
Releases: airtower-luna/mod_gnutls

0.12.2

14 Apr 09:22
mod_gnutls/0.12.2

Changelog since version 0.12.1:

  • Update project URL
  • Deprecate Monkeysphere integration
  • Convert README to Markdown
  • Replace leftover pkg-config references with pkgconf
  • Remove unused struct member (vhost_cb_rec in gnutls_hooks.c)
  • Small improvements for Doxygen API documentation build

I intend for this to be the last release using Autotools.

0.12.1

23 Feb 18:38
mod_gnutls/0.12.1
82cb66b

Changelog since version 0.12.0:

  • Security fix ⚠️ (CVE-2023-25824): Remove an infinite loop in blocking read on transport timeout. Mod_gnutls versions from 0.9.0 to 0.12.0 (inclusive) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead, they entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, the loop would also produce an excessive amount of log output, consuming disk space.

  • Replace obsolete Autoconf macros. Generating ./configure now requires Autoconf 2.69 (present in Debian Bullseye).
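To make the failure mode behind CVE-2023-25824 concrete from a defender's point of view, here is an added illustration in C. It is not mod_gnutls code and does not reproduce the actual fix: `fake_transport`, `fake_pull`, `read_retry_forever` and `read_fail_on_timeout` are constructed names, and the transport is simulated as a peer that never sends anything (every pull reports a timeout). The first read routine treats a timeout as "try again", which is the pattern the changelog describes; it only terminates here because of an explicit demonstration cap. The second one fails the blocking read on the first timeout so the caller can close the connection and release the worker.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simulated TLS transport (constructed for this example, not mod_gnutls
 * code). The peer stays silent forever, so every pull times out. */
struct fake_transport {
    int pulls;      /* how many times the pull callback was invoked */
    int log_lines;  /* how many trace log lines were emitted */
};

/* Pull callback in the style of a GnuTLS transport function: returns the
 * number of bytes read, or -1 with errno set. EAGAIN models a transport
 * timeout on a blocking socket. */
static ssize_t fake_pull(struct fake_transport *t, void *buf, size_t len) {
    (void)buf; (void)len;
    t->pulls++;
    errno = EAGAIN;
    return -1;
}

enum read_result { READ_OK = 0, READ_TIMEOUT = 1, READ_ERROR = 2 };

/* Vulnerable pattern: a timeout is treated like "try again", so the loop
 * never exits while the peer stays silent and burns CPU the whole time.
 * spin_cap exists only so this demonstration terminates; the bug described
 * in the changelog had no such cap. */
static enum read_result read_retry_forever(struct fake_transport *t, void *buf,
                                           size_t len, int spin_cap) {
    for (;;) {
        ssize_t n = fake_pull(t, buf, len);
        if (n >= 0)
            return READ_OK;
        if (errno == EAGAIN || errno == ETIMEDOUT) {
            t->log_lines++;  /* trace logging on every retry: disk fills up */
            if (t->pulls >= spin_cap)
                return READ_TIMEOUT;  /* demonstration cap only */
            continue;
        }
        return READ_ERROR;
    }
}

/* Hardened pattern: a blocking read that hits the transport timeout fails
 * immediately. One log line, then the caller tears the connection down. */
static enum read_result read_fail_on_timeout(struct fake_transport *t, void *buf,
                                             size_t len) {
    ssize_t n = fake_pull(t, buf, len);
    if (n >= 0)
        return READ_OK;
    if (errno == EAGAIN || errno == ETIMEDOUT) {
        t->log_lines++;
        return READ_TIMEOUT;
    }
    return READ_ERROR;
}

/* Scenario helpers that expose the counters so both behaviours can be compared. */
int pulls_vulnerable(int spin_cap) {
    struct fake_transport t = {0, 0};
    char buf[64];
    read_retry_forever(&t, buf, sizeof buf, spin_cap);
    return t.pulls;
}

int trace_lines_vulnerable(int spin_cap) {
    struct fake_transport t = {0, 0};
    char buf[64];
    read_retry_forever(&t, buf, sizeof buf, spin_cap);
    return t.log_lines;
}

int pulls_fixed(void) {
    struct fake_transport t = {0, 0};
    char buf[64];
    read_fail_on_timeout(&t, buf, sizeof buf);
    return t.pulls;
}

int result_fixed(void) {
    struct fake_transport t = {0, 0};
    char buf[64];
    return (int)read_fail_on_timeout(&t, buf, sizeof buf);
}

int main(void) {
    printf("vulnerable loop: %d pulls and %d trace lines before the demonstration cap\n",
           pulls_vulnerable(100000), trace_lines_vulnerable(100000));
    printf("fixed read: %d pull, result %d (READ_TIMEOUT)\n", pulls_fixed(), result_fixed());
    return 0;
}
```

The counters are the observable difference: with a silent peer the retry loop performs as many pulls (and writes as many trace lines) as the cap allows, while the hardened read performs exactly one pull and reports the timeout. In a real server the equivalent symptom is a worker pinned at 100% CPU and, with trace logging on, a log file growing without bound, which is also what to watch for when checking whether an installation is still running an affected version.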

0.12.0

14 Aug 12:05
mod_gnutls/0.12.0
b6ce8ad

Changelog since version 0.11.0:

  • Three fixes that make mod_gnutls compatible with the Let's Encrypt OCSP responder for OCSP stapling (see #4):

    1. Support OCSP responses that are signed directly with the private key of the CA and do not embed a signer certificate.

    2. If the path part of OCSP URI provided in the certificate is empty, use "/".

    3. Use SHA1 for the issuer name hash and issuer key hash in OCSP requests. Support for SHA1 here is required by RFC 5019 and is also referenced in the CAB Forum Baseline Requirements. This particular hash does not need to be cryptographically secure.

  • Remove insecure algorithms that are still included in the GnuTLS priority set "NORMAL" from the default priorities: plain RSA key exchange, TLS 1.0 and TLS 1.1.

  • Fix virtual host references when retrieving OCSP responses for stapling (see #5).

  • Share server instances between tests that use the same server configuration where reasonably possible. Starting and stopping server instances is the slowest part of the tests, so this is a nice performance improvement. The Automake test harness now reports fewer tests, but some of them include many more client connections and requests to keep coverage at least as good as before.

  • Various improvements to tests and logging infrastructure.
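The second of the three OCSP fixes above (an empty path in the responder URI must become "/") is the kind of edge case that is easy to miss when parsing the Authority Information Access URI out of a certificate. As an added example, not mod_gnutls code, here is a small C helper for that step; `ocsp_request_path` is a constructed name and `ocsp.example.net` is a placeholder host, not a real responder.

```c
#include <stddef.h>
#include <string.h>

/* Return the HTTP request path for an OCSP responder URI taken from a
 * certificate's Authority Information Access extension. The path starts at
 * the first '/' after the authority ("host" or "host:port"). When the URI
 * carries no path at all, e.g. "http://ocsp.example.net", the HTTP request
 * line still needs a target, so "/" is returned instead of an empty string.
 * Returns NULL when the input is not an absolute URI with an authority. */
const char *ocsp_request_path(const char *uri) {
    if (uri == NULL)
        return NULL;
    const char *authority = strstr(uri, "://");
    if (authority == NULL)
        return NULL;                 /* no scheme: not an absolute URI */
    authority += 3;
    if (*authority == '\0' || *authority == '/')
        return NULL;                 /* "http://" or "http:///x": missing host */
    const char *path = strchr(authority, '/');
    return path != NULL ? path : "/";  /* empty path: use "/" */
}
```

The query part of the URI, if any, stays attached to the returned path, which is what an HTTP request line needs. Returning a pointer into the caller's string (or the literal "/") avoids any allocation in a code path that runs once per OCSP refresh.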