Update security/hitch to 1.4.6.
hitch-1.4.6 (2017-06-06)
- Fix a problem that broke mock-based builds for el6/el7
hitch-1.4.5 (2017-05-31)
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per
handshake
- Fix a bug where we ended up leaking a zombie process on reload
- Fix a bug where the management process could not find its
configuration files after a reload when chroot was configured
- Output the offending line on a configuration file parsing error
- Fix build for non-C99/C11 compilers
- Fix the shared cache code to make it work also with OpenSSL 1.1.0
- Fix an unchecked loop situation that could occur when running with
shared cache enabled
- Various autotools configuration fixes
- A few minor doc fixes
hitch-1.4.4 (2016-12-22)
------------------------
- OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully
supported with Hitch.
- Fix a bug in the OCSP refresh code that could make it loop with
immediate refreshes flooding an OCSP responder.
- Force the SSL_OP_SINGLE_DH_USE setting. This protects against an
OpenSSL vulnerability where a remote attacker could discover private
DH exponents (CVE-2016-0701).
hitch-1.4.3 (2016-11-14)
------------------------
- OCSP stapling is now enabled by default.
Users should create ocsp-dir (default: /var/lib/hitch/) and make it
writable for the hitch user.
- Build error due to man page generation on FreeBSD (most likely non-Linux)
has been fixed.
hitch-1.4.2 (2016-11-08)
------------------------
- Example configuration file hitch.conf.example has been shortened and
defaults moved into Hitch itself. Default cipher string is now what we
believe to be secure. Users are recommended to use the built-in default
from now on, unless they have special requirements.
- hitch.conf(5) manual has been added.
- Hitch will now send a TLS Close notification during connection teardown.
This fixes an incomplete read with a GnuTLS client when the backend
(thttpd) used EOF to signal end of data, leaving some octets discarded
by gnutls client-side. (Issue 127_)
- Autotools will now detect SO_REUSEPORT availability. (Issue 122_)
- Improved error handling on memory allocation failure.
- Add a new tls-protos configuration option for specifying the
permitted TLS/SSL protocols. This new option supersedes settings
ssl and tls which are now deprecated and will be kept for
backwards compatibility.
hitch-1.4.0 (2016-09-12)
- Fix a bug in the OCSP request code where it broke if the OCSP
responder required a Host header. (#113)
- Add support for ECC certificates (#116).
hitch-1.4.0-beta1 (2016-08-26)
- NPN/ALPN support for negotiating a protocol in the SSL handshake.
This lets you use Hitch for terminating TLS in front of an HTTP/2
capable backend. For ALPN, OpenSSL 1.0.2 is needed, while NPN
requires OpenSSL 1.0.1.
- Expanded PROXY protocol support for communicating an ALPN/NPN
negotiated protocol to the backend. Hitch will now include the
ALPN/NPN protocol that was selected during the handshake as part
of the PROXYv2 header.
hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man
pages not being built.
hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no
default SSLCTX configured.
- Minor documentation fix.
hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see
configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting
ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry
Allard.
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush
Dewnani
hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take presedence over
configuration file settings. I.e. there is no longer a need to
specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the
config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.
hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some
SSL accelerator cards have their custom SSL engine running in a
multithreaded context. For these to work correctly, Hitch needs
to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the
wrong list when looking for wildcard certificate matches.
