL will emit a large CROAK() if you are silly enough to use them: =over 4 =item truncate =item stat =item ungetc =item setbuf =item setvbuf =item fdopen =item send/recv Note that send() and recv() cannot be reliably trapped by a tied filehandle (such as that used by IO::Socket::SSL) and so may send unencrypted data over the socket. Object-oriented calls to these functions will fail, telling you to use the print/printf/syswrite and read/sysread families instead. =back =head1 DEPRECATIONS The following functions are deprecated and are only retained for compatibility: =over 2 =item context_init() use the SSL_reuse_ctx option if you want to re-use a context =item socketToSSL() and socket_to_SSL() use IO::Socket::SSL->start_SSL() instead =item kill_socket() use close() instead =item get_peer_certificate() use the peer_certificate() function instead. Used to return X509_Certificate with methods subject_name and issuer_name. Now simply returns $self which has these methods (although deprecated). =item issuer_name() use peer_certificate( 'issuer' ) instead =item subject_name() use peer_certificate( 'subject' ) instead =back =head1 EXAMPLES See the 'example' directory, the tests in 't' and also the tools in 'util'. =head1 BUGS If you use IO::Socket::SSL together with threads you should load it (e.g. use or require) inside the main thread before creating any other threads which use it. This way it is much faster because it will be initialized only once. Also there are reports that it might crash the other way. Creating an IO::Socket::SSL object in one thread and closing it in another thread will not work. IO::Socket::SSL does not work together with Storable::fd_retrieve/fd_store. See BUGS file for more information and how to work around the problem. Non-blocking and timeouts (which are based on non-blocking) are not supported on Win32, because the underlying IO::Socket::INET does not support non-blocking on this platform. If you have a server and it looks like you have a memory leak you might check the size of your session cache. Default for Net::SSLeay seems to be 20480, see the example for SSL_create_ctx_callback for how to limit it. =head1 SEE ALSO IO::Socket::INET, IO::Socket::INET6, IO::Socket::IP, Net::SSLeay. =head1 THANKS Many thanks to all who added patches or reported bugs or helped IO::Socket::SSL another way. Please keep reporting bugs and help with patches, even if they just fix the documentation. Special thanks to the team of Net::SSLeay for the good cooperation. =head1 AUTHORS Steffen Ullrich, is the current maintainer. Peter Behroozi, (Note the lack of an "i" at the end of "behrooz") Marko Asplund, , was the original author of IO::Socket::SSL. Patches incorporated from various people, see file Changes. =head1 COPYRIGHT The original versions of this module are Copyright (C) 1999-2002 Marko Asplund. The rewrite of this module is Copyright (C) 2002-2005 Peter Behroozi. Versions 0.98 and newer are Copyright (C) 2006-2014 Steffen Ullrich. This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. IO-Socket-SSL-2.024/META.yml0000664000175100017510000000146312655445521013735 0ustar workwork--- abstract: 'Nearly transparent SSL encapsulation for IO::Socket::INET.' author: - 'Steffen Ullrich , Peter Behroozi, Marko Asplund' build_requires: ExtUtils::MakeMaker: '0' configure_requires: ExtUtils::MakeMaker: '0' dynamic_config: 1 generated_by: 'ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.120630' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: '1.4' name: IO-Socket-SSL no_index: directory: - t - inc requires: Net::SSLeay: '1.46' Scalar::Util: '0' resources: bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL homepage: https://github.com/noxxi/p5-io-socket-ssl license: http://dev.perl.org/licenses/ repository: https://github.com/noxxi/p5-io-socket-ssl version: '2.024'