- Request URIs with either a user-information or fragment component are rejected.
2021-05-15
- The server configuration may now be supplied in a YAML file as an alternative to Java properties. Whole values may be specified by environment variables.
- When a keystore is not configured, the server generates a temporary server certificate that expires in one day. This is useful for quick trial runs and ad hoc testing.
- A Dockerfile and associated files are defined so that the server can be packaged in and run from a Docker image.
- The control socket is now properly closed on server shutdown.
- A TLS user_canceled alert is no longer sent before a connection is closed. This keeps some Gemini clients from reporting errors, even for otherwise successful connections.
- Requests that exceed the maximum length dictated by the Gemini protocol are now rejected instead of truncated.
2021-04-24
- The server now listens on an optional local TCP "control" port for shutdown messages, which enables graceful shutdown.
- A site favicon may be set through a server configuration property.
- The principal name in the certificate of a request authenticated by the server is now logged in the access log.
- Atom feeds may be automatically generated for gemlog-style index pages.
- The access log now delimits timestamps with square brackets, as called for in the Apache Common Log Format, instead of parentheses.
- The access log now logs a zero-length response body with a hyphen instead of a zero.
2021-01-16
- The following CGI meta-variables are now set: GEMINI_URL, GEMINI_URL_PATH, REQUEST_METHOD (to an empty string), SSL_CLIENT_V_REMAIN (when configured), TLS_CIPHER, TLS_CLIENT_HASH, TLS_CLIENT_ISSUER, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_REMAIN, TLS_CLIENT_SERIAL, TLS_CLIENT_SUBJECT, TLS_CLIENT_VERSION, TLS_SESSION_ID, TLS_VERSION.
- Optional charset detection for static text resources is available.
- The secure directory feature is replaced by secure domains, which can assign different truststores (or not at all) to different directories. There is no longer a need to set a server-wide truststore.
- SSL_* (mod_ssl) CGI meta-variables are only set when the server is configured to set them.
- The list of suffixes for resources with content type text/gemini is now configurable as a server configuration property.
- The default content type for resources, used when one cannot be detected, is now configurable as a server configuration property.
2021-01-02
- Text response line endings can be forcibly converted to canonical form ("\r\n") through a server configuration property.
- The following CGI variables are now set: SSL_CIPHER, SSL_PROTOCOL, SSL_SESSION_ID, SSL_CLIENT_M_SERIAL, SSL_CLIENT_M_VERSION, SSL_CLIENT_V_START, SSL_CLIENT_V_END.
- Logback logging is explicitly configured (through a logback.xml file in the server JAR). The default logging level is now INFO.
- Requests that cannot be decoded as UTF-8 strings are rejected, instead of handled using replacement strings.
- Failing to read a request due to socket closure is now handled nicely.
- The server truststore is now optional (for when there are no secure resources).
- Requests for the wrong port are rejected.
2020-12-25
- CGI local redirects now work, up to a configurable limit. These redirects are handled internally to the server, and do not produce responses to clients.
- The CGI variables PATH_INFO and PATH_TRANSLATED are now set.
- The server keystore and keystore password are now set in the server properties file, instead of through Java system properties.
- The server truststore and truststore password are also now set in the server properties file, instead of through Java system properties.
- The CGI variable SERVER_SOFTWARE includes the server version.
- In accordance with Gemini protocol v0.14.3, the "gemini" scheme is now required on URIs.
- Some missing license headers in the source code are in place.
- Most issues found by PMD are addressed.
- The length of a request is limited to 1026 bytes (1024 bytes for the request string itself, plus 2 more for CRLF). This protects against the use of extremely long request lines.
- All request URIs (i.e., those passed in from clients and those generated by CGI local redirects) are normalized before processing. This protects against the use of ".." path segments to escape the server root.
2020-12-18
- Initial release, so, everything!