[gnutls-help] gnutls 2.12.24
nmav at gnutls.org
Fri Nov 4 08:13:19 CET 2016
I've just released gnutls 2.12.24. This is an update on the long-time
deprecated 2.12.x branch. It fixes several interoperability issues
present at this branch, removes support for legacy protocols and
ciphersuites, and improves TLS 1.2 support.
The update on this branch does not put 2.12.x into the maintained
branches but it is rather a one-time update (sponsored by Red Hat) to
extend the lifetime of systems which cannot upgrade to newer supported
releases due to the ABI breakage. There are no other planned updates.
Version 2.12.24 (released 2016-11-04)
** libgnutls: Fix in TLS server hello parsing (GNUTLS-SA-2014-3)
** libgnutls: Fix in TLS record decoding (GNUTLS-SA-2013-2)
** libgnutls: Fix in certificate verification (GNUTLS-SA-2014-1,
** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan (GNUTLS-SA-2015-2).
** libgnutls: Separated the logic of supported signature algorithms for
CertificateRequest message and ClientHello. This allows the former to
be restricted to SHA1 and SHA256 due to internal limitations, while the
latter can utilize any supported algorithms.
** libgnutls: Be less strict in TLS 1.2 signature algorithm adherence. This
improves compatibility with sites that have a certificate with an enabled
hash algorithm but necessarily enabled for TLS negotiation.
** libgnutls: No longer set SSL 3.0 as the record layer version by default.
This improves interoperability against broken servers which
assume that this version is supported by the client.
** libgnutls: No longer include SSL 3.0 in the default protocol list.
SSL 3.0 must be explicitly enabled using a priority string.
** libgnutls: Prohibit DSA2 signatures when used with the libgcrypt
backend. There are interoperability issues, and these algorithms are
too rare to require a proper fix.
** libgnutls: The minimum Diffie-Hellman bits size was raised to 1023 from
** libgnutls: Removed support for EXPORT ciphersuites. The EXPORT priority
string becomes an alias to NORMAL.
** libgnutls: Disabled random padding in the TLS protocol to improve compatibility
with various broken servers.
** libgnutls: the ARCFOUR-128 cipher was removed from the default priority lists.
** libgnutls: Do not call the post client hello callback twice when resuming
using session tickets.
** libgnutls: Corrected the setting of PSK hint for DHE-PSK ciphersuites.
** libgnutls: Do not link with libpthread unless necessary.
** libgnutls: Introduced the priority strings KX-ALL, VERS-ALL, CURVE-ALL (no-op)
to improve compatibility with later versions of gnutls.
** API and ABI modifications:
No changes since last version.
Getting the Software
GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.
Here are the XZ compressed sources:
Here are OpenPGP detached signatures signed using key 0x96865171:
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
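
Added example (not part of the original announcement and not GnuTLS project code): a small Python check that flags priority strings affected by the 2.12.24 changes listed above, namely explicit re-enabling of SSL 3.0 or ARCFOUR-128, use of EXPORT, and the newly introduced KX-ALL, VERS-ALL and CURVE-ALL keywords. The function name, the rule table and the sample strings are assumptions made for this illustration.

```python
# Added example: audit GnuTLS priority strings against the 2.12.24 release notes.
# The rule table is derived from the notes above; sample strings are constructed.

# Name following a '+' modifier -> why it deserves review after this release.
REENABLED = {
    "VERS-SSL3.0": "SSL 3.0 is no longer in the default protocol list; this re-enables it",
    "ARCFOUR-128": "ARCFOUR-128 was removed from the default priority lists; this re-enables it",
}
NEW_IN_2_12_24 = {"KX-ALL", "VERS-ALL", "CURVE-ALL"}


def audit_priority(priority):
    """Return a list of (level, token, message) findings for one priority string."""
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens:
        return [("error", "", "empty priority string")]
    findings = []
    # A leading token without a modifier is the base keyword (NORMAL, EXPORT, ...).
    if tokens[0].upper() == "EXPORT":
        findings.append(("info", tokens[0],
                         "EXPORT is now an alias to NORMAL; EXPORT ciphersuites were removed"))
    # Tokens apply left to right, so remember only the last modifier per name:
    # a later '-' or '!' cancels an earlier '+'. Names are compared upper-cased here.
    last_modifier = {}
    for tok in tokens:
        if tok[0] in "+-!":
            last_modifier[tok[1:].upper()] = tok[0]
    for name, mod in last_modifier.items():
        if mod != "+":
            continue
        if name in REENABLED:
            findings.append(("warn", "+" + name, REENABLED[name]))
        elif name in NEW_IN_2_12_24:
            findings.append(("info", "+" + name,
                             "keyword introduced in 2.12.24 for compatibility with later versions"))
    return findings


if __name__ == "__main__":
    # Constructed sample configuration values.
    samples = [
        "NORMAL",
        "NORMAL:+VERS-SSL3.0:+ARCFOUR-128",
        "EXPORT:+VERS-SSL3.0:-VERS-SSL3.0",
        "NORMAL:%COMPAT:+KX-ALL",
    ]
    for s in samples:
        for level, token, message in audit_priority(s):
            print(f"{level:5} {s!r}: {token}: {message}")
```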