[gnutls-devel] gnutls 3.3.12

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 17 09:19:48 CET 2015

 I've just released gnutls 3.3.12. This is a bug-fix release on
the current stable branch. It also fixes compatibility issues with
servers which reject clients with an SSL 3.0 record version, which 
merely indicates the format of the record not the negotiated version.
After this version GnuTLS will set TLS 1.0 as the record version number,
unless only SSL 3.0 is enabled. 

* Version 3.3.12 (released 2015-01-17)

** libgnutls: When negotiating TLS use the lowest enabled version in
the client hello, rather than the lowest supported. In addition, do
not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
is the only protocol supported. That addresses issues with servers that
immediately drop the connection when the encounter SSL 3.0 as the record
version number. See:

** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.

** libgnutls: Handle zero length plaintext for VIA PadLock functions.
This solves a potential crash on AES encryption for small size plaintext.
Patch by Matthias-Christian Ott.

** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715

** libgnutls: In DTLS decode all handshake packets present in a record
packet, in a single pass. Reported by Andreas Schultz.

** libgnutls: When importing a CA file with a PKCS #11 URL, simply
import the certificates, if the URL specifies objects, rather than
treating it as trust module.

** libgnutls: When importing a PKCS #11 URL and we know the type of
object we are importing, don't require the object type in the URL.

** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
was used by the server.

** guile: Fix compilation on MinGW. Previously only the static version of the 
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.

** guile: Fix harmless warning during compilation of gnutls.scm
Initially reported at <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.

** certtool: --pubkey-info will also attempt to load a public key
from stdin.

** gnutls-cli: Added --starttls-proto option. That allows to specify a
protocol for starttls negotiation.

** API and ABI modifications:
No changes since last version.

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-devel mailing list