head 1.3;
access;
symbols
	pkgsrc-2024Q1:1.3.0.46 pkgsrc-2024Q1-base:1.3
	pkgsrc-2023Q4:1.3.0.44 pkgsrc-2023Q4-base:1.3 pkgsrc-2023Q3:1.3.0.42 pkgsrc-2023Q3-base:1.3 pkgsrc-2023Q2:1.3.0.40 pkgsrc-2023Q2-base:1.3 pkgsrc-2023Q1:1.3.0.38 pkgsrc-2023Q1-base:1.3
	pkgsrc-2022Q4:1.3.0.36 pkgsrc-2022Q4-base:1.3 pkgsrc-2022Q3:1.3.0.34 pkgsrc-2022Q3-base:1.3 pkgsrc-2022Q2:1.3.0.32 pkgsrc-2022Q2-base:1.3 pkgsrc-2022Q1:1.3.0.30 pkgsrc-2022Q1-base:1.3
	pkgsrc-2021Q4:1.3.0.28 pkgsrc-2021Q4-base:1.3 pkgsrc-2021Q3:1.3.0.26 pkgsrc-2021Q3-base:1.3 pkgsrc-2021Q2:1.3.0.24 pkgsrc-2021Q2-base:1.3 pkgsrc-2021Q1:1.3.0.22 pkgsrc-2021Q1-base:1.3
	pkgsrc-2020Q4:1.3.0.20 pkgsrc-2020Q4-base:1.3 pkgsrc-2020Q3:1.3.0.18 pkgsrc-2020Q3-base:1.3 pkgsrc-2020Q2:1.3.0.16 pkgsrc-2020Q2-base:1.3 pkgsrc-2020Q1:1.3.0.12 pkgsrc-2020Q1-base:1.3
	pkgsrc-2019Q4:1.3.0.14 pkgsrc-2019Q4-base:1.3 pkgsrc-2019Q3:1.3.0.10 pkgsrc-2019Q3-base:1.3 pkgsrc-2019Q2:1.3.0.8 pkgsrc-2019Q2-base:1.3 pkgsrc-2019Q1:1.3.0.6 pkgsrc-2019Q1-base:1.3
	pkgsrc-2018Q4:1.3.0.4 pkgsrc-2018Q4-base:1.3 pkgsrc-2018Q3:1.3.0.2 pkgsrc-2018Q3-base:1.3 pkgsrc-2018Q2:1.2.0.14 pkgsrc-2018Q2-base:1.2 pkgsrc-2018Q1:1.2.0.12 pkgsrc-2018Q1-base:1.2
	pkgsrc-2017Q4:1.2.0.10 pkgsrc-2017Q4-base:1.2 pkgsrc-2017Q3:1.2.0.8 pkgsrc-2017Q3-base:1.2 pkgsrc-2017Q2:1.2.0.4 pkgsrc-2017Q2-base:1.2 pkgsrc-2017Q1:1.2.0.2 pkgsrc-2017Q1-base:1.2
	pkgsrc-2016Q4:1.1.0.4 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.2 pkgsrc-2016Q3-base:1.1;
locks; strict;
comment @# @;


1.3
date 2018.09.07.13.54.45; author fhajny; state Exp;
branches;
next 1.2;
commitid 5xtA27R0C7xx4bRA;

1.2
date 2017.01.09.13.02.20; author fhajny; state Exp;
branches;
next 1.1;
commitid 7yHiVmZ1ZJwegiBz;

1.1
date 2016.08.22.09.34.40; author fhajny; state Exp;
branches;
next ;
commitid DsEgpQTvGS7ZBhjz;


desc
@@


1.3
log
@security/hitch: Update to 1.4.8.

hitch-1.4.8 (2018-04-19)
------------------------
- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged user.
hitch-1.4.7 (2018-01-11)
------------------------
- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if redundant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters available through command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the pipe's write end open, leaking one file descriptor per worker upon reload
@
text
@$NetBSD: patch-hitch.conf.example,v 1.2 2017/01/09 13:02:20 fhajny Exp $

Sane default options.

--- hitch.conf.example.orig 2018-04-19 09:02:26.000000000 +0000
+++ hitch.conf.example
@@@@ -2,7 +2,7 @@@@ frontend = { - host = "*" + host = "127.0.0.1" port = "443" } backend = "[127.0.0.1]:6086" # 6086 is the default Varnish PROXY port.
@@@@ -12,8 +12,8 @@@@ daemon = on # We strongly recommend you create a separate non-privileged hitch # user and group -user = "hitch" -group = "hitch" +user = "@@HITCH_USER@@" +group = "@@HITCH_GROUP@@" # Enable to let clients negotiate HTTP/2 with ALPN. (default off) # alpn-protos = "h2, http/1.1"
@@@@ -21,4 +21,6 @@@@ group = "hitch" # run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY .. write-proxy-v2 = on # Write PROXY header - +pem-file = { + cert = "@@HITCH_CERTS@@" +}
@


1.2
log
@Update security/hitch to 1.4.4.

hitch-1.4.4 (2016-12-22)
------------------------
- OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch.
- Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder.
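Review bot: the first hunk of the 1.3 patch (host = "*" to host = "127.0.0.1") narrows the TLS frontend to the loopback interface, but the patch's only description line is "Sane default options." and nothing tells an administrator that a freshly installed Hitch will not be reachable from other hosts. Suggest extending that description (and the package's install message, if there is one) to say that host must be changed to serve external clients and why loopback was chosen as the conservative default.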
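Review bot: the second hunk of the 1.3 patch replaces user = "hitch" / group = "hitch" with the placeholders @@HITCH_USER@@ and @@HITCH_GROUP@@ (written here with RCS @-escaping), but nothing in the patch records that these must be substituted at package build time; if that step is ever dropped, hitch.conf would name a user and group that do not exist and the daemon could not drop privileges as the comment directly above those lines intends. Suggest one line in the patch description naming the substitution the package applies, so a future update of hitch.conf.example cannot silently lose it.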
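Review bot: the third hunk of the 1.3 patch adds a pem-file block with only a cert entry pointing at @@HITCH_CERTS@@, while the 1.4.7 log entry above records support for separate key files; the example should state whether @@HITCH_CERTS@@ is expected to be a combined certificate-and-key PEM or whether a separate key file has to be configured alongside it. The block is also inserted directly under write-proxy-v2 = on in place of the blank line the hunk removes, so a comment line above pem-file in the style of the surrounding entries would help readers find it.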
- Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701).

hitch-1.4.3 (2016-11-14)
------------------------
- OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user.
- Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed.

hitch-1.4.2 (2016-11-08)
------------------------
- Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements.
- hitch.conf(5) manual has been added.
- Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_)
- Autotools will now detect SO_REUSEPORT availability. (Issue 122_)
- Improved error handling on memory allocation failure.
@
text
@d1 1
a1 1
$NetBSD: patch-hitch.conf.example,v 1.1 2016/08/22 09:34:40 fhajny Exp $
d5 1
a5 1
--- hitch.conf.example.orig 2016-11-14 13:13:10.000000000 +0000
d7 1
a7 1
@@@@ -2,15 +2,15 @@@@
d16 1
a16 1
 workers = 4 # number of CPU cores
d18 4
a21 3
 daemon = on
-user = "nobody"
-group = "nogroup"
d26 2
a27 2
 # alpn-protos = "http/2, http/1.1"
@@@@ -18,4 +18,6 @@@@ group = "nogroup"
@


1.1
log
@Update security/hitch to 1.3.1.

hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man pages not being built.

hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no default SSLCTX configured.
- Minor documentation fix.

hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry Allard.
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush Dewnani

hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take precedence over configuration file settings. I.e. there is no longer a need to specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.

hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some SSL accelerator cards have their custom SSL engine running in a multithreaded context. For these to work correctly, Hitch needs to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the wrong list when looking for wildcard certificate matches.
@
text
@d1 1
a1 1
$NetBSD: patch-hitch.conf.ex,v 1.1 2016/05/25 20:15:35 fhajny Exp $
d5 1
a5 1
--- hitch.conf.example.orig 2016-08-15 13:51:51.000000000 +0000
d7 1
a7 6
@@@@ -43,7 +43,7 @@@@ backend = "[127.0.0.1]:6081"
 # only available for a specific listen endpoint.
 #
 # type: string
-pem-file = ""
+pem-file = "@@HITCH_CERTS@@"
d9 12
a20 7
 # OCSP settings
 #
@@@@ -120,12 +120,12 @@@@ chroot = ""
 # Set uid after binding a socket
 #
 # type: string
-user = ""
a21 5
 
 # Set gid after binding a socket
 #
 # type: string
-group = ""
d24 5
a28 17
 # Quiet execution, report only error messages
 #
@@@@ -135,7 +135,7 @@@@ quiet = off
 # Use syslog for logging
 #
 # type: boolean
-syslog = off
+syslog = on
 
 # Syslog facility to use
 #
@@@@ -145,7 +145,7 @@@@ syslog-facility = "daemon"
 # Run as daemon
 #
 # type: boolean
-daemon = off
+daemon = on
d30 4
a33 2
 # Report client address by writing IP before sending data
 #
@