v0.14.0
----------------------------------------------------------------------------------------------------
 * Updated to rustls-ffi 0.14.0 by @cpu.

v0.13.0
----------------------------------------------------------------------------------------------------
 * align version somewhat with rustls-ffi version supported
 * move module from Apache httpd to its own github repository
 * fix tests to run on locally build mod_tls, no install necessary
 * adapted to rustls-ffi thanks for @cpu.

v0.8.2
----------------------------------------------------------------------------------------------------
 * Adapted to the new API in rustls-ffi v0.8.2
 * Brought in Apache's pyhttpd test framework and adjusted test cases to its use.

v0.8.1
----------------------------------------------------------------------------------------------------
 * Support for machine certificates in proxy conections. Use `TLSProxyMachineCertificate`
   similar to `TLSCertificate` to configure a certificate to use for authentication
   against a proxied backend server.
   As with `TLSCertificate` more than one certificate may be configured and the
   first compatible is chosen by the `rustls` library for the connection.

v0.8.0
----------------------------------------------------------------------------------------------------
 * Fixed the case where client authentication (currently disabled) on a server
   would prevent ACME challenges from working.
 * Fixed test configuration to accommodate for installations on debian with static modules
   and directories used.
 * Updated docker image "debian-test" to use the apache2 package instead of a local
   compiled httpd.
 * Fixed a missing flush at the end of a connection that makes sure the connection close
   is clean and immediate and that short linger times apply.
 * Added `TLSProxyCiphersPrefer` and `TLSProxyCiphersSuppress` for proxy connections.
 * Added `TLSProxyProtocl` to set the minimum TLS version to use in proxy connections.
 * Renamed `TLSProtocls` to `TLSProtocol` to less confusing when migrating from mod_ssl.
 * All TLS filters trigger initialization and handshake processing on demand
   when invoked, in both input and output handling.
 * The whole setup of the rustls connection handling is delayed until I/O
   filters are called. This allows for last minute changes in connection notes.
   This way, ALPN signalling to the backend can be done for mod_proxy_http2.
 * Added test for TLSProxy connections without any special flavour
   except providing a CA PEM file for trusted root.
 * loading of native trust anchors disabled since rustls crashes on MacOS for this.
   Issue opened at <https://github.com/kornelski/rust-security-framework/issues/136>.
 * Adding support for new ssl/proxy interworking PR in apache trunk.

v0.7.1
----------------------------------------------------------------------------------------------------
 * Renamed `TLSListen` configuration directive to `TLSEngine` after feedback
   from early tester (thanks @djc!).

v0.7.0
----------------------------------------------------------------------------------------------------
 * Disabled all client certificate related configurations and test. Client certificates
   are unsupported in mod_tls for the time being, as there is no Rust revocation
   mechanism currently available. See also README.md.

v0.6.1
----------------------------------------------------------------------------------------------------
 * Added `TLSOptions ExportCertData` to export the certificates PEM data to the request env.
 * Added `TLSOptions Defaults` to reset options settings in a location.
 * Adding test cases for http and https proxy setups
 * Intercepting mod_ssl/mod_proxy calling to avoid enabling mod_tls on proxy connections.

v0.6.0
----------------------------------------------------------------------------------------------------
 * Adapted to the new read/write callbacks in crustls

v0.5.0
----------------------------------------------------------------------------------------------------
 * Supporting more variables as defined in mod_ssl. Adding test cases for those.
 * Adapted the the recent additions in crustls for client verifiers.
   Keeping central registry of cert stores and verifiers, released when
   configuration of servers is done.
 * Client CA is loaded as new rustls_root_cert_store (PR tbd) and is used
   in building session configs.
 * Presence of a client certificate is checked when client auth is required.
 * variable SSL_CLIENT_S_DN_CN added with fake data since we are not able to dissect
   the client certificate DER data yet.
 * Implemented support for OCSP stapling using the new ap_ssl_ocsp* functions
   in the patched Apache httpd and a development branch of crustls.
 * Transferred repository to abetterinternet org.
 * Added Docker support for setting up an images based on debian sid,
   build current apache 2.4.x patch, current crustls PR branch and the
   local mod_tls sources and have the test suite run in the image.
 * Updated documentation on protocol version/cipher configuring.
 * Changed numerical names to include `0x`, for example `TLS_CIPHER_0xc024`,
   to avoid ambiguities.
 * Added OpenSSL names for ciphers as well-known alternative to the IANA
   assigned names for TLSv1.2+ ciphers.
 * Implemented checks on minimum TLS version and suppressed ciphers when
   serving requests to server A on a connection opened on server B.
 * A warning will be logged when TLS ciphers are configured for preference, but
   not supported by rustls. Test cases added.
 * Successful run with the `mod_md` extended test suite that allows specification
   of the ssl module to test with.
 * Fixed various edge cases about vhost selection, fallback and challenge certificates
   and added a new directive `TLSStrictSNI` to allow relaxed checks of client
   host names for people who run "catch all" servers.
 * First tests with the latest mod_md to enable supplying static certificates
   to mod_tls.
 * TLSProtocols now takes only one argument and that is the minimum TLS protocol
   to use: `TLSv1.2+`, `TLSv1.3+` or `TLSvXXXX+` where XXXX is the hexadecimal
   protocol version. Specifying 'default' will use all protocols supported by
   rustls and that is also the default.
 * Added test case for session storage in TLSv1.2 using openssl. TLSv1.3
   test is incomplete and disabled for now.
 * Added support for new session store feature in my crustls branch.
 * Added test case for timeout handling during TLS handshake.
 * new config Directive `TLSOptions` similar for mod_ssl's `SSLOptions`.
   Only open so far is 'StdEnvVars' which adds a (currently limited) list
   of TLS related environment variables to CGI handlers.
 * `TLSCertificate` can also be used with a single argument, given one file
   that contains all PEM data.
 * Configuration directives 'TLSProtocols' and 'TLSCiphers' implemented. Test
   cases added.
 * Added support for setting challenge certificates using the new (apache trunk)
   hooks and functions. ACME tls-alpn-01 support incoming.
 * The module now also allows certificate configuration via the new central
   hooks. A future mod_md will provide ACME certificate this way.
 * Updated patch file for the Apache httpd 2.4.x release line with the latest
   necessary changes to run the module.
 * Fixes in output handling to pass meta buckets in their proper location down
   to the network.
 * Test can be run with another mpm by setting the environment variable MPM:
   > MPM=worker pytest
 * All buffers passed to rustls for writing to are now initialized via 'calloc()',
   as Rust requires. There is no concept of a write-only array, unfortunately.
 * Added a patch file for the Apache httpd 2.4.x release line with the - so far -
   necessary changes to the server. Make mod_tls compile against httpd trunk and
   a patched branches/2.4.x.
 * More load test scenarios.
 * Adding the first load test scenario for comparing transfer speeds between mod_tls
   and mod_ssl on a single connection for various resource sizes. Use `make loadtest`
   to run.
 * Fixed a bug that caused the connection to close after the first request had been
   handled.
 * Improved the passing of encrypted data to the network to involve a bit less buffering.
 * Started load test scenarios to measure performance and resource usage.
 * ALPN negotiation implemented. Curl in test cases now speaks HTTP/2 with mod_tls
   when configured.
 * Use of the new Apache httpd API for SSL related queries (available only in trunk
   for now). Other modules can query if the connection is protected by SSL encryption
   as if mod_ssl were loaded. Also, some first SSL related variables are exposed for
   querying.
 * rustls_cipher_certified_keys are used when configuring sessions, so that more
   than one certificate can be configured for a server. The rustls session will
   select the first certificate that is compatible with the clients hello
   settings.
 * Experimental client hello C callback implemented in local crustls version.
 * SNI host selection implemented. Foundation in place for vhost specific TLS settings.
   Missing: ALPN handling, selection from several certificates for a vhost, adding
   of dynamic certificates.
 * Extending our Test CA to create also Elliptic Curve keys for ECDSA certificates.
 * Mixing old-skool OpenSSL PEM format for RSA and newer PKCS8 PEM for EC keys
   to have variety on what rustls is able to parse.
 * Using python module "trustme" to generate certificates from a local CA. Using
   the CA to verify TLS connections in curl and get rid of the "--insecure" setting
   that disables several other checks as well.
 * New directive `TLSProtocol` to set the minimum version of the TLS protocol to
   use on a host/the server. Does not have an effect as the support in crustls
   is not there yet.
 * Adjusting filter buffer sizes for TLS and plain data to allow generation of
   max-length TLS messages without for security and efficiency reasons.
 * Testing SNI invalid name. Proper shutdown of the connection on failures
   during handshake implemented.
 * First checks on connection sharing.
   - requests against a virtual hosts server are only allowed if the client uses SNI.
   - requests to domain B on a connection to domain A are only allowed if there
     are no relevant differences between the TLS configurations. This does exclude
     the certificates configured, since it is the client's responsibility to check
     if B falls under the certificate from A.
 * New directive `TLSHonorClientOrder on|off` with default off, to make the
   server session honor client cipher ordering.
 * Checks on SNI selected host against request selected host started.
 * vhost is detected based on client supplied SNI hostname. Unknown SNI hostnames
   are not prevented from connecting as it is the clients obligation if it trust
   the supplied server certificate.
 * base filter handling performs retrieval of JSON resource file. test_03_get succeeds.
 * mod_tls does first successful handshake with a MacOS curl (libressl) using
   TLS v1.2 and an RSA 2048 certificate, self signed.
 * mod_tls loads single certificate (first configured) into rustls
 * test case creates self-signed certificate, configures it for mod_tls
 * created skeleton module and autoconf/make files.
