[gnutls-help] gnutls 3.6.4

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 24 17:51:54 CEST 2018 

Hello, 
 I've just released gnutls 3.6.4. This release adds support for the
final TLS 1.3 protocol version, and enables it by default. The more
detailed list of changes follows.


* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
   gnutls_certificate_set_retrieve_function() which could not handle the case where
   no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no
   certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
   is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP.
   The key set with gnutls_session_ticket_enable_server() is used as a
   master key to generate time-based keys for tickets. The rotation
   relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the
   'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
   This addresses the problem where the CA certificate doesn't have a subject key
   identifier whereas the end certificates have an authority key identifier (#569)

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
   gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
   and export GOST parameters in the "native" little endian format used for these
   curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for seperately negotiating client and server certificate types
   as defined in RFC7250. This mechanism must be explicitly enabled via the
   GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.4.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.4.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

More information about the Gnutls-help mailing list