[gnutls-devel] gnutls 3.6.6

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Jan 25 09:02:50 CET 2019

I've just released gnutls 3.6.6. This is a bug fix release on the
3.6.x branch. It introduces support for raw public keys, fixes several
small issues and issues related to TLS1.3 support.

I'd like to thank everyone who contributed in this release:
Tim Rühsen, Daiki Ueno, Dmitry Eremin-Solenikov, Hugo Beauzée-Luyssen,
Peter Wu, Andreas Metzler, Fabrice Fontaine, Alon Bar-Lev,
Maks Naumov, Marga Manterola and Tom Vrancken.

The detailed list of changes follows; they can be seen in more detail
in our milestone tracker:


* Version 3.6.6 (released 2019-01-25)

** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number of bits
   on the public key (#640).

** libgnutls: Added support for raw public-key authentication as defined in RFC7250.
   Raw public-keys can be negotiated by enabling the corresponding certificate
   types via the priority strings. The raw public-key mechanism must be explicitly
   enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).

** libgnutls: When on server or client side we are sending no extensions, we do
   not set an empty extensions field but we rather remove that field completely.
   This solves a regression since 3.5.x and improves compatibility of the server
   side with certain clients.

** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
   the CKA_SIGN is not set (#667).

** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
   disable extensions in all cases, while providing a functional session. This
   also implies that when specified, TLS1.3 is disabled.

** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
   The previous definition was non-functional (#609).

** API and ABI modifications:
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) 

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can
be found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

