-------------------------------------------------------------------
Tue Apr 07 06:42:22 UTC 2026 - Ales Novak

- Update to version 0.10+188.g61787a1:
  * tlshd: probe the attributes with correct data type (boo#1261309)

-------------------------------------------------------------------
Fri Mar 27 15:39:48 UTC 2026 - Ales Novak

- Update to version 0.10+186.ge65f3b6:
  * tlshd: Send fatal alert to client when there are server config issues
  * tlshd: Fix session leak on error paths in x509 server handshake
  * tlshd: Fix the error in kernel capability probe
  * tlshd: Add extensible kernel capability detection
  * tlshd: Implement atomic reload of TLS session tags
  * tlshd: Add handshake tags to the DONE command
  * tlshd: Update netlink.h
  * tlshd: Match ingress certificates with defined TLS session tags
  * tlshd: Add parsing for tag definitions
  * tlshd: Parse filter definitions
  * tlshd: Add a YAML parser
  * tlshd: Add tag filter types
  * tlshd: man update for TLS session tags
  * tlshd: Add init/shutdown hooks for the session tagging subsystem
  * tlshd: Add a SIGHUP handler
  * tlshd: use gnutls_handshake_write() for Session Ticket processing in quic
  * tlshd: support setting the record size limit
  * tlshd: set conn errcode to EACCES on GnuTLS failure in QUIC handshake
  * tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup
  * tlshd: Add kernel's quic.h
  * tlshd: fix priority cache initialization
  * tlshd: Clean up logic in tlshd_start_tls_handshake()
  * tlshd: Restore the date in tlshd.conf(5)
  * tlshd: Relocate /etc/tlshd.conf
  * Remove TLS_DEFAULT_PRIORITIES
  * Remove the parms::msg_status field
  * tlshd: Kernel should not parse incoming client certificates
  * tlshd: Client-side dual certificate support
  * tlshd: Server-side dual certificate support
  * tlshd: Fix priority string to allow PQC
  * tlshd: deduplicate client and server config functions
  * netlink: Handle SIGTERM like SIGINT
  * netlink: Introduce event loop and use signalfd to catch signals
  * tlshd: Dynamically allocate hostname
  * tlshd: Convert parms->peeraddr to a presentation address
  * tlshd: Store peer IDs in a GArray
  * tlshd: Store remote peerids in a GArray
  * tlshd: Add tlshd_genl_put_handshake_parms() API
  * tlshd: Add x509.crl option to man page.
  * Add client-side CRL checking
  * tlshd: Add server-side CRL checking
  * tlshd: Refactor trust store management
  * tlshd: Child should close the notification socket
  * tlshd: Child process should shut down before exiting
  * tlshd: Free netlink messages after fork(3) returns
  * tlshd: Preserve pcache during tlshd_gnutls_priority_init()
  * tlshd: Restore GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR
  * tlshd: Add tlshd_log_completion()
  * tlshd: Remove useless verification status report
  * tlshd: Show ingress certificate on successful handshake
  * tlshd: Check for an empty string
  * tlshd: Display errno message
  * tlshd: Don't set errno in tlshd_keyring_link_session()
  * tlshd: Fix silent tlshd_keyring_link_session() failures
  * tlshd: Handshake needs to check for CERTIFICATE_ERROR
  * tlshd: Relocate TLSHD_ALLPERMS
  * tlshd: Add default keyrings for NFS
  * tlshd: Fix a minor race
  * tlshd: remove redundant gnutls_global_deinit()
  * tlshd: fix a regression for certificate verification
  * tlshd: Define TLSHD_ACCESSPERMS instead of using ALLPERMS to fix musl build
  * tlshd: add 'keyring' handshake accept parameter
  * keyring: fixup function description for tlshd_keyring_link_session()
  * tlshd: use gnutls_psk_allocate_{client,server}_credentials2 (bsc#1258084)
  * tlshd: replace IPPROTO_QUIC with SOL_QUIC for cmsg_level in quic
  * tlshd: Pass ETIMEDOUT from gnutls to kernel

-------------------------------------------------------------------
Fri Dec 06 13:56:33 UTC 2024 - Daniel Wagner

- Update to version 0.10+33.g311d943:
  * tlshd: always link .nvme default keyring into the session (bsc#1229034)
  * tlshd: Ensure libnl-genl3 is available
  * tlshd: receive new session ticket msg after completing quic handshake
  * tlshd: use quic_config to get parameters for quic handshake
  * tlshd: clean up some unnecessary code in quic handshake
  * tlshd: improve error logging for tlshd_server_psk_cb()
  * tlshd: guard against possible overrun of tlshd_peername
  * tlshd: fix optlen passed to getsockopt()
  * tlshd: free pathname before it goes out of scope
  * tlshd: add support for quic handshake
  * tlshd: include socket ip_proto in tlshd_handshake_parms
  * tlshd: Refactor tlshd_service_socket()
  * config: supply meaningful error for non-existing pathnames
  * tlshd: Fix implicit signedness conversion
  * tlshd: Fix memory leaks

-------------------------------------------------------------------
Thu Mar 21 21:50:44 UTC 2024 - Martin Wilck

- Update to version 0.10+12.gc3923f7:
  * Rework priority string setting for PSK (bsc#1221437)
  * config: use 'authenticate' as a section name
  * server: add missing priority setting (gh#oracle/ktls-utils#49)

-------------------------------------------------------------------
Tue Mar 5 17:24:44 UTC 2024 - Martin Wilck

- Update to upstream version 0.10+9.gf28f084:
  * ktls: restrict hash functions to supported sizes (bsc#1218037)
  * tlshd: Add support for chained certs

-------------------------------------------------------------------
Tue Feb 20 17:28:48 UTC 2024 - Martin Wilck

- Update to upstream version 0.10:
  * All previously SUSE_specific patches included
  * tlshd: Reorganize tlshd.conf
    - get rid of [main]
    - add [debug] and move the debug-related options there
    - move the "keyrings" option to [authenticate]
  * tlshd: add 'delay' configuration parameter
  * tlshd: Add .conf option to specify trust store
  * Bug fixes and cleanups

-------------------------------------------------------------------
Wed Jan 17 11:56:19 UTC 2024 - Martin Wilck

- Spec file:
  * fix summary and license
  * use pkgconfig for BuildRequires
  * remove superfluous PreReq dependencies
  * use %config(noreplace) for the config file (because it may contain paths to key files)
  * remove BuildRoot
  * simplify build section

-------------------------------------------------------------------
Tue Jan 9 16:12:57 UTC 2024 - Martin Wilck

- Update to version 0.9+4.g01b3018 (jsc#PED-7559)
  * _service: move to openSUSE git repository
- Patches now in git, remove them from spec file:
  * del 0001-netlink-de-constify-nla_policy
  * del 0001-tlshd-Allow-for-compilation-with-older-libnl-librari.patch
  * del 0002-tlshd-Check-for-gnutls_get_system_config_file.patch
  * del 0003-tlshd-add-delay-configuration-parameter.patch

-------------------------------------------------------------------
Wed Aug 16 18:21:59 UTC 2023 - Hannes Reinecke

- Reshuffle patches to match upstream submission:
  * Remove 0001-netlink-de-constify-nla_policy
  * Add 0001-tlshd-Allow-for-compilation-with-older-libnl-librari.patch
  * Remove 0001-Check-for-gnutls_get_system_config_file.patch
  * Add 0002-tlshd-Check-for-gnutls_get_system_config_file.patch
  * Remove 0001-Add-tlshd_delay-configuration-option.patch
  * Add 0003-tlshd-add-delay-configuration-parameter.patch

-------------------------------------------------------------------
Wed Aug 16 17:55:46 UTC 2023 - Hannes Reinecke

- Add patch to exercise handshake timeout
  * 0001-Add-tlshd_delay-configuration-option.patch
- Add patch to allow compilation on older releases
  * 0001-Check-for-gnutls_get_system_config_file.patch

-------------------------------------------------------------------
Sat Jul 01 20:40:46 UTC 2023 - Hannes Reinecke

- Add patch for older libnl versions
  + 0001-netlink-de-constify-nla_policy.patch
- Fix build error on 32-bit
  + 0001-tlshd-fix-max-config-file-size-comparison.patch

-------------------------------------------------------------------
Fri Jun 30 22:58:27 UTC 2023 - Hannes Reinecke

- Initial package, version 0.9