6 Commits

Author SHA1 Message Date
kn
ad2ec0224e Update to hitch 1.5.0
* Support for UNIX domain socket connections. A backend endpoint can now
  be specified as a UNIX domain socket, via backend = "/path/to/socket".
* New configuration file settings pem-dir and pem-dir-glob. pem-dir can
  be used to specify a directory for loading certificates, without
  specifying each file individually.
* Support for TLS 1.3. Thanks to Lasse Karstensen.
* Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
* Add log-level. This supersedes the previous quiet setting,
  which is now deprecated.
* Add proxy-tlv. This enables extra reporting of cipher and protocol as
  part of the PROXYv2 protocol.
* Drop TLSv1.1 from the default TLS protocols list.

Use Python 3 during build and make tests depend on the current version while
here.
2019-08-18 08:34:02 +00:00
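The hitch.conf below is an added example, not the port's sample configuration, showing the 1.5.0 settings named in the commit above (a UNIX domain socket backend, pem-dir / pem-dir-glob, log-level, proxy-tlv, ocsp-dir) together in one file. The paths, the _hitch user and the listen address are assumptions; frontend, write-proxy-v2, user, group and tls-protos are hitch settings not mentioned in the commit and are taken from hitch's own documentation.

```conf
# Added example hitch.conf (not the project's own sample file).
# Paths, user name and listen address are assumed for illustration.

# TLS listener. log-level (0..2) supersedes the deprecated "quiet".
frontend = "[*]:443"
log-level = 1

# Backend given as a UNIX domain socket path instead of host:port.
backend = "/var/run/varnish.sock"

# Talk PROXYv2 to the backend; proxy-tlv adds the negotiated cipher
# and protocol version as extra TLVs in the PROXYv2 header.
write-proxy-v2 = on
proxy-tlv = on

# Load every matching certificate from a directory instead of one
# pem-file line per certificate.
pem-dir = "/etc/hitch/certs/"
pem-dir-glob = "*.pem"

# Directory for OCSP staples; hitch writes new staple files here at
# runtime, so it must be writable by the user below.
ocsp-dir = "/var/hitch/ocsp/"

# Drop privileges after start-up.
user = "_hitch"
group = "_hitch"

# Explicit protocol list: TLSv1.1 is out of the defaults since 1.5.0
# and TLSv1.3 is now supported.
tls-protos = TLSv1.2 TLSv1.3
```

A reload of this file (SIGHUP) picks up changes to the certificate and listen settings; changing ocsp-dir across a reload is the case the crash fix in the commit refers to, so verify the directory is writable by the OCSP worker before reloading.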
sthen
48b0b9660c replace simple PERMIT_PACKAGE_CDROM=Yes with PERMIT_PACKAGE=Yes 2019-07-12 20:48:23 +00:00
ajacoutot
edd203cd90 Don't hardcode user in $daemon (i.e. -u foo).
Use daemon_flags for this, it's what it's for.

ok sthen@
2018-12-09 12:05:25 +00:00
kn
c6d13c3ed0 Fix permissions, add "cpath" promise for OCSP worker
Hitch may create new staple files at runtime.

Found by Maxim Tarasov <mu@magi.net.ru>, thanks!

Feedback and OK sthen
2018-06-02 09:51:33 +00:00
jca
93a5216064 Simpler pledge(2) approach
- always call pledge(2) with a string literal, instead of subtracting
promises from a mutable string.  Makes it easier to see what privileges
remain.

- call pledge(2) later in the initialization, so that we don't need to
care about too many promises eg "flock".

- always use "cpath" in the main process - needed at least if --pidfile
is passed.

Tested in basic setup, started as root with chroot and started as
_hitch, config reload still works.

ok kn@ (maintainer)
2018-05-08 23:22:51 +00:00
kn
153c68c6ff Hitch is a libev-based high performance TLS proxy designed to handle 10s of
thousands of connections efficiently on multicore machines.

It supports ALPN, SNI, PROXY protocol, automatic OCSP stapling as well as
seamless configuration reloads of certificates and listen endpoints.

Feedback and OK jca
2018-05-01 13:43:59 +00:00