[gnutls-devel] gnutls 3.5.1

[Nikos Mavrogiannopoulos]

Hello, 
 I've just released gnutls 3.5.1. This is a minor feature update for
the 3.5.x branch.

* Version 3.5.1 (released 2016-06-14)

** libgnutls: The SSL 3.0 protocol support can completely be removed
   using a compile time option. The configure option is 
   --disable-ssl3-support.

** libgnutls: The SSL 2.0 client hello support can completely be 
   removed using a compile time option. The configure option is 
   --disable-ssl2-support. For info on why this is not the
   default see https://gitlab.com/gnutls/gnutls/issues/97

** libgnutls: Added support for OCSP Must staple PKIX extension. That
   is, implemented the RFC7633 TLSFeature for OCSP status request 
   extension. Feature implemented by Tim Kosse.

** libgnutls: More strict OCSP staple verification. That is, no longer
   ignore invalid or too old OCSP staples. The previous behavior was
   to rely on application use gnutls_ocsp_status_request_is_checked(),
   while the new behavior is to include OCSP verification by default
   and set the GNUTLS_CERT_INVALID_OCSP_STATUS verification flag on
   error.

** libgnutls: Treat CA certificates with the "Server Gated 
   Cryptography" key  purpose OIDs equivalent to having the
   GNUTLS_KP_TLS_WWW_SERVER OID. This improves interoperability with
   several old intermediate CA certificates carrying these legacy OIDs.

** libgnutls: Re-read the system wide priority file when needed. Patch
   by Daniel P. Berrange.

** libgnutls: Allow for fallback in system-specific initial keywords
   (prefixed with '@'). That allows to specify a keyword such as
   "@KEYWORD1,KEYWORD2" which will use the first available of these
   two keywords. Patch by Daniel P. Berrange.

** libgnutls: The SSLKEYLOGFILE environment variable can be used to log
   session keys. These session keys are compatible with the NSS Key Log
   Format and can be used to decrypt the session for debugging using
   wireshark.

** API and ABI modifications:
GNUTLS_CERT_INVALID_OCSP_STATUS: Added
gnutls_x509_crt_set_crq_extension_by_oid: Added
gnutls_x509_ext_import_tlsfeatures: Added
gnutls_x509_ext_export_tlsfeatures: Added
gnutls_x509_tlsfeatures_add: Added
gnutls_x509_tlsfeatures_init: Added
gnutls_x509_tlsfeatures_deinit: Added
gnutls_x509_tlsfeatures_get: Added
gnutls_x509_crt_get_tlsfeatures: Added
gnutls_x509_crt_set_tlsfeatures: Added
gnutls_x509_crq_get_tlsfeatures: Added
gnutls_x509_crq_set_tlsfeatures: Added
gnutls_ext_get_name: Added


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.1.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.1.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos