source: mod_gnutls/CHANGELOG @ 96e2ea8

debian/masterproxy-ticket
Last change on this file since 96e2ea8 was 96e2ea8, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Update changelog

  • Property mode set to 100644
File size: 11.2 KB
Line 
1** Version 0.9.0 UNRELEASED
2- Security fix: Refuse to send or receive any data over a failed TLS
3  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). This
4  could lead to requests on reverse proxy TLS connections being sent
5  in plain text, and might allow faking requests in plain text.
6- Security fix: Reject HTTP requests if they try to access virtual
7  hosts that do not match their TLS connections (commit
8  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
9  and Host header match.
10- OCSP stapling is now enabled by default, if possible. OCSP responses
11  are updated regularly and stored in a cache separate from the
12  session cache. The OCSP cache uses mod_socache_shmcb by default
13  (if the module is loaded, no other configuration required).
14- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
15  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
16  and TLS 1.3 takes care of other reasons not to use tickets while
17  requiring them for session resumption. Note that there is currently
18  no mechanism to synchronize ticket keys across a cluster of servers.
19- The internal cache implementation has been replaced with
20  mod_socache. Users may need to update their GnuTLSCache settings and
21  load the appropriate socache modules.
22- Known issue: ALPN (required for HTTP/2) works correctly only if all
23  virtual hosts using mod_gnutls share the same Protocols setting,
24  reported by Vincent Tamet.
25- GnuTLSPriorities is optional now and defaults to "NORMAL" if
26  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
27  enabled).
28- The manual is now built as a manual page, too, if pandoc is
29  available.
30- OpenPGP support has been removed.
31
32** Version 0.8.4 (2018-04-13)
33- Support Apache HTTPD 2.4.33 API for proxy TLS connections
34- Support TLS for HTTP/2 connections with mod_http2
35- Fix configuration of OCSP stapling callback
36
37** Version 0.8.3 (2017-10-20)
38- Use GnuTLS' default DH parameters by default
39- Handle long Server Name Indication data and gracefully ignore
40  unknown SNI types
41- Send SNI for proxy connections
42- Deprecate OpenPGP support like GnuTLS did (will be removed
43  completely in a future release)
44- Do not announce session ticket support for proxy connections
45- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
46- Test suite: Simplify handling of proxy backend servers and OCSP
47  responders
48- Test suite: stability/compatibility fixes
49
50** Version 0.8.2 (2017-01-08)
51- Test suite: Ensure CRLF line ends in HTTP headers
52- Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
53
54** Version 0.8.1 (2016-12-20)
55- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
56
57** Version 0.8.0 (2016-12-11)
58- New: Support for OCSP stapling
59- Bugfix: Access to DBM cache is locked using global mutex
60  "gnutls-cache"
61- Bugfix: GnuTLSSessionTickets is now disabled by default as described
62  in the handbook
63- Fixed memory leak while checking proxy backend certificate
64- Fixed memory leaks in post_config
65- Safely delete session ticket key (requires GnuTLS >= 3.4)
66- Improved error handling in post_config hook
67- Various handbook updates
68- Internal API documentation can be generated using Doxygen
69- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
70  versions before 2.2, internal Lua bytecode structure last used in
71  2011).
72- Test suite: Fixed locking for access to the PGP keyring of the test
73  certificate authority
74- mod_gnutls can be built using Clang (unsupported)
75
76** Version 0.7.5 (2016-05-28)
77- Sunil Mohan Adapa reported retry loops during session shutdown in
78  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
79  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
80  errno in mgs_transport_write() fixes the problem.
81- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
82  Debian package.
83- Build system improvements that allow VPATH builds and get "make
84  distcheck" to work
85
86** Version 0.7.4 (2016-04-13)
87- Support SoftHSM 2 for PKCS #11 testing
88- Increase verbosity of test logs
89
90** Version 0.7.3 (2016-01-12)
91- Update test suite for compatibility with GnuTLS 3.4, which has
92  stricter key usage checks and priorities than 3.3.
93- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
94  set (mod_status sets it for requests with the "auto" parameter, e.g.
95  https://localhost/server-status?auto).
96- Register "ssl_is_https" function so the special mod_rewrite variable
97  %{HTTPS} works correctly with mod_gnutls. The new test case for this
98  requires Wget or curl. Fixes Debian bug #514005.
99- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
100  default (other addresses configurable), which should fix failures
101  due to localhost randomly resolving to either on some distributions.
102- Isolate tests using network namespaces, if possible. This avoids
103  port conflicts with other test cases (so they can run in parallel)
104  and host services.
105- Support for local Apache drop-in config files in the test suite
106  (e.g. to load additional modules needed on Fedora).
107- Try to use markdown to build HTML documentation if pandoc is not
108  available.
109- Disable use of flock if it is unavailable or does not support
110  timeouts (the latter caused the build to fail on Debian Hurd).
111- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
112
113** Version 0.7.2 (2015-11-21)
114- Bugfix: Non-blocking reads in the input filter could lead to a busy
115  wait in the gnutls_io_input_read function, causing high load on
116  Keep-Alive connections waiting for data, until either more data
117  could be received or the connection was closed. The fix is to pass
118  EAGAIN/EINTR results up to the input filter so they can be handled
119  properly.
120- Close TLS session if the input filter receives EOF (mostly relevant
121  for proper termination of proxy connections).
122- Remove dependency on APR Memcache, which is replaced by the newer
123  version included in the APR Utility Library (libaprutil).
124- Remove dependency on bc. It was used for floating point arithmetic
125  in the test suite, the calculations have been changed to use
126  integers and pure bash code.
127
128** Version 0.7.1 (2015-10-18)
129- Improved handling of PKCS #11 modules: mod_gnutls now loads either
130  modules specified using GnuTLSP11Module, or the system defaults, but
131  not both. Thanks to Nikos Mavrogiannopoulos for the report and
132  initial patch!
133- Initialize variables to safe defaults during client certificate
134  verification. Certain error code paths did not set them, but they
135  should never be hit due to config validation. This adds another line
136  of defense.
137- Enable C99 support via autoconf
138- Test suite improvements. Most importantly, automake now handles
139  environment setup without any external make calls. Rules to build
140  the certificates are included from the old test makefile. Note that
141  the dependency on GNU make is not new (the test makefile always used
142  GNU make syntax), it just wasn't listed explicitly.
143
144** Version 0.7 (2015-07-12)
145- Security fix for TLS client authentication (CVE-2015-2091)
146- Bug fixes that enable support for reverse proxy operation
147- Various test suite improvements. Tests are configured through autoconf,
148  so the test suite now works for builds without Monkeysphere support.
149- Add support for TLS connections to back end servers when operating as a
150  reverse proxy (X.509 authentication only at the moment).
151- PKCS #11 support for server keys and certificates
152- Use strict compiler arguments by default (-Wall -Werror -Wextra)
153- Allow limiting the size of certificates exported as SSL_SERVER_CERT
154  and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive
155
156** Version 0.6 (2014-02-17)
157- Generating DH Params instead of using static ones.
158- Now considering ServerAlias Directives.
159- Major Legacy Code Cleanup.
160- html and pdf and manual documentation generated from markdown sources
161- support monkeysphere validation agent (MSVA) client-certificate verification
162- wider test suite
163- GnuTLSExportCertificates off by default
164
165** Version 0.5.10 (2011-07-12)
166- Patched a bug responsible for excessive memory consumption by mod_gnutls.
167- Support for proxying from SSL to plain HTTP was added (ie. proxy termination).
168
169** Version 0.5.9 (2010-09-24)
170- GnuTLSCache none is now an allowed option.
171- Corrected behavior in Keep-Alive connections (do not
172  terminate the connection prematurely)
173- The GnuTLSCache variable now can be given the specific
174  option "gdbm" instead of "dbm". "dbm" will use the berkeley
175  db type of libapr while gdbm will force gdbm to be used.
176  sdbm is no longer being used due to serious limitations.
177
178** Version 0.5.8 (2010-08-18)
179- Session tickets are enabled by default.
180- Fixes some segmentation faults noticed in some
181  configurations.
182
183** Version 0.5.7 (2010-07-01)
184- Force usage of SDBM. For some reason the default in
185  my system had issues after reaching a limit of entries.
186  SDBM seems stable so force it.
187- Optimizations in session caching.
188- Added support for session tickets. This allows a
189  server to avoid using a session cache and still support
190  session resumption. This is at the cost of transporting
191  session data during handshake. New option
192  GnuTLSSessionTickets [on|off]
193- Depend on gnutls 2.10.0 to force support for safe
194  renegotiation.
195
196** Version 0.5.6 (2010-03-24)
197- Corrected issue with firefox and long POST data (by
198  handling EINTR and EAGAIN errors in read).
199- Added support for chained client certificates
200- Corrected more issues related to double frees
201http://issues.outoforder.cc/view.php?id=102
202
203** Version 0.5.5 (2009-06-13)
204- Removed limits on CA certificate loading. Reported by
205  Sander Marechal and Jack Bates.
206- Do not allow sending empty TLS packets even when instructed to.
207  This had the side effect of clients closing connection.
208
209** Version 0.5.4 (2009-01-04)
210- mod_gnutls.h: modified definition to extern to avoid compilation
211  errors in darwin.
212- Added patch to fix issue with mod_proxy. Investigation and patch by Alain
213  Knaff.
214- libgnutls detection uses pkg-config.
215
216** Version 0.5.3 (2008-10-16)
217- Corrected bug to allow having an OpenPGP-only web site.
218- Increased Max handshake tries due to interrupted system calls.
219
220** Version 0.5.2 (2008-06-29)
221- Depend on gnutls 2.4 which has openpgp support in main library.
222
223** Version 0.5.1 (2008-03-05)
224- Added --disable-srp configure option
225- Better check for memcache (patch by Guillaume Rousse)
226- Corrected possible memory leak in DBM support for resuming sessions.
227
228** Version 0.5.0-alpha (2008-01-24)
229- Added support for OpenPGP keys. The new directives are:
230  GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile
231
232** Version 0.4.2 (2007-12-10)
233- Added support for sending a certificate chain.
234- Corrected bug which did not allow the TLS session cache to be used.
235- Do not allow resuming sessions on different servers.
236
237** Version 0.4.1 (2007-12-03)
238- Added support for subject alternative names in certificates.
239Only one per certificate is supported.
240- New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%,
241SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE
242- The compatibility mode can now be enabled explicitely with the
243%COMPAT keyword at the GnuTLSPriorities string. It is no longer the default.
244- Check for GnuTLSPriorities directive. This corrects a segfault. Thanks
245to David Hrbáč.
246- Better handling of GnuTLSDHFile and GnuTLSRSAFile.
247- No longer default paths for RSA and DH parameter files.
Note: See TracBrowser for help on using the repository browser.