Changeset ea9c699 in mod_gnutls for CHANGELOG

Jan 28, 2019, 2:50:38 PM (22 months ago)
Fiona Klute <fiona.klute@…>
8a264b0 (diff), 510764a (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.

New upstream version 0.9.0

1 edited



    r8a264b0 rea9c699  
    1 **TODO:
    2 - Handle Unclean Shutdowns
    3 - make session cache use generic apache caches
     1** Version 0.9.0 (2019-01-23)
     2- Security fix: Refuse to send or receive any data over a failed TLS
     3  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
     4  previous behavior could lead to requests on reverse proxy TLS
     5  connections being sent in plain text, and might have allowed faking
     6  requests in plain text.
     7- Security fix: Reject HTTP requests if they try to access virtual
     8  hosts that do not match their TLS connections (commit
     9  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
     10  and Host header match. Thanks to Krista Karppinen for contributing
     11  tests!
     12- OCSP stapling is now enabled by default, if possible. OCSP responses
     13  are updated regularly and stored in a cache separate from the
     14  session cache. The OCSP cache uses mod_socache_shmcb by default
     15  (if the module is loaded, no other configuration required).
     16- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
     17  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
     18  and TLS 1.3 takes care of other reasons not to use tickets while
     19  requiring them for session resumption. Note that there is currently
     20  no mechanism to synchronize ticket keys across a cluster of servers.
     21- The internal cache implementation has been replaced with
     22  mod_socache. Users may need to update their GnuTLSCache settings and
     23  load the appropriate socache modules.
     24- ALPN (required for HTTP/2) now works correctly with different
     25  "Protocols" directives between virtual hosts if building with GnuTLS
     26  3.6.3 or newer. Older versions require identical "Protocols"
     27  directives for overlapping virtual hosts. Thanks to Vincent Tamet
     28  for the bug report!
     29- ALPN is now supported for proxy connections, making HTTP/2 proxy
     30  connections using mod_proxy_http2 possible.
     31- GnuTLSPriorities is optional now and defaults to "NORMAL" if
     32  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
     33  enabled).
     34- The manual is now built as a manual page, too, if pandoc is
     35  available.
     36- OpenPGP support has been removed.
     37- Don't require pem2openpgp for tests when building without MSVA
     38  support.
     40** Version 0.8.4 (2018-04-13)
     41- Support Apache HTTPD 2.4.33 API for proxy TLS connections
     42- Support TLS for HTTP/2 connections with mod_http2
     43- Fix configuration of OCSP stapling callback
     45** Version 0.8.3 (2017-10-20)
     46- Use GnuTLS' default DH parameters by default
     47- Handle long Server Name Indication data and gracefully ignore
     48  unknown SNI types
     49- Send SNI for proxy connections
     50- Deprecate OpenPGP support like GnuTLS did (will be removed
     51  completely in a future release)
     52- Do not announce session ticket support for proxy connections
     53- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
     54- Test suite: Simplify handling of proxy backend servers and OCSP
     55  responders
     56- Test suite: stability/compatibility fixes
     58** Version 0.8.2 (2017-01-08)
     59- Test suite: Ensure CRLF line ends in HTTP headers
     60- Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
     62** Version 0.8.1 (2016-12-20)
     63- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
     65** Version 0.8.0 (2016-12-11)
     66- New: Support for OCSP stapling
     67- Bugfix: Access to DBM cache is locked using global mutex
     68  "gnutls-cache"
     69- Bugfix: GnuTLSSessionTickets is now disabled by default as described
     70  in the handbook
     71- Fixed memory leak while checking proxy backend certificate
     72- Fixed memory leaks in post_config
     73- Safely delete session ticket key (requires GnuTLS >= 3.4)
     74- Improved error handling in post_config hook
     75- Various handbook updates
     76- Internal API documentation can be generated using Doxygen
     77- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
     78  versions before 2.2, internal Lua bytecode structure last used in
     79  2011).
     80- Test suite: Fixed locking for access to the PGP keyring of the test
     81  certificate authority
     82- mod_gnutls can be built using Clang (unsupported)
     84** Version 0.7.5 (2016-05-28)
     85- Sunil Mohan Adapa reported retry loops during session shutdown in
     86  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
     87  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
     88  errno in mgs_transport_write() fixes the problem.
     89- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
     90  Debian package.
     91- Build system improvements that allow VPATH builds and get "make
     92  distcheck" to work
     94** Version 0.7.4 (2016-04-13)
     95- Support SoftHSM 2 for PKCS #11 testing
     96- Increase verbosity of test logs
    598** Version 0.7.3 (2016-01-12)
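Review bot: the 0.9.0 entries flip two defaults without saying what an upgrading admin has to do, in the "Session tickets are now enabled by default" item and the "internal cache implementation has been replaced with mod_socache" item. The ticket entry concedes there is no mechanism to synchronize ticket keys across a cluster; spell out the consequence (a ticket issued by one node cannot be resumed on another, so clients fall back to full handshakes) and whether GnuTLSSessionTickets should be set off in such deployments, since the 0.8.0 entry further down records the default being changed to off and this release changes it back to on for GnuTLS 3.6.4 and newer. The mod_socache entry says users "may need to update their GnuTLSCache settings and load the appropriate socache modules" but names neither the new syntax nor a module; the OCSP entry already names mod_socache_shmcb, so a one-line pointer to the handbook section and that module would suffice. For the two "Security fix" entries, list CVE or advisory identifiers alongside the commit hashes if any were assigned, and state what the client receives when a request is rejected for a virtual host / SNI / Host header mismatch, because "Reject HTTP requests" does not say whether the connection is closed or an error status is returned. Minor: the removed TODO items ("Handle Unclean Shutdowns" and "make session cache use generic apache caches") are both covered by 0.9.0 entries, so dropping them is fine.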