[gnutls-help] gnutls 3.3.8

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Sep 18 14:10:09 CEST 2014

 I've just released gnutls 3.3.8. This is a bug-fix release on
the next-stable branch. An important aspect of this release is that it
completes support for the p11-kit trust module, allowing gnutls to
utilize attached extensions in the system CA certificates (e.g. to
restrict a CA certificate to certain domain names, or for a specific
scope). I'll provide details on that feature on a follow up e-mail.

* Version 3.3.8 (released 2014-09-18)

** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.

** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.

** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.

** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).

** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.

** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.

** p11tool: when listing tokens, list their type as well.

** p11tool: when listing objects from a trust module print any attached
extensions on certificates.

** API and ABI modifications:
gnutls_x509_crq_get_extension_by_oid2: Added
gnutls_x509_crt_get_extension_by_oid2: Added
gnutls_x509_trust_list_verify_crt2: Added
gnutls_x509_ext_print: Added
gnutls_x509_ext_deinit: Added
gnutls_x509_othername_to_virtual: Added
gnutls_pkcs11_obj_get_exts: Added

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-help mailing list