CHANGES.txt 5.25 KB
0.9.12 (2021-10-20)
===================
* Fix caucase-updater crashes after a local trust anchor CA expires.

0.9.11 (2021-10-07)
===================
* Drop reliance on install-time 2to3 for py3 compatibility. Now the source is directly compatible with 2.7 and 3.x.

0.9.10 (2021-04-07)
===================
* Properly handle present but expired CA certificates.
* Properly handle CRLs whose CA certificate is missing.
* Add caucase.client.CaucaseClient.close method.

0.9.9 (2021-03-02)
==================
* Add AuthorityKeyIdentifier extension in CRLs.
* Accept user certificates signed by non-current CA.
* Name CA certificates after their AuthorityKeyIdentifier keyid extension instead of their serial.
* Produce one CRL per CA certificate, as some ssl-using services fail when there is no CRL signed by the same CA as the certificate being validated.
* Fix trust anchor distribution during CA renewal period: the correct trust anchor is the oldest still-valid CA.

Vincent Pelletier committed
0.9.8 (2020-06-29)
==================
* Add support for python3.
* Add support for one-CA-cert-per-file layout. For services which do not support loading multiple CA certificates from a single file.
* Fix caucase.sh authenticated usage (was broken by 0.9.4 "Make caucased https CA certificate safer").
* Avoid busy-loop in caucase-updater when it thinks a renewal is due but caucased does not offer a newer version.
* Fix test timeouts on slower machines. Anything faster than a Raspberry Pi 1 should now pass.

0.9.7 (2020-06-04)
==================
* Fix CRL renewal:
  * teach caucased to renew CRLs ahead of their expirations.
  * make caucase-updater check CRL expiration date.
* Grant extra permissions in license.

0.9.6 (2019-05-27)
==================
* Do not use a 128-bit OID arc for caucase internal use, as it is not widely supported.
* Assorted CLI usability improvements.

0.9.5 (2019-01-24)
==================
* Add --version support.
* Logging is reworked to reduce verbosity (especially in tests).
* Fix caucased sometimes crashing when renewing its https certificate.
* Make caucased logs more apache-like.
* Make caucased responses more standard-compliant ("Allow" header in 405 response and "Date" header in all responses).
* Fix unintended dependency on system timezone.

0.9.4 (2018-11-14)
==================
* Improved documentation.
* Tentative web-friendliness (not used in real life yet, so practicality is still uncertain):
  * Make caucased https CA certificate safer for adding in a trust store (ex: browser) by constraining the certificates it can sign.
  * cookie-based CORS access control with crude UI.
  * API is self-documenting using application/hal+json format.
* Tentative python3 friendliness, there may still be file IO encoding issues.

0.9.3 (2018-09-21)
==================
* Add support for listening to multiple specific addresses in caucased.
* shell implementation does not rely on an external file anymore.
* Do not start listening on https port before wrapping sockets with an ssl context
* Make caucase-updater usable by anonymous services (ex: they only need to connect to a caucase-certified service, without authenticating themselves using caucase)
* Use stricter file permissions for caucased sqlite database.
* Include caucase version in user agent header.
* Make caucased logging format more similar to apache's default.
* Fix caucased https certificate renewal. Fixes a crash which happens every 2 months.
* Make caucase-updater retry on network errors. Fixes crashes on transient network error.

0.9.2 (2017-11-03)
==================
* Add support for migrating an existing CA to caucase: import CA cert and CRLs.
* Require CRL signature checks (bumps cryptography module version requirements).
* Provide CRL distribution point extension in CA certificates.
* Play nicer with http:
  * Catch more errors to provide nice status codes
  * Add support for "Transfer-Encoding: chunked"
  * Add support for "Expect: 100-continue"
* Produce TLS-compliant certificates (domain name must be in an alternative name extension, subject is not enough).
* Reduce speed requirements in tests.
* Add shell implementation of "caucase" command.
* Certificate renewal bypasses pending CSR limits.
* caucase-manage: new command for offline database maintenance.

0.9.1 (2017-09-21)
==================
* Documentation improvements
* Packaging improvements

0.9.0 (2017-08-02)
==================
* implement the "cau" half of "caucase"
* massive rework: removal of flask dependency, removal of HTML UI, rework of
  the REST API, rework of the CLI tools, rework of the WSGI application,
  incompatible redesign of the database.

Alain Takoudjou committed
0.1.4 (2017-07-21)
==================
* caucase web parameter 'auto-sign-csr-amount' can be used to set how many CSRs must be signed automatically.

0.1.3 (2017-06-30)
==================

* add cli support for backing up the caucase database
* serial is a random, unique, formatted hexadecimal number obtained from the csr_id
* allow to set custom subject (X509Name) when signing a certificate
* add new cliweb command which, when required, downloads/updates the crl file from caucase web

0.1.2 (2017-05-12)
==================
* cliweb: renew now takes a threshold option to check if renewal is required, and an optional on-renew script to run after certificate renewal

0.1.1 (2017-04-27)
==================

 * initial implementation of certificate authority