source: mod_gnutls/CHANGELOG

debian/master debian/0.8.4-2
Last change on this file was e00a037, checked in by Fiona Klute <fiona.klute@…>, 5 months ago

Release version 0.8.4

  • Property mode set to 100644
File size: 9.6 KB
Line 
1** Version 0.8.4 (2018-04-13)
2- Support Apache HTTPD 2.4.33 API for proxy TLS connections
3- Support TLS for HTTP/2 connections with mod_http2
4- Fix configuration of OCSP stapling callback
5
6** Version 0.8.3 (2017-10-20)
7- Use GnuTLS' default DH parameters by default
8- Handle long Server Name Indication data and gracefully ignore
9  unknown SNI types
10- Send SNI for proxy connections
11- Deprecate OpenPGP support like GnuTLS did (will be removed
12  completely in a future release)
13- Do not announce session ticket support for proxy connections
14- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
15- Test suite: Simplify handling of proxy backend servers and OCSP
16  responders
17- Test suite: stability/compatibility fixes
18
19** Version 0.8.2 (2017-01-08)
20- Test suite: Ensure CRLF line ends in HTTP headers
21- Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
22
23** Version 0.8.1 (2016-12-20)
24- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
25
26** Version 0.8.0 (2016-12-11)
27- New: Support for OCSP stapling
28- Bugfix: Access to DBM cache is locked using global mutex
29  "gnutls-cache"
30- Bugfix: GnuTLSSessionTickets is now disabled by default as described
31  in the handbook
32- Fixed memory leak while checking proxy backend certificate
33- Fixed memory leaks in post_config
34- Safely delete session ticket key (requires GnuTLS >= 3.4)
35- Improved error handling in post_config hook
36- Various handbook updates
37- Internal API documentation can be generated using Doxygen
38- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
39  versions before 2.2, internal Lua bytecode structure last used in
40  2011).
41- Test suite: Fixed locking for access to the PGP keyring of the test
42  certificate authority
43- mod_gnutls can be built using Clang (unsupported)
44
45** Version 0.7.5 (2016-05-28)
46- Sunil Mohan Adapa reported retry loops during session shutdown in
47  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
48  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
49  errno in mgs_transport_write() fixes the problem.
50- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
51  Debian package.
52- Build system improvements that allow VPATH builds and get "make
53  distcheck" to work
54
55** Version 0.7.4 (2016-04-13)
56- Support SoftHSM 2 for PKCS #11 testing
57- Increase verbosity of test logs
58
59** Version 0.7.3 (2016-01-12)
60- Update test suite for compatibility with GnuTLS 3.4, which has
61  stricter key usage checks and priorities than 3.3.
62- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
63  set (mod_status sets it for requests with the "auto" parameter, e.g.
64  https://localhost/server-status?auto).
65- Register "ssl_is_https" function so the special mod_rewrite variable
66  %{HTTPS} works correctly with mod_gnutls. The new test case for this
67  requires Wget or curl. Fixes Debian bug #514005.
68- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
69  default (other addresses configurable), which should fix failures
70  due to localhost randomly resolving to either on some distributions.
71- Isolate tests using network namespaces, if possible. This avoids
72  port conflicts with other test cases (so they can run in parallel)
73  and host services.
74- Support for local Apache drop-in config files in the test suite
75  (e.g. to load additional modules needed on Fedora).
76- Try to use markdown to build HTML documentation if pandoc is not
77  available.
78- Disable use of flock if it is unavailable or does not support
79  timeouts (the latter caused the build to fail on Debian Hurd).
80- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
81
82** Version 0.7.2 (2015-11-21)
83- Bugfix: Non-blocking reads in the input filter could lead to a busy
84  wait in the gnutls_io_input_read function, causing high load on
85  Keep-Alive connections waiting for data, until either more data
86  could be received or the connection was closed. The fix is to pass
87  EAGAIN/EINTR results up to the input filter so they can be handled
88  properly.
89- Close TLS session if the input filter receives EOF (mostly relevant
90  for proper termination of proxy connections).
91- Remove dependency on APR Memcache, which is replaced by the newer
92  version included in the APR Utility Library (libaprutil).
93- Remove dependency on bc. It was used for floating point arithmetic
94  in the test suite, the calculations have been changed to use
95  integers and pure bash code.
96
97** Version 0.7.1 (2015-10-18)
98- Improved handling of PKCS #11 modules: mod_gnutls now loads either
99  modules specified using GnuTLSP11Module, or the system defaults, but
100  not both. Thanks to Nikos Mavrogiannopoulos for the report and
101  initial patch!
102- Initialize variables to safe defaults during client certificate
103  verification. Certain error code paths did not set them, but they
104  should never be hit due to config validation. This adds another line
105  of defense.
106- Enable C99 support via autoconf
107- Test suite improvements. Most importantly, automake now handles
108  environment setup without any external make calls. Rules to build
109  the certificates are included from the old test makefile. Note that
110  the dependency on GNU make is not new (the test makefile always used
111  GNU make syntax), it just wasn't listed explicitly.
112
113** Version 0.7 (2015-07-12)
114- Security fix for TLS client authentication (CVE-2015-2091)
115- Bug fixes that enable support for reverse proxy operation
116- Various test suite improvements. Tests are configured through autoconf,
117  so the test suite now works for builds without Monkeysphere support.
118- Add support for TLS connections to back end servers when operating as a
119  reverse proxy (X.509 authentication only at the moment).
120- PKCS #11 support for server keys and certificates
121- Use strict compiler arguments by default (-Wall -Werror -Wextra)
122- Allow limiting the size of certificates exported as SSL_SERVER_CERT
123  and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive
124
125** Version 0.6 (2014-02-17)
126- Generating DH Params instead of using static ones.
127- Now considering ServerAlias Directives.
128- Major Legacy Code Cleanup.
129- html and pdf and manual documentation generated from markdown sources
130- support monkeysphere validation agent (MSVA) client-certificate verification
131- wider test suite
132- GnuTLSExportCertificates off by default
133
134** Version 0.5.10 (2011-07-12)
135- Patched a bug responsible for excessive memory consumption by mod_gnutls.
136- Support for proxying from SSL to plain HTTP was added (ie. proxy termination).
137
138** Version 0.5.9 (2010-09-24)
139- GnuTLSCache none is now an allowed option.
140- Corrected behavior in Keep-Alive connections (do not
141  terminate the connection prematurely)
142- The GnuTLSCache variable now can be given the specific
143  option "gdbm" instead of "dbm". "dbm" will use the berkeley
144  db type of libapr while gdbm will force gdbm to be used.
145  sdbm is no longer being used due to serious limitations.
146
147** Version 0.5.8 (2010-08-18)
148- Session tickets are enabled by default.
149- Fixes some segmentation faults noticed in some
150  configurations.
151
152** Version 0.5.7 (2010-07-01)
153- Force usage of SDBM. For some reason the default in
154  my system had issues after reaching a limit of entries.
155  SDBM seems stable so force it.
156- Optimizations in session caching.
157- Added support for session tickets. This allows a
158  server to avoid using a session cache and still support
159  session resumption. This is at the cost of transporting
160  session data during handshake. New option
161  GnuTLSSessionTickets [on|off]
162- Depend on gnutls 2.10.0 to force support for safe
163  renegotiation.
164
165** Version 0.5.6 (2010-03-24)
166- Corrected issue with firefox and long POST data (by
167  handling EINTR and EAGAIN errors in read).
168- Added support for chained client certificates
169- Corrected more issues related to double frees
170http://issues.outoforder.cc/view.php?id=102
171
172** Version 0.5.5 (2009-06-13)
173- Removed limits on CA certificate loading. Reported by
174  Sander Marechal and Jack Bates.
175- Do not allow sending empty TLS packets even when instructed to.
176  This had the side effect of clients closing connection.
177
178** Version 0.5.4 (2009-01-04)
179- mod_gnutls.h: modified definition to extern to avoid compilation
180  errors in darwin.
181- Added patch to fix issue with mod_proxy. Investigation and patch by Alain
182  Knaff.
183- libgnutls detection uses pkg-config.
184
185** Version 0.5.3 (2008-10-16)
186- Corrected bug to allow having an OpenPGP-only web site.
187- Increased Max handshake tries due to interrupted system calls.
188
189** Version 0.5.2 (2008-06-29)
190- Depend on gnutls 2.4 which has openpgp support in main library.
191
192** Version 0.5.1 (2008-03-05)
193- Added --disable-srp configure option
194- Better check for memcache (patch by Guillaume Rousse)
195- Corrected possible memory leak in DBM support for resuming sessions.
196
197** Version 0.5.0-alpha (2008-01-24)
198- Added support for OpenPGP keys. The new directives are:
199  GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile
200
201** Version 0.4.2 (2007-12-10)
202- Added support for sending a certificate chain.
203- Corrected bug which did not allow the TLS session cache to be used.
204- Do not allow resuming sessions on different servers.
205
206** Version 0.4.1 (2007-12-03)
207- Added support for subject alternative names in certificates.
208Only one per certificate is supported.
209- New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%,
210SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE
211- The compatibility mode can now be enabled explicitely with the
212%COMPAT keyword at the GnuTLSPriorities string. It is no longer the default.
213- Check for GnuTLSPriorities directive. This corrects a segfault. Thanks
214to David Hrbáč.
215- Better handling of GnuTLSDHFile and GnuTLSRSAFile.
216- No longer default paths for RSA and DH parameter files.
Note: See TracBrowser for help on using the repository browser.