[gnutls-devel] GnuTLS | Backport bug fixes from master to gnutls_3_6_x (!1317)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Aug 31 12:39:15 CEST 2020

Alexander Sosedkin commented:

Went through the list, my thoughts:

FIPS DH changes warrant a changelog entry, but are limited to FIPS-aware scenarios,
and are a future compliance issue so that's OK to backport them.

Out of the rest, the following has caught my attention:

`5ec267d2 p12: do not encrypt encrypt certificate bag with empty password` \
`47714178 certtool: do not ask for private key password if it was provided` \
change the certtool behaviour while not bringing new possibilities to the table. \
Not sure what's the expected stability of certtool's interface though, maybe it's fine.

`b4bfe1a8 pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig()` \
is unlikely to break someone's setup, but still might be worth mentioning in the changelog.

`022d36a8 cert-session: fail hard if mandatory stapling is not honored` \
`9b2732d4 serv, cli: ensure that invalid flag is always set` \
are definitely worth documenting.

`29c3e00b gnutls_x509_crt_export2: return 0 instead of the length` \
should be documented.

`dea420fa cert-session: check OCSP error responses` \
I don't like this one, guess I don't understand OCSP.
Does this make OCSP-responder validation best-effort?

`4e2571b7 handshake: check TLS version against modified server priorities` \
should be documented.

The others are unlikely to pose any issue to an updating user.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1317#note_404560288