| 0.0.5 Web 23 Jan, 2013 |
| Fix spelling error in tlsdate-helper |
| Update man pages formatting |
| Add Seccomp-BPF policies to be used with Minijail |
| Update CA cert file to remove TÜRKTRUST |
| Support both CA certificate files or directories full of CA certs |
| Currently /etc/tlsdate/ca-roots/tlsdate-ca-roots.conf |
| Support announcing time updates over DBus with --enable-dbus |
| This introduces the 'tlsdate-dbus-announce' utility |
| Add support for lcov/gcov at build time |
| See ./configure --enable-code-coverage-checks and make lcov |
| Don't hardfail if DEFAULT_RTC_DEVICE cannot be opened, even if desired |
| Raspberry PI users rejoice (if the fix works) |
| Support -j to add jitter to tlsdated time checks. |
| Exponential backoff when TLS connections fail. |
| Add config file support (have a look at man/tlsdated.conf.5) |
| Support multiple hosts for time fetches |
| Add multiple hosts to your tlsdated.conf file today |
| Add simple AppArmor profile for /usr/bin/tlsdate-dbus-announce |
| Update AppArmor profile for tlsdated |
| 0.0.4 Wed 7 Nov, 2012 |
| Fixup CHANGELOG and properly tag |
| Version Numbers Are Free! Hooray! |
| Update certificate data in ca-roots/ |
| tlsdate will now call tlsdate-helper with an absolute path |
| Pointed out ages ago by 0xabad1dea and others as a better execlp path |
| forward for execution. |
| 0.0.3 Mon 5 Nov, 2012 |
| Add tlsdate-routeup man page |
| Update all man pages to reference other related man pages |
| Fix deb Makefile target |
| Update documentation |
| misc src changes (retab, formatting, includes, etc) |
| Update AppArmor profiles |
| Add HTTP/socks4a/socks5 proxy support and update man page documentation |
| 0.0.2 Mon 29 Oct, 2012 |
| Released at the Metalab in Vienna during their third #CryptoParty |
| Add '-n' and '--dont-set-clock' option to fetch but not set time |
| Add '-V' and '--showtime' option to display remote time |
| Add '-t' and '--timewarp' option |
| If the local clock is before RECENT_COMPILE_DATE; we set the clock to the |
| RECENT_COMPILE_DATE. If the local clock is after RECENT_COMPILE_DATE, we |
| leave the clock alone. Clock setting is performed as the first operation |
| and will impact certificate verification. Specifically, this option is |
| helpful if on first boot, the local system clock is set back to the era |
| of Disco and Terrible Hair. This should ensure that |
| X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are not |
| encountered because of a broken RTC or the lack of a local RTC; we assume |
| that tlsdate is recompiled yearly and that all certificates are otherwise |
| considered valid. |
| Add '-l' and '--leap' |
| Normally, the passing of time or time yet to come ensures that SSL verify |
| functions will fail to validate certificates. Commonly, |
| X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully |
| annoying but still very important error states. When the only issue with |
| the certificates in question is the timing information, this option allows |
| one to trust the remote system's time, as long as it is after |
| RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The connection will |
| only be trusted if X509_V_ERR_CERT_NOT_YET_VALID and/or |
| X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are the only errors encountered. The |
| SSL verify function will not return X509_V_OK if there are any other |
| issues, such as self-signed certificates or if the user pins to a CA that |
| is not used by the remote server. This is useful if your RTC is broken on |
| boot and you are unable to use DNSSEC until you've at least had some kind |
| of leap of cryptographically assured data. |
| Update usage documentation |
| Move {*.c,h} into src/ |
| Move *.1 into man/ |
| Update TODO list to reflect desired changes |
| Update AppArmor profile to restrict {tlsdate,tlsdate-helper,tlsdated,tlsdate-routeup} |
| Update AUTHORS file to include a new email address |
| Update CHANGELOG |
| Added proper date for the 0.0.1 release |
| (Added all of the above items, obviously) |
| Print key bit length and key type information |
| Update Copyright headers to include the Great Christian Grothoff |
| Ensure key bit length and key type values are reasonable |
| Add CommonName and SAN checking |
| Add enumeration and printing of other x.509 extensions in SAN checking |
| Add SAN checking for iPAddress field per RFC2818 |
| Various small bug fixes |
| Fixed various tiny memory leaks |
| Added compat layer library for future multi-platform support by David Goulet |
| Compile output is now largely silent by default |
| Wildcard certificate verification per RFC 2595 |
| Add list of trusted CA certs to /etc/tlsdate/tlsdate-ca-roots.conf |
| Add Makefile target to update trusted CA certs from Mozilla's NSS trust root |
| Add tlsdated daemon |
| Add tlsdated documentation |
| |
| 0.0.1 Fri Jul 13, 2012 |
| First git tagged release |