source: mod_gnutls/CHANGELOG @ 38bf158

proxy-ticket
Last change on this file since 38bf158 was 38bf158, checked in by Fiona Klute <fiona.klute@…>, 9 months ago

Documentation for testing with Valgrind

  • Property mode set to 100644
File size: 13.3 KB
Line 
1** Version 0.10.0 (UNRELEASED)
2
3- Support for stapling multiple OCSP responses (TLS 1.3
4  only). mod_gnutls will staple for as many consecutive certificates
5  in the certificate chain as possible.
6
7- Support for TLS 1.3 post-handshake authentication, used if TLS
8  client authentication is required only for some resources on the
9  server. Rehandshake (for older TLS versions) is not supported.
10
11- The test infrastructure has been mostly rewritten in Python, note
12  the new dependencies (Python 3, Pyyaml).
13
14- Server certificates are checked for the must-staple TLS feature
15  extension, stapling must be enabled if it is present.
16
17- Compatibility fix for GnuTLS 3.6.11 in the test suite: Handle
18  certificate type in TLS session information strings.
19
20- Tests can optionally run with Valgrind for the primary HTTPD
21  instance by running ./configure with --enable-valgrind-test, see
22  test/README.md for details.
23
24** Version 0.9.1 (2019-11-29)
25- Fix possible segfault (NULL pointer dereference) on failed TLS
26  handshake. Calling ssl_var_lookup() after a failed handshake could
27  lead to GnuTLS session information functions being called on a NULL
28  session pointer, leading to segfault.
29- Remove URLs from expected error responses in the test suite. Apache
30  HTTPD removed request URLs from canned error messages to prevent
31  misleading text/links being displayed via crafted links
32  (CVE-2019-10092). Adjust the expected error responses in our tests
33  so they can pass again.
34- Test suite: Ignore "Content-Length" header of responses. Thanks to
35  Krista Karppinen!
36- Add a section about module dependencies on socache to the handbook
37- Restructure the manpage build and move it to section 5 (config
38  files)
39- Test suite: Restructure certificate directories
40
41** Version 0.9.0 (2019-01-23)
42- Security fix: Refuse to send or receive any data over a failed TLS
43  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
44  previous behavior could lead to requests on reverse proxy TLS
45  connections being sent in plain text, and might have allowed faking
46  requests in plain text.
47- Security fix: Reject HTTP requests if they try to access virtual
48  hosts that do not match their TLS connections (commit
49  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
50  and Host header match. Thanks to Krista Karppinen for contributing
51  tests!
52- OCSP stapling is now enabled by default, if possible. OCSP responses
53  are updated regularly and stored in a cache separate from the
54  session cache. The OCSP cache uses mod_socache_shmcb by default
55  (if the module is loaded, no other configuration required).
56- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
57  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
58  and TLS 1.3 takes care of other reasons not to use tickets while
59  requiring them for session resumption. Note that there is currently
60  no mechanism to synchronize ticket keys across a cluster of servers.
61- The internal cache implementation has been replaced with
62  mod_socache. Users may need to update their GnuTLSCache settings and
63  load the appropriate socache modules.
64- ALPN (required for HTTP/2) now works correctly with different
65  "Protocols" directives between virtual hosts if building with GnuTLS
66  3.6.3 or newer. Older versions require identical "Protocols"
67  directives for overlapping virtual hosts. Thanks to Vincent Tamet
68  for the bug report!
69- ALPN is now supported for proxy connections, making HTTP/2 proxy
70  connections using mod_proxy_http2 possible.
71- GnuTLSPriorities is optional now and defaults to "NORMAL" if
72  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
73  enabled).
74- The manual is now built as a manual page, too, if pandoc is
75  available.
76- OpenPGP support has been removed.
77- Don't require pem2openpgp for tests when building without MSVA
78  support.
79
80** Version 0.8.4 (2018-04-13)
81- Support Apache HTTPD 2.4.33 API for proxy TLS connections
82- Support TLS for HTTP/2 connections with mod_http2
83- Fix configuration of OCSP stapling callback
84
85** Version 0.8.3 (2017-10-20)
86- Use GnuTLS' default DH parameters by default
87- Handle long Server Name Indication data and gracefully ignore
88  unknown SNI types
89- Send SNI for proxy connections
90- Deprecate OpenPGP support like GnuTLS did (will be removed
91  completely in a future release)
92- Do not announce session ticket support for proxy connections
93- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
94- Test suite: Simplify handling of proxy backend servers and OCSP
95  responders
96- Test suite: stability/compatibility fixes
97
98** Version 0.8.2 (2017-01-08)
99- Test suite: Ensure CRLF line ends in HTTP headers
100- Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
101
102** Version 0.8.1 (2016-12-20)
103- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
104
105** Version 0.8.0 (2016-12-11)
106- New: Support for OCSP stapling
107- Bugfix: Access to DBM cache is locked using global mutex
108  "gnutls-cache"
109- Bugfix: GnuTLSSessionTickets is now disabled by default as described
110  in the handbook
111- Fixed memory leak while checking proxy backend certificate
112- Fixed memory leaks in post_config
113- Safely delete session ticket key (requires GnuTLS >= 3.4)
114- Improved error handling in post_config hook
115- Various handbook updates
116- Internal API documentation can be generated using Doxygen
117- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
118  versions before 2.2, internal Lua bytecode structure last used in
119  2011).
120- Test suite: Fixed locking for access to the PGP keyring of the test
121  certificate authority
122- mod_gnutls can be built using Clang (unsupported)
123
124** Version 0.7.5 (2016-05-28)
125- Sunil Mohan Adapa reported retry loops during session shutdown in
126  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
127  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
128  errno in mgs_transport_write() fixes the problem.
129- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
130  Debian package.
131- Build system improvements that allow VPATH builds and get "make
132  distcheck" to work
133
134** Version 0.7.4 (2016-04-13)
135- Support SoftHSM 2 for PKCS #11 testing
136- Increase verbosity of test logs
137
138** Version 0.7.3 (2016-01-12)
139- Update test suite for compatibility with GnuTLS 3.4, which has
140  stricter key usage checks and priorities than 3.3.
141- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
142  set (mod_status sets it for requests with the "auto" parameter, e.g.
143  https://localhost/server-status?auto).
144- Register "ssl_is_https" function so the special mod_rewrite variable
145  %{HTTPS} works correctly with mod_gnutls. The new test case for this
146  requires Wget or curl. Fixes Debian bug #514005.
147- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
148  default (other addresses configurable), which should fix failures
149  due to localhost randomly resolving to either on some distributions.
150- Isolate tests using network namespaces, if possible. This avoids
151  port conflicts with other test cases (so they can run in parallel)
152  and host services.
153- Support for local Apache drop-in config files in the test suite
154  (e.g. to load additional modules needed on Fedora).
155- Try to use markdown to build HTML documentation if pandoc is not
156  available.
157- Disable use of flock if it is unavailable or does not support
158  timeouts (the latter caused the build to fail on Debian Hurd).
159- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
160
161** Version 0.7.2 (2015-11-21)
162- Bugfix: Non-blocking reads in the input filter could lead to a busy
163  wait in the gnutls_io_input_read function, causing high load on
164  Keep-Alive connections waiting for data, until either more data
165  could be received or the connection was closed. The fix is to pass
166  EAGAIN/EINTR results up to the input filter so they can be handled
167  properly.
168- Close TLS session if the input filter receives EOF (mostly relevant
169  for proper termination of proxy connections).
170- Remove dependency on APR Memcache, which is replaced by the newer
171  version included in the APR Utility Library (libaprutil).
172- Remove dependency on bc. It was used for floating point arithmetic
173  in the test suite, the calculations have been changed to use
174  integers and pure bash code.
175
176** Version 0.7.1 (2015-10-18)
177- Improved handling of PKCS #11 modules: mod_gnutls now loads either
178  modules specified using GnuTLSP11Module, or the system defaults, but
179  not both. Thanks to Nikos Mavrogiannopoulos for the report and
180  initial patch!
181- Initialize variables to safe defaults during client certificate
182  verification. Certain error code paths did not set them, but they
183  should never be hit due to config validation. This adds another line
184  of defense.
185- Enable C99 support via autoconf
186- Test suite improvements. Most importantly, automake now handles
187  environment setup without any external make calls. Rules to build
188  the certificates are included from the old test makefile. Note that
189  the dependency on GNU make is not new (the test makefile always used
190  GNU make syntax), it just wasn't listed explicitly.
191
192** Version 0.7 (2015-07-12)
193- Security fix for TLS client authentication (CVE-2015-2091)
194- Bug fixes that enable support for reverse proxy operation
195- Various test suite improvements. Tests are configured through autoconf,
196  so the test suite now works for builds without Monkeysphere support.
197- Add support for TLS connections to back end servers when operating as a
198  reverse proxy (X.509 authentication only at the moment).
199- PKCS #11 support for server keys and certificates
200- Use strict compiler arguments by default (-Wall -Werror -Wextra)
201- Allow limiting the size of certificates exported as SSL_SERVER_CERT
202  and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive
203
204** Version 0.6 (2014-02-17)
205- Generating DH Params instead of using static ones.
206- Now considering ServerAlias Directives.
207- Major Legacy Code Cleanup.
208- html and pdf and manual documentation generated from markdown sources
209- support monkeysphere validation agent (MSVA) client-certificate verification
210- wider test suite
211- GnuTLSExportCertificates off by default
212
213** Version 0.5.10 (2011-07-12)
214- Patched a bug responsible for excessive memory consumption by mod_gnutls.
215- Support for proxying from SSL to plain HTTP was added (ie. proxy termination).
216
217** Version 0.5.9 (2010-09-24)
218- GnuTLSCache none is now an allowed option.
219- Corrected behavior in Keep-Alive connections (do not
220  terminate the connection prematurely)
221- The GnuTLSCache variable now can be given the specific
222  option "gdbm" instead of "dbm". "dbm" will use the berkeley
223  db type of libapr while gdbm will force gdbm to be used.
224  sdbm is no longer being used due to serious limitations.
225
226** Version 0.5.8 (2010-08-18)
227- Session tickets are enabled by default.
228- Fixes some segmentation faults noticed in some
229  configurations.
230
231** Version 0.5.7 (2010-07-01)
232- Force usage of SDBM. For some reason the default in
233  my system had issues after reaching a limit of entries.
234  SDBM seems stable so force it.
235- Optimizations in session caching.
236- Added support for session tickets. This allows a
237  server to avoid using a session cache and still support
238  session resumption. This is at the cost of transporting
239  session data during handshake. New option
240  GnuTLSSessionTickets [on|off]
241- Depend on gnutls 2.10.0 to force support for safe
242  renegotiation.
243
244** Version 0.5.6 (2010-03-24)
245- Corrected issue with firefox and long POST data (by
246  handling EINTR and EAGAIN errors in read).
247- Added support for chained client certificates
248- Corrected more issues related to double frees
249http://issues.outoforder.cc/view.php?id=102
250
251** Version 0.5.5 (2009-06-13)
252- Removed limits on CA certificate loading. Reported by
253  Sander Marechal and Jack Bates.
254- Do not allow sending empty TLS packets even when instructed to.
255  This had the side effect of clients closing connection.
256
257** Version 0.5.4 (2009-01-04)
258- mod_gnutls.h: modified definition to extern to avoid compilation
259  errors in darwin.
260- Added patch to fix issue with mod_proxy. Investigation and patch by Alain
261  Knaff.
262- libgnutls detection uses pkg-config.
263
264** Version 0.5.3 (2008-10-16)
265- Corrected bug to allow having an OpenPGP-only web site.
266- Increased Max handshake tries due to interrupted system calls.
267
268** Version 0.5.2 (2008-06-29)
269- Depend on gnutls 2.4 which has openpgp support in main library.
270
271** Version 0.5.1 (2008-03-05)
272- Added --disable-srp configure option
273- Better check for memcache (patch by Guillaume Rousse)
274- Corrected possible memory leak in DBM support for resuming sessions.
275
276** Version 0.5.0-alpha (2008-01-24)
277- Added support for OpenPGP keys. The new directives are:
278  GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile
279
280** Version 0.4.2 (2007-12-10)
281- Added support for sending a certificate chain.
282- Corrected bug which did not allow the TLS session cache to be used.
283- Do not allow resuming sessions on different servers.
284
285** Version 0.4.1 (2007-12-03)
286- Added support for subject alternative names in certificates.
287Only one per certificate is supported.
288- New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%,
289SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE
290- The compatibility mode can now be enabled explicitely with the
291%COMPAT keyword at the GnuTLSPriorities string. It is no longer the default.
292- Check for GnuTLSPriorities directive. This corrects a segfault. Thanks
293to David Hrbáč.
294- Better handling of GnuTLSDHFile and GnuTLSRSAFile.
295- No longer default paths for RSA and DH parameter files.
Note: See TracBrowser for help on using the repository browser.