1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304
|
List of changes
===============
This file contains the running log of changes applied to each released hitch
version.
hitch-1.4.4 (2016-12-22)
------------------------
* OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully
supported with Hitch.
* Fix a bug in the OCSP refresh code that could make it loop with
immediate refreshes flooding an OCSP responder.
* Force the SSL_OP_SINGLE_DH_USE setting. This protects against an
OpenSSL vulnerability where a remote attacker could discover private
DH exponents (CVE-2016-0701).
hitch-1.4.3 (2016-11-14)
------------------------
* OCSP stapling is now enabled by default.
Users should create ocsp-dir (default: /var/lib/hitch/) and make it
writable for the hitch user.
* Build error due to man page generation on FreeBSD (most likely non-Linux)
has been fixed.
hitch-1.4.2 (2016-11-08)
------------------------
* Example configuration file hitch.conf.example has been shortened and
defaults moved into Hitch itself. Default cipher string is now what we
believe to be secure. Users are recommended to use the built-in default
from now on, unless they have special requirements.
* hitch.conf(5) manual has been added.
* Hitch will now send a TLS Close notification during connection teardown.
This fixes an incomplete read with a GnuTLS client when the backend
(thttpd) used EOF to signal end of data, leaving some octets discarded
by gnutls client-side. (Issue 127_)
* Autotools will now detect SO_REUSEPORT availability. (Issue 122_)
* Improved error handling on memory allocation failure.
.. _122: https://github.com/varnish/hitch/issues/122
.. _127: https://github.com/varnish/hitch/issues/127
hitch-1.4.1 (2016-09-23)
------------------------
* Add a new ``tls-protos`` configuration option for specifying the
permitted TLS/SSL protocols. This new option supersedes settings
``ssl`` and ``tls`` which are now deprecated and will be kept for
backwards compatibility.
hitch-1.4.0 (2016-09-12)
------------------------
* Fix a bug in the OCSP request code where it broke if the OCSP
responder required a Host header. (Issue 113_)
* Add support for ECC certificates. (Issue 116_)
.. _113: https://github.com/varnish/hitch/issues/113
.. _116: https://github.com/varnish/hitch/issues/116
hitch-1.4.0-beta1 (2016-08-26)
------------------------------
* NPN/ALPN support for negotiating a protocol in the SSL
handshake. This lets you use Hitch for terminating TLS in front of
an HTTP/2 capable backend. For ALPN, OpenSSL 1.0.2 is needed, while
NPN requires OpenSSL 1.0.1.
* Expanded PROXY protocol support for communicating an ALPN/NPN
negotiated protocol to the backend. Hitch will now include the
ALPN/NPN protocol that was selected during the handshake as part of
the PROXYv2 header.
hitch-1.3.1 (2016-08-16)
------------------------
* Fixes a bug in the autotools configuration which led to man pages not being built.
hitch-1.3.0 (2016-08-16)
------------------------
* Fix a bug where we crashed in the OCSP handling if there was no
default SSLCTX configured.
* Minor documentation fix.
hitch-1.3.0-beta3 (2016-07-26)
------------------------------
* Fully automated retrieval and refreshes of OCSP responses (see
configuration.md for details).
* New parameters ``ocsp-dir``, ``ocsp-resp-tmo`` and ``ocsp-connect-tmo``.
* Cleanup of various log messages.
* Verification of OCSP staples. Enabled by setting
``ocsp-verify-staple = on``.
* Make rst2man an optional requirement (Issue 93_). Thanks to Barry Allard.
* Avoid stapling expired OCSP responses.
* A few fixes to the shared cache updating code. Thanks to Piyush Dewnani.
.. _93: https://github.com/varnish/hitch/issues/93
hitch-1.3.0-beta2 (2016-05-31)
------------------------------
* Options given on the command line now take presedence over
configuration file settings. I.e. there is no longer a need to
specify ``--config`` first to get this behavior.
* Config file regression: "yes" and "no" are now accepted by the
config file parser as boolean values.
* Documentation improvements and spelling fixes.
* Various minor autotools build fixes.
hitch-1.3.0-beta1 (2016-05-11)
------------------------------
* Support for OCSP stapling (see configuration.md for details)
* Initialize OpenSSL locking callback if an engine is loaded. Some SSL
accelerator cards have their custom SSL engine running in a
multithreaded context. For these to work correctly, Hitch needs to
initialize a set of mutexes utilized by the OpenSSL library.
* Issue 82_: A mistake in the SNI lookup code caused us to inspect the wrong
list when looking for wildcard certificate matches.
.. _82: https://github.com/varnish/hitch/issues/82
hitch-1.2.0 (2016-04-19)
------------------------
* Fixes two minor leaks discovered by Coverity
* Issue 72_: Fix a error handling for command line --frontend option.
* Various autotools improvements
* Parallel make check
.. _72: https://github.com/varnish/hitch/issues/72
hitch-1.2.0-beta1 (2016-02-25)
------------------------------
* Expanded configuration file format to permit settings various
options at a more granular level.
* The following options can now be set on a per-frontend basis:
``pem-file``, ``ssl``, ``tls``, ``ciphers``,
``prefer-server-ciphers``, ``sni-nomatch-abort``
* Added options ``host`` and ``port`` for specifying the listening
endpoint in a ``frontend`` block.
* Added option ``match-global-certs`` (available in a ``frontend``
declaration)
hitch-1.1.1 (2016-01-26)
------------------------
* Remove compiler warning on FreeBSD.
* Fix fatal build error for manpage on FreeBSD.
* Issue 55_: Fix a bug which caused the Hitch worker threads to sometimes
hit an assert after a configuration reload.
* Issue 57_: Slightly reorganize assertion handling.
* Issue 52_: Fix a bug where we would crash on --help.
* Various minor documentation changes.
.. _57: https://github.com/varnish/hitch/issues/57
.. _55: https://github.com/varnish/hitch/issues/55
.. _52: https://github.com/varnish/hitch/issues/52
hitch-1.1.0 (2015-11-20)
------------------------
* Avoid leaking memory if failing to create an SSL context. (Coverity)
* Fix possible memory leak in create_listen_sock(). (Coverity)
hitch-1.1.0-beta1 (2015-11-06)
------------------------------
* [dist] init.hitch file has been removed, CHANGES.rst is now distributed.
* [configure] session cache support can now be enabled. (default off)
* Fixes an off-by-one bug that broke wildcard certificate matching.
* Set the IPV6_V6ONLY socket option for IPv6 listen sockets in order
to avoid conflicts between INADDR_ANY and IN6ADDR_ANY.
* Uninterrupted configuration reload of PEM files and frontend listen
endpoints.
* Priv-sep: To permit configuration reloads, privileges are now
dropped in the child processes, and elevated privileges are retained
in the management process.
* Various error messages are now rewritten to be more specific about
what went wrong.
* A warning is issued if multiple certificates contain identical
server name entries.
* Initialize ECDH also for certificates without DH parameters (patch
from Fedor Indutny).
hitch-1.0.1 (2015-10-15)
------------------------
* Fix configuration parsing bug skipping short values, typically "workers = 1".
* Tarball now contains an example configuration file.
hitch-1.0.0 (2015-10-07)
------------------------
* A hash table is now used for faster SNI lookups.
* Hitch binary has been renamed back to `hitch`, previously `hitch-openssl`.
* Man page is updated.
hitch-1.0.0-beta5 (2015-08-17)
------------------------------
* Issue 37_: Fixes a bug related to a varargs buffer that was consumed twice
with syslog logging enabled.
* --default-config retired and replaced by shipping a sample configuration file.
* Use accept4() where supported.
* --write-proxy now defaults to PROXY v2. This is a BREAKING CHANGE if PROXY1
is used. For PROXY v1, use --write-proxy-v1 explicitly.
* Various minor error handling fixes.
.. _37: https://github.com/varnish/hitch/issues/37
hitch 1.0.0-beta4 (2015-07-08)
------------------------------
In general beta4 contains fixes to problems found with Coverity. These
were all of minor character, but were fixed for completeness.
Source code has been reindented from 3-4 different formatting
styles to FreeBSD style.
hitch 1.0.0-beta3 (2015-06-18)
------------------------------
* Drop supplementary groups when doing setgid(). (Issue 31_)
* Add --sni-nomatch-abort which abort connections on unknown SNI server
name. (useful for avoiding certificate warnings in clients attempting
probabilistic TLS upgrades)
* Remove cosmetic NULL-check before free(). (Issue 26_)
* Avoid segfault when testing configuration with -t. (Issue 22_)
* Minor helptext changes.
.. _31: https://github.com/varnish/hitch/issues/31
.. _26: https://github.com/varnish/hitch/issues/26
.. _22: https://github.com/varnish/hitch/issues/22
hitch 1.0.0-beta2 (2015-05-22)
------------------------------
* New --pidfile argument.
* Fixed bug in certificate ordering, avoiding wrong cert being provided when
running on dualstack servers. (found by test framework!)
* Rudimentary test framework implemented.
* Init script updates provided by Denis Brækhus.
* FreeBSD installation instructions added. (contributed by Ryan Steinmetz)
* autoconf configuration updated to work on EL6.
* Some forgotten references to stud were updated.
hitch 1.0.0-beta1 (2015-05-13)
------------------------------
Hitch 1.0.0-beta1 is based on stud 0.3.2. A selected set of public patches from
github forks were applied.
Notable changes:
* TLS v1.0, TLS v1.1 and TLS v1.2 support.
* Support for SNI added.
* Support PROXYv1 and PROXYv2 protocol to origin.
* Multiple listening sockets with possibly different default key/certificate.
* Wildcard certificates are supported. (with and without SNI.)
* SSL3.0 must now be enabled explicitly.
Various minor and stylistic fixed issues:
* Properly clean SSL error queue.
* Do not segfault if backend is not ready.
* Logging now knows about IPv6.
* IPv6 adresses should now use bracketed notation.
* Additional timeouts for backend connect and SSL handshake added.
* autoconf/automake is now used for building hitch.
|