File apache2-mod_gnutls.changes of Package apache2-mod_gnutls
-------------------------------------------------------------------
Mon Sep 30 05:42:57 UTC 2024 - pgajdos@suse.com
- version update to 0.12.2
* Convert README to Markdown
* Replace leftover pkg-config references with pkgconf
* Remove unused struct member (vhost_cb_rec in gnutls_hooks.c)
* Small improvements for Doxygen API documentation build
-------------------------------------------------------------------
Thu Jun 20 09:24:00 UTC 2024 - pgajdos@suse.com
- drop unmaintained apache-rex usage
-------------------------------------------------------------------
Thu Feb 23 20:11:12 UTC 2023 - pgajdos@suse.com
- version update to 0.12.1
- Security fix: Remove an infinite loop in blocking read on transport
timeout. Mod_gnutls versions from 0.9.0 to 0.12.0 (including) did
not properly fail blocking read operations on TLS connections when
the transport hit timeouts. Instead it entered an endless loop
retrying the read operation, consuming CPU resources. This could be
exploited for denial of service attacks. If trace level logging was
enabled, it would also produce an excessive amount of log output
during the loop, consuming disk space.
- Replace obsolete Autoconf macros. Generating ./configure now
requires Autoconf 2.69 (present in Debian Bullseye).
-------------------------------------------------------------------
Thu Feb 3 10:52:06 UTC 2022 - pgajdos@suse.com
- version update to 0.12.0
- Three fixes that make mod_gnutls compatible with the Let's Encrypt
OCSP responder for OCSP stapling:
1. Support OCSP responses that are signed directly with the private
key of the CA and do not embed a signer certificate.
2. If the path part of OCSP URI provided in the certificate is
empty, use "/".
3. Use SHA1 for issuer name hash and issuer key hash in OCSP
requests. Support for that is required by RFC 5019 and referenced
in CAB Forum Baseline Requirements, too. This particular hash
doesn't need to be cryptographically secure.
- Remove insecure algorithms that are still included in the GnuTLS
priority set "NORMAL" from the default priorities: plain RSA key
exchange, TLS 1.0, TLS 1.1
- Fix virtual host references when retrieving OCSP responses for
stapling.
- Share server instances for tests where reasonably possible with the
same server configuration. Starting/stopping server instances is the
slowest part of the tests, so this is a nice performance
improvement. The Automake test harness now reports fewer tests, but
some include a lot more client connections and requests to keep
coverage at least as good as before.
- Various improvements to tests and logging infrastructure.
- test only on Tumbleweed for now
-------------------------------------------------------------------
Mon Jun 29 09:07:43 UTC 2020 - pgajdos@suse.com
- version update to 0.11.0
- Change default for GnuTLSOCSPCheckNonce to "off", and send OCSP
nonces only if it has been enabled. The reason for this change is
that in practice most public CAs do not support OCSP nonces, which
is permitted by both RFC 6960 and the CA/Browser Forum baseline
requirements (as of version 1.6.9). In this situation enforcing
correct nonces by default makes the automatic OCSP stapling support
mostly useless.
- Add a test for correct nonce handling with "GnuTLSOCSPCheckNonce
on", thanks to Krista Karppinen for that and a rewrite of the OCSP
responder script in Python!
- Support session resumption using session tickets for proxy
connections (TLS 1.3 connections only). Requires a suitable
GnuTLSCache configuration.
- Disable session tickets by default. The GnuTLS built-in key rotation
for session tickets never actually changes the primary key, just
derives keys from it, so it does not provide forward secrecy in case
an attacker learns the primary key (by gaining access to server
RAM). A reload of the server is enough to generate a new key, so
consider enabling session tickets and reloading the server every few
hours, at least until a forward-secret rotation can be implemented.
- Fix a bug that mostly prevented searching ServerAliases when
selecting the virtual host from SNI.
- Deprecate SRP and disable it by default.
-------------------------------------------------------------------
Thu Feb 13 09:14:02 UTC 2020 - pgajdos@suse.com
- version update to 0.10.0
- Added support for stapling multiple OCSP responses (TLS 1.3
only). mod_gnutls will staple for as many consecutive certificates
in the certificate chain as possible.
- Added support for TLS 1.3 post-handshake authentication, used if TLS
client authentication is required only for some resources on the
server. Rehandshake (for older TLS versions) is not supported, the
existing but broken code has been removed.
- The test infrastructure has been mostly rewritten in Python, note
the new dependencies (Python 3, Pyyaml). Tests can run multiple TLS
connections and HTTP(S) requests as well as custom hooks now, see
test/README.md for details.
- Server certificates are checked for the must-staple TLS feature
extension, stapling must be enabled if it is present.
- Compatibility fix for GnuTLS 3.6.11 in the test suite: Handle
peer certificate type in TLS session information strings.
- The test system will automatically detect if it needs to load
critical modules (e.g. mod_logio) that are built-in with the Debian
packages. This makes the tests work on Fedora without modifications,
and likely on similar distributions too.
- Tests can optionally run with Valgrind for the primary HTTPD
instance by running ./configure with --enable-valgrind-test, see
test/README.md for details.
- Known issue: When using MSVA client certificate validation the
Valgrind tests indicate memory leaks from libcurl, which is used by
libmsv to send requests to the MSVA. For details see the bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950359
- run testsuite
-------------------------------------------------------------------
Wed Dec 18 12:22:50 UTC 2019 - pgajdos@suse.com
- version update to 0.9.1
- Fix possible segfault (NULL pointer dereference) on failed TLS
handshake. Calling ssl_var_lookup() after a failed handshake could
lead to GnuTLS session information functions being called on a NULL
session pointer, leading to segfault.
- Remove URLs from expected error responses in the test suite. Apache
HTTPD removed request URLs from canned error messages to prevent
misleading text/links being displayed via crafted links
(CVE-2019-10092). Adjust the expected error responses in our tests
so they can pass again.
- Test suite: Ignore "Content-Length" header of responses. Thanks to
Krista Karppinen!
- Add a section about module dependencies on socache to the handbook
- Restructure the manpage build and move it to section 5 (config
files)
- Test suite: Restructure certificate directories
-------------------------------------------------------------------
Wed Jun 26 13:27:54 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
- updated to 0.9.0
- Security fix: Refuse to send or receive any data over a failed TLS
connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
previous behavior could lead to requests on reverse proxy TLS
connections being sent in plain text, and might have allowed faking
requests in plain text.
- Security fix: Reject HTTP requests if they try to access virtual
hosts that do not match their TLS connections (commit
de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
and Host header match. Thanks to Krista Karppinen for contributing
tests!
- OCSP stapling is now enabled by default, if possible. OCSP responses
are updated regularly and stored in a cache separate from the
session cache. The OCSP cache uses mod_socache_shmcb by default
(if the module is loaded, no other configuration required).
- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
and TLS 1.3 takes care of other reasons not to use tickets while
requiring them for session resumption. Note that there is currently
no mechanism to synchronize ticket keys across a cluster of servers.
- The internal cache implementation has been replaced with
mod_socache. Users may need to update their GnuTLSCache settings and
load the appropriate socache modules.
- ALPN (required for HTTP/2) now works correctly with different
"Protocols" directives between virtual hosts if building with GnuTLS
3.6.3 or newer. Older versions require identical "Protocols"
directives for overlapping virtual hosts. Thanks to Vincent Tamet
for the bug report!
- ALPN is now supported for proxy connections, making HTTP/2 proxy
connections using mod_proxy_http2 possible.
- GnuTLSPriorities is optional now and defaults to "NORMAL" if
missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
enabled).
- The manual is now built as a manual page, too, if pandoc is
available.
- OpenPGP support has been removed.
- Don't require pem2openpgp for tests when building without MSVA
support.
- Support Apache HTTPD 2.4.33 API for proxy TLS connections
- Support TLS for HTTP/2 connections with mod_http2
- Fix configuration of OCSP stapling callback
-------------------------------------------------------------------
Wed Dec 20 07:57:14 UTC 2017 - pgajdos@suse.com
- updated to 0.8.3
- Use GnuTLS' default DH parameters by default
- Handle long Server Name Indication data and gracefully ignore
unknown SNI types
- Send SNI for proxy connections
- Deprecate OpenPGP support like GnuTLS did (will be removed
completely in a future release)
- Do not announce session ticket support for proxy connections
- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
- Bugfix: Use APR_SIZE_T_FMT for portable apr_size_t formatting
- New: Support for OCSP stapling
- Bugfix: Access to DBM cache is locked using global mutex
"gnutls-cache"
- Bugfix: GnuTLSSessionTickets is now disabled by default as described
in the handbook
- Fixed memory leak while checking proxy backend certificate
- Fixed memory leaks in post_config
- Safely delete session ticket key (requires GnuTLS >= 3.4)
- Improved error handling in post_config hook
- Various handbook updates
- Internal API documentation can be generated using Doxygen
- Unused code has been removed (conditionals for GnuTLS 2.x and Apache
versions before 2.2, internal Lua bytecode structure last used in
2011).
certificate authority
- Sunil Mohan Adapa reported retry loops during session shutdown in
cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
errno in mgs_transport_write() fixes the problem.
- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
Debian package.
- Build system improvements that allow VPATH builds and get "make
distcheck" to work
- Support SoftHSM 2 for PKCS #11 testing
- Increase verbosity of test logs
- Update test suite for compatibility with GnuTLS 3.4, which has
stricter key usage checks and priorities than 3.3.
- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
set (mod_status sets it for requests with the "auto" parameter, e.g.
https://localhost/server-status?auto).
- Register "ssl_is_https" function so the special mod_rewrite variable
%{HTTPS} works correctly with mod_gnutls. The new test case for this
requires Wget or curl. Fixes Debian bug #514005.
- Support for local Apache drop-in config files in the test suite
(e.g. to load additional modules needed on Fedora).
- Try to use markdown to build HTML documentation if pandoc is not
available.
- Disable use of flock if it is unavailable or does not support
timeouts (the latter caused the build to fail on Debian Hurd).
- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
- Bugfix: Non-blocking reads in the input filter could lead to a busy
wait in the gnutls_io_input_read function, causing high load on
Keep-Alive connections waiting for data, until either more data
could be received or the connection was closed. The fix is to pass
EAGAIN/EINTR results up to the input filter so they can be handled
properly.
- Close TLS session if the input filter receives EOF (mostly relevant
for proper termination of proxy connections).
- Remove dependency on APR Memcache, which is replaced by the newer
version included in the APR Utility Library (libaprutil).
- Remove dependency on bc. It was used for floating point arithmetic
in the test suite, the calculations have been changed to use
integers and pure bash code.
- Improved handling of PKCS #11 modules: mod_gnutls now loads either
modules specified using GnuTLSP11Module, or the system defaults, but
not both. Thanks to Nikos Mavrogiannopoulos for the report and
initial patch!
- Initialize variables to safe defaults during client certificate
verification. Certain error code paths did not set them, but they
should never be hit due to config validation. This adds another line
of defense.
-------------------------------------------------------------------
Tue Mar 14 06:18:19 UTC 2017 - pgajdos@suse.com
- reverted to 0.7, because 0.8.2 needs gnutls >= 3.3.0 which is
currently satisfied only by Tumbleweed
-------------------------------------------------------------------
Mon Mar 13 14:46:17 UTC 2017 - pgajdos@suse.com
- updated to 0.8.2
- fix build with new gnutls
+ apache2-mod_gnutls-no-error-deprecated-declarations.patch
- add a true example in %check
-------------------------------------------------------------------
Wed Sep 9 07:34:57 UTC 2015 - pgajdos@suse.com
- test module with %apache_test_module_load
-------------------------------------------------------------------
Wed Sep 9 07:23:16 UTC 2015 - pgajdos@suse.com
- updated to 0.7
-------------------------------------------------------------------
Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com
- Requries: %{apache_suse_maintenance_mmn}
This will pull this module to the update (in released distribution)
when apache maintainer thinks it is good (due api/abi changes).
-------------------------------------------------------------------
Fri Oct 31 10:21:04 UTC 2014 - pgajdos@suse.com
- call spec-cleaner
- use apache rpm macros
-------------------------------------------------------------------
Fri Sep 27 00:00:00 UTC 2013 - Mathias.Homann@opensuse.org
- update to 0.6.0 from git
-------------------------------------------------------------------
Fri Nov 26 00:00:00 UTC 2010 - clauded1
- update to version 0.5.9.
-------------------------------------------------------------------
Sun Feb 7 00:00:00 UTC 2010 - stefan@invis-server.org
- Initial build for SuSE Linux. (Testing State)
