We decided there wasn’t enough suspense about the 0.9.0 release yet, so we’re issuing another release candidate to keep you on your toes.
In fact, some of the changes we made for rc3 to stay compatible with the new LuaSocket 3.0 didn’t compile on some platforms. This should now be fixed.
We also realised that although we have set a number of new defaults for our TLS configuration (see previous release notes), we had not set a list of acceptable ciphers, which led some clients and servers to negotiate ciphers that might be considered weak. From this version we explicitly ask OpenSSL to offer only strong ciphers, but this needs more testing for client compatibility. Let us know if you encounter any problems.
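One way to see what a cipher list actually permits on a given OpenSSL build, as an added example that is not Prosody's code: this Python check expands a cipher string and flags suites that are weak by name or key length. The string `HIGH:!aNULL:!3DES`, the marker list and the 128-bit threshold are assumptions chosen for illustration, not the list this release ships.

```python
import ssl

# Name fragments of suites generally treated as weak: no encryption or no
# authentication, export grade, RC4, DES/3DES, MD5 MACs (illustrative list).
WEAK_MARKERS = ("NULL", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH")

# Constructed example string, not the list shipped by this release.
STRICT = "HIGH:!aNULL:!3DES"


def expand(cipher_string):
    """Return the suites the local OpenSSL build enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately; where the build supports
    # them they are listed regardless of cipher_string.
    return ctx.get_ciphers()


def weak_suites(cipher_string, min_bits=128):
    """Names of enabled suites that are weak by name or by key length."""
    flagged = []
    for suite in expand(cipher_string):
        by_name = any(m in suite["name"] for m in WEAK_MARKERS)
        by_bits = suite.get("strength_bits", 0) < min_bits
        if by_name or by_bits:
            flagged.append(suite["name"])
    return flagged


if __name__ == "__main__":
    # "ALL" stands in for a permissive configuration; what it expands to
    # depends on how the local OpenSSL was built and its security level.
    for label, string in (("permissive", "ALL"), ("strict", STRICT)):
        print(label, len(expand(string)), "enabled, weak:", weak_suites(string))
```

Run it on the host that terminates TLS, since the same string can expand differently under another OpenSSL version.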
Summary of changes:
- Fix compilation on BSD and Windows
- Tighten up default SSL/TLS cipher list
- Improve reporting of DNS errors
- Fix handling of errors caused on component and BOSH connections
- Fix ‘Get list of online users’ ad-hoc command
- Include port in HTTP host header for HTTP requests (for compliance)
Also note that this and future source releases shall be signed with a new key, 7BDD6BFE, available on a keyserver near you or at matthewwild.co.uk/pgp.asc. Debian packages are not affected.