[gnutls-devel] gnutls 3.6.2

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 16 08:43:15 CET 2018

 I've just released gnutls 3.6.2. This is a bug fix release for
the 3.6.x branch. 

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now, it correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considers the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP in par with the RFC7919 changes to

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
No changes since last version.

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-devel mailing list