author | Stefan Eissing <icing@apache.org> | 2018-04-09 16:05:42 +0200 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2018-04-09 16:05:42 +0200 |
commit | 56e6ddba16104a8897f8a59e8c3242af5e319451 (patch) | |
tree | e9de0009c53187ac628975b3cb3dfd61fec85254 /CHANGES | |
parent | Rebuild. (diff) | |
On the trunk:
SSLVerifyClient support for TLSv1.3 protocol now fails similarly to TLSv1.2 in my setups. (Read: I cannot get client certs to work, but I think this change is an improvement)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828720 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 20 |
1 files changed, 15 insertions, 5 deletions
@@ -1,6 +1,21 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre4, other libs may + need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the + protocol the ciphers are for. + Directive "SSLVerifyClient" now triggers certificate retrieval from the client (this + is not fully tested - but fails in similar fashion as in TLSv1.2 in my setups). + Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, + as this would need to trigger the master connection thread - which we do not support + right now. + Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" + does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and + TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate. + This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3 + connections to the same server. + [Stefan Eissing] + *) mod_http2: accurate reporting of h2 data input/output per request via mod_logio. Fixes an issue where output sizes where counted n-times on reused slave connections. See gituhub issue: https://github.com/icing/mod_h2/issues/158 @@ -24,11 +39,6 @@ Changes with Apache 2.5.1 independent of the core Timeout directive. PR 62229. [Hank Ibell <hwibell gmail.com>] - *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may - need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the - protocol the ciphers are for. - [Stefan Eissing] - *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). [Eric Covener] |
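Review bot: In the added mod_ssl entry of the first hunk, the SSLVerifyClient sentence says certificate retrieval "is not fully tested" and "fails in similar fashion as in TLSv1.2 in my setups", which does not tell an administrator what happens to a request that requires a client certificate on a TLSv1.3 connection. SSLVerifyClient is an access-control directive, so the entry should state the observable result (for example, whether the request is refused), and likewise for the HTTP/2 sentence, where verification "fails exactly the same" for all SSL protocols. In the same entry, "a bit if a world split" should read "a bit of a world split", "does not allow to specify" reads better as "does not allow specifying", and "(because it cannot work)" should spell out the reason, which the preceding sentence suggests is that cipher renegotiation is ignored for TLSv1.3.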