Skip to content

CHANGELOG.md

Latest commit

 

History

History
173 lines (119 loc) · 6.49 KB

CHANGELOG.md

File metadata and controls

173 lines (119 loc) · 6.49 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog. This project doesn't adhere to Semantic Versioning.

Unreleased

Changed

  • javascript: replace bootstrap with bootstrap.native for Copy button tooltip
  • javascript: preserve bootstrap 4 CSS; remove bootstrap, popper, jquery
  • javascript: update packages
  • javascript: remove highlight.js
  • javascript: remove Handlebars; convert .hbs templates to .js per server
  • javascript: parse semantic versions, with exception for parsing openssl < 3.0
  • haproxy: prefer ssl-min-ver with haproxy 2.2+
  • apache,oraclehttp: explicit SSLProtocol list
  • lighttpd: explicit protocol list for openssl 1.0.2
  • lighttpd: simplify configs when handled by lighttpd defaults
  • nginx: allow ssl_session_tickets for nginx ≥1.23.2
  • nginx: wrap server in http context
  • nginx: disable stateful ssl_session_cache if TLSv1.3
  • nginx: add comment for OCSP stapling config
  • postfix: add smtp_tls_*
  • google analytics: change UA to GA4 ID
  • support rendering site with older guideline version, if specified in URL

Added

  • initial intro text rather than defaulting to nginx config
  • add eolBefore before versions; update current vers
  • add warning to header for versions < eolBefore
  • configure TLSv1.3 key exchange groups/curves (where supported)
  • support OpenSSL 3.x: need SECLEVEL=0 to support Old config using TLSv1 and TLSv1.1
  • haproxy: OpenSSL 3.x: ssl-security-level to support Old config with dhParamSize 1024

Fixed

  • caddy: fix syntax
  • apache,oraclehttp: avoid double-percent-encode in rewrite
  • stunnel: fix syntax; prefer sslVersionMin when available
  • oraclehttp: OHS uses mod_ossl, based on custom RSA implementation
  • oraclehttp: use IANA naming for ciphers; set usesOpenssl to false
  • jetty: TLSv1.3 IncludeCipherSuites
  • tomcat: set tls13 ciphersuites when tls12 ciphers defined
  • dovecot: always set ssl_dh if usesDhe; revert an earlier change

[5.7.1] - 2024-01-04

Changed

  • nginx: add http2 directive
  • use Webpack 5
  • use CDN hosted fonts instead of local ones

Added

  • support for stunnel
  • support for coturn

Fixed

  • proftpd TLSStaplingCache directive syntax

5.7 - 2023-05-15

Changed

  • intermediate configuration in order to append TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 to the bottom of the cipher list for iana and openssl. mozilla/server-side-tls#285

5.6 - 2020-07-24

Added

  • support for caddy

Fixed

  • incorrect cipher ordering for the intermediate configuration for go and iana

5.5 - 2020-07-22

Added

  • recommended_certificate_lifespan of 90

Changed

  • maximum_certificate_lifespan from 730 to 366

5.4 - 2020-01-21

Changed

  • intermediate and old configuration's certificate_curves list from null to prime256v1 and secp384r1
  • intermediate configuration rsa_key_size from 2048 to null

5.3 - 2020-01-02

Changed

  • intermediate and old configuration's tls_curves list, replacing secp256r1 with prime256v1

5.2 - 2019-08-20

Added

  • support for go

5.1 - 2019-07-16

This release has breaking changes due to the renaming of some JSON keys

Added

  • a new ciphers key to contain lists of ciphers for various clients
  • support for iana cipherFormat, an alternative to openssl

Changed

  • the openssl_ciphersuites key to be called ciphersuites
  • the openssl_ciphers key to be a child of the new ciphers key and rename it from openssl_ciphers to openssl

5.0 - 2019-06-28

Added

  • three certificate_signatures to the intermediate configuration : ecdsa-with-SHA256, ecdsa-with-SHA384 and ecdsa-with-SHA512
  • the ecdsa certificate_type to the intermediate configuration
  • Safari 9 to the list of oldest_clients for the intermediate configuration
  • the new maximum_certificate_lifespan key
  • the new ocsp_staple key
  • the new server_preferred_order key

Changed

  • the ciphersuites key, renaming it to openssl_ciphers
  • the hsts_min_age value for all configurations from 15768000 to 63072000
  • the tls_curves for the intermediate and modern configurations, removing secp521r1 and adding X25519 to the top
  • the openssl_ciphersuites key from containing a colon-delimited string to containing a list
  • the tls_versions for the intermediate configuration, removing TLSv1 and TLSv1.1 and adding TLSv1.3
  • the tls_versions for the modern configuration from TLSv1.2 to TLSv1.3
  • the tls_versions for the old configuration, removing SSLv3 and adding TLSv1.3
  • all of the oldest_clients in the modern configuration
  • and added to the list of oldest_clients in the old configuration
  • the entire order and list of openssl_ciphers and openssl_ciphersuites for all configurations. This was a very significant change.

Removed

  • sha256WithRSAEncryption from the modern certificate_signatures list
  • secp521r1 from the modern configuration's certificate_curves list

4.0 - 2016-02-13

Initial version