[gnutls-help] gnutls 3.3.8
nmav at gnutls.org
Thu Sep 18 14:10:09 CEST 2014
I've just released gnutls 3.3.8. This is a bug-fix release on
the next-stable branch. An important aspect of this release is that it
completes support for the p11-kit trust module, allowing gnutls to
utilize attached extensions in the system CA certificates (e.g. to
restrict a CA certificate to certain domain names, or for a specific
scope). I'll provide details on that feature on a follow up e-mail.
* Version 3.3.8 (released 2014-09-18)
** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.
** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.
** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David
** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.
** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.
** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).
** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.
** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.
** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.
** libgnutls: added option --disable-padlock to allow disabling the padlock
** p11tool: when listing tokens, list their type as well.
** p11tool: when listing objects from a trust module print any attached
extensions on certificates.
** API and ABI modifications:
Getting the Software
GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.
Here are the XZ and LZIP compressed sources:
Here are OpenPGP detached signatures signed using key 0x96865171:
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
More information about the Gnutls-help