path: root/CHANGELOG
blob: e201a16d41c2615dd6cc8dff8844f0fe5c908279 (plain)
0.0.7 TBD
  Add -x option to tlsdated to override source proxies.
  Correctly check SANs against target host when using proxies.
  Fix a race in tlsdate-dbus-announce that can cause signal drops.
  Support -l argument to tlsdated.
  Pass -l and -v arguments from tlsdated to tlsdate.
  Add FreeBSD support for tlsdate and tlsdate-helper.
0.0.6 Mon 18 Feb, 2013
  Ensure that tlsdate compiles with g++ by explicit casting rather than
  implicit casting by whatever compiler is compiling tlsdate.
  Fix a logic bug in CN parsing caught by Ryan Sleevi of the Google Chrome Team
    Further fixes by Thijs Alkemade
  Add PolarSSL support (We no longer require OpenSSL to function!)
    Thanks to Paul Bakker and the PolarSSL team!
  Experimental Mac OS X (10.8.2) support
    Thanks to Brian Aker and Ingy döt Net for pair programming time
0.0.5 Wed 23 Jan, 2013
  Fix spelling error in tlsdate-helper
  Update man pages formatting
  Add Seccomp-BPF policies to be used with Minijail
  Update CA cert file to remove TÜRKTRUST
  Support both CA certificate files or directories full of CA certs
    Currently /etc/tlsdate/ca-roots/tlsdate-ca-roots.conf
  Support announcing time updates over DBus with --enable-dbus
    This introduces the 'tlsdate-dbus-announce' utility
  Add support for lcov/gcov at build time
    See ./configure --enable-code-coverage-checks and make lcov
  Don't hardfail if DEFAULT_RTC_DEVICE cannot be opened, even if desired
    Raspberry Pi users rejoice (if the fix works)
  Support -j to add jitter to tlsdated time checks.
  Exponential backoff when TLS connections fail.
  Add config file support (have a look at man/tlsdated.conf.5)
  Support multiple hosts for time fetches
    Add multiple hosts to your tlsdated.conf file today
  Add simple AppArmor profile for /usr/bin/tlsdate-dbus-announce
  Update AppArmor profile for tlsdated
0.0.4 Wed 7 Nov, 2012
  Fixup CHANGELOG and properly tag
    Version Numbers Are Free! Hooray!
  Update certificate data in ca-roots/
  tlsdate will now call tlsdate-helper with an absolute path
    Pointed out ages ago by 0xabad1dea and others as a better execlp path
    forward for execution.
0.0.3 Mon 5 Nov, 2012
  Add tlsdate-routeup man page
  Update all man pages to reference other related man pages
  Fix deb Makefile target
  Update documentation
  misc src changes (retab, formatting, includes, etc)
  Update AppArmor profiles
  Add HTTP/socks4a/socks5 proxy support and update man page documentation
0.0.2 Mon 29 Oct, 2012
  Released at the Metalab in Vienna during their third #CryptoParty
  Add '-n' and '--dont-set-clock' option to fetch but not set time
  Add '-V' and '--showtime' option to display remote time
  Add '-t' and '--timewarp' option
    If the local clock is before RECENT_COMPILE_DATE, we set the clock to the
    RECENT_COMPILE_DATE. If the local clock is after RECENT_COMPILE_DATE, we
    leave the clock alone. Clock setting is performed as the first operation
    and will impact certificate verification. Specifically, this option is
    helpful if on first boot, the local system clock is set back to the era
    of Disco and Terrible Hair. This should ensure that
    X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are not
    encountered because of a broken RTC or the lack of a local RTC; we assume
    that tlsdate is recompiled yearly and that all certificates are otherwise
    considered valid.
  Add '-l' and '--leap'
    Normally, the passing of time or time yet to come ensures that SSL verify
    functions will fail to validate certificates. Commonly,
    X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully
    annoying but still very important error states. When the only issue with
    the certificates in question is the timing information, this option allows
    one to trust the remote system's time, as long as it is after
    RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The connection will
    only be trusted if X509_V_ERR_CERT_NOT_YET_VALID and/or
    X509_V_ERR_CERT_HAS_EXPIRED are the only errors encountered. The
    SSL verify function will not return X509_V_OK if there are any other
    issues, such as self-signed certificates or if the user pins to a CA that
    is not used by the remote server. This is useful if your RTC is broken on
    boot and you are unable to use DNSSEC until you've at least had some kind
    of leap of cryptographically assured data.
  Update usage documentation
  Move {*.c,h} into src/
  Move *.1 into man/
  Update TODO list to reflect desired changes
  Update AppArmor profile to restrict {tlsdate,tlsdate-helper,tlsdated,tlsdate-routeup}
  Update AUTHORS file to include a new email address
  Update CHANGELOG
    Added proper date for the 0.0.1 release
    (Added all of the above items, obviously)
  Print key bit length and key type information
  Update Copyright headers to include the Great Christian Grothoff
  Ensure key bit length and key type values are reasonable
  Add CommonName and SAN checking
  Add enumeration and printing of other X.509 extensions in SAN checking
  Add SAN checking for iPAddress field per RFC 2818
  Various small bug fixes
  Fixed various tiny memory leaks
  Added compat layer library for future multi-platform support by David Goulet
  Compile output is now largely silent by default
  Wildcard certificate verification per RFC 2595
  Add list of trusted CA certs to /etc/tlsdate/tlsdate-ca-roots.conf
  Add Makefile target to update trusted CA certs from Mozilla's NSS trust root
  Add tlsdated daemon
  Add tlsdated documentation
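
The '-t' and '-l' entries above describe two clock decisions; the sketch below is an added example, not code from tlsdate itself, that models both. The function names, the error array, and the two bound values are assumptions made for illustration, and the numeric verify codes are local copies of OpenSSL's so the file compiles without OpenSSL headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed bounds; in tlsdate these are build-time constants. */
#define RECENT_COMPILE_DATE ((time_t)1351468800) /* 2012-10-29 00:00:00 UTC */
#define MAX_REASONABLE_TIME ((time_t)1999991337) /* constructed upper bound */

/* Local copies of OpenSSL's verify result codes (no OpenSSL headers needed). */
enum {
    V_OK = 0,
    V_ERR_CERT_NOT_YET_VALID = 9,
    V_ERR_CERT_HAS_EXPIRED = 10,
    V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
};

/* -t / --timewarp: the clock value used before any certificate is checked. */
time_t timewarp_clock(time_t local_now)
{
    return local_now < RECENT_COMPILE_DATE ? RECENT_COMPILE_DATE : local_now;
}

/* -l / --leap: accept the remote time only if every verification error is a
 * validity-period error and the remote time lies inside the sane window. */
bool leap_accepts(const int *errors, size_t n, time_t remote_time)
{
    for (size_t i = 0; i < n; i++) {
        if (errors[i] != V_OK &&
            errors[i] != V_ERR_CERT_NOT_YET_VALID &&
            errors[i] != V_ERR_CERT_HAS_EXPIRED)
            return false; /* e.g. self-signed or wrong CA: never overridden */
    }
    return remote_time > RECENT_COMPILE_DATE && remote_time < MAX_REASONABLE_TIME;
}

int main(void)
{
    const int expired_only[] = { V_ERR_CERT_HAS_EXPIRED };
    const int expired_and_self_signed[] = { V_ERR_CERT_HAS_EXPIRED,
                                            V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT };
    time_t remote = RECENT_COMPILE_DATE + 86400; /* constructed remote time */

    printf("timewarp from epoch 0: %lld\n", (long long)timewarp_clock(0));
    printf("expired only: %d\n", leap_accepts(expired_only, 1, remote));
    printf("expired + self-signed: %d\n",
           leap_accepts(expired_and_self_signed, 2, remote));
    return 0;
}
```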

0.0.1 Fri Jul 13, 2012
  First git tagged release