Changeset 19e80a5 in mod_gnutls for CHANGELOG

Jan 28, 2019, 2:50:38 PM (20 months ago)
Fiona Klute <fiona.klute@…>
0931b35 (diff), ea9c699 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.

Update upstream source from tag 'upstream/0.9.0'

Update to upstream version '0.9.0'
with Debian dir 619b546038886b240d2c8e61ee1a1b13ce0867d7

1 edited



    r0931b35 r19e80a5  
     1** Version 0.9.0 (2019-01-23)
     2- Security fix: Refuse to send or receive any data over a failed TLS
     3  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
     4  previous behavior could lead to requests on reverse proxy TLS
     5  connections being sent in plain text, and might have allowed faking
     6  requests in plain text.
     7- Security fix: Reject HTTP requests if they try to access virtual
     8  hosts that do not match their TLS connections (commit
     9  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
     10  and Host header match. Thanks to Krista Karppinen for contributing
     11  tests!
     12- OCSP stapling is now enabled by default, if possible. OCSP responses
     13  are updated regularly and stored in a cache separate from the
     14  session cache. The OCSP cache uses mod_socache_shmcb by default
     15  (if the module is loaded, no other configuration required).
     16- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
     17  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
     18  and TLS 1.3 takes care of other reasons not to use tickets while
     19  requiring them for session resumption. Note that there is currently
     20  no mechanism to synchronize ticket keys across a cluster of servers.
     21- The internal cache implementation has been replaced with
     22  mod_socache. Users may need to update their GnuTLSCache settings and
     23  load the appropriate socache modules.
     24- ALPN (required for HTTP/2) now works correctly with different
     25  "Protocols" directives between virtual hosts if building with GnuTLS
     26  3.6.3 or newer. Older versions require identical "Protocols"
     27  directives for overlapping virtual hosts. Thanks to Vincent Tamet
     28  for the bug report!
     29- ALPN is now supported for proxy connections, making HTTP/2 proxy
     30  connections using mod_proxy_http2 possible.
     31- GnuTLSPriorities is optional now and defaults to "NORMAL" if
     32  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
     33  enabled).
     34- The manual is now built as a manual page, too, if pandoc is
     35  available.
     36- OpenPGP support has been removed.
     37- Don't require pem2openpgp for tests when building without MSVA
     38  support.
    140** Version 0.8.4 (2018-04-13)
    241- Support Apache HTTPD 2.4.33 API for proxy TLS connections
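Review bot: The mod_socache entry (new lines 21-23) announces a change that can break existing configurations, but it only says users "may need to update their GnuTLSCache settings and load the appropriate socache modules" without saying which settings or which modules. Suggest describing the new GnuTLSCache value format or pointing to the relevant manual section, and marking the entry as an incompatible change. The session ticket entry (new lines 16-20) has a similar gap: tickets are now enabled by default on GnuTLS 3.6.4 or newer, while the entry itself notes there is no mechanism to synchronize ticket keys across a cluster, so it should say how operators of clustered servers can turn tickets off. In the second security fix (new lines 7-11), "Additionally check if SNI and Host header match" does not say what happens on a mismatch; state the outcome explicitly, as the first sentence of that entry does.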