Version 1.5.4
-------------
-   Added the option --disallow-limited-proxy on request by Igor Sfiligoi to be
    able to disallow limited proxies. The man page is updated with this
    inclusion.
-   Added full support for RFC and GT3 proxies. Detection of the proxy types,
    including limited proxies, is now fully supported. RESTRICTED and
    INDEPENDENT in (pre-)RFC proxies WILL be treated as an IMPERSONATION proxy
    type, which is the default.
-   Malformed certificate chains (CA -> EEC -> RFC -> GT3 -> RFC -> ...) were
    tolerated in previous versions because the detection was not fully
    complete. It is now tested to be fully compliant and we can safely enable
    strict certificate chain checking.
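
A simplified model of strict chain checking, added here as an illustration; it
is not the plugin's code. It assumes that a well-formed chain is zero or more
CAs, one EEC, then proxies of a single flavour, and that the 1.5.4 and 1.5.0
limited-proxy options act on the `limited` flag; all type and function names
are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Certificate kinds named in the changelog; this enum is hypothetical. */
typedef enum { K_CA, K_EEC, K_GT2, K_GT3, K_RFC } kind_t;
typedef struct { kind_t kind; int limited; } cert_t;
typedef enum { CHAIN_OK, CHAIN_MALFORMED, LIMITED_REQUIRED, LIMITED_DISALLOWED } result_t;

/* chain[] runs root first, leaf last. Assumed strict shape:
 * zero or more CAs, exactly one EEC, then proxies of a single flavour. */
result_t check_chain(const cert_t *chain, size_t n, int require_limited, int disallow_limited)
{
    size_t i = 0;
    int any_limited = 0;

    while (i < n && chain[i].kind == K_CA)
        i++;
    if (i == n || chain[i].kind != K_EEC)
        return CHAIN_MALFORMED;              /* no EEC after the CAs */
    i++;
    for (size_t first = i; i < n; i++) {
        if (chain[i].kind == K_CA || chain[i].kind == K_EEC)
            return CHAIN_MALFORMED;          /* CA or second EEC below the EEC */
        if (chain[i].kind != chain[first].kind)
            return CHAIN_MALFORMED;          /* e.g. RFC -> GT3 -> RFC */
        any_limited |= chain[i].limited;     /* several limited proxies are fine */
    }
    /* Assumption: --disallow-limited-proxy rejects a limited proxy anywhere. */
    if (disallow_limited && any_limited)
        return LIMITED_DISALLOWED;
    /* --require-limited-proxy: the final certificate must be limited. */
    if (require_limited && !chain[n - 1].limited)
        return LIMITED_REQUIRED;
    return CHAIN_OK;
}

/* Constructed sample chains. */
const cert_t MIXED[] = { {K_CA,0}, {K_EEC,0}, {K_RFC,0}, {K_GT3,0}, {K_RFC,0} };
const cert_t TWO_LIMITED[] = { {K_CA,0}, {K_EEC,0}, {K_GT2,1}, {K_GT2,1} };
const cert_t PLAIN_RFC[] = { {K_CA,0}, {K_EEC,0}, {K_RFC,0} };

int main(void)
{
    printf("mixed=%d two_limited=%d plain+require=%d\n",
           check_chain(MIXED, 5, 0, 0), check_chain(TWO_LIMITED, 4, 0, 0),
           check_chain(PLAIN_RFC, 3, 1, 0));
    return 0;
}
```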


Version 1.5.3
-------------
-   Brian Bockelman reported a verification failure when a certificate chain
    contains at least two limited proxies. This version exclusively fixes this
    problem.
-   The add-on verification routines that semantically check the certificate
    chain were not launched when the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
    error was set. Only OpenSSL versions older than 0.9.8 would have this
    #ifdef enabled.
-   OpenSSL raises an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED where it doesn't
    make sense, as the test used a non-RFC3820 proxy. OpenSSL is not capable of
    extracting a path length constraint out of a non-RFC proxy. OpenSSL also
    tagged all certificates in the chain as showing the
    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error. The add-on evaluator performs
    a proper check to compensate.
-   The add-on verification routines did not take limited proxies into account.
    This mistake was gracefully neglected, because proxy chains with only one
    Limited proxy at the end were perfectly tolerated. A double limited proxy,
    or a proxy certificate chain with two or more Limited proxy delegations of
    the RFC3820 and old-style proxy type, would fail the verification with the
    previously mentioned anomalies.
-   The first delegation can now be a GT2/old-style Limited proxy.
-   See BUGS for the known bugs and caveats.


Version 1.5.2
-------------
-   An internally restructured verify-proxy plugin fixing several memory
    handling problems. It solved several memory leaks and quite a lot of
    potential segmentation fault situations.
    There should be no noticeable change, besides the lowered memory leakage
    and proper checking.


Version 1.5.1
-------------
No report


Version 1.5.0
-------------
-   Changing the log messages to match the logging method used in LCMAPS
    version 1.5.0, which will be using the Syslog native log priority/levels.
-   The plugin will fail to initialize when the configured -cadir or -certdir
    directory does not exist. This was a run-time error.
-   Fixed the ability to use the plugin for life-time checking from a GT4 or
    GT5 service. The requirement for a private key MUST be explicitly disabled
    with either the configuration of "--only-enforce-lifetime-checks" or
    "--discard_private_key_absence". The internally used environment variable
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
    "--discard_private_key_absence". The environment variable can be
    countered/muted by "--never_discard_private_key_absence".
-   New feature to be able to REQUIRE the final certificate in a chain to be a
    LIMITED proxy.  Enable the option "--require-limited-proxy" to enforce
    this.
    This version DOES NOT WORK with RFC3820 limited proxies. This will be added
    in an update.
-   Man page is now packaged with the source.




Version 1.4.12
--------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now reliably distinguishes RFC 3820
and old-style certificates. A wrongly constructed chain is a rare
occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.

The certificate rejection is only triggered when the following #define is
enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated
as a warning only seen on a verbose loglevel.

Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.

A bunch of useless debugging messages are no longer visible in the log file.
They can be revived when you raise the loglevel for more verbosity.


Version 1.4.11
--------------
Implemented my own Path Length Constraint check that is capable of checking
both the Path Length Constraint in CA certificates and RFC proxy certificates.
Fixing GGUS ticket 67040 - https://ggus.eu/ws/ticket_info.php?ticket=67040
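
How the two kinds of path length constraint are counted, as an added example
that is not the plugin's code: following RFC 5280 and RFC 3820, a CA's
constraint limits the CA certificates below it and an RFC proxy's constraint
limits the proxies below it. The types, names and sample chains are
hypothetical, and self-issued intermediates are not modelled.

```c
#include <stdio.h>
#include <stddef.h>

typedef enum { P_CA, P_EEC, P_PROXY } pkind_t;
typedef struct {
    pkind_t kind;
    int path_len;   /* pathLenConstraint / pCPathLenConstraint, -1 = absent */
} pcert_t;

/* chain[] runs root first, leaf last. Returns the index of the first
 * certificate whose constraint is exceeded, or -1 if none is. */
int first_pathlen_violation(const pcert_t *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int following = 0;
        if (chain[i].kind == P_EEC || chain[i].path_len < 0)
            continue;   /* EECs and old-style proxies carry no constraint */
        /* A CA limits the CA certificates below it (RFC 5280); an RFC 3820
         * proxy limits the proxy certificates below it. */
        for (size_t j = i + 1; j < n; j++)
            if (chain[j].kind == chain[i].kind)
                following++;
        if (following > chain[i].path_len)
            return (int)i;
    }
    return -1;
}

/* Constructed sample chains. */
const pcert_t SUB_CA_OK[]  = { {P_CA,1}, {P_CA,0}, {P_EEC,-1}, {P_PROXY,-1}, {P_PROXY,-1} };
const pcert_t SUB_CA_BAD[] = { {P_CA,0}, {P_CA,-1}, {P_EEC,-1} };
const pcert_t PROXY_BAD[]  = { {P_CA,-1}, {P_EEC,-1}, {P_PROXY,1}, {P_PROXY,-1}, {P_PROXY,-1} };

int main(void)
{
    printf("sub_ca_ok=%d sub_ca_bad=%d proxy_bad=%d\n",
           first_pathlen_violation(SUB_CA_OK, 5),
           first_pathlen_violation(SUB_CA_BAD, 3),
           first_pathlen_violation(PROXY_BAD, 5));
    return 0;
}
```

In SUB_CA_OK the subordinate CA has a constraint of 0 and two proxies below it;
the proxies do not count against the CA constraint, so the chain passes.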


Version 1.4.10
--------------
Plugin lcmaps-plugins-verify-proxy:
- Fixing path length constraint problem for TERENA eScience Personal CA users.


Version 1.4.9
-------------
Plugin lcmaps-plugins-verify-proxy:
- Fixed the Proxy Life Time Policy enforcement functionality.
- Fixed the VOMS Life Time Policy enforcement functionality.
- To cope with Subordinate CAs we have to extend the verification depth to be
  able to hold the certificate chain (could contain a lot of delegations) and
  all the CA certificates, which might not be added to the certificate chain
  itself but would still be lingering in the X509 CA directory lookup
  functions. OpenSSL uses a default depth of 9.

Resurrected an option with a different name:
--only-enforce-lifetime-checks

When this option is set the verification routines are skipped to enforce the
proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools
like GridFTPd and the Gatekeeper as they already perform full authentication on
the SSL layer. In gLExec this plug-in MUST run in full mode.


Generic to all components
-------------------------
- adjusted to be able to use EPEL, EMI and gLite packages and system native
  library installations
- cleanup of unused files and support for distribution tarball.
- provide pkg-config files
- All LCMAPS public header files are in ${includeDir}/lcmaps/*.h


