Pkgsrc changes:
* The hosting of radsecproxy has changed to github.com.
* Add dependency on nettle.
* Update LICENSE, now only modified-bsd.
* Use gmake to build to avoid a couple of warnings.
* Relinquish exclusive maintainership.
Upstream changes:
20190704 1.8.0
New features:
- Rewrite: supplement attribute (add attribute if not present) (#19)
- Rewrite: modify vendor attribute
- Rewrite whitelist mode
- Autodetect status-server capability of servers
- Minimalistic status-server
- Explicit SubjectAltName:DNS and :IP match on certificates
Misc:
- No longer require docbook2x tools, but include plain manpages
- Fail on startup if overlapping clients with different tls blocks
Compile fixes:
- Fix compile issues on bsd
Bug fixes:
- Handle %00 in config correctly (#31)
- Fix server selection when udp were unreachable for long periods
2018-09-03 1.7.2
Misc:
- Always copy proxy-state attributes in own responses
- Authenticate own access-reject responses
- Retry outstanding requests after connection reset
Compile fixes:
- Fix compile issues on some platforms (#14)
- Fix compile issue when dtls disabled (#16)
- Fix compile issue on Cygwin (#18)
- Fix radsecproxy.conf manpage not installed when docbook2x
not available
Bug fixes:
- Fix request might be dropped if udp client uses multiple source ports
- Fix tls output might drop requests under high load
- Check for IP literals in Certificate SubjectAltName:DNS records
- Fix tls connection might hang during SSL_connect and SSL_accept
2018-07-05 1.7.1
License and copyright changes:
- Copyright SWITCH
- 3-clause BSD license only, no GPL.
Enhancements:
- Support the use of OpenSSL version 1.1 and 1.0 series
(RADSECPROXY-66, RADSECPROXY-74).
- Reload TLS certificate CRLs on SIGHUP (RADSECPROXY-78).
- Make use of SO_KEEPALIVE for tcp sockets (RADSECPROXY-12).
- Optionally include the thread-id in log messages
- Allow hashing MAC addresses in the log (same as for F-Ticks)
- Log certificate subject if rejected
- Log own responses (RADSECPROXY-61)
- Allow f-ticks prefix to be configured
- radsecproxy-hash: allow MAC addresses to be passed on command line
Misc:
- libnettle is now an unconditional dependency.
- FTicks support is now on by default and not optional.
- Experimental code for dynamic discovery has been removed.
- Replace several server status bits with a single state enum.
(RADSECPROXY-71)
- Use poll instead of select to allow > 1000 concurrent connections.
- Implement locking for all SSL objects (openssl states it
is not thread-safe)
- Rework DTLS code.
Bug fixes:
- Detect the presence of docbook2x-man correctly.
- Make clang less unhappy.
- Don't use a smaller pthread stack size than what's allowed.
- Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
- Don't forget about good dynamically discovered (TLS) connections
(RADSECPROXY-69).
- Fix refcounting in error cases when loading configuration
(RADSECPROXY-42)
- Fix potential crash when rewriting malformed vendor attributes.
- Properly cleanup expired requests from server output-queue.
- Fix crash when dynamic discovered server doesn't resolve.
Pkgsrc changes:
* The hosting of radsecproxy has changed to nordu.net.
Upstream changes:
2017-08-02 1.6.9
Misc:
- Use a listen(2) backlog of 128 (RADSECPROXY-72).
Bug fixes:
- Don't follow NULL the pointer at debug level 5 (RADSECPROXY-68).
- Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
- Tie Access-Request log lines to response log lines (RADSECPROXY-60).
- Fix a couple of memory leaks and NULL ptr derefs in error cases.
- Take lock on realm refcount before updating it (RADSECPROXY-77).
2016-09-21 1.6.8
Bug fixes:
- Stop waiting on writable when reading a TCP socket.
- Stomp less on the memory of other threads (RADSECPROXY-64).
2016-03-14 1.6.7
Enhancements (security):
- Negotiate TLS1.1, TLS1.2 and DTLS1.2 when possible, client and
server side. Fixes RADSECPROXY-62.
Enhancements:
- Build HTML documentation properly.
