- Timestamp: Nov 2, 2018, 7:19:15 AM (2 years ago)
- Branches: asyncio, debian/master, master, proxy-ticket
- Children: 3c6645b
- Parents: a997449
- File: 1 edited
CHANGELOG
ra997449 r96e2ea8 1 ** Version 0.9.0 UNRELEASED 2 - Security fix: Refuse to send or receive any data over a failed TLS 3 connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). This 4 could lead to requests on reverse proxy TLS connections being sent 5 in plain text, and might allow faking requests in plain text. 6 - Security fix: Reject HTTP requests if they try to access virtual 7 hosts that do not match their TLS connections (commit 8 de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI 9 and Host header match. 10 - OCSP stapling is now enabled by default, if possible. OCSP responses 11 are updated regularly and stored in a cache separate from the 12 session cache. The OCSP cache uses mod_socache_shmcb by default 13 (if the module is loaded, no other configuration required). 14 - Session tickets are now enabled by default if using GnuTLS 3.6.4 or 15 newer. GnuTLS 3.6.4 introduced automatic rotation for the used key, 16 and TLS 1.3 takes care of other reasons not to use tickets while 17 requiring them for session resumption. Note that there is currently 18 no mechanism to synchronize ticket keys across a cluster of servers. 19 - The internal cache implementation has been replaced with 20 mod_socache. Users may need to update their GnuTLSCache settings and 21 load the appropriate socache modules. 22 - Known issue: ALPN (required for HTTP/2) works correctly only if all 23 virtual hosts using mod_gnutls share the same Protocols setting, 24 reported by Vincent Tamet. 25 - GnuTLSPriorities is optional now and defaults to "NORMAL" if 26 missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is 27 enabled). 28 - The manual is now built as a manual page, too, if pandoc is 29 available. 30 - OpenPGP support has been removed. 31 1 32 ** Version 0.8.4 (2018-04-13) 2 33 - Support Apache HTTPD 2.4.33 API for proxy TLS connections
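Review bot: In the first security entry, the sentence beginning "This could lead to requests on reverse proxy TLS connections being sent in plain text" has the fix itself as its grammatical subject, so it reads as if the new refusal causes the leak. Reword it so the subject is the old behaviour, for example "Previously, requests on reverse proxy TLS connections could be sent in plain text after a failed handshake". Both security entries identify the fix only by commit hash; adding which released versions are affected would let an operator decide from the changelog alone whether an upgrade is urgent. The session ticket entry changes a default while stating that there is no mechanism to synchronize ticket keys across a cluster, so it should also say how a clustered deployment keeps tickets off. The mod_socache entry is a configuration-breaking change ("Users may need to update their GnuTLSCache settings") and would be easier to spot if it sat directly after the security fixes rather than mid-list.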