From fiona.klute at gmx.de Wed Jan 23 21:31:00 2019
From: fiona.klute at gmx.de (Fiona Klute)
Date: Wed, 23 Jan 2019 21:31:00 +0100
Subject: [mod_gnutls-devel] New release: mod_gnutls 0.9.0
Message-ID: <45625579-2c54-51c0-2d03-467621b62770@gmx.de>

Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed mod_gnutls/0.9.0
tag to the git repositories [1, 2].

Security fixes:

* Refuse to send or receive any data over a failed TLS connection
  (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The previous
  behavior could lead to requests on reverse proxy TLS connections
  being sent in plain text.

* Reject HTTP requests if they try to access virtual hosts that do not
  match their TLS connections (commit
  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
  and Host header match. Thanks to Krista Karppinen for contributing
  tests!

Other major changes:

* The internal cache implementation has been replaced with
  mod_socache. You may need to update your GnuTLSCache settings and
  load the appropriate socache modules.

* OCSP stapling is now enabled by default, if possible. OCSP responses
  are updated regularly and stored in a cache separate from the
  session cache. The automatic OCSP cache requires mod_socache_shmcb;
  you can configure a different type of cache as before.

* HTTP/2 is now fully supported (including proxy connections).
  However, you need to build with GnuTLS version 3.6.3 or later to
  allow different "Protocols" directives between virtual hosts. Older
  versions require identical "Protocols" directives for overlapping
  virtual hosts. Thanks to Vincent Tamet for the bug report!

* Session tickets are now enabled by default if using GnuTLS 3.6.4 or
  newer.

* OpenPGP support has been removed.

Hints to distributors:

* I recommend enabling mod_socache_shmcb by default along with
  mod_gnutls, or advising users to do so, to take advantage of OCSP
  stapling by default.

* The manual is now additionally built as a manual page if pandoc is
  available. Personally, I'd prefer a manual page over an HTML or PDF
  file on a server system.

For more details, please see the changelog.

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git
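The configuration changes the announcement above asks operators to make (loading a socache provider next to mod_gnutls, pointing GnuTLSCache at it, and keeping "Protocols" identical across overlapping virtual hosts on GnuTLS older than 3.6.3) as an added httpd configuration example; this is not from the announcement or the mod_gnutls project, and the `GnuTLSCache shmcb` value, the module paths, host names and certificate paths are assumptions to be checked against the 0.9.0 manual.

```apache
# Added example (not part of the announcement). Load a socache provider
# before mod_gnutls: 0.9.0 uses mod_socache for both the session cache
# and the new, separate OCSP response cache (shmcb is required for the
# automatic OCSP cache).
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule gnutls_module        modules/mod_gnutls.so

# Assumed 0.9.0 syntax: select the socache provider by name instead of the
# pre-0.9.0 built-in cache types.
GnuTLSCache shmcb

# OCSP stapling is on by default in 0.9.0 if possible; stating it makes the
# intent explicit in the config.
GnuTLSOCSPStapling On

Listen 443

# Two virtual hosts sharing one IP:port are "overlapping": with GnuTLS
# < 3.6.3 both MUST carry the same Protocols line, otherwise HTTP/2
# negotiation is inconsistent (see the HTTP/2 note in the release mail).
# With GnuTLS >= 3.6.3 they may differ.
<VirtualHost *:443>
    ServerName        www.example.test          # assumed name
    Protocols         h2 http/1.1
    GnuTLSEnable      On
    GnuTLSCertificateFile /etc/tls/www.crt      # assumed path
    GnuTLSKeyFile         /etc/tls/www.key      # assumed path
</VirtualHost>

<VirtualHost *:443>
    ServerName        api.example.test          # assumed name
    Protocols         h2 http/1.1               # identical on old GnuTLS
    GnuTLSEnable      On
    GnuTLSCertificateFile /etc/tls/api.crt      # assumed path
    GnuTLSKeyFile         /etc/tls/api.key      # assumed path
</VirtualHost>
```

With this layout, a request whose SNI names one host but whose Host header names the other is rejected by the 0.9.0 virtual-host check described above, so the vhost split in the config must match the names clients actually send.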