Updated draft release notes for 2.10.0
simon at josefsson.org
Mon Jun 7 17:49:41 CEST 2010
I've updated the release notes, see below for current draft. Note in
particular the rewritten section 'TLS Renegotiation Attack' and the new
section 'Call to application authors'.
Let's put 2.9.11 to the test, and hopefully we can release 2.10.0 within
a week or two!
To: help-gnutls at gnu.org, gnutls-devel at gnu.org, info-gnu at gnu.org
Subject: GnuTLS 2.10.0 released
We are proud to announce a new stable GnuTLS release: Version 2.10.0.
GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.
The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later). The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).
The project page of the library is available at:
Version 2.10.0 is the first stable release on the 2.10.x branch and is
the result of over 12 months of work on the experimental 2.9.x branch.
The GnuTLS 2.10.x branch replaces the GnuTLS 2.8.x branch as the
supported stable branch, although we will continue to support GnuTLS
2.8.x for some time.
** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
Solves the issue discussed in:
Note that to allow connecting to unpatched servers the full protection
is only enabled if the priority string %SAFE_RENEGOTIATION is
specified. You can check whether protection is in place by querying
gnutls_safe_renegotiation_status(). New error codes
** libgnutls: Time verification extended to trusted certificate list.
Unless new constant GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is
** certtool: Display postalCode and Name X.509 DN attributes correctly.
Based on patch by Pavan Konjarla. Adds new constant
GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME.
** libgnutls: When checking openpgp self signature also check the signatures
** of all subkeys.
Ilari Liusvaara noticed and reported the issue and provided test
vectors as well.
** libgnutls: Added cryptodev support (/dev/crypto).
Tested with http://home.gna.org/cryptodev-linux/. Added
benchmark utility for AES. Adds new error codes
GNUTLS_E_CRYPTODEV_IOCTL_ERROR and GNUTLS_E_CRYPTODEV_DEVICE_ERROR.
** libgnutls: Exported API to access encryption and hash algorithms.
The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit,
gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast,
gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output,
gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast,
gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output. New API
constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224.
** libgnutls: Added gnutls_certificate_set_verify_function() to allow
verification of certificate upon receipt rather than waiting until the
end of the handshake.
** libgnutls: Don't send alerts during handshake.
Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added.
** certtool: Corrected two issues that affected certificate request generation.
(1) Null padding is added on integers (found thanks to Wilankar Trupti),
(2) In optional SignatureAlgorithm parameters field for DSA keys the DSA
parameters were added. Those were rejected by Verisign. Gnutls no longer adds
those parameters there since other implementations don't do either and having
them does not seem to offer anything (anyway you need the signer's certificate
to verify thus public key will be available). Found thanks to Boyan Kasarov.
This however has the side-effect that public key IDs shown by certtool are
now different than previous gnutls releases.
(3) the option --pgp-certificate-info will verify self signatures
** certtool: Allow exporting of Certificate requests on DER format.
** certtool: New option --no-crq-extensions to avoid extensions in CSRs.
** gnutls-cli: Handle reading binary data from server.
Reported by and tiny patch from Vitaly Mayatskikh
<v.mayatskih at gmail.com> in
** minitasn1: Upgraded to libtasn1 version 2.6.
** doc: The GTK-DOC manual is significantly improved.
** doc: a PDF version of the API reference manual (GTK-DOC) is now built.
** doc: Terms 'GNUTLS' and 'GNU TLS' were changed to 'GnuTLS' for consistency.
** libgnutls: Cleanups and several bug fixes.
Found by Steve Grubb and Tomas Mraz.
** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv.
** Fix --disable-valgrind-tests.
Reported by Ingmar Vanhassel in
** libgnutls: Fix for memory leaks on interrupted handshake.
Reported by Tang Tong.
** libgnutls: Addition of support for TLS 1.2 signature algorithms
** extension and certificate verify field.
This requires changes for TLS 1.2 servers and clients that use
callbacks for certificate retrieval. They are now required to check
with gnutls_sign_algorithm_get_requested() whether the certificate
they send complies with the peer's preferences in signature
** libgnutls: In server side when resuming a session do not overwrite the
** initial session data with the resumed session data.
** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8
This affects also PKCS #12 encoded files. This adds the following new
enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128,
** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.". Problem
introduced for the v2.8.x branch in 2.7.6.
** certtool: Added the --pkcs-cipher option.
To explicitely specify the encryption algorithm to use.
** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions.
** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler at downhill.at.eu.org> in
** tests: Fix expired cert in chainverify self-test.
** libgnutls: TLS 1.2 server mode fixes.
Now interoperates against Opera. Contributed by Daiki Ueno.
** libgnutlsxx: Fix link problems.
Tiny patch from Boyan Kasarov <bkasarov at gmail.com>.
** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes at laas.fr>.
** libgnutls: Enable Camellia ciphers by default.
** libgnutls: Add new functions to extract X.509 Issuer Alternative Names.
The new functions are gnutls_x509_crt_get_issuer_alt_name2,
gnutls_x509_crt_get_issuer_alt_othername_oid. Contributed by Brad
Hards <bradh at frogmouth.net>.
** libgnutls: Client-side TLS 1.2 and SHA-256 ciphersuites now works.
The new supported ciphersuites are AES-128/256 in CBC mode with
ANON-DH/RSA/DHE-DSS/DHE-RSA. Contributed by Daiki Ueno. Further,
SHA-256 is now the preferred default MAC (however it is only used with
** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.
** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc at symas.com> in
** Fix use of deprecated types internally.
Use of deprecated types in GnuTLS from now on will lead to a compile
error, to prevent this from happening again.
** libgnutls: Support for TLS tickets was contributed by Daiki Ueno.
The new APIs are gnutls_session_ticket_enable_client,
** gnutls-cli, gnutls-serv: New parameter --noticket to disable TLS tickets.
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger at redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4] [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh at wiredyne.com> in
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse at filezilla-project.org> in
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa at siemens-enterprise.com> in
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh at wiredyne.com> in
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse at filezilla-project.org> in
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md at linux.it> via Andreas Metzler
<ametzler at downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** tests: Added new self-test pkcs12_s2k_pem to detect MPI bit length error.
** tests: Improved test vectors in self-test pkcs12_s2k.
** tests: Added new self-test dn2 to detect off-by-one size error.
** tests: Fix failure in "chainverify" because a certificate have expired.
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern at gmx.net> from
** Reduce stack usage for some CRQ functions.
** Doc fixes for CRQ functions.
TLS Renegotiation Attack
Some application protocols and implementations uses the TLS
renegotiation feature in a manner that enables attackers to insert
content of his choice in the beginning of a TLS session.
One easy to understand vulnerability is HTTPS when servers request
client certificates optionally for certain parts of a web site. The
attack works by having the attacker simulate a client and connect to a
server, with server-only authentication, and send some data intended to
cause harm. When the proper client attempts to contact the server, the
attacker hijacks that connection and uses the TLS renegotiation feature
with the server and splices in the client connection to the already
established connection between the attacker and server. The attacker
will not be able to read the data exchanged between the client and the
server. However, the server will (incorrectly) assume that the data
sent by the attacker was sent by the now authenticated client. The
result is a prefix plain-text injection attack.
The above is just one example. Other vulnerabilities exists that do
not rely on the TLS renegotiation to change the client's authenticated
status (either TLS or application layer).
While fixing these application protocols and implementations would be
one natural reaction, an extension to TLS has been designed that
cryptographically binds together any renegotiated handshakes with the
initial negotiation. When the extension is used, the attack is
detected and the session can be terminated. The extension is specified
GnuTLS supports the safe renegotiation extension. The default behavior
is as follows. Clients will attempt to negotiate the safe
renegotiation extension when talking to servers. Servers will accept
the extension when presented by clients. Clients and servers will
permit an initial handshake to complete even when the other side does
not support the safe renegotiation extension. Clients and servers will
refuse renegotiation attempts when the extension has not been
Note that permitting clients to connect to servers even when the safe
renegotiation extension is not negotiated open up for some attacks.
Changing this default behaviour would prevent interoperability against
the majority of deployed servers out there. We will reconsider this
default behaviour in the future when more servers have been upgraded.
Note that it is easy to configure clients to always require the safe
renegotiation extension from servers (see below on the
`%SAFE_RENEGOTIATION' priority string).
To modify the default behaviour, we have introduced some new priority
strings. The priority strings can be used by applications (see
gnutls_priority_set) and end users (e.g., `--priority' parameter to
`gnutls-cli' and `gnutls-serv').
The `%UNSAFE_RENEGOTIATION' priority string permits (re-)handshakes
even when the safe renegotiation extension was not negotiated. The
default behavior is `%PARTIAL_RENEGOTIATION' that will prevent
renegotiation with clients and servers not supporting the extension.
This is secure for servers but leaves clients vulnerable to some
attacks, but this is a tradeoff between security and compatibility with
old servers. The `%SAFE_RENEGOTIATION' priority string makes clients
and servers require the extension for every handshake. The latter is
the most secure option for clients, at the cost of not being able to
connect to legacy servers. Servers will also deny clients that do not
support the extension from connecting.
It is possible to disable use of the extension completely, in both
clients and servers, by using the `%DISABLE_SAFE_RENEGOTIATION'
priority string however we strongly recommend you to only do this for
debugging and test purposes.
The default values if the flags above are not specified are:
For applications we have introduced a new API related to safe
renegotiation. The gnutls_safe_renegotiation_status function is used
to check if the extension has been negotiated on a session, and can be
used both by clients and servers.
Call to application authors
Please use the priority string interface, and make it possible for
users to supply a priority string!
Several parts of GnuTLS, including the new safe renegotiation
behaviour, can be configured through priority strings. However, if
the application do not publish this interface to users, it will not be
possible to configure GnuTLS the way a user wants.
The new defaults for GnuTLS with regard to the safe renegotiation bug
is to be insecure by default. This is something we reluctantly and
after carefuly consideration decided to do, for interoperability
reasons. We'd like to close this security gap as soon as possible,
hopefully even for the GnuTLS 2.12.x branch.
For this transition to be as smooth as possible, users of GnuTLS
applications needs to be able to provide a priority string when a TLS
session is initialized. Preferrably it should be possible to do on a
domain name or IP basis, to only modify the defaults for a particular
server and not generally.
Once the GnuTLS defaults have changed to be secure by default, users
may want to be able to provide a %PARTIAL_RENEGOTIATION or even an
%UNSAFE_RENEGOTIATION priority string, to be able to talk with certain
clients or servers. This will not be possible unless you, as
application author, export this ability to your users.
Technically, you would replace a call like this:
with a call like this:
gnutls_priority_set_direct (session, string, NULL);
where 'string' is a character string read from your configuration
files, and the default should be 'NORMAL'. It is fine for string to
be NULL if you didn't read any configuration from the user, then
'NORMAL' will be used.
For more information see:
API/ABI changes in GnuTLS 2.10
No offically supported interfaces have been modified or removed. The
library should be completely backwards compatible on both the source
and binary level.
The following symbols have been added to the library:
In addition to the functions above, the following non-function
definitions have been added to the header files:
GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h.
GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h.
GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h.
GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h.
Getting the Software
GnuTLS may be downloaded from one of the mirror sites or direct from
<ftp://ftp.gnu.org/gnu/gnutls/>. The list of mirrors can be found at
Here are the BZIP2 compressed sources (6.0MB):
Here are OpenPGP detached signatures signed using key 0xB565716F:
Note, that we don't distribute gzip compressed tarballs.
In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command
gpg --verify gnutls-2.10.0.tar.bz2.sig
This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2011-03-30]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson <jas at extundo.com>
uid Simon Josefsson <simon at josefsson.org>
sub 1280R/4D5D40AE 2002-05-05 [expires: 2011-03-30]
The key is available from:
Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:
The manual is available online at:
In particular the following formats are available:
For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer uses
libgpg-error v1.7, libgcrypt v1.4.5, libtasn1 v2.6, and GnuTLS
For more information about GnuTLS for Windows:
The Windows binary installer and PGP signature:
The checksum values for SHA-1 and SHA-224 are:
A ZIP archive containing the Windows binaries:
A Debian mingw32 package is also available:
The checksum values for SHA-1 and SHA-224 are:
The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Italian, Malay, Polish, Simplified Chinese, Swedish,
and Vietnamese. We welcome the addition of more translations.
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improve the software, or donate money
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
The GnuTLS service directory is available at:
More information about the Gnutls-devel