GnuTLS 2.8.0
Jeff Cai
Jeff.Cai at Sun.COM
Mon Jun 1 07:26:33 CEST 2009
I cannot find the COPYING.LIB in the source tarball.
Jeff
On Thu, 2009-05-28 at 10:10 +0200, Simon Josefsson wrote:
> We are proud to announce a new stable GnuTLS release: Version 2.8.0.
>
> GnuTLS is a modern C library that implements the standard network
> security protocol Transport Layer Security (TLS), for use by network
> applications. GnuTLS is developed for GNU/Linux, but works on many
> Unix-like systems and comes with a binary installer for Windows.
>
> The GnuTLS library is distributed under the terms of the GNU Lesser
> General Public License version 2.1 (or later). The "extra" GnuTLS
> library (which contains TLS/IA support, LZO compression and Libgcrypt
> FIPS-mode handler), the OpenSSL compatibility library, the self tests
> and the command line tools are all distributed under the GNU General
> Public License version 3.0 (or later). The manual is distributed
> under the GNU Free Documentation License version 1.3 (or later).
>
> The project page of the library is available at:
> http://www.gnu.org/software/gnutls/
>
> What's New
> ==========
>
> Version 2.8.0 is the first stable release on the 2.8.x branch and is the
> result of 7 months of work on the experimental 2.7.x branch. The GnuTLS
> 2.8.x branch replaces the GnuTLS 2.6.x branch as the supported stable
> branch, although we will continue to support GnuTLS 2.6.x for some time.
>
> ** lib: Linker version scripts reduce number of exported symbols.
> The linker version script now lists all exported ABIs explicitly, to
> avoid accidentally exporting unintended functions. Compared to
> before, most symbols beginning with _gnutls* are no longer exported.
> These functions have never been intended for use by applications, and
> there were no prototypes for these functions in the public header
> files. Thus we believe it is possible to do this without incrementing
> the library ABI version which normally has to be done when removing an
> interface.
>
> ** lib: Limit exported symbols on systems without LD linker scripts.
> Before, all symbols were exported. Now we limit the exported symbols
> to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
> _gnutls*. This is a superset of the actual supported ABI, but still
> an improvement compared to before. This is implemented using Libtool
> -export-symbols-regex. It is more portable than linker version
> scripts.
>
> ** libgnutls: Fix namespace issue with version symbols.
> The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
> LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
> LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
> GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
> GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to
> work but are deprecated.
>
> ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
> The symbol LIBGNUTLS_EXTRA_VERSION was renamed to
> GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is
> deprecated.
>
> ** libgnutls: Add functions to verify a hash against a certificate.
> gnutls_x509_crt_verify_hash: ADDED
> gnutls_x509_crt_get_verify_algorithm: ADDED
>
> ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
>
> ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
> It is currently only used by the core library. This will enable a new
> domain 'gnutls' for translations of the command line tools.
>
> ** certtool: Query for multiple dnsName subjectAltName in interactive mode.
> This applies both to generating certificates and certificate requests.
>
> ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
> Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
> be used for chain verification.
>
> ** gnutls-serv: No longer disable MAC padding by default.
> Use --priority NORMAL:%COMPAT to disable MAC padding again.
>
> ** gnutls-cli: Certificate information output format changed.
> The tool now uses libgnutls' functions to print certificate
> information. This avoids code duplication.
>
> ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
> ** and %VERIFY_ALLOW_X509_V1_CA_CRT.
> They can be used to override the default certificate chain validation
> behaviour.
>
> ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
>
> ** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
>
> ** libgnutls: gnutls_handshake when sending client hello during a
> rehandshake, will not offer a version number larger than the current.
>
> ** libgnutls: New interface to get key id for certificate requests.
> gnutls_x509_crq_get_key_id: ADDED.
>
> ** libgnutls: gnutls_x509_crq_print will now also print public key id.
>
> ** certtool: --verify-chain now prints results of using library verification.
> Earlier, certtool --verify-chain used its own validation algorithm
> which wasn't guaranteed to give the same result as the libgnutls
> internal validation algorithm. Now this command prints a new final
> line with header 'Chain verification output:' that contains the result
> from using the internal verification algorithm on the same chain.
>
> ** libgnutls: Libgcrypt initialization changed.
> If libgcrypt has not already been initialized, GnuTLS will now
> initialize libgcrypt with disabled secure memory. Initialize
> libgcrypt explicitly in your application if you want to enable secure
> memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory
> allocation functions, which doesn't use secure memory, so there is no
> real change in behaviour.
>
> ** libgnutls: Small byte reads via gnutls_record_recv() optimized.
>
> ** gnutls-cli: Return non-zero exit code on error conditions.
>
> ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
>
> ** certtool: allow setting arbitrary key purpose object identifiers.
>
> ** libgnutls: Change detection of when to use a linker version script.
> Use --enable-ld-version-script or --disable-ld-version-script to
> override auto-detection logic.
>
> ** Fix warnings and build GnuTLS with more warnings enabled.
>
> ** New API to set X.509 credentials from PKCS#12 memory structure.
> gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
>
> ** Old libgnutls.m4 and libgnutls-config scripts removed.
> Please use pkg-config instead.
>
> ** libgnutls: Added functions to handle CRL extensions.
> gnutls_x509_crl_get_authority_key_id: ADDED
> gnutls_x509_crl_get_number: ADDED
> gnutls_x509_crl_get_extension_oid: ADDED
> gnutls_x509_crl_get_extension_info: ADDED
> gnutls_x509_crl_get_extension_data: ADDED
> gnutls_x509_crl_set_authority_key_id: ADDED
> gnutls_x509_crl_set_number: ADDED
>
> ** libgnutls: Added functions to handle X.509 extensions in Certificate
> Requests.
> gnutls_x509_crq_get_key_rsa_raw: ADDED
> gnutls_x509_crq_get_attribute_info: ADDED
> gnutls_x509_crq_get_attribute_data: ADDED
> gnutls_x509_crq_get_extension_info: ADDED
> gnutls_x509_crq_get_extension_data: ADDED
> gnutls_x509_crq_get_key_usage: ADDED
> gnutls_x509_crq_get_basic_constraints: ADDED
> gnutls_x509_crq_get_subject_alt_name: ADDED
> gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
> gnutls_x509_crq_get_extension_by_oid: ADDED
> gnutls_x509_crq_set_subject_alt_name: ADDED
> gnutls_x509_crq_set_basic_constraints: ADDED
> gnutls_x509_crq_set_key_usage: ADDED
> gnutls_x509_crq_get_key_purpose_oid: ADDED
> gnutls_x509_crq_set_key_purpose_oid: ADDED
> gnutls_x509_crq_print: ADDED
> gnutls_x509_crt_set_crq_extensions: ADDED
>
> ** certtool: Print and set CRL and CRQ extensions.
>
> ** minitasn1: Internal copy updated to libtasn1 v2.1.
> GnuTLS should work fine with libtasn1 v1.x and that is still
> supported.
>
> ** examples: Now released into the public domain.
> This makes the license of the example code compatible with more
> licenses, including the (L)GPL.
>
> ** The Texinfo and GTK-DOC manuals were improved.
>
> ** Several self-tests were added and others improved.
>
> API/ABI changes in GnuTLS 2.8
> =============================
>
> No officially supported interfaces have been modified or removed. The
> library should be completely backwards compatible on both the source
> and binary level.
>
> The shared library no longer exports some symbols that have never been
> officially supported, i.e., not mentioned in any of the header files.
> The symbols are:
>
> _gnutls*
> gnutls_asn1_tab
>
> Normally when symbols are removed, the shared library version has to
> be incremented. This leads to a significant cost for everyone using
> the library. Because none of the above symbols have ever been
> intended for use by well-behaved applications, we decided that it
> would be better for those applications to pay the price rather than
> incurring problems on the majority of applications.
>
> If it turns out that applications have been using unofficial
> interfaces, we will need to release a follow-on release on the v2.8
> branch to export additional interfaces. However, initial testing
> suggests that few if any applications have been using any of the
> internal symbols.
>
> Although not a new change compared to 2.6.x, we'd like to remind you
> that interfaces have been modified so that X.509 chain verification now
> also checks activation/expiration times on certificates. The affected
> functions are:
>
> gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
> gnutls_certificate_verify_peers: Likewise.
> gnutls_certificate_verify_peers2: Likewise.
> GNUTLS_CERT_NOT_ACTIVATED: ADDED.
> GNUTLS_CERT_EXPIRED: ADDED.
> GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
>
> This change in behaviour was made during the GnuTLS 2.6.x cycle, and
> we gave our rationale for it in earlier release notes.
>
> The following symbols have been added to the library:
>
> gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
> gnutls_x509_crl_get_authority_key_id: ADDED
> gnutls_x509_crl_get_extension_data: ADDED
> gnutls_x509_crl_get_extension_info: ADDED
> gnutls_x509_crl_get_extension_oid: ADDED
> gnutls_x509_crl_get_number: ADDED
> gnutls_x509_crl_set_authority_key_id: ADDED
> gnutls_x509_crl_set_number: ADDED
> gnutls_x509_crq_get_attribute_data: ADDED
> gnutls_x509_crq_get_attribute_info: ADDED
> gnutls_x509_crq_get_basic_constraints: ADDED
> gnutls_x509_crq_get_extension_by_oid: ADDED
> gnutls_x509_crq_get_extension_data: ADDED
> gnutls_x509_crq_get_extension_info: ADDED
> gnutls_x509_crq_get_key_id: ADDED.
> gnutls_x509_crq_get_key_purpose_oid: ADDED
> gnutls_x509_crq_get_key_rsa_raw: ADDED
> gnutls_x509_crq_get_key_usage: ADDED
> gnutls_x509_crq_get_subject_alt_name: ADDED
> gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
> gnutls_x509_crq_print: ADDED
> gnutls_x509_crq_set_basic_constraints: ADDED
> gnutls_x509_crq_set_key_purpose_oid: ADDED
> gnutls_x509_crq_set_key_usage: ADDED
> gnutls_x509_crq_set_subject_alt_name: ADDED
> gnutls_x509_crt_get_verify_algorithm: ADDED
> gnutls_x509_crt_set_crq_extensions: ADDED
> gnutls_x509_crt_verify_hash: ADDED
>
> The following interfaces have been added to the header files:
>
> GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
> GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
> GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
> GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
> GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
> GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
>
> The following interfaces have been deprecated:
>
> LIBGNUTLS_VERSION: DEPRECATED.
> LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
> LIBGNUTLS_VERSION_MINOR: DEPRECATED.
> LIBGNUTLS_VERSION_PATCH: DEPRECATED.
> LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
> LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
>
> Getting the Software
> ====================
>
> GnuTLS may be downloaded from one of the mirror sites or direct from
> <ftp://ftp.gnu.org/gnu/gnutls/>. The list of mirrors can be found at
> <http://www.gnu.org/software/gnutls/download.html>.
>
> Here are the BZIP2 compressed sources (6.0MB):
>
> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
> http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2
>
> Here are OpenPGP detached signatures signed using key 0xB565716F:
>
> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
> http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig
>
> Note that we don't distribute gzip compressed tarballs.
>
> In order to check that the version of GnuTLS which you are going to
> install is an original and unmodified one, you should verify the OpenPGP
> signature. You can use the command
>
> gpg --verify gnutls-2.8.0.tar.bz2.sig
>
> This checks whether the signature file matches the source file. You
> should see a message indicating that the signature is good and made by
> that signing key. Make sure that you have the right key, either by
> checking the fingerprint of that key with other sources or by checking
> that the key has been signed by a trustworthy other key. The signing
> key can be identified with the following information:
>
> pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21]
> Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
> uid Simon Josefsson <simon at josefsson.org>
> uid Simon Josefsson <jas at extundo.com>
> sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]
>
> The key is available from:
> http://josefsson.org/key.txt
> dns:b565716f.josefsson.org?TYPE=CERT
>
> Alternatively, after successfully verifying the OpenPGP signature of
> this announcement, you could verify that the files match the following
> checksum values. The values are for SHA-1 and SHA-224 respectively:
>
> 7c102253bb4e817f393b9979a62c647010312eac gnutls-2.8.0.tar.bz2
>
> 57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.8.0.tar.bz2
>
> Documentation
> =============
>
> The manual is available online at:
>
> http://www.gnu.org/software/gnutls/documentation.html
>
> In particular the following formats are available:
>
> HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
> PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
>
> For developers there is a GnuTLS API reference manual formatted using
> the GTK-DOC tools:
>
> http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
>
> Community
> =========
>
> If you need help to use GnuTLS, or want to help others, you are invited
> to join our help-gnutls mailing list, see:
>
> http://lists.gnu.org/mailman/listinfo/help-gnutls
>
> If you wish to participate in the development of GnuTLS, you are invited
> to join our gnutls-dev mailing list, see:
>
> http://lists.gnu.org/mailman/listinfo/gnutls-devel
>
> Windows installer
> =================
>
> GnuTLS has been ported to the Windows operating system, and a binary
> installer is available. The installer contains DLLs for application
> development, manuals, examples, and source code. The installer uses
> libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0.
>
> For more information about GnuTLS for Windows:
> http://josefsson.org/gnutls4win/
>
> The Windows binary installer and PGP signature:
> http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB)
> http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig
>
> The checksum values for SHA-1 and SHA-224 are:
>
> 8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.8.0.exe
>
> 5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.8.0.exe
>
> A ZIP archive containing the Windows binaries:
> http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB)
> http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig
>
> A Debian mingw32 package is also available:
> http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)
>
> The checksum values for SHA-1 and SHA-224 are:
>
> aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.8.0-1_all.deb
>
> 269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.8.0-1_all.deb
>
> Internationalization
> ====================
>
> The GnuTLS library messages have been translated into Czech, Dutch,
> French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the
> addition of more translations.
>
> Support
> =======
>
> Improving GnuTLS is costly, but you can help! We are looking for
> organizations that find GnuTLS useful and wish to contribute back. You
> can contribute by reporting bugs, improving the software, or donating money
> or equipment.
>
> Commercial support contracts for GnuTLS are available, and they help
> finance continued maintenance. Simon Josefsson Datakonsult AB, a
> Stockholm based privately held company, is currently funding GnuTLS
> maintenance. We are always looking for interesting development
> projects. See http://josefsson.org/ for more details.
>
> The GnuTLS service directory is available at:
>
> http://www.gnu.org/software/gnutls/commercial.html
>
> Happy Hacking,
> Simon
--
Jeff Cai <jeff.cai at sun.com>
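
The checksum check described in the quoted announcement, as an added example that is not part of either message or of GnuTLS: it parses announcement-style `<hex> <filename>` lines, infers SHA-1 or SHA-224 from the digest length (an assumption), and accepts a file only if both digests are listed for that exact filename and both match. All function names are hypothetical and the sample data in `demo()` is constructed.

```python
import hashlib
import os
import re
import tempfile

# Hex digest length -> hashlib name (assumption: only SHA-1 and SHA-224 appear).
ALGO_BY_HEXLEN = {40: "sha1", 56: "sha224"}
# Tolerates leading "> " quote markers, as in a quoted e-mail.
LINE_RE = re.compile(r"^[>\s]*([0-9a-fA-F]+)\s+(\S+)\s*$")

def parse_checksums(text):
    """Return [(algo, hexdigest, filename)] for each '<hex> <file>' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and len(m.group(1)) in ALGO_BY_HEXLEN:
            algo = ALGO_BY_HEXLEN[len(m.group(1))]
            entries.append((algo, m.group(1).lower(), m.group(2)))
    return entries

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large tarballs
            h.update(chunk)
    return h.hexdigest()

def verify(path, name, text, required=("sha1", "sha224")):
    """True only if every required digest is listed for `name` and matches."""
    seen = {}
    for algo, digest, fname in parse_checksums(text):
        if fname != name:
            continue  # entry names a different file: it proves nothing here
        ok = file_digest(path, algo) == digest
        seen[algo] = seen.get(algo, True) and ok
    return all(seen.get(a, False) for a in required)

def demo():
    """Constructed sample: a temp file stands in for the downloaded tarball."""
    data = b"constructed sample, not the real GnuTLS tarball\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.tar.bz2")
        with open(path, "wb") as f:
            f.write(data)
        good = "> %s sample.tar.bz2\n>\n> %s sample.tar.bz2\n" % (
            hashlib.sha1(data).hexdigest(), hashlib.sha224(data).hexdigest())
        other = good.replace("sample.tar.bz2", "other.tar.bz2")
        return (verify(path, "sample.tar.bz2", good),
                verify(path, "sample.tar.bz2", other))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The checksum text itself is only trustworthy after the OpenPGP signature on the announcement has been verified, as the announcement states.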