
0.12.0

@airtower-luna airtower-luna released this 14 Aug 12:05
· 58 commits to main since this release
mod_gnutls/0.12.0
b6ce8ad

Changelog since version 0.11.0:

  • Three fixes that make mod_gnutls compatible with the Let's Encrypt OCSP responder for OCSP stapling (see #4):

    1. Support OCSP responses that are signed directly with the private key of the CA and do not embed a signer certificate.

    2. If the path part of the OCSP URI provided in the certificate is empty, use "/".

    3. Use SHA1 for issuer name hash and issuer key hash in OCSP requests. Support for that is required by RFC 5019 and referenced in CAB Forum Baseline Requirements, too. This particular hash doesn't need to be cryptographically secure.

  • Remove insecure algorithms that are still included in the GnuTLS priority set "NORMAL" from the default priorities: plain RSA key exchange, TLS 1.0, and TLS 1.1.

  • Fix virtual host references when retrieving OCSP responses for stapling (see #5).

  • Share server instances between tests that use the same server configuration, where reasonably possible. Starting/stopping server instances is the slowest part of the tests, so this is a nice performance improvement. The Automake test harness now reports fewer tests, but some include a lot more client connections and requests to keep coverage at least as good as before.

  • Various improvements to tests and logging infrastructure.
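
OCSP fixes 2 and 3 above, sketched as an added Python example (not mod_gnutls code, which is written in C): it defaults an empty responder path to "/" and builds the DER `CertID` of an OCSP request with SHA-1 issuer hashes. The helper names, the responder host `ocsp.example.test`, and the sample issuer name, key bytes and serial are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# AlgorithmIdentifier { id-sha1 (1.3.14.3.2.26), NULL parameters }, DER-encoded
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_integer(value):
    """DER INTEGER for a non-negative serial; the extra zero byte keeps it positive."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def cert_id_sha1(issuer_name_der, issuer_key_bits, serial):
    """CertID (RFC 6960, section 4.1.1) using SHA-1 for both issuer hashes."""
    name_hash = hashlib.sha1(issuer_name_der).digest()  # over the issuer DN in DER
    key_hash = hashlib.sha1(issuer_key_bits).digest()   # over the key BIT STRING contents
    return der(0x30, SHA1_ALG_ID + der(0x04, name_hash)
               + der(0x04, key_hash) + der_integer(serial))

def request_target(ocsp_uri):
    """Split an OCSP responder URI into (host, path); an empty path becomes "/"."""
    parts = urlsplit(ocsp_uri)
    return parts.netloc, parts.path or "/"

# Constructed sample input: a Name with CN=Example CA, placeholder key bytes
# (not a real key), and a made-up serial number and responder host.
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30,
    bytes.fromhex("0603550403") + der(0x0C, b"Example CA"))))
SAMPLE_ISSUER_KEY = bytes(range(32))
SAMPLE_SERIAL = 0x1234

if __name__ == "__main__":
    host, path = request_target("http://ocsp.example.test")
    print("responder host:", host, "request path:", path)
    print(cert_id_sha1(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL).hex())
```

The SHA-1 digests here only select which issuer the responder should answer for; the response itself is still authenticated by its signature.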