Changeset 96e2ea8 in mod_gnutls

Timestamp: Nov 2, 2018, 7:19:15 AM
Author: Fiona Klute <fiona.klute@…>
Branches: asyncio, debian/master, master, proxy-ticket
Message: Update changelog
Files: 1 edited

    ra997449 r96e2ea8  
     1** Version 0.9.0 UNRELEASED
     2- Security fix: Refuse to send or receive any data over a failed TLS
     3  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). This
     4  could lead to requests on reverse proxy TLS connections being sent
     5  in plain text, and might allow faking requests in plain text.
     6- Security fix: Reject HTTP requests if they try to access virtual
     7  hosts that do not match their TLS connections (commit
     8  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
     9  and Host header match.
     10- OCSP stapling is now enabled by default, if possible. OCSP responses
     11  are updated regularly and stored in a cache separate from the
     12  session cache. The OCSP cache uses mod_socache_shmcb by default
     13  (if the module is loaded, no other configuration required).
     14- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
     15  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
     16  and TLS 1.3 takes care of other reasons not to use tickets while
     17  requiring them for session resumption. Note that there is currently
     18  no mechanism to synchronize ticket keys across a cluster of servers.
     19- The internal cache implementation has been replaced with
     20  mod_socache. Users may need to update their GnuTLSCache settings and
     21  load the appropriate socache modules.
     22- Known issue: ALPN (required for HTTP/2) works correctly only if all
     23  virtual hosts using mod_gnutls share the same Protocols setting,
     24  reported by Vincent Tamet.
     25- GnuTLSPriorities is optional now and defaults to "NORMAL" if
     26  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
     27  enabled).
     28- The manual is now built as a manual page, too, if pandoc is
     29  available.
     30- OpenPGP support has been removed.
    132** Version 0.8.4 (2018-04-13)
    233- Support Apache HTTPD 2.4.33 API for proxy TLS connections
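Review bot: In the first security entry (new lines 2-5), "This could lead to requests on reverse proxy TLS connections being sent in plain text" follows directly after the description of the fix, so "This" reads as if refusing data on a failed TLS connection were the cause of the plain text exposure. Reword it so the sentence clearly describes the behaviour before commit 72b669eae8c45dda1850e8e5b30a97c918357b51, for example "Previously, requests on reverse proxy TLS connections could be sent in plain text, and requests might be faked in plain text." The second entry (new lines 6-9) has a related gap: "Additionally check if SNI and Host header match" does not say what happens to a request on a mismatch. Neither entry states which released versions are affected, which is what an administrator reading the 0.9.0 changelog needs to decide how urgently to upgrade.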