Tags: airtower-luna/mod_gnutls
Tags
mod_gnutls version 0.12.2 Changelog since version 0.12.1: - Update project URL - Deprecate Monkeysphere integration - Convert README to Markdown - Replace leftover pkg-config references with pkgconf - Remove unused struct member (vhost_cb_rec in gnutls_hooks.c) - Small improvements for Doxygen API documentation build
mod_gnutls version 0.12.1 Changelog since version 0.12.0: - Security fix: Remove an infinite loop in blocking read on transport timeout. Mod_gnutls versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space. - Replace obsolete Autoconf macros. Generating ./configure now requires Autoconf 2.69 (present in Debian Bullseye).
mod_gnutls version 0.12.0
Changelog since version 0.11.0:
- Three fixes that make mod_gnutls compatible with the Let's Encrypt
OCSP responder for OCSP stapling:
1. Support OCSP responses that are signed directly with the private
key of the CA and do not embed a signer certificate.
2. If the path part of OCSP URI provided in the certificate is
empty, use "/".
3. Use SHA1 for issuer name hash and issuer key hash in OCSP
requests. Support for that is required by RFC 5019 and referenced
in CAB Forum Baseline Requirements, too. This particular hash
doesn't need to be cryptographically secure.
- Remove insecure algorithms that are still included in the GnuTLS
priority set "NORMAL" from the default priorities: plain RSA key
exchange, TLS 1.0, TLS 1.1
- Fix virtual host references when retrieving OCSP responses for
stapling.
- Share server instances for tests where reasonably possible with the
same server configuration. Starting/stopping server instances is the
slowest part of the tests, so this is a nice performance
improvement. The Automake test harness now reports fewer tests, but
some include a lot more client connections and requests to keep
coverage at least as good as before.
- Various improvements to tests and logging infrastructure.
Release version 0.11.0 Changelog since 0.10.0: - Change default for GnuTLSOCSPCheckNonce to "off", and send OCSP nonces only if it has been enabled. The reason for this change is that in practice most public CAs do not support OCSP nonces, which is permitted by both RFC 6960 and the CA/Browser Forum baseline requirements (as of version 1.6.9). In this situation enforcing correct nonces by default makes the automatic OCSP stapling support mostly useless. - Add a test for correct nonce handling with "GnuTLSOCSPCheckNonce on", thanks to Krista Karppinen for that and a rewrite of the OCSP responder script in Python! - Support session resumption using session tickets for proxy connections (TLS 1.3 connections only). Requires a suitable GnuTLSCache configuration. - Disable session tickets by default. The GnuTLS built-in key rotation for session tickets never actually changes the primary key, just derives keys from it, so it does not provide forward secrecy in case an attacker learns the primary key (by gaining access to server RAM). A reload of the server is enough to generate a new key, so consider enabling session tickets and reloading the server every few hours, at least until a forward-secret rotation can be implemented. - Fix a bug that mostly prevented searching ServerAliases when selecting the virtual host from SNI. - Add ./configure option to disable building PDF documentation - Deprecate SRP and disable it by default. - Add support for building coverage reports using clang's source-based code coverage. - Make ./configure check if both [::1] and 127.0.0.1 are available, disable either if not. This makes the build work out-of-the-box in Docker containers, which by default use IPv4 only.
Release version 0.10.0 Changelog since 0.9.1: - Added support for stapling multiple OCSP responses (TLS 1.3 only). mod_gnutls will staple for as many consecutive certificates in the certificate chain as possible. - Added support for TLS 1.3 post-handshake authentication, used if TLS client authentication is required only for some resources on the server. Rehandshake (for older TLS versions) is not supported, the existing but broken code has been removed. - The test infrastructure has been mostly rewritten in Python, note the new dependencies (Python 3, Pyyaml). Tests can run multiple TLS connections and HTTP(S) requests as well as custom hooks now, see test/README.md for details. - Server certificates are checked for the must-staple TLS feature extension, stapling must be enabled if it is present. - Compatibility fix for GnuTLS 3.6.11 in the test suite: Handle peer certificate type in TLS session information strings. - The test system will automatically detect if it needs to load critical modules (e.g. mod_logio) that are built-in with the Debian packages. This makes the tests work on Fedora without modifications, and likely on similar distributions too. - Tests can optionally run with Valgrind for the primary HTTPD instance by running ./configure with --enable-valgrind-test, see test/README.md for details. - Known issue: When using MSVA client certificate validation the Valgrind tests indicate memory leaks from libcurl, which is used by libmsv to send requests to the MSVA. For details see the bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950359
Release version 0.9.1 Bugfixes: * Fix possible segfault (NULL pointer dereference) on failed TLS handshake. Calling ssl_var_lookup() after a failed handshake could lead to GnuTLS session information functions being called on a NULL session pointer, leading to segfault. * Remove URLs from expected error responses in the test suite. Apache HTTPD removed request URLs from canned error messages to prevent misleading text/links being displayed via crafted links (CVE-2019-10092). Adjust the expected error responses in our tests so they can pass again. Other changes: * Test suite: Ignore "Content-Length" header of responses. Thanks to Krista Karppinen! * Add a section about module dependencies on socache to the handbook * Restructure the manpage build and move it to section 5 (config files) * Test suite: Restructure certificate directories
Release version 0.9.0 Security fixes: * Refuse to send or receive any data over a failed TLS connection (commit 72b669e). The previous behavior could lead to requests on reverse proxy TLS connections being sent in plain text. * Reject HTTP requests if they try to access virtual hosts that do not match their TLS connections (commit de3fad3). Additionally check if SNI and Host header match. Thanks to Krista Karppinen for contributing tests! Other major changes: * The internal cache implementation has been replaced with mod_socache. You may need to update your GnuTLSCache settings and load the appropriate socache modules. * OCSP stapling is now enabled by default, if possible. OCSP responses are updated regularly and stored in a cache separate from the session cache. The automatic OCSP cache requires mod_socache_shmcb, you can configure a different type of cache as before. * HTTP/2 is now fully supported (including proxy connections). However, you need to build with GnuTLS version 3.6.3 or later to allow different "Protocols" directives between virtual hosts. Older versions require identical "Protocols" directives for overlapping virtual hosts. Thanks to Vincent Tamet for the bug report! * Session tickets are now enabled by default if using GnuTLS 3.6.4 or newer. * OpenPGP support has been removed. For more details, please see the changelog.
Release version 0.8.4 Changelog since mod_gnutls 0.8.3: * Support Apache HTTPD 2.4.33 API for proxy TLS connections * Support TLS for HTTP/2 connections with mod_http2. This means mod_gnutls now requires Apache HTTPD 2.4.17 or newer. * Fix configuration of OCSP stapling callback
Release version 0.8.3 Changelog since mod_gnutls 0.8.2: * Use GnuTLS' default DH parameters by default * Handle long Server Name Indication data and gracefully ignore unknown SNI types * Send SNI for proxy connections * Deprecate OpenPGP support like GnuTLS did (will be removed completely in a future release) * Do not announce session ticket support for proxy connections * Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI) * Test suite: Simplify handling of proxy backend servers and OCSP responders * Test suite: stability/compatibility fixes
Release version 0.8.2 Changelog since mod_gnutls 0.8.1: * Test suite: Ensure CRLF line ends in HTTP headers * Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
PreviousNext