0.0.13 Thu 28, May, 2015
  Update default host to google.com - www.ptb.de randomized timestamps
0.0.12 Sun 26, Oct, 2014
  Fix AppArmor for tlsdated: allow unprivileged helper to read the time.
  Update tlsdated systemd service file.
  Various little fixes and an early release to make the Debian Freeze!
0.0.11 Mon 20, Oct, 2014
  Fix routeup flushing when using stdout (Avery Pennarun).
  Update AppArmor profile to support multiarch systems.
  Instruct syslog to properly output tlsdated and pid information.
    (This closes: https://github.com/ioerror/tlsdate/issues/144 )
  Fix -Wsizeof-pointer-memaccess in build of tlsdated unit test.
  FreeBSD build improvements (Fabian Keil).
  Update man pages.
  Update AppArmor profile to remove unused stanzas.
  Fix seccomp filter support on x86 systems (Will Drewry).
  Refactor chatty tlsdated logging output to make it quiet.
  Close syslog after tlsdated finishes using it.
  Update systemd and init.d scripts for Debian.
0.0.10 Fri 26, Sep, 2014
  tlsdated removed from /usr/bin and now is only in /usr/sbin
  This release is because 0.0.9 had two trivial bugs. Argh.
0.0.9 Fri 25, Sep, 2014
  Fix missing function prototype.
  major libevent refactor by Will Drewry and Elly Fong-Jones of Google.
  tlsdated should now function properly on ChromeOS and Debian GNU/Linux
  Add ability to set COMPILE_DATE at configure/build time.
  Add support for deterministic builds on Debian GNU/*.
0.0.8 Sun 14, Sep, 2014
  Add Debian GNU/Hurd and Debian GNU/kFreeBSD build support.
  Fix build on FreeBSD 10 and 11.
  Add FreeBSD (9.2 & 11-CURRENT) support for tlsdate and
    tlsdate-helper. (Fabian Keil).
  Update man pages (Kartik Mistry, Holger Levsen).
  tlsdate will now abort if time fetch has a long delay (Avery Pennarun).
  Updates for tlsdate related systemd service (Holger Levsen).
  Check previously unchecked return codes (Brian Aker).
  Update headers to reflect the correct location (Brian Aker).
  Addition of various TODO items.
  Update git tag to reference new GnuPG key
    Key fingerprint = D2C6 7D20 E9C3 6C2A C5FE 74A2 D255 D3F5 C868 227F
  Update tlsdate HTTPS user-agent to reflect proper version number
0.0.7 Sat 2 Nov, 2013
  Add tentative -plan9.[ch] versions of tlsdate-helper.
  Add -x option to tlsdated to override source proxies.
  Correctly check SANs against target host when using proxies.
  Fix a race in tlsdate-dbus-announce that can cause signal drops.
  Support -l argument to tlsdated.
  Pass -l and -v arguments from tlsdated to tlsdate.
  Log more verbosely at tlsdated startup.
  Add FreeBSD support for tlsdate and tlsdate-helper.
  Add Android build support with Android NDK for tlsdate.
  Add NetBSD 6.0.1 support for tlsdate and tlsdate-helper.
  Add OpenBSD 5.2 support for tlsdate and tlsdate-helper.
  Add official support for Debian, Ubuntu, CentOS, Fedora, RHEL, OpenSUSE,
    and Arch GNU/Linux distros.
  Add Mac OS X 10.8.3 support
  Extensive setup/install documentation is now present in INSTALL for most OSes
  Add DragonFly BSD 3.3 support
  Refactored subprocess watching.
  Added integration tests. Run with ./run-tests
  Refactored event loop.
  Added suspend/resume RTC corruption detection.
  Add -w option to get time from HTTPS header instead of from TLS ServerHello
  Update AppArmor profile
  Add simple systemd service file
  Extra verbose output available with -vv; useful verbosity is -v
0.0.6 Mon 18 Feb, 2013
  Ensure that tlsdate compiles with g++ by explicit casting rather than
    implicit casting by whatever compiler is compiling tlsdate.
  Fix a logic bug in CN parsing caught by Ryan Sleevi of the Google Chrome Team
    Further fixes by Thijs Alkemade
  Add PolarSSL support (We no longer require OpenSSL to function!)
    Thanks to Paul Bakker and the PolarSSL team!
  Experimental Mac OS X (10.8.2) support
    Thanks to Brian Aker and Ingy döt Net for pair programming time
0.0.5 Wed 23 Jan, 2013
  Fix spelling error in tlsdate-helper
  Update man pages formatting
  Add Seccomp-BPF policies to be used with Minijail
  Update CA cert file to remove TRKTRUST
  Support both CA certificate files or directories full of CA certs
    Currently /etc/tlsdate/ca-roots/tlsdate-ca-roots.conf
  Support announcing time updates over DBus with --enable-dbus
    This introduces the 'tlsdate-dbus-announce' utility
  Add support for lcov/gcov at build time
    See ./configure --enable-code-coverage-checks and make lcov
  Don't hardfail if DEFAULT_RTC_DEVICE cannot be opened, even if desired
    Raspberry PI users rejoice (if the fix works)
  Support -j to add jitter to tlsdated time checks.
  Exponential backoff when TLS connections fail.
  Add config file support (have a look at man/tlsdated.conf.5)
  Support multiple hosts for time fetches
    Add multiple hosts to your tlsdated.conf file today
  Add simple AppArmor profile for /usr/bin/tlsdate-dbus-announce
  Update AppArmor profile for tlsdated
0.0.4 Wed 7 Nov, 2012
  Fixup CHANGELOG and properly tag
    Version Numbers Are Free! Hooray!
  Update certificate data in ca-roots/
  tlsdate will now call tlsdate-helper with an absolute path
    Pointed out ages ago by 0xabad1dea and others as a better execlp path
    forward for execution.
0.0.3 Mon 5 Nov, 2012
  Add tlsdate-routeup man page
  Update all man pages to reference other related man pages
  Fix deb Makefile target
  Update documentation
  misc src changes (retab, formatting, includes, etc)
  Update AppArmor profiles
  Add HTTP/socks4a/socks5 proxy support and update man page documentation
0.0.2 Mon 29 Oct, 2012
  Released at the Metalab in Vienna during their third #CryptoParty
  Add '-n' and '--dont-set-clock' option to fetch but not set time
  Add '-V' and '--showtime' option to display remote time
  Add '-t' and '--timewarp' option
    If the local clock is before RECENT_COMPILE_DATE, we set the clock to the
    RECENT_COMPILE_DATE. If the local clock is after RECENT_COMPILE_DATE, we
    leave the clock alone. Clock setting is performed as the first operation
    and will impact certificate verification. Specifically, this option is
    helpful if on first boot, the local system clock is set back to the era
    of Disco and Terrible Hair. This should ensure that
    X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are not
    encountered because of a broken RTC or the lack of a local RTC; we assume
    that tlsdate is recompiled yearly and that all certificates are otherwise
    considered valid.
  Add '-l' and '--leap'
    Normally, the passing of time or time yet to come ensures that SSL verify
    functions will fail to validate certificates. Commonly,
    X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully
    annoying but still very important error states. When the only issue with
    the certificates in question is the timing information, this option allows
    one to trust the remote system's time, as long as it is after
    RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The connection will
    only be trusted if X509_V_ERR_CERT_NOT_YET_VALID and/or
    X509_V_ERR_CERT_HAS_EXPIRED are the only errors encountered.
    The SSL verify function will not return X509_V_OK if there are any other
    issues, such as self-signed certificates or if the user pins to a CA that
    is not used by the remote server. This is useful if your RTC is broken on
    boot and you are unable to use DNSSEC until you've at least had some kind
    of leap of cryptographically assured data.
  Update usage documentation
  Move {*.c,h} into src/
  Move *.1 into man/
  Update TODO list to reflect desired changes
  Update AppArmor profile to restrict {tlsdate,tlsdate-helper,tlsdated,tlsdate-routeup}
  Update AUTHORS file to include a new email address
  Update CHANGELOG
    Added proper date for the 0.0.1 release
    (Added all of the above items, obviously)
  Print key bit length and key type information
  Update Copyright headers to include the Great Christian Grothoff
  Ensure key bit length and key type values are reasonable
  Add CommonName and SAN checking
  Add enumeration and printing of other x.509 extensions in SAN checking
  Add SAN checking for iPAddress field per RFC2818
  Various small bug fixes
  Fixed various tiny memory leaks
  Added compat layer library for future multi-platform support by David Goulet
  Compile output is now largely silent by default
  Wildcard certificate verification per RFC 2595
  Add list of trusted CA certs to /etc/tlsdate/tlsdate-ca-roots.conf
  Add Makefile target to update trusted CA certs from Mozilla's NSS trust root
  Add tlsdated daemon
  Add tlsdated documentation

0.0.1 Fri Jul 13, 2012
  First git tagged release
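
The '-t' (--timewarp) and '-l' (--leap) rules from the 0.0.2 entry, written out as an added C example that is not tlsdate's own code. The X509_V_* constants are defined locally with OpenSSL's numeric values so no library is needed; the two time bounds and the function names timewarp() and leap_ok() are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Defined locally so this builds without OpenSSL; values match x509_vfy.h. */
enum {
    X509_V_OK = 0,
    X509_V_ERR_CERT_NOT_YET_VALID = 9,
    X509_V_ERR_CERT_HAS_EXPIRED = 10,
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
};

/* Constructed bounds for illustration, not the values tlsdate is built with. */
#define RECENT_COMPILE_DATE ((time_t)1351468800) /* 2012-10-29 00:00:00 UTC */
#define MAX_REASONABLE_TIME ((time_t)1999991337)

/* -t: a clock behind the compile date is moved up to it; otherwise untouched. */
time_t timewarp(time_t local_now)
{
    return local_now < RECENT_COMPILE_DATE ? RECENT_COMPILE_DATE : local_now;
}

/* -l: trust remote_time only if every verification error is a validity-period
 * error and the time lies strictly inside the plausible window. 1 = trust. */
int leap_ok(const int *errs, size_t n, time_t remote_time)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (errs[i] != X509_V_OK &&
            errs[i] != X509_V_ERR_CERT_NOT_YET_VALID &&
            errs[i] != X509_V_ERR_CERT_HAS_EXPIRED)
            return 0; /* self-signed, wrong CA, etc. stay fatal */
    }
    return remote_time > RECENT_COMPILE_DATE && remote_time < MAX_REASONABLE_TIME;
}

int main(void)
{
    int timing[] = { X509_V_ERR_CERT_HAS_EXPIRED };
    int mixed[] = { X509_V_ERR_CERT_HAS_EXPIRED,
                    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT };
    time_t remote = RECENT_COMPILE_DATE + 86400; /* constructed sample */

    printf("warp(0) -> %ld\n", (long)timewarp((time_t)0));
    printf("timing-only errors: %d\n", leap_ok(timing, 1, remote));
    printf("with self-signed:   %d\n", leap_ok(mixed, 2, remote));
    return 0;
}
```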