./security/hitch, High performance SSL/TLS proxy

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.4.8, Package name: hitch-1.4.8, Maintainer: fhajny

Hitch is a libev-based high performance SSL/TLS proxy by Varnish

Required to run:

Required to build:
[textproc/py-docutils] [lang/python27] [pkgtools/cwrappers]

Master sites:

SHA1: 70833f7e9928c6e66f1c9d110c3aca1e1a999738
RMD160: 3e7425cbdb1242d5f4689ecf3ec9145e46024cfb
Filesize: 290.144 KB

Version history: (Expand)

CVS history: (Expand)

   2018-12-15 22:12:25 by Thomas Klausner | Files touched by this commit (67) | Package updated
Log message:
*: update email for fhajny
   2018-09-07 15:54:45 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
security/hitch: Update to 1.4.8.

hitch-1.4.8 (2018-04-19)

- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged

hitch-1.4.7 (2018-01-11)

- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to
  OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in
  the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if reduntant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters
  available though command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the
  pipe's write end open, leaking one file descriptor per worker upon
   2017-07-03 15:03:02 by Joerg Sonnenberger | Files touched by this commit (2)
Log message:
Fix ctype use.
   2017-06-14 15:28:57 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
Update security/hitch to 1.4.6.

Update security/hitch to 1.4.6.

hitch-1.4.6 (2017-06-06)
- Fix a problem that broke mock-based builds for el6/el7

hitch-1.4.5 (2017-05-31)
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per
- Fix a bug where we ended up leaking a zombie process on reload
- Fix a bug where the management process could not find its
  configuration files after a reload when chroot was configured
- Output the offending line on a configuration file parsing error
- Fix build for non-C99/C11 compilers
- Fix the shared cache code to make it work also with OpenSSL 1.1.0
- Fix an unchecked loop situation that could occur when running with
  shared cache enabled
- Various autotools configuration fixes
- A few minor doc fixes
   2017-01-09 14:02:21 by Filip Hajny | Files touched by this commit (6) | Package updated
Log message:
Update security/hitch to 1.4.4.

hitch-1.4.4 (2016-12-22)

- OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully
  supported with Hitch.
- Fix a bug in the OCSP refresh code that could make it loop with
  immediate refreshes flooding an OCSP responder.
- Force the SSL_OP_SINGLE_DH_USE setting. This protects against an
  OpenSSL vulnerability where a remote attacker could discover private
  DH exponents (CVE-2016-0701).

hitch-1.4.3 (2016-11-14)

- OCSP stapling is now enabled by default.
  Users should create ocsp-dir (default: /var/lib/hitch/) and make it
  writable for the hitch user.
- Build error due to man page generation on FreeBSD (most likely non-Linux)
  has been fixed.

hitch-1.4.2 (2016-11-08)

- Example configuration file hitch.conf.example has been shortened and
  defaults moved into Hitch itself. Default cipher string is now what we
  believe to be secure. Users are recommended to use the built-in default
  from now on, unless they have special requirements.
- hitch.conf(5) manual has been added.
- Hitch will now send a TLS Close notification during connection teardown.
  This fixes an incomplete read with a GnuTLS client when the backend
  (thttpd) used EOF to signal end of data, leaving some octets discarded
  by gnutls client-side. (Issue 127_)
- Autotools will now detect SO_REUSEPORT availability. (Issue 122_)
- Improved error handling on memory allocation failure.
   2016-10-02 11:19:36 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/hitch to 1.4.1.

- Add a new tls-protos configuration option for specifying the
  permitted TLS/SSL protocols. This new option supersedes settings
  ssl and tls which are now deprecated and will be kept for
  backwards compatibility.
   2016-09-19 11:33:57 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/hitch to 1.4.0.

hitch-1.4.0 (2016-09-12)

- Fix a bug in the OCSP request code where it broke if the OCSP
  responder required a Host header. (#113)
- Add support for ECC certificates (#116).

hitch-1.4.0-beta1 (2016-08-26)

- NPN/ALPN support for negotiating a protocol in the SSL handshake.
  This lets you use Hitch for terminating TLS in front of an HTTP/2
  capable backend. For ALPN, OpenSSL 1.0.2 is needed, while NPN
  requires OpenSSL 1.0.1.
- Expanded PROXY protocol support for communicating an ALPN/NPN
  negotiated protocol to the backend. Hitch will now include the
  ALPN/NPN protocol that was selected during the handshake as part
  of the PROXYv2 header.
   2016-08-22 11:34:40 by Filip Hajny | Files touched by this commit (5) | Package updated
Log message:
Update security/hitch to 1.3.1.

hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man
  pages not being built.

hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no
  default SSLCTX configured.
- Minor documentation fix.

hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see
  configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting
  ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush

hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take presedence over
  configuration file settings. I.e. there is no longer a need to
  specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the
  config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.

hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some
  SSL accelerator cards have their custom SSL engine running in a
  multithreaded context. For these to work correctly, Hitch needs
  to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the
  wrong list when looking for wildcard certificate matches.