From nmav at gnutls.org Sat Oct 21 09:41:38 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 Oct 2017 09:41:38 +0200
Subject: [gnutls-help] gnutls 3.5.16
Message-ID: <1508571698.3494.1.camel@gnutls.org>
Hello,
I've just released gnutls 3.5.16. This is a bug fix release on the
current stable branch. Note that I've also switched the release
cadence to bi-monthly as less and less bug fixes/updates accumulate
each month on this branch.
* Version 3.5.16 (released 2017-10-21)
** libgnutls: Fixed issue which causes 1-byte handshake fragments to be refused.
   Reported by Balázs Kéri.
** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.
** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.
** libgnutls: When selecting a client side signature algorithm, prefer the signature
   schemes in the enabled list (Since 3.5.5 client certificates can be used even
   if they contain disallowed algorithms for a session, to allow utilizing old
   client certificates -like DSA-SHA1 without enabling DSA for the server certificate).
** p11tool: The options --set-pin and --set-so-pin can be used with all operations
   not only with --initialize.
** p11tool: Mark all generated objects as sensitive by default.
** certtool: Enable certificate fingerprint generation with sha512 (#295).
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
.  A list of GnuTLS mirrors can be
found at .
Here are the XZ compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.16.tar.xz
Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.16.tar.xz.sig
Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sat Oct 21 09:51:47 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 21 Oct 2017 09:51:47 +0200
Subject: [gnutls-help] gnutls 3.6.1
Message-ID: <1508572307.3494.3.camel@gnutls.org>
Hello,
I've just released gnutls 3.6.1. This is a bug fix release for
the 3.6.x branch. The releases on this branch will continue on a
bi-monthly period.
* Version 3.6.1 (released 2017-10-21)
** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.
** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.
** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.
** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.
** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.
** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.
** p11tool: Mark all generated objects as sensitive by default.
** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
.  A list of GnuTLS mirrors can be
found at .
Here are the XZ compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.6.1.tar.xz
Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.6.1.tar.xz.sig
Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
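
The SNI check on session resumption listed in both the 3.5.16 and 3.6.1 notes above, sketched as an added example (not part of the original messages and not GnuTLS code): the server resumes only when the ClientHello names the same host as the original handshake, and otherwise falls back to a full handshake. The cache layout, the function names, the case-insensitive comparison and the treatment of an absent name are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical server-side cache entry; GnuTLS's internal layout differs. */
struct cached_session {
    const char *session_id;
    const char *sni;            /* name from the original handshake, NULL if none */
};

/* Constructed sample cache. */
static const struct cached_session cache[] = {
    { "id-01", "shop.example.com" },
    { "id-02", NULL },
};

/* Assumption: host names compare case-insensitively; absent only matches absent. */
static bool sni_matches(const char *stored, const char *offered)
{
    if (stored == NULL || offered == NULL)
        return stored == offered;
    for (; *stored && *offered; stored++, offered++)
        if (tolower((unsigned char)*stored) != tolower((unsigned char)*offered))
            return false;
    return *stored == *offered; /* equal only if both strings ended together */
}

/* Returns true to resume, false to fall back to a full handshake. */
bool may_resume(const char *session_id, const char *offered_sni)
{
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++) {
        if (strcmp(cache[i].session_id, session_id) != 0)
            continue;
        return sni_matches(cache[i].sni, offered_sni);
    }
    return false;               /* unknown session: nothing to resume */
}

int main(void)
{
    printf("same name:      %d\n", may_resume("id-01", "shop.example.com"));
    printf("different name: %d\n", may_resume("id-01", "admin.example.com"));
    printf("name dropped:   %d\n", may_resume("id-01", NULL));
    printf("name added:     %d\n", may_resume("id-02", "shop.example.com"));
    return 0;
}
```
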