Bug#1125385: IO::Socket::SSL.3pm: Some remarks and a patch with editorial changes for this man page
Bjarni Ingi Gislason
bjarniig at simnet.is
Tue Jan 13 09:47:37 GMT 2026
Package: libio-socket-ssl-perl
Version: 2.098-1
Severity: minor
Tags: patch
Dear Maintainer,
From "/usr/share/doc/debian/bug-reporting.txt.gz":
Don't file bugs upstream
If you file a bug in Debian, don't send a copy to the upstream software
maintainers yourself, as it is possible that the bug exists only in
Debian. If necessary, the maintainer of the package will forward the
bug upstream.
-.-
I do not send reports upstream if I have to get an account there.
The Debian maintainers have one already.
If I get a negative (or no) response from upstream, I send henceforth
bugs to Debian.
-.-
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z < "man page"
[Use
grep -n -e ' $' -e '\\~$' -e ' \\f.$' -e ' \\"' <file>
to find (most) trailing spaces.]
["test-groff" is a script in the repository for "groff"; it is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:1038: warning: [page 13, 8.7i]: cannot adjust line; underset by 2.521n
Output from "test-nroff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:1037: warning [page 1, line 963]: cannot break line in l adjust mode; overset by 14n
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exists, are in the
attachments.
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.17.13+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.94-3
ii netbase 6.5
ii perl 5.40.1-7
Versions of packages libio-socket-ssl-perl recommends:
pn libio-socket-ip-perl | libio-socket-inet6-perl <none>
ii libsocket6-perl 0.29-3+b4
ii liburi-perl 5.34-2
ii perl-base [libsocket-perl] 5.40.1-7
Versions of packages libio-socket-ssl-perl suggests:
ii ca-certificates 20250419
-- no debconf information
-------------- next part --------------
Input file is IO::Socket::SSL.3pm
Output from "mandoc -T lint IO::Socket::SSL.3pm": (shortened list)
129 STYLE: input text line longer than 80 bytes:
6 WARNING: empty block: RS
-.-.
Output from
test-nroff -mandoc -t -ww -z IO::Socket::SSL.3pm: (shortened list)
1 cannot break line in l adjust mode; overset by 14n
-.-.
Input file is IO::Socket::SSL.3pm
Show if Pod::Man generated this.
2:.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
Latest version in Debian testing:
This is perl 5, version 40, subversion 1 (v5.40.1) built for x86_64-linux-gnu-thread-multi
(with 48 registered patches, see perl -V for more detail)
-.-.
Change '-' (\-) to '\(en' (en-dash) for a (numeric) range.
GNU gnulib has recently (2023-06-18) updated its
"build_aux/update-copyright" to recognize "\(en" in man pages.
IO::Socket::SSL.3pm:2204:The original versions of this module are Copyright (C) 1999\-2002 Marko Asplund.
IO::Socket::SSL.3pm:2206:The rewrite of this module is Copyright (C) 2002\-2005 Peter Behroozi.
IO::Socket::SSL.3pm:2208:Versions 0.98 and newer are Copyright (C) 2006\-2014 Steffen Ullrich.
-.-.
Change (or include a "FIXME" paragraph about) misused SI (metric)
numeric prefixes (or names) to the binary ones, like Ki (kibi), Mi
(mebi), Gi (gibi), or Ti (tebi), if indicated.
If the metric prefixes are correct, add the definitions or an
explanation to avoid misunderstanding.
450:Another way might be if you try to sysread at least 16kByte all the time.
451:16kByte is the maximum size of an SSL frame and because sysread returns data
947:IO::Socket::SSL::Utils::PEM_xxx2key).
1485:might save lots of memory in the mean time though, about 34k per idle SSL
-.-.
Add a (no-break, "\ " or "\~") space between a number and a unit,
as these are not one entity.
450:Another way might be if you try to sysread at least 16kByte all the time.
451:16kByte is the maximum size of an SSL frame and because sysread returns data
1485:might save lots of memory in the mean time though, about 34k per idle SSL
-.-.
Strings longer than 3/4 of a standard line length (80).
Use "\:" to split the string at the end of an output line, for example a
long URL (web address).
This is a groff extension.
1037 (<https://www.openssl.org/docs/manmaster/man1/openssl\-ciphers.html#CIPHER\-STRINGS>)
1053 (<https://www.openssl.org/docs/manmaster/man1/openssl\-ciphers.html>) for
1271 \&\f(CW\*(C`IO::Socket::SSL::OCSP_Cache\->new([size])\*(C'\fR or implement your own cache,
2073 .IP \fBIO::Socket::SSL::set_args_filter_hack(\e&code|'use_defaults')\fR 4
-.-.
Add a "\&" (or a comma (Oxford comma)) after an abbreviation
or use English words
(man-pages(7)).
Abbreviation points should be marked as such and protected against being
interpreted as an end of sentence, if they are not, and that independent
of the current place on the line.
143:attacks, e.g. if Alice wants to talk to Bob it would be possible for Mallory to
163:Check if we trust the certificate, e.g. make sure it's not a forgery.
192:for multiple hosts (e.g. *.example.com and *.example.org).
216:identity is usually only checked one way, e.g. the client wants to make sure it
433:Polling of SSL sockets (e.g. select, poll and other event loops).
446:Thus, in order to decide if you can read more data (e.g. if sysread will block)
496:notice that 'HIGH' includes anonymous ciphers, e.g. without identification of
557:different SSL implementation (e.g. a web browser).
564:certificates into their server setup, e.g. everything needed to build the trust
579:SSL version, e.g. by setting \f(CW\*(C`SSL_version\*(C'\fR. Modern Browsers usually deal with
637:will try to emulate the behavior seen there, e.g. to return the received data
643:this is that \f(CW\*(C`accept\*(C'\fR on a non-blocking TCP socket (e.g. IO::Socket::IP,
817:Both \f(CW$SSL_ERROR\fR and the \f(CW\*(C`errstr\*(C'\fR method give a dualvar similar to \f(CW$!\fR, e.g.
823:that came bundled with the super class (e.g. IO::Socket::IP,
826:secure defaults, e.g. choosing good ciphers, enabling proper verification, etc.
890:supported by OpenSSL, e.g. 'sha1','sha256'... and \f(CW\*(C`hex_fingerprint\*(C'\fR is the
899:It is also possible to skip \f(CW\*(C`algo$\*(C'\fR, i.e. only specify the fingerprint. In
913:If a fingerprint matches the topmost (i.e. leaf) certificate no additional
939:(e.g. all except the first) will be "consumed" by openssl and will be freed
941:the servers certificate (e.g. the first) will not be consumed by openssl and
960:\&\f(CW\*(C`hostname%whatever\*(C'\fR, i.e. \f(CW\*(C`hostname%ecc\*(C'\fR or similar. This needs at least
1035:given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. This will only affect
1080:want this (e.g. disable DH key exchange) explicitly set this or the \f(CW\*(C`SSL_dh\*(C'\fR
1103:preference, i.e. \f(CW\*(C`P\-521:P\-384:P\-256\*(C'\fR. When used at the client side this
1121:The default is SSL_VERIFY_NONE for server (e.g. no check for client
1161:verification fail. THIS WILL CHANGE, e.g. it will let the certificate
1168:better should use the scheme specific to your application protocol, e.g. 'http',
1178:for public suffixes, e.g. no wildcard certificates for *.com or *.co.uk should
1234:Soft errors mean, that the OCSP response is not usable, e.g. no response,
1239:Soft errors inside a stapled response are never considered hard, e.g. it is
1253:response handle obtained from the peer, e.g. \f(CW\*(C`<$cb\-\*(C'\fR($ssl,$resp)>>.
1345:e.g. it does not affect SSL objects with SSL_server set.
1382:server as an array ref, e.g. ['spdy/2','http1.1'].
1395:server as an array ref, e.g. ['http/2.0', 'spdy/3.1','http/1.1'].
1492:While this will add some overhead it makes it possible to stack TLS layers, i.e.
1569:IO::Socket objects, e.g. it returns at most LEN bytes of data.
1577:sysread will only return data from a single SSL frame, e.g. either the pending
1591:IO::Socket objects, e.g. it will write at most LEN bytes to the socket, but
1685:This returns all the certificates send by the peer, e.g. first the peers own
1711:Extended wildcards in subjectAltNames and common name are possible, e.g.
1721:Simple wildcards in subjectAltNames are possible, e.g. *.example.org matches
1789:This method returns the name of negotiated protocol \- e.g. 'http/1.1'. It works
1796:Returns the protocol negotiated via ALPN as a string, e.g. 'http/1.1',
1829:an \fBaccept()\fRed socket, you must set the parameter "SSL_server" to 1, i.e.
1852:This is the opposite of \fBstart_SSL()\fR, \fBconnect_SSL()\fR and \fBaccept_SSL()\fR, e.g. it
1862:For calling from \f(CW\*(C`stop_SSL\*(C'\fR \f(CW\*(C`SSL_fast_shutdown\*(C'\fR default to false, e.g. it
1946:SSL_OCSP_FAIL_HARD any soft error (e.g. failures to get signed information
1959:This will return a hash consisting of \f(CW\*(C`(url,request)\*(C'\fR\-tuples, e.g. which
1978:The method returns the current value of \f(CW\*(C`hard_error\*(C'\fR, e.g. a defined value
2018:The detection of system defaults works similar to OpenSSL, e.g. it will check
2044:object or similar (e.g. something which implements get_session, add_session and
2167:If you use IO::Socket::SSL together with threads you should load it (e.g. use or
-.-.
Wrong distance (not two spaces) between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
Some sentences (etc.) do not begin on a new line.
Split (sometimes) lines after a punctuation mark; before a conjunction.
Lines with only one (or two) space(s) between sentences could be split,
so latter sentences begin on a new line.
Use
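#!/usr/bin/sh
# Leave roff control lines (starting with ".") untouched; split text lines
# after a sentence period.  "\n" in the replacement needs GNU sed.
sed -e '/^\./!s/\([[:alpha:]]\)\. */\1.\n/g' "$1"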
to split lines after a sentence period.
Check result with the difference between the formatted outputs.
See also the attachment "general.bugs"
[List of affected lines removed.]
-.-.
Split lines longer than 80 characters (fill completely
an A4 sized page line on a terminal)
into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
Add "\:" to split the string for the output, "\<newline>" in the source.
[List of affected lines removed.]
Longest line is number 1137 with 139 characters
.IP "5. a C\-style memory address of the peer's own certificate (convertible to PEM form with \fBNet::SSLeay::PEM_get_string_X509()\fR)." 4
-.-.
Remove unnecessary double font change (e.g., \fR\fI) in a row or (better)
use a two-fonts macro.
[List with affected lines removed.]
1679:certificate. The same arguments for \fR\f(CB$field\fR\fB\fR can be used.
1680:If no \fB\fR\f(CB$field\fR\fB\fR is given the certificate handle from the underlying OpenSSL will
1993:.ie n .IP "\fBIO::Socket::SSL\->new_from_fd($fd, [mode], \fR\fB%sslargs\fR\fB)\fR" 4
1994:.el .IP "\fBIO::Socket::SSL\->new_from_fd($fd, [mode], \fR\f(CB%sslargs\fR\fB)\fR" 4
-.-.
Add a zero (0) in front of a decimal fraction that begins with a period
(.)
7:.if t .sp .5v
-.-.
Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".
[List of affected lines removed.]
-.-.
Change a HYPHEN-MINUS (code 0x55, 2D) to a dash
(\-, minus) if it matches "[[:alpha:]]-[[:alpha:]]" in the name of an
option).
Facilitates the copy and paste of
a) an option in UTF-8 text
b) web addresses (URL).
Is not needed in ordinary words like "mother-in-law", that are not
copied and pasted to a command line (which needs ASCII code)
122:IO::Socket::SSL::Intercept \- Doing Man-In-The-Middle with SSL
128:protocols to facilitate end-to-end security. These protocols are used when
133:SSL enables end-to-end security by providing two essential functions:
142:If the identification is done incorrectly it is easy to mount man-in-the-middle
145:All the data would still be encrypted, but not end-to-end between Alice and Bob,
402:Man-In-The-Middle attacks possible.
-.-.
Use a character "\(->" instead of plain "->" or "\->", if not typeset with
a constant width font.
[List of affected lines removed.]
-.-.
Protect "^From " from forcing a mail software to use "quoted-printable"
encoding, by adding "\&" in front of it.
577:From time to time one encounters an SSL peer, which just closes the connection
-.-.
Only one space character is after a possible end of sentence
(after a punctuation, that can end a sentence).
[List of affected lines removed.]
-.-.
Add lines to use the CR font for groff instead of CW.
.if t \{\
. ie \\n(.g .ft CR
. el .ft CW
.\}
11:.ft CW
-.-.
.\" Define a fallback for the CW font
.
.if \n(.g \{\
. ie t .ftr CW CR
. el .ftr CW R
.\}
[List of affected lines removed.]
-.-.
Put a (long) web address on a new output line to reduce the possibility of
splitting the address between two output lines.
Or inhibit hyphenation with "\%" in front of the name.
129:accessing web sites (https), delivering or retrieving email, and in lots of other
268:\& PeerPort => "https",
286:\& SSL_verifycn_scheme => \*(Aqhttp\*(Aq,
555:<https://github.com/noxxi/p5\-ssl\-tools> might be a helpful tool when debugging
1037:(<https://www.openssl.org/docs/manmaster/man1/openssl\-ciphers.html#CIPHER\-STRINGS>)
1053:(<https://www.openssl.org/docs/manmaster/man1/openssl\-ciphers.html>) for
1168:better should use the scheme specific to your application protocol, e.g. 'http',
1382:server as an array ref, e.g. ['spdy/2','http1.1'].
1395:server as an array ref, e.g. ['http/2.0', 'spdy/3.1','http/1.1'].
1500:\& # create TLS connection to TLS enabled http proxy
1714:.IP "http (alias www)" 8
1715:.IX Item "http (alias www)"
1757:given in subjectAltNames (like in http), for any other values the common name
1763:\&'anywhere' www*.example.org is possible too (like http), dangerous things like
1789:This method returns the name of negotiated protocol \- e.g. 'http/1.1'. It works
1796:Returns the protocol negotiated via ALPN as a string, e.g. 'http/1.1',
1797:\&'http/2.0' or 'spdy/3.1'.
-.-.
Change comment lines of type '.\" ====' (and an empty '.\"' line) to
a single period, as they contain no information and waste work each time
they are processed.
3:.\"
5:.\" ========================================================================
28:.\"
32:.\"
37:.\"
55:.\" ========================================================================
56:.\"
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:1038: warning: [page 13, 8.7i]: cannot adjust line; underset by 2.521n
Output from "test-nroff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=0 -ww -z ":
troff:<stdin>:1037: warning [page 1, line 963]: cannot break line in l adjust mode; overset by 14n
-.-
Generally:
Split (sometimes) lines after a punctuation mark; before a conjunction.
-------------- next part --------------
--- IO::Socket::SSL.3pm 2026-01-13 08:53:25.616774544 +0000
+++ IO::Socket::SSL.3pm.new 2026-01-13 09:21:56.341356737 +0000
@@ -574,7 +574,7 @@ IO::Socket::SSL.
Old versions of servers or load balancers which do not understand specific TLS
versions or croak on specific data.
.Sp
-From time to time one encounters an SSL peer, which just closes the connection
+\&From time to time one encounters an SSL peer, which just closes the connection
inside the SSL handshake. This can usually be worked around by downgrading the
SSL version, e.g. by setting \f(CW\*(C`SSL_version\*(C'\fR. Modern Browsers usually deal with
such servers by automatically downgrading the SSL version and repeat the
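Review bot: The "\&" added before "From" on the changed line edits IO::Socket::SSL.3pm directly, but the report shows that this file is "Automatically generated by Pod::Man 5.0102", so the change is lost the next time the page is generated; the same holds for every hunk in this patch. Carry the change as a fix to the POD source or to Pod::Man, or state in the report how the package is expected to keep a patched generated page.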
@@ -1034,7 +1034,13 @@ version 1.1 request. In this case settin
If this option is set the cipher list for the connection will be set to the
given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. This will only affect
ciphers for TLS 1.2 and lower. See the OpenSSL documentation
-(<https://www.openssl.org/docs/manmaster/man1/openssl\-ciphers.html#CIPHER\-STRINGS>)
+.ie \n(.g \{\
+(<https://www.openssl.org/\:docs/\:manmaster/\:man1/\:openssl\-ciphers.html#CIPHER\-STRINGS>)
+.\}
+.el \{\
+(<https://www.openssl.org/docs/manmaster/man1/
+openssl\-ciphers.html#CIPHER\-STRINGS>)
+.\}
for more details.
.Sp
Unless you fail to contact your peer because of no shared ciphers it is
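Review bot: In the ".el" branch the URL is broken across two input lines, and in fill mode that newline is output as a space, so a non-groff formatter prints "man1/ openssl-ciphers.html" and the address no longer copies as one string. End the first line with a backslash ("\<newline>", as the remarks in the report suggest) or keep the URL on one input line in that branch. The groff-branch line with "\:" is also still longer than 80 bytes, so the mandoc -T lint STYLE message for it remains.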
@@ -1245,8 +1251,8 @@ This will set up the \f(CW\*(C`ocsp_reso
chain will be checked, otherwise only the leaf certificate will be checked
against revocation.
.RE
-.RS 2
-.RE
+.\".RS 2
+.\".RE
.IP SSL_ocsp_staple_callback 2
.IX Item "SSL_ocsp_staple_callback"
If this callback is defined, it will be called with the SSL object and the OCSP
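Review bot: The empty ".RS 2"/".RE" pair is commented out rather than deleted, which leaves two comment lines that carry no information, the same kind of line the remarks in the report ask to reduce to a single period. Delete both lines, and because the pair sits between a closing ".RE" and the next ".IP", confirm with the nroff and diff comparison described in the report that the formatted output is unchanged. The same applies to the five ".RS 4"/".RE" hunks that follow.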
@@ -1515,8 +1521,8 @@ Example:
\& ... # read response from server on $inner
.Ve
.RE
-.RS 4
-.RE
+.\".RS 4
+.\".RE
.IP \fBaccept\fR 4
.IX Item "accept"
This behaves similar to the accept function of the underlying socket class, but
@@ -1671,8 +1677,8 @@ It returns a list of (typ,value) with ty
constants are exported from IO::Socket::SSL).
See Net::SSLeay::X509_get_subjectAltNames.
.RE
-.RS 4
-.RE
+.\".RS 4
+.\".RE
.IP \fBsock_certificate($field)\fR 4
.IX Item "sock_certificate($field)"
This is similar to \f(CW\*(C`peer_certificate\*(C'\fR but will return the sites own
@@ -1782,8 +1788,8 @@ subjectAltNames is the result from peer_
.Sp
All other arguments for the verification scheme will be ignored in this case.
.RE
-.RS 4
-.RE
+.\".RS 4
+.\".RE
.IP \fBnext_proto_negotiated()\fR 4
.IX Item "next_proto_negotiated()"
This method returns the name of negotiated protocol \- e.g. 'http/1.1'. It works
@@ -1988,8 +1994,8 @@ no extra SSL verification is needed.
If you don't want to use blocking requests you need to roll your own user agent
with \f(CW\*(C`requests\*(C'\fR and \f(CW\*(C`add_response\*(C'\fR.
.RE
-.RS 4
-.RE
+.\".RS 4
+.\".RE
.ie n .IP "\fBIO::Socket::SSL\->new_from_fd($fd, [mode], \fR\fB%sslargs\fR\fB)\fR" 4
.el .IP "\fBIO::Socket::SSL\->new_from_fd($fd, [mode], \fR\f(CB%sslargs\fR\fB)\fR" 4
.IX Item "IO::Socket::SSL->new_from_fd($fd, [mode], %sslargs)"
@@ -2061,8 +2067,8 @@ be given or the following short versions
.IP "name \- SSL_verifycn_name" 8
.IX Item "name - SSL_verifycn_name"
.RE
-.RS 4
-.RE
+.\".RS 4
+.\".RE
.IP \fBIO::Socket::SSL::set_client_defaults(%args)\fR 4
.IX Item "IO::Socket::SSL::set_client_defaults(%args)"
.PD
@@ -2201,11 +2207,11 @@ Marko Asplund, <marko.asplund at kronodo
Patches incorporated from various people, see file Changes.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-The original versions of this module are Copyright (C) 1999\-2002 Marko Asplund.
+The original versions of this module are Copyright (C) 1999\(en2002 Marko Asplund.
.PP
-The rewrite of this module is Copyright (C) 2002\-2005 Peter Behroozi.
+The rewrite of this module is Copyright (C) 2002\(en2005 Peter Behroozi.
.PP
-Versions 0.98 and newer are Copyright (C) 2006\-2014 Steffen Ullrich.
+Versions 0.98 and newer are Copyright (C) 2006\(en2014 Steffen Ullrich.
.PP
This module is free software; you can redistribute it and/or
modify it under the same terms as Perl itself.
-------------- next part --------------
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
To find trailing space use
grep -n -e ' $' -e ' \\f.$' -e ' \\"' <man page>
The same goes for man pages that are used as an input.
-.-
For a style guide use
mandoc -T lint
-.-
For general input conventions consult the man page "nroff(7)" (item
"Input conventions") or the Texinfo manual about the same item.
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
-.-
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
"git" has a "tool" to point out whitespace,
see for example "git-apply(1)" and "git-config(1)")
-.-
Not beginning each input sentence on a new line.
Line length and patch size should thus be reduced when that has been fixed.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original
and patched file can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -d -u <out1> <out2>
and for groff, using
\"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - \"
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -d -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option "-warnings=w"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT="-ww -b -z"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-
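A source-level pass over five of the checks listed in this report (input lines longer than 80 bytes, trailing space, an unprotected "From " at line start, "e.g."/"i.e." not followed by "\&", and "\-" in a numeric range), as an added example that is not part of the original message and not a groff or mandoc tool. The function names, the check codes and the sample are made up here; the sample text lines are ones the report quotes.

```shell
#!/bin/sh
# Added example: lint roff source for five defects named in the report.
# Check codes (LONG, TRAIL, FROM, RANGE, ABBR) are made up for this sketch.

lint_roff() {
    # Reads the named files (or stdin) and prints "LINE:CODE" per finding.
    awk '
    function report(code) { printf "%d:%s\n", NR, code }
    {
        # Input line longer than 80 bytes (the mandoc -T lint STYLE message).
        if (length($0) > 80) report("LONG")
        # Trailing space at the end of an input line.
        if ($0 ~ / $/) report("TRAIL")
        # "From " at line start is what mail software turns into ">From ".
        if ($0 ~ /^From /) report("FROM")
        # Control lines (requests, macros, comments) hold no sentence text.
        if ($0 ~ /^\./) next
        # Numeric range written with \- instead of \(en.
        if ($0 ~ /[0-9]\\-[0-9]/) report("RANGE")
        # Abbreviation followed directly by a space, so not protected by \&.
        if ($0 ~ /(e\.g|i\.e)\. /) report("ABBR")
    }' "$@"
}

make_sample() {
    # Constructed sample: defective lines next to their corrected forms.
    cat <<'EOF'
.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
From time to time one encounters an SSL peer, which just closes the connection
\&From time to time one encounters an SSL peer, which just closes the connection
Check if we trust the certificate, e.g. make sure it's not a forgery.
Check if we trust the certificate, e.g.\& make sure it's not a forgery.
The rewrite of this module is Copyright (C) 2002\-2005 Peter Behroozi.
The rewrite of this module is Copyright (C) 2002\(en2005 Peter Behroozi.
.IP "5. a C\-style memory address of the peer's own certificate (convertible to PEM form with \fBNet::SSLeay::PEM_get_string_X509()\fR)." 4
EOF
    # printf keeps the trailing space visible and intact.
    printf 'for more details. \n'
}

# Stand-alone run: list the findings for the constructed sample.
make_sample | lint_roff
```

These source checks complement the formatter runs described in the report, which are still needed for the "cannot adjust line" and "cannot break line" warnings.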