lib/XML/Stream.pm | 7 6 1 - 0 !
1 file changed, 6 insertions( ), 1 deletion(-)

 fix an 'uninitialized value' warning

lib/XML/Stream.pm | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 provide a default ssl_ca_path
 ssl_verify is on by default, but will fail unless provided with a valid
 ssl_ca_path. On Debian, commonly trusted CA certificates are stored in
 /etc/ssl/certs
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908027

lib/XML/Stream.pm | 3 1 2 - 0 !
1 file changed, 1 insertion( ), 2 deletions(-)

 [patch] do not die when hostname cannot be resolved.
Bug-Debian: https://bugs.debian.org/692311

lib/XML/Stream.pm | 3 3 0 - 0 !
t/tcpip2ssl.t | 21 17 4 - 0 !
2 files changed, 20 insertions( ), 4 deletions(-)

 [patch] set ssl_verifycn_name parameter to fix hostname verification

IO-Socket-SSL 2.078 reverted a "decision from 2014 to not verify
hostname by default if hostname is IP address but no explicit
verification scheme given" [1]. Since start_SSL uses SSL_verifycn_name
or SSL_hostname when verifying the hostname and falls back to the IP
address of the peer if neither of them are set, the hostname
verification failed with newer versions of IO-Socket-SSL even if the
certificate presented by the peer was valid.

Passing SSL_verifycn_name to start_SSL fixes this issue. The logic to
determine the parameter value is based on my current understanding of
[2] and thus uses the same logic that is also used in OpenStream to
determine the 'to' address in the initial stream header.

[1]: https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0
[2]: https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1


Bug: https://github.com/dap/XML-Stream/pull/28
Bug-Debian: https://bugs.debian.org/1064058