[gnutls-help] gnutls 3.5.7

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 8 08:04:07 CET 2016

 I've just released gnutls 3.5.7. This is the last release in the 3.5.x
branch introducing major changes. The next releases after 3.5.7 will be
marked as stable and replace the 3.4.x branch. New features will enter
at a new 3.6.x branch.

* Version 3.5.7 (released 2016-12-8)

** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
   and SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
   operate with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN
   format rather than the strict RFC4514 compliant textual DN. This
   reverts the 3.5.6 introduced change, and allows applications which
   depended on the previous format to continue to function. Introduced
   new functions which output the strict format by default, and can
   revert to the old one using a flag.

** libgnutls: Improved TPM key handling. Check authorization 
   requirements prior to using a key and fix issue on loop for PIN
   input. Patches by James Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that
   passwords are normalized according to RFC7613. When invalid UTF-8
   passwords are detected, they are only tolerated for decryption.
   This introduces a libunistring dependency on GnuTLS. A version of
   libunistring is included in the library for the platforms that do
   not ship it; it can be used with the '--with-included-unistring'
   option to configure script.

** libgnutls: When setting a subject alternative name in a certificate
   which is in UTF-8 format, it will transparently be converted to IDNA
   form prior to storing.

** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
   will print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: enhance the PKCS#7 verification capabilities. In the case
   signers that are not discoverable using the trust list or input, use
   the stored list as pool to generate a trusted chain to the signer.

** libgnutls: Improved MTU calculation precision for the CBC
   ciphersuites under DTLS.

** libgnutls: [added missing news entry since 3.5.0]
   No longer tolerate certificate key usage violations for
   TLS signature verification, and decryption. That is GnuTLS will fail
   to connect to servers which incorrectly use a restricted to signing
   certificate for decryption, or vice-versa. This reverts the lax
   behavior introduced in 3.1.0, due to several such broken servers
   being available. The %COMPAT priority keyword can be used to work-
   around connecting on these servers.

** certtool: When exporting a CRQ in DER format ensure no text data are
   intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of key ID in --certificate-
   info options.

** p11tool: Introduced the --initialize-pin and --initialize-so-pin

** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-help mailing list