This file contains the running log of changes applied to each released hitch version.
- Fix an issue in our PROXYv2 handling that caused us to sometimes transmit a wrong 'verify' status code for client certificate validation.
- Fix build for OpenSSL without NPN/ALPN support. Thanks to Wataru Ashihara.
- Added support for client certificate validation. This is specified via the new client-verify and client-verify-ca configuration settings. See hitch.conf(5) for more details.
- Added support for a few PROXY properties for client certificate validation. When Hitch is used alongside Varnish, one may make use of vmod-proxy's proxy.client_has_cert_sess(), proxy.ssl_verify_result() and proxy.client_has_cert_conn().
- TLSv1.3 cipher suites can now be configured via the ciphersuites configuration file setting.
- Added ecdh-curve configuration file setting for specifying the list of supported TLS curves.
- Default log-level is now set to 1, making Hitch slightly more chatty by default.
- Fixed a bug related to session resumption with client certificate verification enabled, where some clients would fail resumption with a "session id context uninitialized" error message.
- Fixed a very minor memory leak, and a few other minor code cleanups.
- Various minor documentation fixes
- Fix a bug related to session resumption with client certificate verification enabled, where some clients would fail resumption with a "session id context uninitialized" error message.
- Added support for a few PROXY properties for client certificate validation. When Hitch is used alongside Varnish, one may make use of vmod-proxy's proxy.client_has_cert_sess(), proxy.ssl_verify_result() and proxy.client_has_cert_conn().
- TLSv1.3 cipher suites can now be configured via the ciphersuites configuration file setting.
- Added ecdh-curve configuration file setting for specifying the list of supported TLS curves.
- Default log-level is now set to 1, making Hitch slightly more chatty by default.
- Added support for client certificate validation. This is specified via the new client-verify and client-verify-ca configuration settings. See hitch.conf(5) for more details.
- Fixed a very minor memory leak, and a few other minor code cleanups.
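An added hitch.conf fragment (written for this changelog, not taken from the project's own documentation) that puts a legacy configuration using the since-deprecated ssl, tls and quiet keys beside one using the settings named in the entries above: tls-protos, log-level, client-verify and client-verify-ca, ciphersuites, ecdh-curve, pem-dir, ocsp-dir and proxy-tlv. All file paths are placeholders, and the value keywords for client-verify ("required") and the write-proxy-v2 key are assumed from hitch.conf(5) rather than stated in this changelog.

```ini
# --- Legacy hitch.conf: works but relies on deprecated settings ---
frontend = "[*]:443"
backend  = "[127.0.0.1]:8080"
pem-file = "/etc/hitch/example.pem"      # placeholder path
ssl   = off                              # deprecated: superseded by tls-protos
tls   = on                               # deprecated: superseded by tls-protos
quiet = off                              # deprecated: superseded by log-level

# --- Current hitch.conf: same role, using the newer settings ---
frontend = {
    host = "*"                           # listening endpoint set inside a frontend block
    port = "443"
}
backend = "/run/hitch/backend.sock"      # backend as a UNIX domain socket (placeholder path)
pem-dir = "/etc/hitch/certs/"            # load every certificate in the directory
tls-protos = TLSv1.2 TLSv1.3             # explicit list; TLSv1.1 is not in the default any more
ciphersuites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"   # TLSv1.3 suites
ecdh-curve = "X25519:prime256v1"         # supported TLS curves
client-verify = required                 # assumed keyword; see hitch.conf(5)
client-verify-ca = "/etc/hitch/client-ca.pem"   # placeholder path to the client CA bundle
ocsp-dir = "/var/lib/hitch/"             # must be writable by the hitch user
ocsp-verify-staple = on
log-level = 1                            # the current default
write-proxy-v2 = on                      # assumed key name; PROXYv2 to the backend
proxy-tlv = on                           # cipher/protocol (and ALPN) reported in the PROXYv2 header
```

Run hitch -t against the file to have the parser report the offending line of any setting it no longer accepts before reloading a live instance.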
- Fix a problem introduced in the previous release that prevented us from running as a non-privileged user (Issue: 322).
- Support for TCP Fast Open. It is disabled by default (Issue: 185)
- Various code cleanups and minor bug fixes.
- Support for UNIX domain socket connections. A backend endpoint can now be specified as a UNIX domain socket, via backend = "/path/to/socket".
- New configuration file settings pem-dir and pem-dir-glob. pem-dir can be used to specify a directory for loading certificates, without specifying each file individually.
- Support for TLS 1.3. Thanks to Lasse Karstensen.
- Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
- Add log-level. This supersedes the previous quiet setting, which is now deprecated.
- Add proxy-tlv. This enables extra reporting of cipher and protocol as part of the PROXYv2 protocol.
- Drop TLSv1.1 from the default TLS protocols list.
- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged user.
- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in the test suite, switch from sockstat(1) to fstat(1) (Issue: 234)
- Add an OCSP refresh timeout parameter (Issue: 229)
- Autotools polish (Issue: 231)
- Random usage of config section if redundant (Issue: 192)
- Support for separate key files (Issue: 65)
- Fix logging to syslog even when set to syslog = off (Issue: 187)
- Making log-filename, recv-bufsize and send-bufsize parameters available through command line and config file.
- Fix: global backaddr is assumed to be static (Issue: 84)
- Add support for session-cache in config file and as cmdline option (Issue: 166)
- Plug file descriptor leak: killing worker processes would leave the pipe's write end open, leaking one file descriptor per worker upon reload (Issue: 193)
- Fix a problem that broke mock-based builds for el6/el7 (Issue 181)
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per handshake (Issue 155)
- Fix a bug where we ended up leaking a zombie process on reload (Issue 167). Thank you to @dward
- Fix a bug where the management process could not find its configuration files after a reload when chroot was configured (Issue 176)
- Output the offending line on a configuration file parsing error
- Fix build for non-C99/C11 compilers (Issue 173)
- Fix the shared cache code to make it work also with OpenSSL 1.1.0
- Fix an unchecked loop situation that could occur when running with shared cache enabled (Issue 152)
- Various autotools configuration fixes
- A few minor doc fixes
- OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch.
- Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder.
- Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701).
- OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user.
- Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed.
- Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements.
- hitch.conf(5) manual has been added.
- Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127)
- Autotools will now detect SO_REUSEPORT availability. (Issue 122)
- Improved error handling on memory allocation failure.
- Add a new tls-protos configuration option for specifying the permitted TLS/SSL protocols. This new option supersedes settings ssl and tls, which are now deprecated and will be kept for backwards compatibility.
- Fix a bug in the OCSP request code where it broke if the OCSP responder required a Host header. (Issue 113)
- Add support for ECC certificates. (Issue 116)
- NPN/ALPN support for negotiating a protocol in the SSL handshake. This lets you use Hitch for terminating TLS in front of an HTTP/2 capable backend. For ALPN, OpenSSL 1.0.2 is needed, while NPN requires OpenSSL 1.0.1.
- Expanded PROXY protocol support for communicating an ALPN/NPN negotiated protocol to the backend. Hitch will now include the ALPN/NPN protocol that was selected during the handshake as part of the PROXYv2 header.
- Fixes a bug in the autotools configuration which led to man pages not being built.
- Fix a bug where we crashed in the OCSP handling if there was no default SSLCTX configured.
- Minor documentation fix.
- Fully automated retrieval and refreshes of OCSP responses (see configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting ocsp-verify-staple = on.
- Make rst2man an optional requirement (Issue 93). Thanks to Barry Allard.
- Avoid stapling expired OCSP responses.
- A few fixes to the shared cache updating code. Thanks to Piyush Dewnani.
- Options given on the command line now take precedence over configuration file settings. I.e. there is no longer a need to specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some SSL accelerator cards have their custom SSL engine running in a multithreaded context. For these to work correctly, Hitch needs to initialize a set of mutexes utilized by the OpenSSL library.
- Issue 82: A mistake in the SNI lookup code caused us to inspect the wrong list when looking for wildcard certificate matches.
- Fixes two minor leaks discovered by Coverity
- Issue 72: Fix error handling for the command line --frontend option.
- Various autotools improvements
- Parallel make check
- Expanded configuration file format to permit setting various options at a more granular level.
- The following options can now be set on a per-frontend basis: pem-file, ssl, tls, ciphers, prefer-server-ciphers, sni-nomatch-abort
- Added options host and port for specifying the listening endpoint in a frontend block.
- Added option match-global-certs (available in a frontend declaration)
- Remove compiler warning on FreeBSD.
- Fix fatal build error for manpage on FreeBSD.
- Issue 55: Fix a bug which caused the Hitch worker threads to sometimes hit an assert after a configuration reload.
- Issue 57: Slightly reorganize assertion handling.
- Issue 52: Fix a bug where we would crash on --help.
- Various minor documentation changes.
- Avoid leaking memory if failing to create an SSL context. (Coverity)
- Fix possible memory leak in create_listen_sock(). (Coverity)
- [dist] init.hitch file has been removed, CHANGES.rst is now distributed.
- [configure] session cache support can now be enabled. (default off)
- Fixes an off-by-one bug that broke wildcard certificate matching.
- Set the IPV6_V6ONLY socket option for IPv6 listen sockets in order to avoid conflicts between INADDR_ANY and IN6ADDR_ANY.
- Uninterrupted configuration reload of PEM files and frontend listen endpoints.
- Priv-sep: To permit configuration reloads, privileges are now dropped in the child processes, and elevated privileges are retained in the management process.
- Various error messages are now rewritten to be more specific about what went wrong.
- A warning is issued if multiple certificates contain identical server name entries.
- Initialize ECDH also for certificates without DH parameters (patch from Fedor Indutny).
- Fix configuration parsing bug skipping short values, typically "workers = 1".
- Tarball now contains an example configuration file.
- A hash table is now used for faster SNI lookups.
- Hitch binary has been renamed back to hitch, previously hitch-openssl.
- Man page is updated.
- Issue 37: Fixes a bug related to a varargs buffer that was consumed twice with syslog logging enabled.
- --default-config retired and replaced by shipping a sample configuration file.
- Use accept4() where supported.
- --write-proxy now defaults to PROXY v2. This is a BREAKING CHANGE if PROXY1 is used. For PROXY v1, use --write-proxy-v1 explicitly.
- Various minor error handling fixes.
In general beta4 contains fixes to problems found with Coverity. These were all of minor character, but were fixed for completeness.
Source code has been reindented from 3-4 different formatting styles to FreeBSD style.
- Drop supplementary groups when doing setgid(). (Issue 31)
- Add --sni-nomatch-abort which aborts connections on unknown SNI server name. (useful for avoiding certificate warnings in clients attempting probabilistic TLS upgrades)
- Remove cosmetic NULL-check before free(). (Issue 26)
- Avoid segfault when testing configuration with -t. (Issue 22)
- Minor helptext changes.
- New --pidfile argument.
- Fixed bug in certificate ordering, avoiding wrong cert being provided when running on dualstack servers. (found by test framework!)
- Rudimentary test framework implemented.
- Init script updates provided by Denis Brækhus.
- FreeBSD installation instructions added. (contributed by Ryan Steinmetz)
- autoconf configuration updated to work on EL6.
- Some forgotten references to stud were updated.
Hitch 1.0.0-beta1 is based on stud 0.3.2. A selected set of public patches from github forks were applied.
Notable changes:
- TLS v1.0, TLS v1.1 and TLS v1.2 support.
- Support for SNI added.
- Support PROXYv1 and PROXYv2 protocol to origin.
- Multiple listening sockets with possibly different default key/certificate.
- Wildcard certificates are supported. (with and without SNI.)
- SSL3.0 must now be enabled explicitly.
Various minor and stylistic fixed issues:
- Properly clean SSL error queue.
- Do not segfault if backend is not ready.
- Logging now knows about IPv6.
- IPv6 addresses should now use bracketed notation.
- Additional timeouts for backend connect and SSL handshake added.
- autoconf/automake is now used for building hitch.