[mod_gnutls-devel] New release: mod_gnutls 0.9.0

Fiona Klute fiona.klute at gmx.de
Wed Jan 23 21:31:00 CET 2019

Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed mod_gnutls/0.9.0
tag to the git repositories [1, 2].

Security fixes:

* Refuse to send or receive any data over a failed TLS
  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
  previous behavior could lead to requests on reverse proxy TLS
  connections being sent in plain text.

* Reject HTTP requests if they try to access virtual hosts that do not
  match their TLS connections (commit
  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
  and Host header match. Thanks to Krista Karppinen for contributing

Other major changes:

* The internal cache implementation has been replaced with
  mod_socache. You may need to update your GnuTLSCache settings and
  load the appropriate socache modules.

* OCSP stapling is now enabled by default, if possible. OCSP responses
  are updated regularly and stored in a cache separate from the
  session cache. The automatic OCSP cache requires mod_socache_shmcb,
  you can configure a different type of cache as before.

* HTTP/2 is now fully supported (including proxy connections). However,
  you need to build with GnuTLS version 3.6.3 or later to allow
  different "Protocols" directives between virtual hosts. Older versions
  require identical "Protocols" directives for overlapping virtual
  hosts. Thanks to Vincent Tamet for the bug report!

* Session tickets are now enabled by default if using GnuTLS 3.6.4 or

* OpenPGP support has been removed.

Hints to distributors:

* I recommend enabling mod_socache_shmcb by default along with
  mod_gnutls, or advising users to do so, to take advantage of OCSP
  stapling by default.

* The manual is now additionally built as a manual page if pandoc is
  available. Personally, I'd prefer a manual page over a HTML or PDF
  file on a server system.

For more details, please see the changelog.


[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/mod_gnutls-devel/attachments/20190123/8bd3a717/attachment.sig>

More information about the mod_gnutls-devel mailing list