[mod_gnutls-devel] New release: mod_gnutls 0.9.0
Fiona Klute
fiona.klute at gmx.de
Wed Jan 23 21:31:00 CET 2019
Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed mod_gnutls/0.9.0
tag to the git repositories [1, 2].

Security fixes:

* Refuse to send or receive any data over a failed TLS
  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
  previous behavior could lead to requests on reverse proxy TLS
  connections being sent in plain text.

* Reject HTTP requests if they try to access virtual hosts that do not
  match their TLS connections (commit
  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
  and Host header match. Thanks to Krista Karppinen for contributing
  tests!

Other major changes:

* The internal cache implementation has been replaced with
  mod_socache. You may need to update your GnuTLSCache settings and
  load the appropriate socache modules.

* OCSP stapling is now enabled by default, if possible. OCSP responses
  are updated regularly and stored in a cache separate from the
  session cache. The automatic OCSP cache requires mod_socache_shmcb;
  you can configure a different type of cache as before.

* HTTP/2 is now fully supported (including proxy connections). However,
  you need to build with GnuTLS version 3.6.3 or later to allow
  different "Protocols" directives between virtual hosts. Older versions
  require identical "Protocols" directives for overlapping virtual
  hosts. Thanks to Vincent Tamet for the bug report!

* Session tickets are now enabled by default if using GnuTLS 3.6.4 or
  newer.

* OpenPGP support has been removed.

Hints to distributors:

* I recommend enabling mod_socache_shmcb by default along with
  mod_gnutls, or advising users to do so, to take advantage of OCSP
  stapling by default.

* The manual is now additionally built as a manual page if pandoc is
  available. Personally, I'd prefer a manual page over an HTML or PDF
  file on a server system.

For more details, please see the changelog.

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git
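
Added illustration, not part of the original announcement and not mod_gnutls's own code: a C function showing the kind of SNI versus Host header comparison the second security fix describes. The function and enum names, the normalisation rules (port stripped, one trailing dot ignored, ASCII case-insensitive match) and the handling of a missing SNI are assumptions made for this example; the host names are constructed samples.

```c
#include <stdio.h>
#include <string.h>

enum host_check { HOST_MATCH, HOST_MISMATCH, HOST_NO_SNI, HOST_MALFORMED };

/* ASCII-only case-insensitive comparison of n bytes (DNS names are ASCII). */
static int ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* Compare an HTTP Host header value with the SNI name of the TLS session
 * the request arrived on. sni is NULL if the client sent no SNI. */
enum host_check check_host_against_sni(const char *host, const char *sni)
{
    if (host == NULL || host[0] == '\0')
        return HOST_MALFORMED;
    if (sni == NULL || sni[0] == '\0')
        return HOST_NO_SNI;      /* assumption: caller applies its default-vhost policy */
    if (host[0] == '[')
        return HOST_MISMATCH;    /* IP literals are not allowed in SNI (RFC 6066) */

    size_t hlen = strcspn(host, ":");          /* name ends at optional ":port" */
    for (const char *p = host + hlen; *p; p++) /* after the ':' only digits may follow */
        if (p != host + hlen && (*p < '0' || *p > '9'))
            return HOST_MALFORMED;
    size_t slen = strlen(sni);
    if (hlen > 0 && host[hlen - 1] == '.') hlen--;   /* ignore one trailing dot */
    if (slen > 0 && sni[slen - 1] == '.') slen--;
    if (hlen == 0)
        return HOST_MALFORMED;
    if (hlen != slen || !ascii_ieq(host, sni, hlen))
        return HOST_MISMATCH;
    return HOST_MATCH;
}

int main(void)
{
    /* Constructed sample pairs: Host header value, SNI name. */
    printf("%d\n", check_host_against_sni("www.example.com:443", "www.example.com"));
    printf("%d\n", check_host_against_sni("internal.example.com", "www.example.com"));
    return 0;
}
```

Comparing whole normalised names rather than prefixes is what keeps a Host value such as `www.example.com.evil.test` from passing against an SNI of `www.example.com`.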