source: mod_gnutls/CHANGELOG @ b0e5dae

debian/masterdebian/stretch-backportsjessie-backportsupstream
Last change on this file since b0e5dae was f0923c4, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Release version 0.7.3

  • Property mode set to 100644
File size: 7.3 KB
Line 
1**TODO:
2- Handle Unclean Shutdowns
3- make session cache use generic apache caches
4
5** Version 0.7.3 (2016-01-12)
6- Update test suite for compatibility with GnuTLS 3.4, which has
7  stricter key usage checks and priorities than 3.3.
8- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
9  set (mod_status sets it for requests with the "auto" parameter, e.g.
10  https://localhost/server-status?auto).
11- Register "ssl_is_https" function so the special mod_rewrite variable
12  %{HTTPS} works correctly with mod_gnutls. The new test case for this
13  requires Wget or curl. Fixes Debian bug #514005.
14- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
15  default (other addresses configurable), which should fix failures
16  due to localhost randomly resolving to either on some distributions.
17- Isolate tests using network namespaces, if possible. This avoids
18  port conflicts with other test cases (so they can run in parallel)
19  and host services.
20- Support for local Apache drop-in config files in the test suite
21  (e.g. to load additional modules needed on Fedora).
22- Try to use markdown to build HTML documentation if pandoc is not
23  available.
24- Disable use of flock if it is unavailable or does not support
25  timeouts (the latter caused the build to fail on Debian Hurd).
26- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
27
28** Version 0.7.2 (2015-11-21)
29- Bugfix: Non-blocking reads in the input filter could lead to a busy
30  wait in the gnutls_io_input_read function, causing high load on
31  Keep-Alive connections waiting for data, until either more data
32  could be received or the connection was closed. The fix is to pass
33  EAGAIN/EINTR results up to the input filter so they can be handled
34  properly.
35- Close TLS session if the input filter receives EOF (mostly relevant
36  for proper termination of proxy connections).
37- Remove dependency on APR Memcache, which is replaced by the newer
38  version included in the APR Utility Library (libaprutil).
39- Remove dependency on bc. It was used for floating point arithmetic
40  in the test suite, the calculations have been changed to use
41  integers and pure bash code.
42
43** Version 0.7.1 (2015-10-18)
44- Improved handling of PKCS #11 modules: mod_gnutls now loads either
45  modules specified using GnuTLSP11Module, or the system defaults, but
46  not both. Thanks to Nikos Mavrogiannopoulos for the report and
47  initial patch!
48- Initialize variables to safe defaults during client certificate
49  verification. Certain error code paths did not set them, but they
50  should never be hit due to config validation. This adds another line
51  of defense.
52- Enable C99 support via autoconf
53- Test suite improvements. Most importantly, automake now handles
54  environment setup without any external make calls. Rules to build
55  the certificates are included from the old test makefile. Note that
56  the dependency on GNU make is not new (the test makefile always used
57  GNU make syntax), it just wasn't listed explicitly.
58
59** Version 0.7 (2015-07-12)
60- Security fix for TLS client authentication (CVE-2015-2091)
61- Bug fixes that enable support for reverse proxy operation
62- Various test suite improvements. Tests are configured through autoconf,
63  so the test suite now works for builds without Monkeysphere support.
64- Add support for TLS connections to back end servers when operating as a
65  reverse proxy (X.509 authentication only at the moment).
66- PKCS #11 support for server keys and certificates
67- Use strict compiler arguments by default (-Wall -Werror -Wextra)
68- Allow limiting the size of certificates exported as SSL_SERVER_CERT
69  and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive
70
71** Version 0.6 (2014-02-17)
72- Generating DH Params instead of using static ones.
73- Now considering ServerAlias Directives.
74- Major Legacy Code Cleanup.
75- html and pdf and manual documentation generated from markdown sources
76- support monkeysphere validation agent (MSVA) client-certificate verification
77- wider test suite
78- GnuTLSExportCertificates off by default
79
80** Version 0.5.10 (2011-07-12)
81- Patched a bug responsible for excessive memory consumption by mod_gnutls.
82- Support for proxying from SSL to plain HTTP was added (ie. proxy termination).
83
84** Version 0.5.9 (2010-09-24)
85- GnuTLSCache none is now an allowed option.
86- Corrected behavior in Keep-Alive connections (do not
87  terminate the connection prematurely)
88- The GnuTLSCache variable now can be given the specific
89  option "gdbm" instead of "dbm". "dbm" will use the berkeley
90  db type of libapr while gdbm will force gdbm to be used.
91  sdbm is no longer being used due to serious limitations.
92
93** Version 0.5.8 (2010-08-18)
94- Session tickets are enabled by default.
95- Fixes some segmentation faults noticed in some
96  configurations.
97
98** Version 0.5.7 (2010-07-01)
99- Force usage of SDBM. For some reason the default in
100  my system had issues after reaching a limit of entries.
101  SDBM seems stable so force it.
102- Optimizations in session caching.
103- Added support for session tickets. This allows a
104  server to avoid using a session cache and still support
105  session resumption. This is at the cost of transporting
106  session data during handshake. New option
107  GnuTLSSessionTickets [on|off]
108- Depend on gnutls 2.10.0 to force support for safe
109  renegotiation.
110
111** Version 0.5.6 (2010-03-24)
112- Corrected issue with firefox and long POST data (by
113  handling EINTR and EAGAIN errors in read).
114- Added support for chained client certificates
115- Corrected more issues related to double frees
116http://issues.outoforder.cc/view.php?id=102
117
118** Version 0.5.5 (2009-06-13)
119- Removed limits on CA certificate loading. Reported by
120  Sander Marechal and Jack Bates.
121- Do not allow sending empty TLS packets even when instructed to.
122  This had the side effect of clients closing connection.
123
124** Version 0.5.4 (2009-01-04)
125- mod_gnutls.h: modified definition to extern to avoid compilation
126  errors in darwin.
127- Added patch to fix issue with mod_proxy. Investigation and patch by Alain
128  Knaff.
129- libgnutls detection uses pkg-config.
130
131** Version 0.5.3 (2008-10-16)
132- Corrected bug to allow having an OpenPGP-only web site.
133- Increased Max handshake tries due to interrupted system calls.
134
135** Version 0.5.2 (2008-06-29)
136- Depend on gnutls 2.4 which has openpgp support in main library.
137
138** Version 0.5.1 (2008-03-05)
139- Added --disable-srp configure option
140- Better check for memcache (patch by Guillaume Rousse)
141- Corrected possible memory leak in DBM support for resuming sessions.
142
143** Version 0.5.0-alpha (2008-01-24)
144- Added support for OpenPGP keys. The new directives are:
145  GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile
146
147** Version 0.4.2 (2007-12-10)
148- Added support for sending a certificate chain.
149- Corrected bug which did not allow the TLS session cache to be used.
150- Do not allow resuming sessions on different servers.
151
152** Version 0.4.1 (2007-12-03)
153- Added support for subject alternative names in certificates.
154Only one per certificate is supported.
155- New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%,
156SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE
157- The compatibility mode can now be enabled explicitely with the
158%COMPAT keyword at the GnuTLSPriorities string. It is no longer the default.
159- Check for GnuTLSPriorities directive. This corrects a segfault. Thanks
160to David Hrbáč.
161- Better handling of GnuTLSDHFile and GnuTLSRSAFile.
162- No longer default paths for RSA and DH parameter files.
Note: See TracBrowser for help on using the repository browser.