[gnutls-devel] GnuTLS 3.5.0 released
nmav at gnutls.org
Mon May 9 10:42:54 CEST 2016
We are proud to announce a new GnuTLS release: Version 3.5.0.
GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems as well as Windows.
The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2 (or later). The OpenSSL compatibility
library, the self tests and the command line tools are all distributed
under the GNU General Public License version 3.0 (or later). The
manual is distributed under the GNU Free Documentation License version
1.3 (or later).
The project pages of the library are available at:
Version 3.5.0 is the first stable release on the 3.5.x branch and is
the result of a year of planning and work on the git master branch.
The GnuTLS 3.5.x branch is marked as stable-next, meaning it is
considered of stable quality but does not yet replace the current
stable releases based on 3.4.0, which will continue to be supported.
An extended summary of the most important changes is available at:
* Version 3.5.0 (released 2016-05-09)
** libgnutls: Added SHA3 based signing algorithms for DSA, RSA and
** libgnutls: Added support for curve X25519 (RFC 7748,
draft-ietf-tls-rfc4492bis-07). This curve is disabled by default as
it is still on specification status. It can be enabled using the
priority string modifier +CURVE-X25519.
** libgnutls: Added support for TLS false start
(draft-ietf-tls-falsestart-01) by introducing gnutls_init() flag
** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor
based) provable RSA and DSA parameter generation from a seed.
** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default.
This cipher is prioritized after AES-GCM.
** libgnutls: On a rehandshake ensure that the certificate of the peer
or its username remains the same as in previous handshakes. That is
to protect applications which do not check user credentials on
rehandshakes. The threat to address depends on the application
protocol. Primarily it protects against applications which
authenticate the peer initially and perform accounting using the
session's information, from being misled by a rehandshake which
switches the peer's identity. Applications can disable this
protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in
** libgnutls: Be strict in TLS extension decoding. That is, do not
tolerate parsing errors in the extensions field and treat it as a
typical Hello message structure. Reported by Hubert Kario (#40).
** libgnutls: Old and unsupported version numbers in client hellos are
rejected with a "protocol_version" alert message. Reported by Hubert
** libgnutls: Lifted the limitation of calling the
gnutls_session_get_data*() functions, only on non-resumed sessions.
This brings the API on par with its usage (#79).
** libgnutls: Follow RFC5280 strictly in name constraints computation.
The permitted subtrees are intersected with any previous values.
Report and patch by Daiki Ueno.
** libgnutls: Enforce the RFC 7627 (extended master secret)
requirements on session resumption. Reported by Hubert Kario (#69).
** libgnutls: Consider the max-record TLS extension even when under
DTLS. Reported by Peter Dettman (#61).
** libgnutls: Replaced writev() system call with sendmsg().
** libgnutls: Replaced select() system call with poll() on POSIX
** libgnutls: Preload the system priority file on library load. This
allows applications that chroot() to also use the system priorities.
** libgnutls: Applications are allowed to override the built-in key and
** libgnutls: The gnutls.h header marks constant and pure functions
** certtool: Added the ability to sign certificates using SHA3.
** certtool: Added the --provable and --verify-allow-broken options.
** gnutls-cli: The --dane option will cause verification failure if
gnutls is not compiled with DANE support.
** crywrap: The tool was unbundled from gnutls' distribution. It can be
found at https://github.com/nmav/crywrap
** guile: .go files are now built and installed
** guile: Fix compatibility issue of the test suite with Guile 2.1
** guile: When --with-guile-site-dir is passed, modules are installed
in a versioned directory, typically $(datadir)/guile/site/2.0
** guile: Tests no longer leave zombie processes behind
** API and ABI modifications:
If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
The GnuTLS library messages have been translated into Czech, Dutch,
French, German, Italian, Malay, Polish, Simplified Chinese, Swedish,
and Vietnamese. We welcome the addition of more translations.
Getting the Software
GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.
Here are the XZ and LZIP compressed sources:
Here are OpenPGP detached signatures signed using key 0x96865171:
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
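
Added example, not part of the announcement and not GnuTLS code: the 3.5.0 entry on RFC 5280 name constraints says the permitted subtrees are intersected with any previous values. The C program below shows what that means for dNSName constraints along a certificate path; the struct, the function names and the sample chain are constructed for illustration, and only permitted dNSName subtrees are modelled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* dNSName permitted subtrees of one CA; n == 0 means no constraint declared. */
struct ca_constraints { const char *permitted[4]; size_t n; };

/* Constructed sample chain: root first, then an intermediate CA. */
static const struct ca_constraints sample_chain[] = {
    { { "example.com", "example.org" }, 2 },
    { { "dev.example.com", "example.net" }, 2 },
};

/* RFC 5280 dNSName rule: the name equals the subtree or adds whole labels
 * on its left, so "badexample.com" is not within "example.com". */
static int dns_within(const char *name, const char *subtree)
{
    size_t nl = strlen(name), sl = strlen(subtree);
    if (nl < sl || strcasecmp(name + (nl - sl), subtree) != 0)
        return 0;
    return nl == sl || sl == 0 || name[nl - sl - 1] == '.';
}

/* A CA permits the name if it declares nothing or one subtree contains it. */
static int ca_permits(const struct ca_constraints *ca, const char *name)
{
    if (ca->n == 0)
        return 1;
    for (size_t i = 0; i < ca->n; i++)
        if (dns_within(name, ca->permitted[i]))
            return 1;
    return 0;
}

/* Intersection: every CA on the path must permit the name. */
int name_permitted(const struct ca_constraints *chain, size_t len, const char *name)
{
    for (size_t i = 0; i < len; i++)
        if (!ca_permits(&chain[i], name))
            return 0;
    return 1;
}

int main(void)
{
    const char *names[] = { "www.dev.example.com", "www.example.com",
                            "www.example.net", "badexample.com" };
    for (size_t i = 0; i < 4; i++)
        printf("%-22s %s\n", names[i],
               name_permitted(sample_chain, 2, names[i]) ? "permitted" : "rejected");
    return 0;
}
```

With this chain, "www.example.net" is rejected even though the intermediate CA lists "example.net", because the root's permitted subtrees do not contain it.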