GnuTLS 3.0.0 released

Nikos Mavrogiannopoulos nmav at
Fri Jul 29 22:33:39 CEST 2011

We are proud to announce a new stable GnuTLS release: Version 3.0.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 3 (or later).  The "extra" GnuTLS
library (which contains), the OpenSSL compatibility library, the self
tests and the command line tools are all distributed under the GNU
Genera Public License version 3.0 (or later).  The manual is distributed
under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at: and

What's New

Version 3.0.0 is the first stable release on the 3.0.x branch and is
the result of 11 months of work on the experimental 2.99.x branch.  The
GnuTLS 3.0.x branch replaces the GnuTLS 2.12.x branch as the supported
stable branch, although we will continue to support GnuTLS 2.12.x for
some time.

** libgnutls: license upgraded to LGPLv3

** libgnutls: depends on nettle 2.2.

** libgnutls: Added Datagram TLS 1.0 support.

** libgnutls: Added Elliptic curve support. Requires priority strings:
+CURVE-ALL: to add all supported curves
+ECDHE-RSA: to add ephemeral ECDHE with an RSA-signed certificate
+ECDHE-ECDSA: to add ephemeral ECDHE with an ECDSA-signed certificate
+ANON-ECDHE: to add anonymous ECDH

** libgnutls: Added ECDHE-PSK ciphersuites for TLS (RFC 5489).

** libgnutls: Added AES in GCM mode

** libgnutls: Added SUITEB128 and SUITEB192 priority
strings to enable the NSA SuiteB cryptography ciphersuites.

** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ
instruction. Uses Andy Polyakov's assembly code.

** libgnutls: Added gnutls_global_set_audit_log_function() that allows
to get important auditing information including the corresponding session.
That might be useful to block DoS or other attacker from specific IPs.

** libgnutls: gnutls_transport_set_lowat() is no more.

** libgnutls: Added gnutls_certificate_set_retrieve_function2()
to set a callback to retrieve a certificate. The certificate is
received in a format that requires no processing from gnutls thus
it is suitable when performance is required.

** libgnutls: Simplified the handling of handshake messages to
be hashed. Instead of hashing during the handshake process we now
keep the data until handshake is over and hash them on request.
This uses more memory but eliminates issues with TLS 1.2 and
simplifies code.

** libgnutls: LZO support was removed.

** libgnutls: gnutls_srp_verifier() returns data allocated with
gnutls_malloc() for consistency.

** libgnutls-openssl: modified to use modern gnutls' functions.
This introduces an ABI incompatibility with previous versions.

** libgnutls: gnutls_rsa_params_t is now identical to
gnutls_x509_privkey_t to avoid thread-safety issues. Reported by Sam

** libgnutls: Added new PKCS #11 flags to force an object being private or

** libgnutls: Added gnutls_x509_crq_verify() to allow
verification of the self signature in a certificate request.
This allows verifying whether the owner of the private key
is the generator of the request.

** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies
the self signature of the request.

** libgnutls: Added gnutls_pubkey_verify_data2() that will
verify data provided the signature algorithm.

** libgnutls: Added gnutls_x509_trust_list_add_named_crt() and
gnutls_x509_trust_list_verify_named_crt() that allow having a
list of certificates in the trusted list that will be associated
with a name (e.g. server name) and will not be used as CAs.

** libgnutls: PKCS #11 back-end rewritten to use p11-kit Rewrite by
Stef Walter.

** libgnutls: Uses a single configure file and a single
gnulib library to save space.

** libgnutlsxx: The C++ interface returns exception on
every error and not only on fatal ones. This allows easier
handling of errors.

** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored
the PSK callback.

** libgnutls: SRP and PSK are no longer set on the default priorities.
They have to be explicitly set.

** libgnutls: During handshake message verification using DSS
use the hash algorithm required by it.

** libgnutls: writev_emu: stop on the first incomplete write. Patch by
Sjoerd Simons.

** libgnutls: gnutls_recv() return GNUTLS_E_PREMATURE_TERMINATION
on unexpected EOF, instead of GNUTLS_E_UNEXPECTED_PACKET_LENGTH.

** libgnutls-extra: Inner application extension was removed.
It was never standardized nor published as an RFC.

** libgnutls: Added new certificate verification functions, that
can provide more details and are more efficient. Check

** certtool: Uses the new certificate verification functions for

** certtool: Added new certificate verification functionality
using the --verify option. Combined with --load-ca-certificate
it can verify a certificate chain against a list of certificates.

** libgnutls: Fix zlib handling in gnutls.pc. Patch by Andreas

** certtool: bug fixes in certificate request generation. Patch
by Petr Písař.

** API and ABI modifications:
gnutls_pubkey_verify_data2: ADDED
gnutls_ecc_curve_get: ADDED
gnutls_x509_trust_list_add_named_crt: ADDED
gnutls_x509_trust_list_verify_named_crt: ADDED
gnutls_x509_privkey_verify_data: REMOVED
gnutls_crypto_bigint_register: REMOVED
gnutls_crypto_cipher_register: REMOVED
gnutls_crypto_digest_register: REMOVED
gnutls_crypto_mac_register: REMOVED
gnutls_crypto_pk_register: REMOVED
gnutls_crypto_rnd_register: REMOVED
gnutls_crypto_single_cipher_register: REMOVED
gnutls_crypto_single_digest_register: REMOVED
gnutls_crypto_single_mac_register: REMOVED
gnutls_certificate_get_issuer: ADDED
gnutls_x509_trust_list_get_issuer: ADDED
gnutls_x509_crq_verify: ADDED
gnutls_global_set_audit_log_function: ADDED
gnutls_ecc_curve_get_name: ADDED
gnutls_ecc_curve_get_size: ADDED
gnutls_x509_privkey_import_ecc_raw: ADDED
gnutls_x509_privkey_export_ecc_raw: ADDED
gnutls_global_set_time_function: ADDED
gnutls_dtls_set_timeouts: ADDED
gnutls_dtls_get_mtu: ADDED
gnutls_dtls_get_data_mtu: ADDED
gnutls_dtls_set_mtu: ADDED
gnutls_dtls_cookie_send: ADDED
gnutls_dtls_cookie_verify: ADDED
gnutls_dtls_prestate_set: ADDED
gnutls_x509_trust_list_verify_crt: ADDED
gnutls_x509_trust_list_add_crls: ADDED
gnutls_x509_trust_list_add_cas: ADDED
gnutls_x509_trust_list_init: ADDED
gnutls_x509_trust_list_deinit: ADDED
gnutls_cipher_add_auth: ADDED
gnutls_cipher_tag: ADDED
gnutls_pcert_list_import_x509_raw: ADDED
gnutls_psk_netconf_derive_key: REMOVED
gnutls_certificate_verify_peers: REMOVED
gnutls_session_set_finished_function: REMOVED
gnutls_ext_register: REMOVED
gnutls_certificate_get_x509_crls: REMOVED
gnutls_certificate_get_x509_cas: REMOVED
gnutls_certificate_get_openpgp_keyring: REMOVED
gnutls_session_get_server_random: REMOVED
gnutls_session_get_client_random: REMOVED
gnutls_session_get_master_secret: REMOVED
gnutls_ia_allocate_client_credentials: REMOVED
gnutls_ia_allocate_server_credentials: REMOVED
gnutls_ia_enable: REMOVED
gnutls_ia_endphase_send: REMOVED
gnutls_ia_extract_inner_secret: REMOVED
gnutls_ia_free_client_credentials: REMOVED
gnutls_ia_free_server_credentials: REMOVED
gnutls_ia_generate_challenge: REMOVED
gnutls_ia_get_client_avp_ptr: REMOVED
gnutls_ia_get_server_avp_ptr: REMOVED
gnutls_ia_handshake: REMOVED
gnutls_ia_handshake_p: REMOVED
gnutls_ia_permute_inner_secret: REMOVED
gnutls_ia_recv: REMOVED
gnutls_ia_send: REMOVED
gnutls_ia_set_client_avp_function: REMOVED
gnutls_ia_set_client_avp_ptr: REMOVED
gnutls_ia_set_server_avp_function: REMOVED
gnutls_ia_set_server_avp_ptr: REMOVED
gnutls_ia_verify_endphase: REMOVED
GNUTLS_KX_ECDHE_RSA: New key exchange method
GNUTLS_KX_ECDHE_ECDSA: New key exchange method
GNUTLS_KX_ANON_ECDH: New key exchange method
GNUTLS_KX_ECDHE_PSK: New key exchange method
GNUTLS_PK_ECC: New public key algorithm
GNUTLS_SIGN_ECDSA_SHA1: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA256: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA384: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA512: New signature algorithm
GNUTLS_SIGN_ECDSA_SHA224: New signature algorithm
GNUTLS_ECC_CURVE_INVALID: New curve definition
GNUTLS_ECC_CURVE_SECP224R1: New curve definition
GNUTLS_ECC_CURVE_SECP256R1: New curve definition
GNUTLS_ECC_CURVE_SECP384R1: New curve definition
GNUTLS_ECC_CURVE_SECP521R1: New curve definition
GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag.

Getting the Software

GnuTLS may be downloaded from one of the GNU mirror sites or directly
>From <≥.  The list of GNU mirrors can be
found at <> and a list of GnuTLS mirrors
can be found at <>.

Here are the XZ compressed sources:

Here are OpenPGP detached signatures signed using key 0x96865171:

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at>>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


The GnuTLS manual is available electronically at:
and a paper copy can be obtained at:


If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:


The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Italian, Malay, Polish, Simplified Chinese, Swedish,
and Vietnamese.  We welcome the addition of more translations.

More information about the Gnutls-devel mailing list