** Version 0.9.0 UNRELEASED - Security fix: Refuse to send or receive any data over a failed TLS connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). This could lead to requests on reverse proxy TLS connections being sent in plain text, and might allow faking requests in plain text. - Security fix: Reject HTTP requests if they try to access virtual hosts that do not match their TLS connections (commit de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI and Host header match. - OCSP stapling is now enabled by default, if possible. OCSP responses are updated regularly and stored in a cache separate from the session cache. The OCSP cache uses mod_socache_shmcb by default (if the module is loaded, no other configuration required). - Session tickets are now enabled by default if using GnuTLS 3.6.4 or newer. GnuTLS 3.6.4 introduced automatic rotation for the used key, and TLS 1.3 takes care of other reasons not to use tickets while requiring them for session resumption. Note that there is currently no mechanism to synchronize ticket keys across a cluster of servers. - The internal cache implementation has been replaced with mod_socache. Users may need to update their GnuTLSCache settings and load the appropriate socache modules. - ALPN (required for HTTP/2) now works correctly with different "Protocols" directives between virtual hosts if building with GnuTLS 3.6.3 or newer. Older versions require identical "Protocols" directives for overlapping virtual hosts. Thanks to Vincent Tamet for the bug report! - GnuTLSPriorities is optional now and defaults to "NORMAL" if missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is enabled). - The manual is now built as a manual page, too, if pandoc is available. - OpenPGP support has been removed. ** Version 0.8.4 (2018-04-13) - Support Apache HTTPD 2.4.33 API for proxy TLS connections - Support TLS for HTTP/2 connections with mod_http2 - Fix configuration of OCSP stapling callback ** Version 0.8.3 (2017-10-20) - Use GnuTLS' default DH parameters by default - Handle long Server Name Indication data and gracefully ignore unknown SNI types - Send SNI for proxy connections - Deprecate OpenPGP support like GnuTLS did (will be removed completely in a future release) - Do not announce session ticket support for proxy connections - Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI) - Test suite: Simplify handling of proxy backend servers and OCSP responders - Test suite: stability/compatibility fixes ** Version 0.8.2 (2017-01-08) - Test suite: Ensure CRLF line ends in HTTP headers - Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array ** Version 0.8.1 (2016-12-20) - Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting ** Version 0.8.0 (2016-12-11) - New: Support for OCSP stapling - Bugfix: Access to DBM cache is locked using global mutex "gnutls-cache" - Bugfix: GnuTLSSessionTickets is now disabled by default as described in the handbook - Fixed memory leak while checking proxy backend certificate - Fixed memory leaks in post_config - Safely delete session ticket key (requires GnuTLS >= 3.4) - Improved error handling in post_config hook - Various handbook updates - Internal API documentation can be generated using Doxygen - Unused code has been removed (conditionals for GnuTLS 2.x and Apache versions before 2.2, internal Lua bytecode structure last used in 2011). - Test suite: Fixed locking for access to the PGP keyring of the test certificate authority - mod_gnutls can be built using Clang (unsupported) ** Version 0.7.5 (2016-05-28) - Sunil Mohan Adapa reported retry loops during session shutdown in cleanup_gnutls_session() due to gnutls_bye() incorrectly returning GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session errno in mgs_transport_write() fixes the problem. - Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the Debian package. - Build system improvements that allow VPATH builds and get "make distcheck" to work ** Version 0.7.4 (2016-04-13) - Support SoftHSM 2 for PKCS #11 testing - Increase verbosity of test logs ** Version 0.7.3 (2016-01-12) - Update test suite for compatibility with GnuTLS 3.4, which has stricter key usage checks and priorities than 3.3. - Write non-HTML output to mod_status reports if AP_STATUS_SHORT is set (mod_status sets it for requests with the "auto" parameter, e.g. https://localhost/server-status?auto). - Register "ssl_is_https" function so the special mod_rewrite variable %{HTTPS} works correctly with mod_gnutls. The new test case for this requires Wget or curl. Fixes Debian bug #514005. - Test suite servers listen on IPv4 *and* IPv6 loopback addresses by default (other addresses configurable), which should fix failures due to localhost randomly resolving to either on some distributions. - Isolate tests using network namespaces, if possible. This avoids port conflicts with other test cases (so they can run in parallel) and host services. - Support for local Apache drop-in config files in the test suite (e.g. to load additional modules needed on Fedora). - Try to use markdown to build HTML documentation if pandoc is not available. - Disable use of flock if it is unavailable or does not support timeouts (the latter caused the build to fail on Debian Hurd). - New test: Disable TLS 1.0 (regression test for Debian bug #754960). ** Version 0.7.2 (2015-11-21) - Bugfix: Non-blocking reads in the input filter could lead to a busy wait in the gnutls_io_input_read function, causing high load on Keep-Alive connections waiting for data, until either more data could be received or the connection was closed. The fix is to pass EAGAIN/EINTR results up to the input filter so they can be handled properly. - Close TLS session if the input filter receives EOF (mostly relevant for proper termination of proxy connections). - Remove dependency on APR Memcache, which is replaced by the newer version included in the APR Utility Library (libaprutil). - Remove dependency on bc. It was used for floating point arithmetic in the test suite, the calculations have been changed to use integers and pure bash code. ** Version 0.7.1 (2015-10-18) - Improved handling of PKCS #11 modules: mod_gnutls now loads either modules specified using GnuTLSP11Module, or the system defaults, but not both. Thanks to Nikos Mavrogiannopoulos for the report and initial patch! - Initialize variables to safe defaults during client certificate verification. Certain error code paths did not set them, but they should never be hit due to config validation. This adds another line of defense. - Enable C99 support via autoconf - Test suite improvements. Most importantly, automake now handles environment setup without any external make calls. Rules to build the certificates are included from the old test makefile. Note that the dependency on GNU make is not new (the test makefile always used GNU make syntax), it just wasn't listed explicitly. ** Version 0.7 (2015-07-12) - Security fix for TLS client authentication (CVE-2015-2091) - Bug fixes that enable support for reverse proxy operation - Various test suite improvements. Tests are configured through autoconf, so the test suite now works for builds without Monkeysphere support. - Add support for TLS connections to back end servers when operating as a reverse proxy (X.509 authentication only at the moment). - PKCS #11 support for server keys and certificates - Use strict compiler arguments by default (-Wall -Werror -Wextra) - Allow limiting the size of certificates exported as SSL_SERVER_CERT and SSL_CLIENT_CERT through the GnuTLSExportCertificates directive ** Version 0.6 (2014-02-17) - Generating DH Params instead of using static ones. - Now considering ServerAlias Directives. - Major Legacy Code Cleanup. - html and pdf and manual documentation generated from markdown sources - support monkeysphere validation agent (MSVA) client-certificate verification - wider test suite - GnuTLSExportCertificates off by default ** Version 0.5.10 (2011-07-12) - Patched a bug responsible for excessive memory consumption by mod_gnutls. - Support for proxying from SSL to plain HTTP was added (ie. proxy termination). ** Version 0.5.9 (2010-09-24) - GnuTLSCache none is now an allowed option. - Corrected behavior in Keep-Alive connections (do not terminate the connection prematurely) - The GnuTLSCache variable now can be given the specific option "gdbm" instead of "dbm". "dbm" will use the berkeley db type of libapr while gdbm will force gdbm to be used. sdbm is no longer being used due to serious limitations. ** Version 0.5.8 (2010-08-18) - Session tickets are enabled by default. - Fixes some segmentation faults noticed in some configurations. ** Version 0.5.7 (2010-07-01) - Force usage of SDBM. For some reason the default in my system had issues after reaching a limit of entries. SDBM seems stable so force it. - Optimizations in session caching. - Added support for session tickets. This allows a server to avoid using a session cache and still support session resumption. This is at the cost of transporting session data during handshake. New option GnuTLSSessionTickets [on|off] - Depend on gnutls 2.10.0 to force support for safe renegotiation. ** Version 0.5.6 (2010-03-24) - Corrected issue with firefox and long POST data (by handling EINTR and EAGAIN errors in read). - Added support for chained client certificates - Corrected more issues related to double frees http://issues.outoforder.cc/view.php?id=102 ** Version 0.5.5 (2009-06-13) - Removed limits on CA certificate loading. Reported by Sander Marechal and Jack Bates. - Do not allow sending empty TLS packets even when instructed to. This had the side effect of clients closing connection. ** Version 0.5.4 (2009-01-04) - mod_gnutls.h: modified definition to extern to avoid compilation errors in darwin. - Added patch to fix issue with mod_proxy. Investigation and patch by Alain Knaff. - libgnutls detection uses pkg-config. ** Version 0.5.3 (2008-10-16) - Corrected bug to allow having an OpenPGP-only web site. - Increased Max handshake tries due to interrupted system calls. ** Version 0.5.2 (2008-06-29) - Depend on gnutls 2.4 which has openpgp support in main library. ** Version 0.5.1 (2008-03-05) - Added --disable-srp configure option - Better check for memcache (patch by Guillaume Rousse) - Corrected possible memory leak in DBM support for resuming sessions. ** Version 0.5.0-alpha (2008-01-24) - Added support for OpenPGP keys. The new directives are: GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile ** Version 0.4.2 (2007-12-10) - Added support for sending a certificate chain. - Corrected bug which did not allow the TLS session cache to be used. - Do not allow resuming sessions on different servers. ** Version 0.4.1 (2007-12-03) - Added support for subject alternative names in certificates. Only one per certificate is supported. - New enviroment variables: SSL_CLIENT_M_VERSION, SSL_CLIENT_S_SAN%, SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE - The compatibility mode can now be enabled explicitely with the %COMPAT keyword at the GnuTLSPriorities string. It is no longer the default. - Check for GnuTLSPriorities directive. This corrects a segfault. Thanks to David Hrbáč. - Better handling of GnuTLSDHFile and GnuTLSRSAFile. - No longer default paths for RSA and DH parameter files.