Changed with Apache-SSL 1.3.41/1.59
*) Bugfix in 1.58, which was not released.
[Ben Laurie]
Changed with Apache-SSL 1.3.37/1.58
*) Fixed client cert expansion so the client can't fake fields by
inserting slashes in the value parts of other fields.
[Ben Laurie, issue reported by Alexander Klink <a.klink@cynops.de>]
Changed with Apache-SSL 1.3.34/1.57
*) Make splashcache auto-restart on errors.
[Ben Laurie]
*) Compatibility with OpenSSL 0.9.8.
[Ben Laurie]
Changed with Apache-SSL 1.3.33/1.56
*) Updated splashcache to use the latest version of Splash!, and
also the FreeBSD port of spread (by default).
[Ben Laurie]
Changed with Apache-SSL 1.3.29/1.55
*) The CRL environment variables could get set even if the condition
they indicated was not true. Fixed.
[Ben Laurie]
Changed with Apache-SSL 1.3.29/1.54
*) Do SSLNoV2 by a different, more reliable, method.
[Ben Laurie]
Changes with Apache-SSL 1.3.29/1.53
*) Port to 1.3.29.
[Ben Laurie]
*) Fix vulnerability in FakeBasicAuth.
[Ben Laurie, reported by Wietse Venema]
*) Add SSLNoV2 directive to disable SSL version 2.
[Ben Laurie]
Changes with Apache-SSL 1.3.28/1.52
*) Add new options, SSLOnCRLExpirySetEnv and SSLOnNoCRLSetEnv.
[Ben Laurie]
Changes with Apache-SSL 1.3.28/1.51
*) Add AES ciphersuites to keysize table. (Someone gave me a patch for
this, but I lost it - let me know who you were).
[Ben Laurie]
Changes with Apache-SSL 1.3.28/1.50
*) Add CRL support. New directives SSLUseCRL, SSLCRLCheckAll and
SSLOnRevocationSetEnv are in the sample configuration file. Note
that an option to redirect to a URL on revocation would be
feasible but is not yet implemented.
[Ben Laurie]
Changes with Apache-SSL 1.3.28/1.49
*) Port to new version.
[Ben Laurie]
Changes with Apache-SSL 1.3.27/1.49
*) Add TLS1 ciphersuites for CGI env vars keysize stuff.
[Ben Laurie]
Changes with Apache-SSL 1.3.27/1.48
*) Port to new version.
[Ben Laurie]
Changes with Apache-SSL 1.3.26/1.48
*) Port to new version.
[Ben Laurie]
Changes with Apache-SSL 1.3.24/1.48
*) Port to new version.
[Ben Laurie]
Changes with Apache-SSL 1.3.22/1.48
*) src/Configuration mysteriously had an explicit path for SSL_LIB_DIR
instead of SSL_BASE. Fixed.
[Ben Laurie, reported by John Sellens <jsellens@generalconcepts.com>]
Changes with Apache-SSL 1.3.22/1.47
*) Make buffer overflow fix actually work.
[Ben Laurie]
Changes with Apache-SSL 1.3.22/1.46
*) Fix potential buffer overflow with rogue client certificates.
[Ben Laurie]
Changes with Apache-SSL 1.3.22/1.45
*) Improve ciphersuite diagnostics, so SGC renegotiation can be seen better.
[Ben Laurie]
*) The required ciphers were not correctly merged between contexts, resulting
in the workaround for IE SGC bugs failing under some circumstances. Fixed.
[Ben Laurie]
Changes with Apache-SSL 1.3.22/1.44
*) Port to new version.
[Ben Laurie]
Changes with Apache-SSL 1.3.19/1.44
*) Make things that should have used #if use that instead of #ifdef.
[Ben Laurie]
Changes with Apache-SSL 1.3.19/1.43
*) Add (untested) OpenSSL engine support.
[Geoff Thorpe]
*) Add SSLCheckClientDN directive - takes a filename and checks DNs against
the contents of the file - an alternative to SSLFakeBasicAuth.
[Ben Laurie]
Changes with Apache-SSL 1.3.14/1.42
*) Add splashcache as an alternative to gcache. This requires Splash!, of
course.
[Ben Laurie]
*) Make splashcache actually work.
[Jonathan Stanton <jonathan@cs.jhu.edu>]
*) Port to Apache 1.3.14.
[Ben Laurie]
*) Make the SSLCacheServerPath take two optional extra arguments, so
splashcache can get its spread server and db name.
[Ben Laurie]
Changes with Apache-SSL 1.3.12/1.41
*) Make httpsdctl say "httpsd" instead of "httpd" in messages.
[Ben Laurie]
*) Allow the use of EGD for randomness. See the example config for syntax.
[Ben Laurie]
*) Add /usr to the list of possible paths for OpenSSL.
[Marc G. Fournier <scrappy@hub.org>]
Changes with Apache-SSL 1.3.12/1.40
*) Make it possible to load Apache-SSL as a DSO.
(./configure --enable-shared=apache_ssl, for example). The appropriate
LoadModule is shown in the example config.
[Ben Laurie]
*) Make configure/APACI produce a compatible installation (i.e.
httpd.{conf,pid,lock} instead of httpsd.*) by default.
[Ben Laurie]
*) Seed the random number generator in "make certificate" with some
not-very-good, but portable, randomness.
[Ben Laurie]
*) Make untrusted client certificates work with OpenSSL 0.9.5.
[Ben Laurie]
Changes with Apache-SSL 1.3.12/1.39
*) Port to new version of Apache.
[Ben Laurie]
*) Make SSL_IS_OPTIONAL default to TRUE (so people don't have to know to set
it to make subrequests work).
[Ben Laurie and Petr Lampa <lampa@fee.vutbr.cz>]
*) Add extra certificate environment variables.
[Petr Lampa <lampa@fee.vutbr.cz>]
*) Session timeout wasn't set in local cache.
[Petr Lampa <lampa@fee.vutbr.cz>]
Changes with Apache-SSL 1.3.11/1.38
*) Port to new version of Apache.
[Ben Laurie]
Changes with Apache-SSL 1.3.6/1.37
*) LogLevelIsDebug() function needed to be moved so that DSO configurations
compile properly.
[? Contributors name lost]
Changes with Apache-SSL 1.3.6/1.36
*) Add experimental Keynote (http://www.cis.upenn.edu/~keynote) support. Not
only does this provide a very cool way to do stuff based on certificate
attributes (and more), but it also demonstrates that it is possible to
write independent add-on modules for Apache-SSL.
[Ben Laurie]
*) Remove spurious printf.
[Stefano Ravaioli <stefano.ravaioli@cineca.it>]
*) Add note about environment variables to 1.35 changes.
[Ben Laurie]
*) Add SSLDenySSL directive.
[Bruce Tenison <btenison@dibbs.net>, revised by Ben Laurie]
Changes with Apache-SSL 1.3.6/1.35
*) Use /dev/urandom in the example configuration instead of /dev/random.
[Ben Laurie, suggested by Adam Laurie]
*) make install didn't install gcache. Fixed.
[Ben Laurie]
*) Move version warning to buff.h, so it happens before the compiler dies.
[Ben Laurie]
*) Change how environment variables are added, for more flexibility. Note
that this means that if you want the variables to be set from within a
module, you must call ap_add_common_vars() and ap_add_cgi_vars().
[Ben Laurie]
*) Support new OpenSSL header layout.
[Ben Laurie]
*) Set the session ID context when renegotiating.
[Ben Laurie, pointed out by
Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
Changes with Apache-SSL 1.3.6/1.34
*) A facility I added to make logging of debugging info work was breaking
during startup. Fixed.
[Bryan Blackburn <blb@pobox.org>]
*) Add new directive SSLNoCAList. This prevents Apache-SSL from sending the
list of acceptable CAs to the client. Although I can't think why this
would be any use in a production environment, it is very handy to assure
yourself that CA checking is actually happening.
[Ben Laurie]
Changes with Apache-SSL 1.3.6/1.33
*) Try a slightly different approach for server renegotiation.
[Ben Laurie, after conversations with Ralf Engelschall and Bodo Moeller
<3moeller@informatik.uni-hamburg.de>]
*) Why can't people not bugger us up in ports and RPMs? FreeBSD took it upon
themselves to move the OpenSSL installation directory, so we work around
it in FixPatch.
[Adam Laurie]
*) Fix client renegotiation (which would cause a crash). In the process, get
rid of nasty globals and use OpenSSL ex_data stuff instead. Note that this
means that Global Server IDs should now work with Apache-SSL.
[Ben Laurie]
Changes with Apache-SSL 1.3.6/1.32
*) Upgraded to Apache 1.3.6.
[Ben Laurie]
Changes with Apache-SSL 1.3.4/1.32
*) Add support for new OpenSSL session ID context, so we can still reuse
sessions.
[Ben Laurie]
*) If the client certificate is optional, with no CA required, then don't
send a CA list.
[Ben Laurie]
*) Add support for new 56/1024 bit export ciphersuites.
[Ben Laurie]
*) Use new certificate stack functions in OpenSSL 0.9.2. Combine
SSLCACertificateFile and SSLCACertificateDir CA certs to send to the
client.
[Ben Laurie]
Changes with Apache-SSL 1.3.4/1.31
*) Make Apache-SSL work with "configure --enable-shared=max".
[Ben Laurie, reported by Don Sullivan <dsullivan@gaia.arc.nasa.gov>]
*) Make httpsd the default install target.
[Ben Laurie, reported by Don Sullivan <dsullivan@gaia.arc.nasa.gov>]
*) Add new SSLRandomFile and SSLRandomFilePerConnection directives.
[Ben Laurie, suggested by Bodo Moeller
<3moeller@informatik.uni-hamburg.de>]
Changes with Apache_SSL 1.3.4/1.30
*) Port to Apache 1.3.4. [Ben Laurie]
*) Timeout during SSL accept phase.
[Ben Laurie, suggested by Nigel Metheringham]
*) Make error message when gcache fails to open the socket more specific.
[Ben Laurie]
*) Make SSLVerifyClient and SSLVerifyDepth per directory. This involves
renegotiating the client connection and is rather a major change, so by
default it is disabled. Enable it by setting RENEG to TRUE in
apache_ssl.c. This is just the first in a series of
per-directorifications. N.B. This facility is not currently very reliable,
so only enable it for testing. [Ben Laurie]
Changes with Apache_SSL 1.3.3/1.29
*) Make SSL_SERVER_I_/SSL_CLIENT_I_ change optional - set USE_OLD_ENVIRONMENT
to true in apache_ssl.c to use the old names. [Ben Laurie]
*) Add some missing entries in the 1.28 changes. [Spotted by Ralf
Engelschall]
*) Don't log SSL_accept failure if the return value is zero - this should
eliminate the spurious warnings Netscape causes. [Ben Laurie]
*) Fix file descriptor leak. [Quinton Dolan <q@fan.net.au>]
*) Fix error in server certificate soft link. [Ben Laurie]
*) Send CA list to client when SSLCACertificatePath is used (this was only
done for SSLCACertificateFile up to now). [Ben Laurie]
Changes with Apache_SSL 1.3.3/1.28
*) Pad certificate exports with =s, as some implementations required them,
and they're significantly easier to remove than to add.
[Ben Laurie, reported by Adam Laurie]
*) Make cert issuer components actually start with SSL_SERVER_I_/
SSL_CLIENT_I_ as documented, instead of SSL_SERVER_I/SSL_CLIENT_I.
[Ben Laurie]
*) Check for a few more errors to avoid problems with cert chains and
certificate verification. [Ralf Engelschall]
Changes with Apache_SSL 1.3.2/1.27
*) Fix lingering problem where gcache died if left alone for a while. This
appears to be caused by spurious SIGPIPEs on some OSes. [Ben Laurie]
Changes with Apache_SSL 1.3.2/1.26 (never released)
*) Add test to FixPatch to check that patch is up-to-date. [Ben Laurie]
*) Don't export client cert chain with SSLeay before 0.9.0, since it can't
disable session ID caching. [Ben Laurie]
*) Make sure session caching is enabled if certificate export is (at least
until it is no longer needed).
[Ben Laurie, pointed out by Ralf Engelschall]
*) Add new SSLExportClientCertificates option. [Ben Laurie]
*) Default to not exporting client cert chains. [Ben Laurie]
*) Stop Ralf bleating about gcc warnings. [Ben Laurie]
Changes with Apache_SSL 1.3.2/1.25
*) Port to new Apache. [Ben Laurie]
*) Supply client certificate chain in environment as SSL_CLIENT_CERT and
SSL_CLIENT_CERT_CHAIN_1 and so on. Can be disabled if desired in buff.h.
[Ben Laurie]
*) Allow passphrase retries. [Ben Laurie, suggested by Holger Reif]
Changes with Apache_SSL 1.3.1/1.24
*) Cache private keys over restarts. This means you can use passphrases and
survive a restart. It also means that the ugliness with sleep is no longer
required (we can read the private keys on the first pass through the
config file). Of course, having a server autostart still requires you to
have no passphrase. [Ben Laurie]
Changes with Apache-SSL 1.3.1/1.23
*) Rerefix dependencies.
[Ben Laurie, Koga Youichirou <y-koga@jp.FreeBSD.org>]
*) Fix make install a bit more. [Koga Youichirou <y-koga@jp.FreeBSD.org>]
*) Stop irritating people with my EXTRA_CFLAGS. [Ben Laurie]
*) Don't launch gcache until runtime checks have been completed. [Ben Laurie,
reported by Bjoern A. Zeeb <bear@dinx.de>]
Changes with Apache-SSL 1.3.1/1.22
*) Refix dependencies. [Ben Laurie]
Changes with Apache-SSL 1.3.1/1.21
*) Fix dependencies. [Suggested by Ralf S. Engelschall]
*) Add missing copyright notices. [Ralf S. Engelschall]
*) Fix APACI install and apachectl fixup to do httpsd instead of httpd.
Install gcache.
[Koga Youichirou <y-koga@jp.FreeBSD.org>]
*) Eliminate SSLLogFile (all info logged to it now goes to the error log).
Make its use an error (with an explanation). [Ben Laurie]
*) Correct typo when Apache-SSL is shared (bFirst instead of bFirstTime).
[arobertson@phoenix.co.uk]
*) Switch some stuff that really should be on stderr back again. [Ben Laurie]
*) Finally make FREE_SESSION work. I'm still not convinced that there was any
real reason to do it, though. [Ben Laurie]
Changes with Apache-SSL 1.3.1/1.20
*) Log most errors instead of putting them on stderr. [Ben Laurie]
*) Do Apache-SSL on inetd connections.
[Philippe Vanhaesendonck <pvanhaes@be.oracle.com>]
*) Make Apache-SSL the last module again so FakeBasicAuth works. [Ben Laurie]
*) Do a cleanup before starting gcache. [Ben Laurie]
*) Make gcache die when httpsd dies. This failing in previous versions
appears to be a bug in Apache. [Ben Laurie]
*) Document the biz with passphrases and sleep. [Ben Laurie]
*) Include the FixPatch script to fix up paths in SSLpatch. [Andrew Ford
<andrew@icarus.demon.co.uk>]
*) Make a few functions static that weren't but should have been.
[Ben Laurie]
*) Don't use the new version string stuff (but explain why). [Ben Laurie]
*) Don't patch configure (that was a mistake - I'd use --compat if I were you
if you do use configure). [Ben Laurie]
*) Make apachectl control httpsd instead of httpd.
[Koga Youichirou <y-koga@jp.FreeBSD.org>]
*) Get rid of {srm,access}.conf, make a few things in README.SSL clearer.
[Jean Meloche <jean@stat.ubc.ca>]
Changes with Apache-SSL 1.3.0/1.19
*) Close the private key file. [Jean-Hugues ROYER <jhroyer@joher.com>]
*) Mess about with file descriptors to make passphrases work again. They
don't work quite as they used to, however, since they are prompted for
after the server has detached. This means you'll need to follow the server
launch with a long sleep so you don't fight with the shell to enter the
passphrase. [Ben Laurie]
Changes with Apache-SSL 1.3.0/1.18
*) Make numeric SSLCacheServerPort work again. [Ben Laurie]
*) Move gcache launch into the module init function. [Ben Laurie]
*) Remove nasty bFirst kludge - so now modules are initialised twice, just
like in a standard Apache. [Ben Laurie]
*) Failing to provide a CA cert file (SSLCACertificateFile) should no longer
cause a crash. [Ben Laurie]
*) New SSLRequireSSL directive, to forbid non-SSL access to sensitive
directories in case of configuration error. [Ben Laurie, suggested by Rob
Heittman]
*) SSLEnable didn't work. Nor did anything that required inheritance from the
main server. Directives now inherit. WARNING: this may change the
behaviour of your server when upgrading. [Ben Laurie, reported by Adam
Laurie]
Changes with Apache-SSL 1.2.6/1.17
*) Change CHANGES.SSL format to match src/CHANGES. [Ben Laurie]
*) Make gcache only accept connections from localhost, and become the same
user as Apache. [Ben Laurie, suggested by Rick Perry <perry@ece.vill.edu>]
*) Move gcache launch point so it is after logs have been opened, and
arrange for error/diagnostic output to be logged. [Ben Laurie]
*) Add stuff to expand client and server certs field by field for CGI
scripts. [Quinton Dolan <q@fan.net.au>]
*) Stop suexec from filtering HTTPS/SSL environment vars. [Ben Laurie,
suggested by Kristofer Peterson <bepeterson@taconic.net>]
*) Document environment vars in README.SSL. [Ben Laurie]
*) Resolve conflict between SSLeay and crypt.h in mod_auth_msql.c.
[Sean Purdy <sean@cix.co.uk>]
*) Make fixup return DECLINED instead of OK (thus allowing other fixups to
be called). [Jaromir Dolecek <dolecek@ics.muni.cz>]
*) Fix htdigest. [Ben Laurie]
*) Remove unsigned short typedef to keep SGI happy. [Brian S. Wallace
<wallace@wbs.issi.net>]
*) Make Configuration.tmpl more consistent with Configuration. [Ben Laurie]
*) Make SSL optionally optional, which is useful for subrequests.
[Ben Laurie, suggested by Jaromir Dolecek <dolecek@ics.muni.cz>]
*) Make SSLLogFile server root relative. [Ben Laurie, suggested by Matthias
Suencksen <msuencks@marcant.de>]
*) Optionally use Unix domain sockets for the cache server.
[Ben Laurie, Stefano Ravaioli <Stefano.Ravaioli@cineca.it>]
*) Actually use the configured cache expiry time. [Ben Laurie]
*) Don't try to handle a connection to gcache if accept() gets an error.
[Stefano Ravaioli <Stefano.Ravaioli@cineca.it>].
*) Correctly report the SSL version number (format changed, no longer "2" or
"3", now "TLS1", "SSL2" or "SSL3").
[Ben Laurie]
*) Use our own SSLeay configuration file, to ask the right question for CN.
[Holger Reif <Holger.Reif@Prakinf.tu-ilmenau.de>]
1.2.6+1.16 Make it possible to disable session caching.
Support SSLeay 0.9.0.
Make client auth work with session caching (contributed by
Stefano Ravaioli <Stefano.Ravaioli@cineca.it>).
Possibly make gcache more reliable.
Make SSLVerifyClient 3 work. At least with SSLeay 0.9.0.
Give up on support for SSLeay 0.6.x (at least until someone
persuades me otherwise).
1.2.6+1.15 Fix minor security holes (/tmp symlink attacks) (found by
Ondrej Suchy <ondrej@eurexa.cz>).
Port to Apache 1.2.6.
Fix mistake in check_fulluri (contributed by Frank Bernard
<fbernard@apriori.de>).
1.2.5+1.14 mod_imap.c was not correctly translated. Fixed.
Pass on SSL_* to module make.
Add SSL_APP_DIR to make life easier for people who want to use
installed SSLeay.
Add experimental session ID caching.
Add vague explanation of SSLRequiredCiphers and friends.
Add SSLEnable (contributed by Ray Bellis <rpb@community.net.uk>).
1.2.5+1.13 This version was sponsored by Virgin Music Group.
Brought up to date.
Send client the server's CA for client certs [Wojceich Tryc].
Note that this could be made more sophisticated!
1.2.4+1.12 ? [this is the only version that works correctly with 1.2.4]
1.2.4+1.11 Fix bug related to double load of config.
Fix bug in check_fulluri (pointed out by Laurentiu Badea). This
could have caused some strangeness in virtual hosts, I
suppose.
1.2.4+1.10 Fix bug in buff.c causing corruption in large files.
1.2.4+1.9 Brought up to date.
1.?+1.4-8 ?
1.1.1+1.3 Configurable logging was lost in 1.2. Fixed.
':' missing. Fixed.
Now that HTTP and HTTPS are both supported many assumption
about default ports are wrong. Mostly fixed.
1.1.1+1.2 Ported to Apache 1.1.1 (thanks to Nigel Metheringham for an
initial version of this).
Changed version numbering scheme again to conform to HTTP
standards.
Ported to SSLeay 0.6.1. Support still present for 0.5.x.
Added "no CA" client verification mode. This didn't work with
SSLeay 0.5.x and is untested with 0.6.1.
Added new directives SSLRequiredCiphers, SSLRequireCipher,
SSLBanCipher, SSLDisable.
Allowed a single server to serve both HTTP and HTTPS.
Set HTTPS, HTTPS_CIPHER, HTTPS_KEYSIZE, HTTPS_SECRETKEYSIZE and
SSL_CLIENT_DN for CGIs.
1.0.5+1.1 Allow SSLCertificateKeyFile to use an absolute path.
1.0.5+1.0 Ported to Apache 1.0.5 and SSLeay 0.5.2a.
Fixed mod_dir.c stack overrun bug.
Fixed client authentication.
Changed version numbering scheme to de facto standard Apache
derivative numbering (that is <derivative name>/<Apache
version>+<derivative version>).
1.0.3a Ported to Apache 1.0.3 and SSLeay 0.5.1b.
Removed SSL logging from mod_log_common.c. It is now available
only in configurable logs.
Removed duplicate typedef for pool in apache_ssl1.h.
Added "make certificate" to generate a test certificate.
Added per-host control of CA verification path/file.
Inverted this list!
1.0.1a Ported to Apache 1.0.1. This was considerably more troublesome
than expected, so apologies to those who have tried and
failed to apply the 0.8.14 patches to 1.0.x.
A small amount of extra documentation was added to httpd.conf.
Worked around a bug in timeouts in 1.0.1 (pool close functions
weren't used).
Copyright notices updated.
0.8.14h Corrected mod_imap - http: and https: were reversed.
Corrected another reference to http: in util.c, and default
port numbers in util.c, mod_imap.c and httpd.h.
0.8.14g Added configurable logging to mod_log_config.c (another
sameer@c2.org idea).
Removed extra logging from mod_log_common.c (code left behind
in case anyone relies on it, but will be removed
later).
Made mod_imap use https: by default, and recognise https: and
ftp: as valid methods (again, sameer@c2.org).
(Not tested).
0.8.14f szClientX509 was not cleared for a new connection. Fixed.
Put my PGP key in the distribution instead of anyone else who
happens to have "ben" in their name. Ooops!
0.8.14e Removed os_conn_printf(), which was ugly, unused and
unintelligible.
Added "#include <stdarg.h>" to apache_ssl2.h.
Removed os_one_time_init(), also ugly and unused.
Added SSLLogError (suggested by sameer@c2.org), to log errors
to the main error log. Note that many are also logged
in SSLLogFile.
Added remark about patch usage in README.SSL.
0.8.14d Fixed mod_imap.c.
Added SSLLogFile for miscellaneous rubbish produced by SSL.
Added this file, and EXPORT.SSL.
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
d265f71d7fce441fd72dd0a77d0f8893
>
files
>
60
