[4bc17ae] | 1 | ** Version 0.8.0-alpha (2016-06-21) |
---|
| 2 | - New: Support for OCSP stapling |
---|
| 3 | - Bugfix: Access to DBM cache is locked using global mutex |
---|
| 4 | "gnutls-cache" |
---|
| 5 | - Bugfix: GnuTLSSessionTickets is now disabled by default as described |
---|
| 6 | in the handbook |
---|
| 7 | - Fixed memory leak while checking proxy backend certificate |
---|
| 8 | - Fixed memory leaks in post_config |
---|
| 9 | - Safely delete session ticket key (requires GnuTLS >= 3.4) |
---|
| 10 | - Improved error handling in post_config hook |
---|
| 11 | - Various handbook updates |
---|
| 12 | - Unused code has been removed (conditionals for GnuTLS 2.x and Apache |
---|
| 13 | versions before 2.2, internal Lua bytecode structure last used in |
---|
| 14 | 2011). |
---|
| 15 | - Test suite: Fixed locking for access to the PGP keyring of the test |
---|
| 16 | certificate authority |
---|
| 17 | - mod_gnutls can be built using Clang (unsupported) |
---|
| 18 | - Known Issues: |
---|
| 19 | * OCSP cache refresh stalls other requests on the virtual host and |
---|
| 20 | other vhosts that need a cache refresh at the same time. Requests |
---|
| 21 | to vhosts with a fresh response in the cache or OCSP stapling |
---|
| 22 | disabled are not affected. |
---|
| 23 | * Rate limiting for OCSP requests is not yet implemented. |
---|
| 24 | You can work around both issues using the GnuTLSOCSPResponseFile |
---|
| 25 | option. |
---|
[460c048] | 26 | |
---|
[086cea9] | 27 | ** Version 0.7.5 (2016-05-28) |
---|
| 28 | - Sunil Mohan Adapa reported retry loops during session shutdown in |
---|
| 29 | cleanup_gnutls_session() due to gnutls_bye() incorrectly returning |
---|
| 30 | GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session |
---|
| 31 | errno in mgs_transport_write() fixes the problem. |
---|
| 32 | - Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the |
---|
| 33 | Debian package. |
---|
| 34 | - Build system improvements that allow VPATH builds and get "make |
---|
| 35 | distcheck" to work |
---|
| 36 | |
---|
[c6cfe6e] | 37 | ** Version 0.7.4 (2016-04-13) |
---|
| 38 | - Support SoftHSM 2 for PKCS #11 testing |
---|
| 39 | - Increase verbosity of test logs |
---|
| 40 | |
---|
[f0923c4] | 41 | ** Version 0.7.3 (2016-01-12) |
---|
| 42 | - Update test suite for compatibility with GnuTLS 3.4, which has |
---|
| 43 | stricter key usage checks and priorities than 3.3. |
---|
| 44 | - Write non-HTML output to mod_status reports if AP_STATUS_SHORT is |
---|
| 45 | set (mod_status sets it for requests with the "auto" parameter, e.g. |
---|
| 46 | https://localhost/server-status?auto). |
---|
| 47 | - Register "ssl_is_https" function so the special mod_rewrite variable |
---|
| 48 | %{HTTPS} works correctly with mod_gnutls. The new test case for this |
---|
| 49 | requires Wget or curl. Fixes Debian bug #514005. |
---|
| 50 | - Test suite servers listen on IPv4 *and* IPv6 loopback addresses by |
---|
| 51 | default (other addresses configurable), which should fix failures |
---|
| 52 | due to localhost randomly resolving to either on some distributions. |
---|
| 53 | - Isolate tests using network namespaces, if possible. This avoids |
---|
| 54 | port conflicts with other test cases (so they can run in parallel) |
---|
| 55 | and host services. |
---|
| 56 | - Support for local Apache drop-in config files in the test suite |
---|
| 57 | (e.g. to load additional modules needed on Fedora). |
---|
| 58 | - Try to use markdown to build HTML documentation if pandoc is not |
---|
| 59 | available. |
---|
| 60 | - Disable use of flock if it is unavailable or does not support |
---|
| 61 | timeouts (the latter caused the build to fail on Debian Hurd). |
---|
| 62 | - New test: Disable TLS 1.0 (regression test for Debian bug #754960). |
---|
| 63 | |
---|
[07cc51f] | 64 | ** Version 0.7.2 (2015-11-21) |
---|
| 65 | - Bugfix: Non-blocking reads in the input filter could lead to a busy |
---|
| 66 | wait in the gnutls_io_input_read function, causing high load on |
---|
| 67 | Keep-Alive connections waiting for data, until either more data |
---|
| 68 | could be received or the connection was closed. The fix is to pass |
---|
| 69 | EAGAIN/EINTR results up to the input filter so they can be handled |
---|
| 70 | properly. |
---|
| 71 | - Close TLS session if the input filter receives EOF (mostly relevant |
---|
| 72 | for proper termination of proxy connections). |
---|
| 73 | - Remove dependency on APR Memcache, which is replaced by the newer |
---|
| 74 | version included in the APR Utility Library (libaprutil). |
---|
| 75 | - Remove dependency on bc. It was used for floating point arithmetic |
---|
| 76 | in the test suite, the calculations have been changed to use |
---|
| 77 | integers and pure bash code. |
---|
| 78 | |
---|
[71cac80] | 79 | ** Version 0.7.1 (2015-10-18) |
---|
| 80 | - Improved handling of PKCS #11 modules: mod_gnutls now loads either |
---|
| 81 | modules specified using GnuTLSP11Module, or the system defaults, but |
---|
| 82 | not both. Thanks to Nikos Mavrogiannopoulos for the report and |
---|
| 83 | initial patch! |
---|
| 84 | - Initialize variables to safe defaults during client certificate |
---|
| 85 | verification. Certain error code paths did not set them, but they |
---|
| 86 | should never be hit due to config validation. This adds another line |
---|
| 87 | of defense. |
---|
| 88 | - Enable C99 support via autoconf |
---|
| 89 | - Test suite improvements. Most importantly, automake now handles |
---|
| 90 | environment setup without any external make calls. Rules to build |
---|
| 91 | the certificates are included from the old test makefile. Note that |
---|
| 92 | the dependency on GNU make is not new (the test makefile always used |
---|
| 93 | GNU make syntax), it just wasn't listed explicitly. |
---|
| 94 | |
---|
[ff46fc2] | 95 | ** Version 0.7 (2015-07-12) |
---|
[90d8480] | 96 | - Security fix for TLS client authentication (CVE-2015-2091) |
---|
[94a7c7a] | 97 | - Bug fixes that enable support for reverse proxy operation |
---|
[90d8480] | 98 | - Various test suite improvements. Tests are configured through autoconf, |
---|
| 99 | so the test suite now works for builds without Monkeysphere support. |
---|
| 100 | - Add support for TLS connections to back end servers when operating as a |
---|
| 101 | reverse proxy (X.509 authentication only at the moment). |
---|
| 102 | - PKCS #11 support for server keys and certificates |
---|
[94a7c7a] | 103 | - Use strict compiler arguments by default (-Wall -Werror -Wextra) |
---|
| 104 | - Allow limiting the size of certificates exported as SSL_SERVER_CERT |
---|
| 105 | and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive |
---|
[90d8480] | 106 | |
---|
[460c048] | 107 | ** Version 0.6 (2014-02-17) |
---|
| 108 | - Generating DH Params instead of using static ones. |
---|
| 109 | - Now considering ServerAlias Directives. |
---|
| 110 | - Major Legacy Code Cleanup. |
---|
| 111 | - html and pdf and manual documentation generated from markdown sources |
---|
| 112 | - support monkeysphere validation agent (MSVA) client-certificate verification |
---|
| 113 | - wider test suite |
---|
| 114 | - GnuTLSExportCertificates off by default |
---|
[9ee7549] | 115 | |
---|
| 116 | ** Version 0.5.10 (2011-07-12) |
---|
[460c048] | 117 | - Patched a bug responsible for excessive memory consumption by mod_gnutls. |
---|
| 118 | - Support for proxying from SSL to plain HTTP was added (ie. proxy termination). |
---|
[9ee7549] | 119 | |
---|
| 120 | ** Version 0.5.9 (2010-09-24) |
---|
| 121 | - GnuTLSCache none is now an allowed option. |
---|
| 122 | - Corrected behavior in Keep-Alive connections (do not |
---|
| 123 | terminate the connection prematurely) |
---|
| 124 | - The GnuTLSCache variable now can be given the specific |
---|
| 125 | option "gdbm" instead of "dbm". "dbm" will use the berkeley |
---|
| 126 | db type of libapr while gdbm will force gdbm to be used. |
---|
| 127 | sdbm is no longer being used due to serious limitations. |
---|
| 128 | |
---|
| 129 | ** Version 0.5.8 (2010-08-18) |
---|
| 130 | - Session tickets are enabled by default. |
---|
| 131 | - Fixes some segmentation faults noticed in some |
---|
| 132 | configurations. |
---|
| 133 | |
---|
| 134 | ** Version 0.5.7 (2010-07-01) |
---|
| 135 | - Force usage of SDBM. For some reason the default in |
---|
| 136 | my system had issues after reaching a limit of entries. |
---|
| 137 | SDBM seems stable so force it. |
---|
| 138 | - Optimizations in session caching. |
---|
| 139 | - Added support for session tickets. This allows a |
---|
| 140 | server to avoid using a session cache and still support |
---|
| 141 | session resumption. This is at the cost of transporting |
---|
| 142 | session data during handshake. New option |
---|
| 143 | GnuTLSSessionTickets [on|off] |
---|
| 144 | - Depend on gnutls 2.10.0 to force support for safe |
---|
| 145 | renegotiation. |
---|
| 146 | |
---|
| 147 | ** Version 0.5.6 (2010-03-24) |
---|
| 148 | - Corrected issue with firefox and long POST data (by |
---|
| 149 | handling EINTR and EAGAIN errors in read). |
---|
| 150 | - Added support for chained client certificates |
---|
| 151 | - Corrected more issues related to double frees |
---|
| 152 | http://issues.outoforder.cc/view.php?id=102 |
---|
| 153 | |
---|
| 154 | ** Version 0.5.5 (2009-06-13) |
---|
| 155 | - Removed limits on CA certificate loading. Reported by |
---|
| 156 | Sander Marechal and Jack Bates. |
---|
| 157 | - Do not allow sending empty TLS packets even when instructed to. |
---|
| 158 | This had the side effect of clients closing connection. |
---|
| 159 | |
---|
| 160 | ** Version 0.5.4 (2009-01-04) |
---|
| 161 | - mod_gnutls.h: modified definition to extern to avoid compilation |
---|
| 162 | errors in darwin. |
---|
| 163 | - Added patch to fix issue with mod_proxy. Investigation and patch by Alain |
---|
| 164 | Knaff. |
---|
| 165 | - libgnutls detection uses pkg-config. |
---|
| 166 | |
---|
| 167 | ** Version 0.5.3 (2008-10-16) |
---|
| 168 | - Corrected bug to allow having an OpenPGP-only web site. |
---|
| 169 | - Increased Max handshake tries due to interrupted system calls. |
---|
| 170 | |
---|
| 171 | ** Version 0.5.2 (2008-06-29) |
---|
| 172 | - Depend on gnutls 2.4 which has openpgp support in main library. |
---|
| 173 | |
---|
| 174 | ** Version 0.5.1 (2008-03-05) |
---|
| 175 | - Added --disable-srp configure option |
---|
| 176 | - Better check for memcache (patch by Guillaume Rousse) |
---|
| 177 | - Corrected possible memory leak in DBM support for resuming sessions. |
---|
| 178 | |
---|
| 179 | ** Version 0.5.0-alpha (2008-01-24) |
---|
| 180 | - Added support for OpenPGP keys. The new directives are: |
---|
| 181 | GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile |
---|
| 182 | |
---|
| 183 | ** Version 0.4.2 (2007-12-10) |
---|
| 184 | - Added support for sending a certificate chain. |
---|
| 185 | - Corrected bug which did not allow the TLS session cache to be used. |
---|
| 186 | - Do not allow resuming sessions on different servers. |
---|
| 187 | |
---|
| 188 | ** Version 0.4.1 (2007-12-03) |
---|
| 189 | - Added support for subject alternative names in certificates. |
---|
| 190 | Only one per certificate is supported. |
---|
[90d8480] | 191 | - New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%, |
---|
[9ee7549] | 192 | SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE |
---|
| 193 | - The compatibility mode can now be enabled explicitely with the |
---|
| 194 | %COMPAT keyword at the GnuTLSPriorities string. It is no longer the default. |
---|
| 195 | - Check for GnuTLSPriorities directive. This corrects a segfault. Thanks |
---|
| 196 | to David Hrbáč. |
---|
| 197 | - Better handling of GnuTLSDHFile and GnuTLSRSAFile. |
---|
| 198 | - No longer default paths for RSA and DH parameter files. |
---|