"Fossies" - the Fresh Open Source Software Archive

Member "tlswrap-1.04/ChangeLog" (16 Dec 2006, 11319 Bytes) of package /linux/privat/old/tlswrap-1.04.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 1.04
    3 - The fixing of the silly memleak introduced a bug that could cause
    4   crashes on some systems, fixed. Thanks to Jukka Anttonen for reporting
    5   it.
    7 1.03
    9 - At least one ftpd can't handle PROT before USER, this is (unfortunately)
   10   allowed by the TLS FTP spec so handle it properly.
   12 - The debug mode crashed on Linux and probably some other OSes.
   14 - It now is possible to build a version for Windows 9x/ME (which does not
   15   have the possibility to run as a service). This is the first version
   16   ever to work properly on this platform, as the old Cygwin version
   17   didn't work on 9x.
   19 - Improved the error handling for connection resets in the TLS handshake.
   21 - Improved the error handling for connection attempts blocked by software
   22   firewalls in Windows.
   24 - Fixed a silly memleak.
   26 1.02
   28 - Minor HP-UX fixes (UNIX95 vs UNIX98 vs current).
   30 - Fixed detection of recent versions of the Intel compiler on Linux, to
   31   prevent a strange compilation error on Itanium systems.
   33 - A small fix to work with the recently released OpenSSL 0.9.8.
   35 - Since OpenSSL 0.9.8 supports 64-bit Windows (x64 and IA64), TLSWrap also
   36   does:
   38   I have provided an installer for Windows x64, just like for the normal x86
   39   version. The installer is unfortunately 32-bit for now, but everything
   40   else is 64-bit. The included OpenSSL DLLs are compiled with the Intel C++
   41   Compiler 9.0 for EM64T and should in many cases have superior performance
   42   compared to the 32-bit versions (I get twice the speed with AES on my EM64T
   43   CPU, but the performance will vary with algorithm and CPU type).
   45   I found a bug in OpenSSL 0.9.8 that broke DES encryption when using the
   46   latest Intel compiler. The included DLL's have this fix applied and the
   47   next official version of OpenSSL 0.9.8 will also have this fix.
   49 1.01
   51 - Fixed a bug in the startup code that could randomly prevent it from loading
   52   on Windows XP Pro x64 edition (and theoretically on other Windows versions).
   54 - The Configuration Manager should not start if the TLSWrap service is not
   55   installed, fixed. Improved some error messages.
   57 1.00
   59 - Added support for active FTP (i.e. PORT and EPRT modes).
   61 - Added support for user certificates/certificate chains. To use this
   62   feature, start TLSWrap with -P <path_of_user_certificate_directory> (or if
   63   using the Windows service, with the configuration manager). After this,
   64   TLSWrap will try to use <server-IP>.pem from the user certificate
   65   directory.
   67   The certificates must be in PEM format and must be sorted starting with the
   68   subject's certificate (actual client certificate), followed by intermediate
   69   CA certificates if applicable, and ending at the highest level (root) CA. 
   71 - The TLSWrap Configuration Manager for the Windows service now supports
   72   managing user certificates in addition to server certificates.
   74 - It is now possible to add and delete certificates using the buttons in the
   75   TLSWrap Configuration Manager. It is also possible to rename a certificate
   76   by clicking on its file name in the list. Also misc. improvements to the
   77   certificate handling.
   79 0.9
   81 - Added a GUI configuration tool and a tray monitor for the Windows version.
   83 - Fixed the error handling for DNS errors. TLSWrap now gives a "530 Could not
   84   resolve hostname." error and it is possible to start over with a new USER
   85   string without reconnecting.
   87 - Fixed a bug and a portability issue in the connection routines handling
   88   refused connections.
   90 - Passive TCP ports below 256 were not handled correcly, reported with patch
   91   by Christoph Hackman. It is unlikely that anyone was affected unless they
   92   patched their ftpd to use privileged ports to get around their ISPs
   93   throttling of higher ports.
   95 - It was not possible to change the token defaults anymore, fixed.
   97 - Added PKI support and a number of "security modes" to control it:
   98   ---------------------------------------------------------------------------
   99   0 - No certificate verification is done. (Default for now.)
  101   1 - Relaxed whitelisting
  102       --------------------
  103       On the first connection to a server, its certificates (control and
  104       data connections are treated separately, for quite obvious reasons), will
  105       will be saved in the certs dir (see below) as <server-IP>-<data/ctrl>.pem.
  107       On subsequent connections, TLSWrap will verify the stored certificates
  108       against those presented by the server. If the control connection
  109       certificate doesn't match, tlswrap will say "530 TLSWrap certificate
  110       verification failed, disconnecting." and disconnect. If the data
  111       certificate doesn't match, it will print "425 TLSWrap data certificate
  112       verification failed.", the data transfer will be aborted but TLSWrap will
  113       stay connected with the server.
  115       No other checks (such as expiration dates, CRLs, CAs) will be made on
  116       the certificates.
  118   2 - Strict whitelisting
  119       -------------------
  120       Identical to mode 1 above, but with the difference that no new
  121       certificates will be added. If TLSWrap can't find certificate file(s)
  122       for a server, it will just disconnect.
  124   3 - Relaxed PKI path validation
  125       ---------------------------
  126       This mode requires one or more X.509 CA certificates (or certificate chains)
  127       in the form of a PEM file. All certificates must be valid. To specify CA
  128       certificates, use -a <name_of_ca_PEM_file>.
  130       Upon connection with a server, an encrypted TLS session is first eshtablished.
  131       This yields the server's X.509 certificate which is validated using the
  132       previously specified CA certificates. No certificate fields are used.
  134   4 - Strict PKI path validation
  135       --------------------------
  136       This works like above mode, but the certificate information is verified as
  137       follows:
  139       If the X.509v3 subject alternative name extension is present, then
  140       the DNS name and IP address fields will be matched against the server's.
  141       If there is no subjectAltName extension the commonName (CN) will be
  142       compared against the DNS name. If either check fail then the connection
  143       will be terminated.
  145       ## This is the proper way to use X.509 certificates ##
  147   ---------------------------------------------------------------------------
  149   Set the default security mode with -s <mode> or dynamically with
  150   the connection string +<mode>user@host:port
  152 - All server certificates will be stored and loaded from a certs/ subdirectory
  153   from where tlswrap is started. This directory is automatically created the
  154   first time tlswrap is started. An alternative directory may be specified with -p
  155   <other_certs_dir>, but this directory must already exist. If you make the
  156   directory manually, remember to set proper access rights (probably chmod 700).
  158 - Added support for building a native Windows NT/2000/XP version, which resulted
  159   in a major speed improvement compared to the previous Cygwin versions. The same
  160   source now builds the UNIX versions, the Cygwin version and a native Windows
  161   version using either "Intel(R) C++ Compiler for 32-bit applications,
  162   Version 8.1" or "Microsoft (R) 32-bit C/C++ Optimizing Compiler Version
  163   12.00.8804 for 80x86". It is still possible to build a Cygwin version, but as
  164   before, the performance is abysmal.
  166 - The native Windows version now supports installing itself as a system service,
  167   and thus it can be started automatically at system boot and run in the background.
  169   The official TLSWrap Windows installer allows for easy installation and
  170   removal of the TLSWrap service, but see below how to do it manually:
  172   Use 'tlswrap -I <options>' to install TLSWrap as a service, to be
  173   started with <options> on system boot. If the options contain spaces, enclose them
  174   with ", e.g. 'tlswrap -I "-l 6000"'. To install with the default options, use the
  175   command 'tlswrap -I ""'. The service is automatically started after installation.
  177   Use "tlswrap -R" to stop (if it is running) and remove the TLSWrap service.
  179 - Misc TLS changes, including cached SSL sessions for data connections.
  181 - Decreased the data buffer size from 8192 bytes to 4096 bytes on the native
  182   MS Windows version.
  184 - Fixed a nasty bug concering aborted connections versus TLS nonblocking
  185   stuff.
  187 - Fixed an old but very simple bug that could case the program to loop if
  188   the server dropped the connection.
  190 - Fixed a bug reported by Markus Jevring that caused TLSWrap to stall in
  191   certain cases.
  193 - Fixed so that it is possible to combine user string tokens, for example
  194   use #% to get "implicit SSL without data encryption" (yes, it's still a
  195   horrible non-standard).
  197 0.8 test 2
  199 - Added a Windows installer.
  201 - AES 256-bit is the default cipher now (requires OpenSSL 0.9.7), RC4 is the
  202   alternative choice.
  204 0.8 test 1
  206 - %user@host:port can now be used to connect with servers using
  207   "implicit SSL", a non-standard that immediately expects a SSL/TLS
  208   handshake on the control connection, for example "Serv-U FTP server" with
  209   "Allow only SSL/TLS sessions". Originated as a patch from Serg Kastelli
  210   <sk(at)online-web.net> (thanks) but was bugfixed and changed from beeing
  211   a commandline option.
  213 - Set TOS types in IP headers, originally from Thomas Habets
  214   <thomas(at)habets.pp.se> (thanks) but was changed to work with
  215   more than Linux...
  217 - misc source cleanups
  219 - EPSV wasn't 100% working, fixed.
  221 0.7 final
  223 - fixed a possibly unitialized variable. if you got the error:
  224   "bind: Permission denied" while using multiple sessions, 
  225   this is now fixed.
  226 - only had RSA ciphers on the default cipherlist, added a few DHE algos.
  227 - removed too much from the documentation last spring cleaning,
  228   put them back now:
  230         -c max 
  231                 Maximum number of client connections to handle. Defaults
  232                 to 5.        
  234         -C list
  235                 Select permitted SSL ciphers each separated by a colon.
  237 0.7 beta4
  239 - reject possible AUTH commands sent before USER.
  240 - its possible to change the #, @ and : characters used to
  241   separate the username, hostname and port and to disable
  242   data encryption, see README for details.
  244 0.7 beta3
  245 - forgot to initialize a flag structure when reusing objects,
  246   could probably cause a crash.
  247 - added -h argument to specify ip or hostname to bind the
  248   listening socket. The default is now, so you
  249   who used it remotely *MUST* specify another IP to listen
  250   to!
  252 0.7 beta2
  253 - changed the buffer size to 8192 bytes.
  254 - don't mess with the TCP buffer sizes
  255 - oops, had an abort() left in the code, no wonder it coredumped...
  256   should fix everyone's "crash" problems!
  257 - removed some unnecessary crap from tls.c
  259 0.7 beta1
  261 - added support for EPSV (Extended Passive Mode)
  262 - wait to forward the control channel until a \n is found, fixes a
  263   bug with badly written ftp servers (hi glftpd-TLS) that send a
  264   packet for each character!
  265 - don't try to calculate the max fd, just use FD_SETSIZE
  268 0.6
  270 - Use inet_addr() if inet_aton() doesn't exist.
  271 - Added support for a entropy gathering daemon.
  272 - Lots of changes to make it as portable as possible.
  274 0.6 pre3
  276 - Added a check for RAND_status() to the configure script to work with
  277   OpenSSL 0.9.4. Other misc fixes and changes.
  279 0.6 pre2
  281 - If the username starts with #, only encrypt control channel (for "FXP"
  282   or "ftp proxy" use).