[gnutls-devel] gnutls 3.5.6

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 4 08:28:02 CET 2016

 I've just released gnutls 3.5.6. This is an enhancements and
bugfix release for the 3.5.x branch.

* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
   (pre-rfc5652) structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters
   using groups from RFC7919.

** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
   Now the generated textual DN is in reverse order according to RFC4514,
   and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
   set the expected DN (reverse of the provided string).

** libgnutls: Introduced time and constraints checks in the end certificate
   in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()

** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into an busy loop if the
   peer sends continuously alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover
   but others may remain in a busy loops indefinitely. This is related but
   not identical to CVE-2016-8610, due to the difference in alert handling
   of the libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* 
   functions return an index (introduced in 3.5.5), to avoid affecting programs
   which explicitly check success of the function as equality to zero. In order
   for these functions to return an index an explicit call to gnutls_certificate_set_flags
   with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

** libgnutls: Reverted the behavior of sending a status request extension even
   without a response (introduced in 3.5.5). That is, we no longer reply to a
   client's hello with a status request, with a status request extension. Although
   that behavior is legal, it creates incompatibility issues with releases in
   the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator at
   the first call of gnutls_rnd(). This allows applications to load
   on systems which getrandom() would block, without blocking until
   real random data are needed.

** certtool: --get-dh-params will output parameters from the RFC7919

** p11tool: improvements in --initialize option.

** API and ABI modifications:
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-devel mailing list