-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathChangeLog
186 lines (177 loc) · 11.1 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
v0.14.0
----------------------------------------------------------------------------------------------------
* Updated to rustls-ffi 0.14.0 by @cpu.
v0.13.0
----------------------------------------------------------------------------------------------------
* align version somewhat with rustls-ffi version supported
* move module from Apache httpd to its own github repository
* fix tests to run on locally build mod_tls, no install necessary
* adapted to rustls-ffi thanks for @cpu.
v0.8.2
----------------------------------------------------------------------------------------------------
* Adapted to the new API in rustls-ffi v0.8.2
* Brought in Apache's pyhttpd test framework and adjusted test cases to its use.
v0.8.1
----------------------------------------------------------------------------------------------------
* Support for machine certificates in proxy conections. Use `TLSProxyMachineCertificate`
similar to `TLSCertificate` to configure a certificate to use for authentication
against a proxied backend server.
As with `TLSCertificate` more than one certificate may be configured and the
first compatible is chosen by the `rustls` library for the connection.
v0.8.0
----------------------------------------------------------------------------------------------------
* Fixed the case where client authentication (currently disabled) on a server
would prevent ACME challenges from working.
* Fixed test configuration to accommodate for installations on debian with static modules
and directories used.
* Updated docker image "debian-test" to use the apache2 package instead of a local
compiled httpd.
* Fixed a missing flush at the end of a connection that makes sure the connection close
is clean and immediate and that short linger times apply.
* Added `TLSProxyCiphersPrefer` and `TLSProxyCiphersSuppress` for proxy connections.
* Added `TLSProxyProtocl` to set the minimum TLS version to use in proxy connections.
* Renamed `TLSProtocls` to `TLSProtocol` to less confusing when migrating from mod_ssl.
* All TLS filters trigger initialization and handshake processing on demand
when invoked, in both input and output handling.
* The whole setup of the rustls connection handling is delayed until I/O
filters are called. This allows for last minute changes in connection notes.
This way, ALPN signalling to the backend can be done for mod_proxy_http2.
* Added test for TLSProxy connections without any special flavour
except providing a CA PEM file for trusted root.
* loading of native trust anchors disabled since rustls crashes on MacOS for this.
Issue opened at <https://github.com/kornelski/rust-security-framework/issues/136>.
* Adding support for new ssl/proxy interworking PR in apache trunk.
v0.7.1
----------------------------------------------------------------------------------------------------
* Renamed `TLSListen` configuration directive to `TLSEngine` after feedback
from early tester (thanks @djc!).
v0.7.0
----------------------------------------------------------------------------------------------------
* Disabled all client certificate related configurations and test. Client certificates
are unsupported in mod_tls for the time being, as there is no Rust revocation
mechanism currently available. See also README.md.
v0.6.1
----------------------------------------------------------------------------------------------------
* Added `TLSOptions ExportCertData` to export the certificates PEM data to the request env.
* Added `TLSOptions Defaults` to reset options settings in a location.
* Adding test cases for http and https proxy setups
* Intercepting mod_ssl/mod_proxy calling to avoid enabling mod_tls on proxy connections.
v0.6.0
----------------------------------------------------------------------------------------------------
* Adapted to the new read/write callbacks in crustls
v0.5.0
----------------------------------------------------------------------------------------------------
* Supporting more variables as defined in mod_ssl. Adding test cases for those.
* Adapted the the recent additions in crustls for client verifiers.
Keeping central registry of cert stores and verifiers, released when
configuration of servers is done.
* Client CA is loaded as new rustls_root_cert_store (PR tbd) and is used
in building session configs.
* Presence of a client certificate is checked when client auth is required.
* variable SSL_CLIENT_S_DN_CN added with fake data since we are not able to dissect
the client certificate DER data yet.
* Implemented support for OCSP stapling using the new ap_ssl_ocsp* functions
in the patched Apache httpd and a development branch of crustls.
* Transferred repository to abetterinternet org.
* Added Docker support for setting up an images based on debian sid,
build current apache 2.4.x patch, current crustls PR branch and the
local mod_tls sources and have the test suite run in the image.
* Updated documentation on protocol version/cipher configuring.
* Changed numerical names to include `0x`, for example `TLS_CIPHER_0xc024`,
to avoid ambiguities.
* Added OpenSSL names for ciphers as well-known alternative to the IANA
assigned names for TLSv1.2+ ciphers.
* Implemented checks on minimum TLS version and suppressed ciphers when
serving requests to server A on a connection opened on server B.
* A warning will be logged when TLS ciphers are configured for preference, but
not supported by rustls. Test cases added.
* Successful run with the `mod_md` extended test suite that allows specification
of the ssl module to test with.
* Fixed various edge cases about vhost selection, fallback and challenge certificates
and added a new directive `TLSStrictSNI` to allow relaxed checks of client
host names for people who run "catch all" servers.
* First tests with the latest mod_md to enable supplying static certificates
to mod_tls.
* TLSProtocols now takes only one argument and that is the minimum TLS protocol
to use: `TLSv1.2+`, `TLSv1.3+` or `TLSvXXXX+` where XXXX is the hexadecimal
protocol version. Specifying 'default' will use all protocols supported by
rustls and that is also the default.
* Added test case for session storage in TLSv1.2 using openssl. TLSv1.3
test is incomplete and disabled for now.
* Added support for new session store feature in my crustls branch.
* Added test case for timeout handling during TLS handshake.
* new config Directive `TLSOptions` similar for mod_ssl's `SSLOptions`.
Only open so far is 'StdEnvVars' which adds a (currently limited) list
of TLS related environment variables to CGI handlers.
* `TLSCertificate` can also be used with a single argument, given one file
that contains all PEM data.
* Configuration directives 'TLSProtocols' and 'TLSCiphers' implemented. Test
cases added.
* Added support for setting challenge certificates using the new (apache trunk)
hooks and functions. ACME tls-alpn-01 support incoming.
* The module now also allows certificate configuration via the new central
hooks. A future mod_md will provide ACME certificate this way.
* Updated patch file for the Apache httpd 2.4.x release line with the latest
necessary changes to run the module.
* Fixes in output handling to pass meta buckets in their proper location down
to the network.
* Test can be run with another mpm by setting the environment variable MPM:
> MPM=worker pytest
* All buffers passed to rustls for writing to are now initialized via 'calloc()',
as Rust requires. There is no concept of a write-only array, unfortunately.
* Added a patch file for the Apache httpd 2.4.x release line with the - so far -
necessary changes to the server. Make mod_tls compile against httpd trunk and
a patched branches/2.4.x.
* More load test scenarios.
* Adding the first load test scenario for comparing transfer speeds between mod_tls
and mod_ssl on a single connection for various resource sizes. Use `make loadtest`
to run.
* Fixed a bug that caused the connection to close after the first request had been
handled.
* Improved the passing of encrypted data to the network to involve a bit less buffering.
* Started load test scenarios to measure performance and resource usage.
* ALPN negotiation implemented. Curl in test cases now speaks HTTP/2 with mod_tls
when configured.
* Use of the new Apache httpd API for SSL related queries (available only in trunk
for now). Other modules can query if the connection is protected by SSL encryption
as if mod_ssl were loaded. Also, some first SSL related variables are exposed for
querying.
* rustls_cipher_certified_keys are used when configuring sessions, so that more
than one certificate can be configured for a server. The rustls session will
select the first certificate that is compatible with the clients hello
settings.
* Experimental client hello C callback implemented in local crustls version.
* SNI host selection implemented. Foundation in place for vhost specific TLS settings.
Missing: ALPN handling, selection from several certificates for a vhost, adding
of dynamic certificates.
* Extending our Test CA to create also Elliptic Curve keys for ECDSA certificates.
* Mixing old-skool OpenSSL PEM format for RSA and newer PKCS8 PEM for EC keys
to have variety on what rustls is able to parse.
* Using python module "trustme" to generate certificates from a local CA. Using
the CA to verify TLS connections in curl and get rid of the "--insecure" setting
that disables several other checks as well.
* New directive `TLSProtocol` to set the minimum version of the TLS protocol to
use on a host/the server. Does not have an effect as the support in crustls
is not there yet.
* Adjusting filter buffer sizes for TLS and plain data to allow generation of
max-length TLS messages without for security and efficiency reasons.
* Testing SNI invalid name. Proper shutdown of the connection on failures
during handshake implemented.
* First checks on connection sharing.
- requests against a virtual hosts server are only allowed if the client uses SNI.
- requests to domain B on a connection to domain A are only allowed if there
are no relevant differences between the TLS configurations. This does exclude
the certificates configured, since it is the client's responsibility to check
if B falls under the certificate from A.
* New directive `TLSHonorClientOrder on|off` with default off, to make the
server session honor client cipher ordering.
* Checks on SNI selected host against request selected host started.
* vhost is detected based on client supplied SNI hostname. Unknown SNI hostnames
are not prevented from connecting as it is the clients obligation if it trust
the supplied server certificate.
* base filter handling performs retrieval of JSON resource file. test_03_get succeeds.
* mod_tls does first successful handshake with a MacOS curl (libressl) using
TLS v1.2 and an RSA 2048 certificate, self signed.
* mod_tls loads single certificate (first configured) into rustls
* test case creates self-signed certificate, configures it for mod_tls
* created skeleton module and autoconf/make files.