[gnutls-devel] GnuTLS 3.4.0 released

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Apr 8 08:41:40 CEST 2015

We are proud to announce a new GnuTLS release: Version 3.4.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and as well as Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2 (or later).  The "extra" GnuTLS
library (which contains), the OpenSSL compatibility library, the self
tests and the command line tools are all distributed under the GNU
General Public License version 3.0 (or later).  The manual is
distributed under the GNU Free Documentation License version 1.3 (or

The project page of the library is available at:

What's New

Version 3.4.0 is the first stable release on the 3.4.x branch and is
the result of a year of planning and work [0] on the git master branch. 
The GnuTLS 3.4.x branch is marked as stable-next, meaning it is
considered of stable quality but will not yet replace the current stable
releases based on 3.3.0, which will continue to be supported.

[0]. https://gitlab.com/gnutls/gnutls/wikis/Plan3_4

* Version 3.4.0

** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and
RFC7251) ciphersuites. The former are enabled by default, the latter
need to be explicitly enabled, since they reduce the overall security

** libgnutls: Added support for Chacha20-Poly1305 ciphersuites
following draft-mavrogiannopoulos-chacha-tls-05 and
draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as
technology preview and is not enabled by default, since there are no
assigned ciphersuite points by IETF and there is no guarrantee of
compatibility between draft versions. The ciphersuite priority string
to enable it is "+CHACHA20-POLY1305".

** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority

** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.

** libgnutls: Added a new simple and hard to misuse AEAD API

** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like

** libgnutls: ARCFOUR (RC4) is no longer included in the default
priorities list. It has to be explicitly enabled, e.g., with a string
like "NORMAL:+ARCFOUR-128".

** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all on
the internet, to justify their inclusion.

** libgnutls: The priority string EXPORT was completely removed. The
string was already defunc as support for the EXPORT ciphersuites was
removed in GnuTLS 3.2.0.

** libgnutls: Added API to utilize system specific private keys in
"gnutls/system-keys.h". It is currently provided as technology preview
and is restricted to windows CNG keys.

** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
RFC6125 comparison of hostnames. That introduces a dependency on

** libgnutls: Depend on p11-kit 0.23.1 to comply with the final PKCS
#11 URLs draft (draft-pechanec-pkcs11uri-21).

** libgnutls: Depend on nettle 3.1.

** libgnutls: Use getrandom() or getentropy() when available. That
avoids the complexity of file descriptor handling and issues with
applications closing all open file descriptors on startup.

** libgnutls: Use pthread_atfork() to detect fork when available.

** libgnutls: The gnutls_handshake() process will enforce a timeout by

** libgnutls: If a key purpose (extended key usage) is specified for
verification, it is applied into intermediate certificates. The
verification result GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. 

** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
combination with PKCS #11, or TPM URLs, it will utilize the provided
password as PIN if required. That removes the requirement for the
application to set a callback for PINs in that case.

** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
restricted to the corresponding protocols only, and the VERS-ALL string
is introduced to catch all possible protocols.

** libgnutls: Added helper functions to obtain information on PKCS #8

** libgnutls: Certificate chains which are provided to
gnutls_certificate_credentials_t will automatically be sorted instead

** libgnutls: Added functions to export and set the record state. That
allows for gnutls_record_send() and recv() to be offloaded (to kernel,
hardware or any other subsystem).

** libgnutls: Added the ability to register application specific URL
types, which express certificates and keys using

** libgnutls: Added API to override existing ciphers, digests and MACs,
e.g., to override AES-GCM using a system-specific accelerator. That is,
(crypto.h) gnutls_crypto_register_cipher(),
gnutls_crypto_register_aead_cipher(), gnutls_crypto_register_mac(), and

** libgnutls: Added gnutls_ext_register() to register custom
extensions. Contributed by Thierry Quemerais.

** libgnutls: Added gnutls_supplemental_register() to register custom
supplemental data handshake messages. Contributed by Thierry Quemerais.

** libgnutls-openssl: it is no longer built by default.

** certtool: Added --p8-info option, which will print PKCS #8
information even if the password is not available.

** certtool: --key-info option will print PKCS #8 encryption
information when available.

** certtool: Added the --key-id and --fingerprint options.

** certtool: Added the --verify-hostname, --verify-email and
--verify-purpose options to be used in certificate chain verification,
to simulate verification for specific hostname and key purpose
(extended key usage). 

** certtool: --p12-info option will print PKCS #12 MAC and cipher
information when available.

** certtool: it will print the A-label (ACE) names in addition to

** p11tool: added options --set-id and --set-label.

** gnutls-cli: added options --priority-list and --save-cert.

** guile: Deprecated priority API has been removed. The old priority
API, which had been deprecated for some time, is now gone; use
'set-session-priorities!' instead.

** guile: Remove RSA parameters and related procedures. This API had
been deprecated.  

** guile: Fix compilation on MinGW. Previously only the static version
of the 'guile-gnutls-v-2' library would be built, preventing dynamic
loading from Guile.

** API and ABI modifications:
Many new additions and removals of obsolete functions. Check the NEWS
file in the distribution.


If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:


If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:


Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-devel mailing list