./security/hitch, High performance SSL/TLS proxy

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.4.6, Package name: hitch-1.4.6, Maintainer: filip

Hitch is a libev-based high performance SSL/TLS proxy by Varnish
Software.


Required to run:
[devel/libev]

Required to build:
[textproc/py-docutils] [lang/python27] [pkgtools/cwrappers]

Master sites:

SHA1: 4dbf533706129bfd7a45f6dff020e2ba281a4abc
RMD160: eb576b1b878d7184c3dc143c8b4d954e52ec03c3
Filesize: 300.986 KB

Version history: (Expand)


CVS history: (Expand)


   2017-07-03 15:03:02 by Joerg Sonnenberger | Files touched by this commit (2)
Log message:
Fix ctype use.
   2017-06-14 15:28:57 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
Update security/hitch to 1.4.6.

Update security/hitch to 1.4.6.

hitch-1.4.6 (2017-06-06)
- Fix a problem that broke mock-based builds for el6/el7

hitch-1.4.5 (2017-05-31)
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per
  handshake
- Fix a bug where we ended up leaking a zombie process on reload
- Fix a bug where the management process could not find its
  configuration files after a reload when chroot was configured
- Output the offending line on a configuration file parsing error
- Fix build for non-C99/C11 compilers
- Fix the shared cache code to make it work also with OpenSSL 1.1.0
- Fix an unchecked loop situation that could occur when running with
  shared cache enabled
- Various autotools configuration fixes
- A few minor doc fixes
   2017-01-09 14:02:21 by Filip Hajny | Files touched by this commit (6) | Package updated
Log message:
Update security/hitch to 1.4.4.

hitch-1.4.4 (2016-12-22)
------------------------

- OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully
  supported with Hitch.
- Fix a bug in the OCSP refresh code that could make it loop with
  immediate refreshes flooding an OCSP responder.
- Force the SSL_OP_SINGLE_DH_USE setting. This protects against an
  OpenSSL vulnerability where a remote attacker could discover private
  DH exponents (CVE-2016-0701).

hitch-1.4.3 (2016-11-14)
------------------------

- OCSP stapling is now enabled by default.
  Users should create ocsp-dir (default: /var/lib/hitch/) and make it
  writable for the hitch user.
- Build error due to man page generation on FreeBSD (most likely non-Linux)
  has been fixed.

hitch-1.4.2 (2016-11-08)
------------------------

- Example configuration file hitch.conf.example has been shortened and
  defaults moved into Hitch itself. Default cipher string is now what we
  believe to be secure. Users are recommended to use the built-in default
  from now on, unless they have special requirements.
- hitch.conf(5) manual has been added.
- Hitch will now send a TLS Close notification during connection teardown.
  This fixes an incomplete read with a GnuTLS client when the backend
  (thttpd) used EOF to signal end of data, leaving some octets discarded
  by gnutls client-side. (Issue 127_)
- Autotools will now detect SO_REUSEPORT availability. (Issue 122_)
- Improved error handling on memory allocation failure.
   2016-10-02 11:19:36 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/hitch to 1.4.1.

- Add a new tls-protos configuration option for specifying the
  permitted TLS/SSL protocols. This new option supersedes settings
  ssl and tls which are now deprecated and will be kept for
  backwards compatibility.
   2016-09-19 11:33:57 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/hitch to 1.4.0.

hitch-1.4.0 (2016-09-12)

- Fix a bug in the OCSP request code where it broke if the OCSP
  responder required a Host header. (#113)
- Add support for ECC certificates (#116).

hitch-1.4.0-beta1 (2016-08-26)

- NPN/ALPN support for negotiating a protocol in the SSL handshake.
  This lets you use Hitch for terminating TLS in front of an HTTP/2
  capable backend. For ALPN, OpenSSL 1.0.2 is needed, while NPN
  requires OpenSSL 1.0.1.
- Expanded PROXY protocol support for communicating an ALPN/NPN
  negotiated protocol to the backend. Hitch will now include the
  ALPN/NPN protocol that was selected during the handshake as part
  of the PROXYv2 header.
   2016-08-22 11:34:40 by Filip Hajny | Files touched by this commit (5) | Package updated
Log message:
Update security/hitch to 1.3.1.

hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man
  pages not being built.

hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no
  default SSLCTX configured.
- Minor documentation fix.

hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see
  configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting
  ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry
  Allard.
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush
  Dewnani

hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take presedence over
  configuration file settings. I.e. there is no longer a need to
  specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the
  config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.

hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some
  SSL accelerator cards have their custom SSL engine running in a
  multithreaded context. For these to work correctly, Hitch needs
  to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the
  wrong list when looking for wildcard certificate matches.
   2016-06-08 12:16:57 by Jonathan Perkin | Files touched by this commit (89)
Log message:
Remove the stability entity, it has no meaning outside of an official context.
   2016-06-08 12:02:27 by Jonathan Perkin | Files touched by this commit (44)
Log message:
Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".