Version 1.5.10
--------------
Improvement/Bugfix:
- Adapt code for OpenSSL-1.1 API changes
Version 1.5.9
-------------
Bugfix:
- Fix minor memleak introduced in 1.5.8
Improvements:
- Log whether a proxy is a VOMS proxy
Version 1.5.8
-------------
Bugfix:
- Only set EXFLAG_PROXY for actual proxy certificates to work around an
OpenSSL bug which leads to a spurious "unable to get local issuer
certificate" error when verifying end-entity certificates signed by a CA not
containing Digital Signature.
Improvements:
- Log signature algorithm and warn in case it is MD5 (or older).
- Log key strength for proxy certificates on info instead of debug.
- Log key strength (as info or warning) for all certs. EEC/CA min. 2048,
proxies min. 1024.
- verify-proxy-tool has extra option -t|--atnotbefore to verify the chain at
the notBefore time (actually 5min afterwards)
Version 1.5.7
-------------
Bugfix:
- Unknown policy language (=restricted) proxies were classified as limited.
- Legacy proxies with empty subject were not properly recognized.
Improvements:
- In case of verification failure, log the depth and DN of the failed cert.
- Full support incl. pathlength constraint checks also for (deprecated) GT3
proxies. Also includes failing on proxies with both RFC and GT3 extensions.
- Also classify independent (1.3.6.1.5.5.7.21.2), any language
(1.3.6.1.5.5.7.21.0) and restricted (i.e. unknown policy language OID)
proxies. Log the OID for the restricted one as a warning.
- Logging was suboptimal:
* too many lines on LOG_INFO, replaced with fewer, more informative lines.
* on older OpenSSL versions, the error stack would not be printed correctly.
* some parts were printed incorrectly (double, or with extra newlines).
* prevent going through full-chain checks more than once (it was done once
for each error at level 0)
- Numerous internal improvements, incl. memory leaks.
- Build commandline tool, renamed to verify-proxy-tool, including simple
man-page.
Version 1.5.6
-------------
Bugfix:
- Fix memory bug introduced in the serial number printing code in 1.5.5.
Improvement:
- Add better support for (default) CA certificate directory: can now also
specify -capath (or --capath). When unset as commandline arg, look at
$X509_CERT_DIR (e.g. from gLExec and/or LCMAPS) or ultimately at
/etc/grid-security/certificates.
- fix remaining compiler warnings
Version 1.5.5
-------------
- Extensive internal reorganisation and cleanup
- Split off the grid-proxy-verify util, it's effectively reproduced by the
tool in verify-lib
- Minor bugfixes:
* TTL proxy lifetime checks did not fail on expired proxy (but should)
* non-LCMAPS mode did not compile
* TTL for proxy was logged in the wrong place (before it was determined)
* don't link against libssl, only against libcrypto
- Minor improvements:
* handle and log errors correctly.
* log reason for ignored errors such as missing CRL.
* log info messages from verify lib to LOG_INFO instead of LOG_DEBUG.
* warn if the keystrength is less than 1024
Version 1.5.4
-------------
- Added the option --disallow-limited-proxy on request by Igor Sfiligoi to be
able to disallow limited proxies. The man page is updated with this
inclusion.
- Added full support for RFC and GT3 proxies. Properly detecting the proxy
types, including limited proxies is now fully supported. RESTRICTED and
INDEPENDENT in (pre-)RFC proxies WILL be treated as an IMPERSONATION proxy
type, which is the default.
- Malformed certificate chains (CA -> EEC -> RFC -> GT3 -> RFC -> ...) were
tolerated in previous versions because the detection was not fully
complete. It is now tested to be fully compliant and we can safely enable
strict certificate chain checking.
Version 1.5.3
-------------
- Brian Bockelman reported a verification failure when a certificate chain
contains at least two limited proxies. This version exclusively fixes this
problem.
- The add-on verification routines to semantically check the certificate
chain were not launched when the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error
was set. Only OpenSSL versions older than 0.9.8 would have this #ifdef
enabled.
- OpenSSL casts an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED where it doesn't
make sense as the test used a non-RFC3820 proxy. OpenSSL is not capable of
extracting a path length constraint out of non-RFC proxy. OpenSSL also
tagged all certificates in the chain to be showing the
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error. The add-on evaluator performs
a proper check to compensate.
- The add-on verification routines did not take limited proxies into account.
This mistake was gracefully neglected, because proxy chains with only one
Limited proxy at the end were perfectly tolerated. A double limited proxy or
proxy certificate chain with at least two (or more) Limited proxy
delegations of the RFC3820 and old-style proxy type would fail the
verification with the previously mentioned anomalies.
- The first delegation can now be a GT2/old-style Limited proxy.
- See BUGS for the known bugs and caveats.
Version 1.5.2
-------------
- An internally restructured verify-proxy plugin fixing several memory
handling problems. It solved several memory leakages and quite a lot of
potential segmentation fault situations.
There should be no noticeable change, besides the lowered memory leakage
and proper checking.
Version 1.5.1
-------------
No report
Version 1.5.0
-------------
- Changing the log messages to match the logging method used in LCMAPS
version 1.5.0, which will be using the Syslog native log priority/levels.
- The plugin will fail to initialize when the configured -cadir or -certdir
directory does not exist. This was a run-time error.
- Fixed the ability to use the plugin for life-time checking from a GT4 or
GT5 service. The requirement for a private key MUST be explicitly disabled
with either the configuration of "--only-enforce-lifetime-checks" or
"--discard_private_key_absence". The internally used environment variable
$VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
"--discard_private_key_absence". The environment variable can be
countered/muted by "--never_discard_private_key_absence".
- New feature to be able to REQUIRE the final certificate in a chain to be a
LIMITED proxy. Enable the option "--require-limited-proxy" to enforce
this.
This version DOES NOT WORK with RFC3820 limited proxy. This will be added
in an update.
- Man page is now packaged with the source.
Version 1.4.12
--------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now properly and reliably
distinguishes RFC 3820 and old-style certificates. A wrongly constructed
chain is a rare occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.
The certificate rejection is only triggered when the following #define is
enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated
as a warning only seen on a verbose loglevel.
Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.
A bunch of useless debugging messages are no longer visible in the log file.
They can be revived when you upgrade the loglevel for more verbosity.
Version 1.4.11
--------------
Implemented my own Path Length Constraint check that is capable of checking
both the Path Length Constraint in CA certificates and RFC proxy certificates.
Fixing GGUS ticket 67040 - https://ggus.eu/ws/ticket_info.php?ticket=67040
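
Added example, not the plugin's own code: a simplified model of the chain
checks described in the 1.4.11, 1.4.12 and 1.5.4 entries (certificate order,
no mixing of proxy flavours, path length constraints for CAs and proxies).
All type and function names are hypothetical, and rejecting every mix of
proxy flavours is an assumption of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; all names here are hypothetical, not the plugin's. */
enum kind   { K_CA, K_EEC, K_GT2, K_GT3, K_RFC };
enum result { CHAIN_OK, ERR_ORDER, ERR_MIXED_PROXY, ERR_PATHLEN };
struct cert { enum kind kind; int pathlen; };   /* pathlen -1 = absent */

/* Spend one level of a remaining-depth budget (-1 = unlimited), then
 * tighten it with the certificate's own constraint. 0 = budget exhausted. */
static int step(int *budget, int own)
{
    if (*budget == 0) return 0;
    if (*budget > 0) (*budget)--;
    if (own >= 0 && (*budget < 0 || own < *budget)) *budget = own;
    return 1;
}

/* chain[0] is the root CA, chain[n-1] the last delegation. */
enum result check_chain(const struct cert *chain, size_t n)
{
    int seen_eec = 0, ca_budget = -1, px_budget = -1;
    enum kind flavour = K_CA;            /* K_CA = no proxy seen yet */
    size_t i;

    for (i = 0; i < n; i++) {
        const struct cert *c = &chain[i];
        if (c->kind == K_CA) {
            if (seen_eec) return ERR_ORDER;        /* CA below the EEC */
            if (!step(&ca_budget, c->pathlen)) return ERR_PATHLEN;
        } else if (c->kind == K_EEC) {
            if (seen_eec) return ERR_ORDER;        /* second EEC */
            seen_eec = 1;   /* EEC and proxies do not spend ca_budget */
        } else {
            if (!seen_eec) return ERR_ORDER;       /* proxy without an EEC */
            if (flavour != K_CA && c->kind != flavour) return ERR_MIXED_PROXY;
            flavour = c->kind;
            if (!step(&px_budget, c->pathlen)) return ERR_PATHLEN;
        }
    }
    return seen_eec ? CHAIN_OK : ERR_ORDER;
}

int main(void)
{
    /* Constructed chain from the 1.5.4 entry: CA -> EEC -> RFC -> GT3 -> RFC */
    struct cert bad[] = {{K_CA,-1},{K_EEC,-1},{K_RFC,-1},{K_GT3,-1},{K_RFC,-1}};
    printf("%d\n", (int)check_chain(bad, 5));
    return 0;
}
```
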
Version: 1.4.10
---------------
Plugin lcmaps-plugins-verify-proxy:
- Fixing path length constraint problem for TERENA eScience Personal CA users.
Version: 1.4.9
--------------
Plugin lcmaps-plugins-verify-proxy:
- Fixed the Proxy Life Time Policy enforcement functionality.
- Fixed the VOMS Life Time Policy enforcement functionality.
- To cope with Subordinate CAs we have to extend the verification depth to be
able to hold the certificate chain (could contain a lot of delegations) and
all the CA certificates, which might not be added to the certificate chain
itself but would still be lingering in the X509 CA directory lookup
functions. OpenSSL uses a default depth of 9.
Resurrected an option with a different name:
--only-enforce-lifetime-checks
When this option is set the verification routines are skipped to enforce the
proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools
like GridFTPd and the Gatekeeper as they already perform full authentication on
the SSL layer. In gLExec this plug-in MUST run in full mode.
Generic to all components
-------------------------
- adjusted to be able to use EPEL, EMI and gLite packages and system native
library installations
- cleanup of unused files and support for distribution tarball.
- provide pkg-config files
- All LCMAPS public header files are in ${includeDir}/lcmaps/*.h