simon at josefsson.org
Fri Dec 14 13:31:42 CET 2007
We are pleased to announce a new stable GnuTLS release: Version 2.2.0.
GnuTLS is a modern C library that implement the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.
The core GnuTLS library is distribute under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
libraries -- which contains OpenPGP and TLS/IA support, LZO compression,
the OpenSSL compatibility library -- and the self tests and command line
tools are distributed under the GNU General Public License version 3.0
(or later). The manual is distributed under the GNU Free Documentation
License version 1.2 (or later).
The project page of the library is available at:
Major changes compared to the v2.0 branch:
* SRP support aligned with newly published RFC 5054.
* OpenPGP support aligned with newly published RFC 5081.
* Support for DSA2 keys.
* Support for Camellia cipher.
* Support for Opaque PRF Input extension.
* PKCS#8 parser now handle DSA keys.
* Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra,
etc. Notice that liblzo2 2.02 is licensed under GPLv2 only. Earlier
versions, such as 2.01 which is included with GnuTLS, is available under
GPLv2 or later. If this incompatibility causes problems, we recommend
you to disable LZO using --without-lzo. LZO compression is not a
standard TLS compression algorithm, so the impact should be minimal.
* Functions for disabling record protocol padding.
Works around bugs on Nokia/Ericsson phones.
* New functions gnutls_priority_set() for setting cipher priorities easily.
Priorities like "COMPAT" also enables other work arounds, such as
* Other minor improvements and bug fixes.
Minor changes compared to the latest v2.1.8 release candidate:
* Update internal copy of libtasn1 to version 1.2.
* Certtool --verify-chain now handle inputs larger than 64kb.
This fixes the self-test "rsa-md5-collision" under MinGW+Wine with
recent versions of libgcrypt. The problem was that Wine with the
libgcrypt RNG generates huge amounts of debugging output.
* Translation updates.
Added Dutch translation. Updated Polish and Swedish translation.
Backwards incompatible API/ABI changes in GnuTLS 2.2
To adapt to changes in the TLS extension specifications for OpenPGP
and SRP, the GnuTLS API had to be modified. This means breaking the
API and ABI backwards compatibility. That is something we try to
avoid unless it is necessary. We decided to also remove the already
deprecated stub functions for X.509 to XML conversion and TLS
authorization (see below) when we had the opportunity.
Generally, most applications does not need to be modified. Just
re-compile them against the latest GnuTLS release, and it should work
Applications that use the OpenPGP or SRP features needs to be
modified. Below is a list of the modified APIs and discussion of what
the minimal things you need to modify in your application to make it
work with GnuTLS 2.2.
Note that GnuTLS 2.2 also introduces new APIs -- such as
gnutls_set_priority() that is superior to
gnutls_set_default_priority() -- that you may want to start using.
However, using those new APIs is not required to use GnuTLS 2.2 since
the old functions continue are still supported. This text only
discuss what you minimally have to modify.
XML related changes
The function `gnutls_x509_crt_to_xml' has been removed. It has been
deprecated and only returned an error code since GnuTLS version
1.2.11. Nobody has complained, so users doesn't seem to miss the
functionality. We don't know of any other library to convert X.509
certificates into XML format, but we decided (long ago) that GnuTLS
isn't the right place for this kind of functionality. If you want
help to find some other library to use here, please explain and
discuss your use case on help-gnutls at gnu.org.
TLS Authorization related changes
Everything related to TLS authorizations have been removed, they were
only stub functions that returned an error code:
SRP related changes
The callback gnutls_srp_client_credentials_function has a new
prototype, and its semantic has changed. You need to rewrite the
callback, see the updated function documentation and SRP example code
(doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more
The alert codes GNUTLS_A_MISSING_SRP_USERNAME and
GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP
specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is
used. There are #define's to map the old names to the new. You may
run into problems if you have a switch-case with cases for both SRP
alerts, since they are now mapped to the same value. The solution is
to drop the SRP alerts from such switch cases, as they are now
deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY.
OpenPGP related changes
The function `gnutls_certificate_set_openpgp_keyserver' have been
removed. There is no replacement functionality inside GnuTLS. If you
need keyserver functionality, consider using the GnuPG tools.
All functions, types, and error codes related to OpenPGP trustdb
format have been removed. The trustdb format is a non-standard
GnuPG-specific format, and we recommend you to use key rings instead.
The following have been removed:
The following functions has an added parameter of the (new) type
`gnutls_openpgp_crt_fmt_t'. The type specify the format of the data
(binary or base64). The functions are:
To improve terminology and align with the X.509 interface, some
functions have been renamed. Compatibility mappings exists. The old
and new names of the affected functions and types are:
Old name New name
Getting the Software
GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnutls.org/pub/gnutls/>. The list of mirrors can be found at
<http://www.gnu.org/software/gnutls/download.html>. Note, that GnuPG is
not available at ftp.gnu.org.
Here are the BZIP2 compressed sources (4.8MB):
Here are OpenPGP detached signatures signed using key 0xB565716F:
Note, that we don't distribute gzip compressed tarballs.
In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command
gpg --verify gnutls-2.2.0.tar.bz2.sig
This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2008-06-30]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson <simon at josefsson.org>
uid Simon Josefsson <jas at extundo.com>
sub 1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]
The key is available from:
Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:
The manual is available online at:
In particular the following formats are available:
For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer consists
of libgpg-error 1.6, libgcrypt 1.4.0, libtasn1 1.2, opencdk 0.6.6, and
For more information about GnuTLS for Windows:
The Windows binary installer and PGP signature:
The checksum values for SHA-1 and SHA-224 are:
GnuTLS messages have been translated into Dutch, German, Malay, Polish
and Swedish. We welcome the addition of more translations.
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improve the software, or donate money
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding GnuTLS maintenance.
We are always looking for interesting development projects. See
http://josefsson.org/ for more details.
The GnuTLS service directory is available at:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 419 bytes
Desc: not available
More information about the Gnutls-devel