Draft release notes for 2.10.0

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Apr 22 13:29:16 CEST 2010


On Thu, Apr 22, 2010 at 10:17 AM, Simon Josefsson <simon at josefsson.org> wrote:

Hi,

> We need to write a section about the new TLS safe renegotiation support,
> and ideas on what to write here is appreciated.  I think we need to
> point to other documents explaining the problem, and describe what this
> release adds to mitigate the problem.  And describe our semantics when
> talking with old servers...

A proper discussion would be more proper in the documentation rather
than in the release notes.
A quick note might say that gnutls implements the TLS safe
renegotiation counter-measures as described in RFC5746, against a
plaintext injection attack that affects TLS as is currently used by
the HTTP(S) protocol. More information about the vulnerability is at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
Unfortunately full deployment of the solution requires breaking
backwards compatibility with older servers and clients. For that
reason gnutls enables it but does not enforce its security features
unless the peer also supports safe renegotiation, to maintain
compatibility with existing software. This decision will be
reconsidered once the majority of internet servers/clients that use
TLS have adopted safe renegotiation.

> ** libgnutls: Added cryptodev support (/dev/crypto).
> Tested with http://www.logix.cz/michal/devel/cryptodev/.  Added
[...]
Please use this link for the release notes:
http://home.gna.org/cryptodev-linux/

regards,
Nikos
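
An added example, not part of the original message and not GnuTLS code: a server-side check for whether a ClientHello signals RFC 5746 support, either through the renegotiation_info extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value. The function names, the `strict` flag and the sample byte arrays are assumptions constructed for illustration; `strict=0` mirrors the "enable but do not enforce" default described in the message.

```c
#include <stddef.h>
#include <stdint.h>

#define EXT_RENEGOTIATION_INFO 0xff01 /* RFC 5746 extension type */
#define SCSV_EMPTY_RENEG_INFO  0x00ff /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Parse a ClientHello body (the bytes after the 4-byte handshake header).
 * Returns 1 if the client signals RFC 5746 support, 0 for a legacy client,
 * -1 if the message is truncated or malformed. */
int client_signals_rfc5746(const uint8_t *b, size_t n)
{
    size_t off = 2 + 32, len, end;             /* skip version + random */
    if (n < off + 1) return -1;
    off += 1 + (size_t)b[off];                 /* skip session_id */
    if (n < off + 2) return -1;
    len = rd16(b + off); off += 2;             /* cipher_suites length */
    if (len % 2 || n - off < len) return -1;
    for (end = off + len; off < end; off += 2)
        if (rd16(b + off) == SCSV_EMPTY_RENEG_INFO) return 1;
    if (n < off + 1) return -1;
    off += 1 + (size_t)b[off];                 /* skip compression_methods */
    if (off > n) return -1;
    if (off == n) return 0;                    /* no extensions block at all */
    if (n - off < 2) return -1;
    len = rd16(b + off); off += 2;             /* extensions length */
    if (n - off != len) return -1;
    while (n - off >= 4) {
        unsigned type = rd16(b + off);
        len = rd16(b + off + 2); off += 4;
        if (n - off < len) return -1;
        if (type == EXT_RENEGOTIATION_INFO) return 1;
        off += len;
    }
    return off == n ? 0 : -1;
}

/* Hypothetical policy: strict=0 still accepts legacy peers (compatibility),
 * strict=1 refuses them. Malformed hellos are always refused. */
int accept_hello(const uint8_t *b, size_t n, int strict)
{
    int s = client_signals_rfc5746(b, n);
    return s < 0 ? 0 : (s == 1 || !strict);
}

/* Constructed samples: zero random, empty session_id, suite 0x002f. */
const uint8_t legacy_hello[] = {3, 1, [34] = 0, 0, 2, 0x00, 0x2f, 1, 0};
const uint8_t scsv_hello[] = {3, 1, [34] = 0, 0, 4, 0x00, 0x2f, 0x00, 0xff, 1, 0};
const uint8_t ext_hello[] = {3, 1, [34] = 0, 0, 2, 0x00, 0x2f, 1, 0, 0, 5, 0xff, 0x01, 0, 1, 0};
```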




