Version 0.5.6
-------------
Improvements:
-   Split the error message depending on whether the error comes from
    getsockopt() directly or is inherited.
-   Clean up the man page.

Bug fixes:
-   Fix memory leak with SSL_CTX_new() found in OSG, fixed by Brian.

Version 0.5.5
-------------
Improvements:
-   For using DN+FQANs only (--use-dn-and-fqans mode): the plugin now first
    checks the credential data stored by other plugins; if that fails, it tries
    the plugin arguments (i.e. values stored at plugin_initialize time).
-   For using certificates: when other plugins have set a user-dn and the new
    flag --use-dn-from-credential-data is specified, the plugin uses that
    user-dn instead of the subject DN of the certificate for the subject-x509-id
    attribute in the XACML request.

Bug fixes:
-   Replace select() with poll() since select() fails when the actual fd is
    larger than FD_SETSIZE (=1024 on Linux).
-   Prevent incorrect logging of an "Operation now in progress" error in certain
    circumstances.
-   For using DN+FQANs only (--use-dn-and-fqans mode): absence of FQANs was
    handled incorrectly.
-   Default retry count for multiple endpoint case should have been one per
    endpoint. The new default is: 2 retries for 1 endpoint, otherwise try once
    per endpoint. E.g. for 3 endpoints and random selection, we try in total 3
    endpoints. For 1 endpoint and any type of selection, we will try it twice.

Version 0.5.4
-------------
Bug fixes:
-   In case of multiple VOMS ACs attached to one proxy, they are now all sent.
-   A long certificate serial number (longer than INT_MAX) is now sent
    correctly.
-   Fix for https://jira.opensciencegrid.org/browse/SOFTWARE-1507:
    when setup_client_ctx() fails, we did not correctly revert to the original
    UID.
-   A few log messages had wrong format/args combinations.
-   We cannot use the built-in OpenSSL verification, since we want CRL checks
    only when they are present. Hence we MUST use our own callback since OpenSSL
    either ignores them always or fails on missing CRLs.
-   The OHs (obligation handlers) will run on obligations even if the fulfill_on
    does not match the decision.

Improvements:
-   Add support for new XACML interoperability profile obligation
    http://authz-interop.org/xacml/obligation/account
    with attributes
    http://authz-interop.org/xacml/attribute/username
    http://authz-interop.org/xacml/attribute/primary-groupname
    http://authz-interop.org/xacml/attribute/secondary-groupname
-   Also send the following XACML interoperability profile subject attributes:
    * ca-serial-number
    * ca-policy-oid (all of them)
    * cert-chain (optional, using --send-cert-chain-attribute)
-   When a subject attribute can be trusted, the issuer field is set to the
    appropriate value; when it cannot be trusted, it is set to the special
    value http://authz-interop.org/issuer/none; when it is unknown, no issuer is
    set.
    For the VOMS credentials, this is determined by whether the VOMS
    verification is enabled in LCMAPS; for the other credentials and attributes,
    this has to be specified by hand with the new commandline options
    --proxy-is-unverified / --proxy-has-been-verified.
-   New options --proxy-is-unverified / --proxy-has-been-verified to tell the
    client whether the proxy cert has or has not been verified by the client
    (e.g. by the verify-proxy plugin).
-   New option --send-cert-chain-attribute to instruct the plugin to also send
    the cert-chain subject attribute (PEM encoded). Default is not to send it.
-   Properly handle combinations of obligations:
    * when multiple obligations set a uid, they all MUST match.
    * when multiple obligations set a pgid, they all MUST match, except in the
      case that BOTH the username and uidgid obligations are provided but NOT
      the new account obligation. In that latter case, the first set pgid is
      used, which is necessary for certain GUMS servers.
-   Handle setting of too many attributes for a given obligation:
    * For uidgid obligation: fail when multiple posix-uid or multiple posix-gid
      attributes are given
    * For username obligation: fail when multiple username attributes are given
    * For account obligation: fail when multiple username or multiple
      primary-groupname attributes are given
-   Handle setting of obligations without at least one attribute.
-   New option --use-dn-and-fqans to use when there is no input PEM or
    certificate chain available for obtaining the user credentials which should
    be sent in the XACML request. This option will use the DN and FQANs (when
    available) instead.
-   Add support for new XACML API, allowing us to log the
    ID/issuer/issue_instant of the outgoing request and incoming response.
    This requires XACML-1.4.3 or higher to work.
-   Add the understood obligationIDs as environment attributes. This used to be
    done by the xacml lib, but we should do this as it is profile-dependent.
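The obligation-combination and too-many-attributes rules above, as an added illustration in Python (not the plugin's C code): obligations are modelled as (kind, attribute list) pairs, the passwd/group tables are constructed inline, and the rejection of an obligation without attributes is an assumption, since the notes only say such obligations are handled.

```python
from collections import Counter

PASSWD = {"alice": (1001, 100)}      # constructed: user name -> (uid, primary gid)
GROUPS = {"users": 100, "ops": 200}  # constructed: group name -> gid

# attribute names that may appear at most once per obligation kind
SINGLE = {
    "uidgid":   ("posix-uid", "posix-gid"),
    "username": ("username",),
    "account":  ("username", "primary-groupname"),
}

def check_attributes(kind, attrs):
    """Reject an obligation without attributes (assumed) or with a repeated one."""
    if not attrs:
        raise ValueError(f"{kind}: obligation without attributes")
    counts = Counter(name for name, _ in attrs)
    for name in SINGLE[kind]:
        if counts[name] > 1:
            raise ValueError(f"{kind}: multiple {name} attributes")

def contributed(kind, values):
    """(uid, pgid) an obligation contributes; None where it says nothing."""
    if kind == "uidgid":
        uid = int(values["posix-uid"]) if "posix-uid" in values else None
        pgid = int(values["posix-gid"]) if "posix-gid" in values else None
    else:  # username and account resolve through the passwd/group tables
        uid, pgid = PASSWD[values["username"]]
        if kind == "account" and "primary-groupname" in values:
            pgid = GROUPS[values["primary-groupname"]]
    return uid, pgid

def merge(obligations):
    """Return the (uid, pgid) all obligations agree on, or raise ValueError."""
    kinds, uids, pgids = set(), [], []
    for kind, attrs in obligations:
        check_attributes(kind, attrs)
        kinds.add(kind)
        uid, pgid = contributed(kind, dict(attrs))
        uids += [uid] if uid is not None else []
        pgids += [pgid] if pgid is not None else []
    if len(set(uids)) > 1:
        raise ValueError(f"conflicting uids {uids}")
    # GUMS compatibility: username + uidgid without account -> first pgid wins
    legacy = {"username", "uidgid"} <= kinds and "account" not in kinds
    if len(set(pgids)) > 1 and not legacy:
        raise ValueError(f"conflicting pgids {pgids}")
    return (uids[0] if uids else None, pgids[0] if pgids else None)

def merge_or_error(obligations):
    """The merged pair, or the error text when the obligations conflict."""
    try:
        return merge(obligations)
    except ValueError as err:
        return str(err)
```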

Version 0.5.3
-------------
Bug fixes:
-   The second step of the SSL shutdown did not work completely correctly,
    potentially resulting in an error message.

Version 0.5.2
-------------
Bug fixes:
-   Random seeds are not random enough if many clients are started in the same
    second.
Improvements:
-   Default timeout and backoff times are mentioned in the manpage and a
    build-time ./configure flag can choose between the European or USA values.
-   Remove error-prone code duplication.
-   Clean up the manpage for round-robin behaviour.

Version 0.5.1
-------------
Improvements:
-   Fix compiler warning for OpenSSL<0.9.8k.
-   Fix a problematic unnecessary cast and compiler warnings for Solaris.
-   Add better support for (default) CA certificate directory: When unset as
    commandline arg, look now also at $X509_CERT_DIR (e.g. from gLExec and/or
    LCMAPS) before falling back to /etc/grid-security/certificates.

Version 0.5.0
-------------
Bug fixes:
-   Connect using a non-blocking connect() plus a select() instead of a blocking
    connect() only. Otherwise timeout does not work properly cross-platform
    (e.g. Solaris or BSD). Note that in any case we needed SO_SNDTIMEO, not
    SO_RCVTIMEO.
-   The --connection-timeout option was broken (its value would be taken from
    --socket-timeout).
-   The socket timeout did not work properly for connect(). Now the socket
    timeout is used first for connect, then for reading.
-   The round-robin vs. retry behaviour was not working well: when one endpoint
    is down, do not retry that one straight away, but retry using the next
    endpoint. The number of retries per server is still the same.
-   An SSL_ERROR_SSL from SSL_get_error() should have been an unrecoverable
    error. This is needed to prevent rerunning the callout many times in case of
    an expired CRL.
-   Free memory for overriding hostname only after we are done with it.
    This broke the effect of "--override-expected-hostname <hostname>" in an
    SSL-handshake retry.
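The endpoint ordering described here (move to the next endpoint before retrying one that failed) together with the 0.5.5 default of two tries for a single endpoint and one try per endpoint otherwise, as an added Python illustration (not the plugin's code; the function names, and the choice to shuffle once for random selection, are assumptions):

```python
import random

def default_retries(endpoints):
    """0.5.5 default: one endpoint is tried twice, several are tried once each."""
    return 2 if len(endpoints) == 1 else 1

def attempt_order(endpoints, retries=None, selection="round-robin", rng=None):
    """Yield endpoints in the order they are tried.

    Each pass goes through every endpoint once, so after a failure the next
    endpoint is contacted before any endpoint is retried; `retries` is the
    number of passes, i.e. the retry count per server.
    """
    if retries is None:
        retries = default_retries(endpoints)
    order = list(endpoints)
    if selection == "random":        # assumed: pick a random order once, then cycle
        (rng or random).shuffle(order)
    for _ in range(retries):
        yield from order

def contact(endpoints, try_connect, **schedule):
    """Call try_connect(endpoint) along the schedule until one returns a result.

    Returns (endpoint, result, attempts); endpoint and result are None when every
    attempt failed. `attempts` records the endpoints actually contacted.
    """
    attempts = []
    for endpoint in attempt_order(endpoints, **schedule):
        attempts.append(endpoint)
        result = try_connect(endpoint)
        if result is not None:
            return endpoint, result, attempts
    return None, None, attempts

def constructed_failing_first(endpoint):
    """Constructed stand-in for a connection attempt: the first server is down."""
    return None if endpoint == "scas1.example.org" else f"decision from {endpoint}"
```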

Improvements:
-   New options --disable-server-proxy-support and --enable-server-proxy-support
    (still the default) to disable the custom verification of the server
    certificate. Do not disable it when the server uses a proxy certificate.
-   General cleanup of code, fix numerous implicit casts, consistent usage of
    types.
-   Improve some logging: print OpenSSL error queue in case of certain errors to
    aid debugging and lower loglevel of some non-errors to LOG_DEBUG.
-   Shared code between SCAS-client and SCAS is now synchronized.

Version 0.4.0
-------------
-   Using the new API from S2X2 1.3.0 and onwards, we no longer rely on
    stdout/stderr and hence no longer break setups where LCMAPS logs on stderr.
-   Minimal version of the SAML2-XACML2-C-lib is now 1.3.0.


Version 0.3.5
-------------
-   Applying Brian's patch to capture stdout/stderr from the S2X2 library and
    log it to the LCMAPS log.


Version 0.3.4
-------------
-   Added BUGS in the man page.
-   Updated the man page to represent the flags introduced in the 0.3.3 version.


Version 0.3.3
-------------
-   Added a new option: --disable-keepalive
    Explicitly disable the TCP-keepalive feature.
-   Added a new option: --enable-keepalive
    Explicitly enable the TCP-keepalive feature.
-   Added a new option: --use-system-default-keepalive
    Leave the TCP-keepalive setting to be enforced by the system defaults.
-   Support for the XACML Subject attributes as specified in the AuthZ Interop
    document*:
    http://authz-interop.org/xacml/subject/validity-not-before
    http://authz-interop.org/xacml/subject/validity-not-after

    Sample value: 2012-02-28T06:51:56Z

*:  An XACML Attribute and Obligation Profile for Authorization
    Interoperability in Grids - version 1.2
    http://www.fnal.gov/docs/products/voprivilege/focus/AuthZInterop/info.html


Version 0.3.2
-------------
-   Removed header for the gid_list function.
-   Code clean up and code adjustment to improve readability.
-   Fix typo in log message.
-   Use LCMAPS framework lcmaps_get_gidlist() instead of local get_gidlist().
    This potentially leverages more (system specific) optimized solutions
    centrally.
-   Fixed left-over lcmaps_log() calls that used numbered levels instead of the
    natively defined syslog levels.
-   Integrates a patch from Brian Bockelman that ensures that the
    --authorization-only flag doesn't register any (possibly) returned
    Obligations into LCMAPS as a result. Previously the flag only prevented a
    plugin failure when a user is indicated to be authorized by SCAS/GUMS/SAZ,
    but without providing any Obligations (and associated attributes). This was
    to support the SAZ use case. Brian's use case is slightly different as it's a
    service that DOES provide Obligations to the scas-client, but these MUST be
    ignored.


Version 0.3.1
-------------
-   Added the option --enable-keepalive to lcmaps-plugins-scas-client.
-   Also prefixed all internal network related functions and setting functions
    with xacml_ where they are used as underlying transport extension to the
    libxacml.so.
-   Determine dynamic library extension in configure and use that for creating
    .mod symlinks.



Version 0.3.0
-------------
-   Changing the log messages to match the logging method used in LCMAPS version
    1.5.0, which will be using the Syslog native log priority/levels.

-   Added a default test of the configured CA path. The CA path must be
    stat()-able; in gLExec this means stat()-able as effective root.

-   Fail harder than on a normal socket() creation or connect() failure when
    getaddrinfo() failed to resolve the IP from a DNS hostname.



Version 0.2.25
--------------
New feature and/or fixes:
- Added extraction of the EEC and first CA certificate serial number as an integer/digit, not as a (hex encoded) string. On request by OSG (needs a GGUS ticket).
- Added relaxed socket timing and backoff/cutoff options, favoring the GUMS interaction in high-load situations, but not compromising SCAS interactions:
    --connection-timeout <seconds>          default was 1 second, changed to 25 seconds
    --socket-timeout <milliseconds>         default was 170 milliseconds, changed to 2100 milliseconds
    --incremental-backoff <milliseconds>    default was 50 milliseconds, changed to 1500 milliseconds


Build/install information:
- Capable of using the new LCMAPS API while remaining backwards compatible with the old interface.
- The default installation directory is now $libdir/lcmaps instead of $libdir/modules.



===============

Plugin lcmaps-plugins-scas-client:
- Fixed file descriptor leak, found by Brian Bockelman (and team): "This should be used by anyone who calls LCMAPS repeatedly in the same process (i.e., you don't really need this for glexec or xinetd-based gridftp); it currently leaks two file descriptors per invocation.  This was problematic in Xrootd. [...]  Thanks to Matevz for making me look into this."
- Fixed memory leaks found by Brian Bockelman. Found in xrootd. These were mostly cleanups of structs and objects that didn't get free'd.
- Updated the manpage to reflect the new features.
- The overriding-hostname message in the xacml_io_ssl.c file is now logged at the debug level instead of the error level.
- Exposed the override of the expected hostname in the new option "--override-expected-hostname <hostname>".
- Fixes a problem when interacting with the GUMS service. The check to see if an essential Obligation Handler has fired lacked the situation where a GUMS service replied with the Username OH. This is now fixed.
- Fixed a segfault when the FQDN in the URL doesn't match a dnsAltName entry while dnsAltNames are present. The mismatch caused the SSL connection to be disconnected because this post-connection check failed.


Added new configuration options:
--override-expected-hostname <hostname>
This option overrides the expected hostname of the service it connects to. The service must still present a valid host certificate, but during the validation of the hostname against the certificate the given <hostname> string is used as the expected host that is OK to communicate with.

--authorization-only
Skip the requirement for Obligations. Do authorization only (used by SAZ)

--enable-poolindex-fix
Add the faked poolindex to the LCMAPS framework. This is to cope with LCMAPS 1.4.6 and older.

--cert-owner <certificate owner>
This is an optional parameter, mostly interesting for sites that use gLExec and use host certificates to authenticate the SSL connection to GUMS, SCAS or something else.

API Extensions:
Function: get_hostname_to_match_client_cert
Description:
    Gets the hostname string which the peer certificate must match.
    If this cannot be matched automatically, then this feature can be
    used to do so.
Function: set_hostname_to_match_client_cert
Description:
    Sets the hostname string which the peer certificate must match.
    If this cannot be matched automatically, then this feature can be
    used to do so.
Function: free_hostname_to_match_client_cert
Description:
    Frees the hostname string set with set_hostname_to_match_client_cert.


Generic to all components:

- Adjusted to be able to use EPEL, EMI and gLite packages and system native library installations.
- Cleanup of unused files and support for distribution tarball.
- Provide pkg-config files.
- All LCMAPS public header files are in ${includeDir}/lcmaps/*.h.


