Ulric edited this page Apr 8, 2015 · 1 revision

Pen 0.27.4 rounds off the SSL support with several TLS extensions and security related enhancements.

TLS 1.1 and TLS 1.2 can now be individually disabled.

Client-initiated secure renegotiation can now be rate-limited. The default "limit" is once per hour, which effectively disables this potential vector for denial of service.

OCSP stapling is now supported.

Server Name Indication is supported.

See the penctl manpage for configuration help.

Full list of changes from 0.27.3:

150408 Updated OCSP stapling to be compatible with Server Name Indication. Added pen-ocsp.sh script. Released 0.27.4.

150407 SSL code broken out into ssl.[ch]. SSL context creation broken out from ssl_init to ssl_create_context. Server Name Indication support. New command to enable: ssl_sni_path PATH, where PATH is the name of a directory containing domain.key, domain.crt and domain.ca files for each domain.

150406 OCSP stapling. New command ssl_ocsp_response filename specifies the location of the OCSP response to be stapled. The response must be pre-fetched. The idea was borrowed from Rob Stradling.

150403 New command ssl_client_renegotiation_interval specifies the minimum number of seconds the client must wait between renegotiation requests. Default 3600.
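The renegotiation limit described above (and in the summary at the top of the page) is easiest to reason about as a small per-client timestamp table. The following is an added example, not pen's code: it models the policy as a `RenegotiationLimiter` that accepts a client's renegotiation only if at least `interval` seconds (pen's documented default of 3600) have passed since that client's last accepted one. Two details are assumptions rather than documented behaviour: only accepted renegotiations update the timestamp, so a client cannot push its own window out by spamming requests, and rejections are counted so they can be logged or alerted on. Client identifiers and timestamps in the sample run are constructed.

```python
"""Per-client renegotiation rate limiter (added example, not pen's code)."""
import time
from collections import defaultdict

DEFAULT_INTERVAL = 3600  # seconds; pen's documented default for ssl_client_renegotiation_interval


class RenegotiationLimiter:
    """Tracks the last accepted renegotiation per client.

    Assumption (not stated on the page): only accepted renegotiations update
    the timestamp, so a burst of rejected requests does not extend the wait.
    Rejections are counted per client so an operator can log or alert on
    clients that keep retrying inside the window.
    """

    def __init__(self, interval=DEFAULT_INTERVAL):
        if interval < 0:
            raise ValueError("interval must be >= 0")
        self.interval = interval
        self._last_accepted = {}
        self.rejected = defaultdict(int)

    def allow(self, client, now=None):
        """Return True if `client` may renegotiate at time `now` (seconds)."""
        if now is None:
            now = time.monotonic()
        last = self._last_accepted.get(client)
        if last is not None and now - last < self.interval:
            self.rejected[client] += 1
            return False
        self._last_accepted[client] = now
        return True

    def forget(self, client):
        """Drop all state for a client whose connection has closed."""
        self._last_accepted.pop(client, None)
        self.rejected.pop(client, None)


def simulate(interval, attempts):
    """Run (client, timestamp) attempts through a fresh limiter.

    Returns one boolean decision per attempt, in order.
    """
    limiter = RenegotiationLimiter(interval)
    return [limiter.allow(client, ts) for client, ts in attempts]


if __name__ == "__main__":
    # Constructed sample: 10.0.0.5 hammers renegotiation, 10.0.0.9 behaves.
    attempts = [
        ("10.0.0.5", 0.0), ("10.0.0.5", 1.0), ("10.0.0.5", 2.0),
        ("10.0.0.9", 5.0), ("10.0.0.5", 3600.0), ("10.0.0.9", 3605.0),
    ]
    for (client, ts), ok in zip(attempts, simulate(DEFAULT_INTERVAL, attempts)):
        print(f"t={ts:7.1f} {client:10} {'allowed' if ok else 'rejected'}")
```

With the default interval the second and third attempts from 10.0.0.5 are rejected and the one at t=3600 is accepted again; an interval of 0 turns the limiter off, which is the setting to avoid on an internet-facing listener.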

150402 Enabled SSL session resumption. In do_cmd: don't print "ignoring command" for comments starting with '#'.

150330 Added ssl_option no_tlsv1.1 and ssl_option no_tlsv1.2 to disable TLS 1.1 and 1.2 respectively.
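The commands introduced in this release (ssl_option, ssl_client_renegotiation_interval, ssl_ocsp_response and ssl_sni_path) are easy to get subtly wrong: a stapled response that does not exist on disk, a domain under the SNI path with a certificate but no key, or both newer TLS versions switched off so that only older protocol versions remain. The following is an added example, not part of pen: a small lint that reads a pen-style configuration (one command per line, `#` lines ignored as the 150402 entry describes) and reports such problems. The per-domain file naming it checks, `<path>/<domain>.key`, `<path>/<domain>.crt` and `<path>/<domain>.ca`, is an assumption about how pen lays out the SNI directory; adjust `SNI_SUFFIXES` if your layout differs. `demo()` builds a constructed config and file tree in a temporary directory, so nothing here touches a real deployment.

```python
"""Lint for pen 0.27.4 SSL settings (added example, not pen's code)."""
import os
import shutil
import tempfile

# Assumed per-domain file naming under ssl_sni_path: <domain>.key/.crt/.ca
SNI_SUFFIXES = (".key", ".crt", ".ca")


def parse_config(text):
    """Return (command, argument) pairs, skipping blank lines and '#' comments."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        commands.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return commands


def check_sni_path(path):
    """Report domains under `path` that lack any of the three expected files."""
    if not os.path.isdir(path):
        return [f"ssl_sni_path: {path} is not a directory"]
    warnings = []
    names = os.listdir(path)
    domains = {n[:-len(s)] for n in names for s in SNI_SUFFIXES if n.endswith(s)}
    for domain in sorted(domains):
        missing = [s for s in SNI_SUFFIXES if domain + s not in names]
        if missing:
            warnings.append(f"ssl_sni_path: {domain} is missing {', '.join(missing)}")
        key = os.path.join(path, domain + ".key")
        if os.path.isfile(key) and os.stat(key).st_mode & 0o077:
            warnings.append(f"ssl_sni_path: {key} is readable by group or others")
    return warnings


def check_ssl_config(text):
    """Return a list of warning strings for the SSL commands found in `text`."""
    warnings = []
    options = set()
    for cmd, arg in parse_config(text):
        if cmd == "ssl_option":
            options.add(arg)
        elif cmd == "ssl_client_renegotiation_interval":
            if not arg.isdigit():
                warnings.append(f"{cmd}: expected seconds, got {arg!r}")
            elif int(arg) == 0:
                warnings.append(f"{cmd}: 0 allows unlimited client renegotiation")
        elif cmd == "ssl_ocsp_response":
            if not os.path.isfile(arg):
                warnings.append(f"ssl_ocsp_response: {arg} does not exist; nothing will be stapled")
            else:
                with open(arg, "rb") as f:
                    first = f.read(1)
                # A DER-encoded OCSPResponse always starts with a SEQUENCE tag (0x30).
                if first != b"\x30":
                    warnings.append(f"ssl_ocsp_response: {arg} is not a DER OCSP response")
        elif cmd == "ssl_sni_path":
            warnings.extend(check_sni_path(arg))
    if {"no_tlsv1.1", "no_tlsv1.2"} <= options:
        warnings.append("ssl_option: TLS 1.1 and 1.2 both disabled; only older protocol versions remain")
    return warnings


def demo():
    """Lint a constructed config and file tree in a temp dir; return the warnings."""
    base = tempfile.mkdtemp(prefix="pen-lint-")
    try:
        sni = os.path.join(base, "sni")
        os.mkdir(sni)
        # example.com is complete; broken.example has only a key (constructed).
        for name in ("example.com.key", "example.com.crt", "example.com.ca",
                     "broken.example.key"):
            open(os.path.join(sni, name), "w").close()
        os.chmod(os.path.join(sni, "example.com.key"), 0o600)
        ocsp = os.path.join(base, "ocsp.der")
        with open(ocsp, "wb") as f:
            f.write(b"\x30\x03\x0a\x01\x00")  # minimal DER OCSPResponse: status only
        config = (
            "# constructed config, not a real deployment\n"
            "ssl_option no_tlsv1.1\n"
            "ssl_option no_tlsv1.2\n"
            "ssl_client_renegotiation_interval 0\n"
            f"ssl_ocsp_response {ocsp}\n"
            f"ssl_sni_path {sni}\n"
        )
        return check_ssl_config(config)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for warning in demo():
        print(warning)
```

The three warnings the sample produces (both TLS versions disabled, an unlimited renegotiation interval, and `broken.example` missing its `.crt` and `.ca`) are exactly the mistakes worth catching before the listener restarts; a valid stapled response and a complete `example.com` produce none.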