[gnutls-help] gnutls 3.7.5

Zoltan Fridrich zfridric at redhat.com
Fri May 13 09:12:34 CEST 2022


We have just released gnutls-3.7.5. This is a bug fix and enhancement 
release on the 3.7.x branch.

We would like to thank everyone who contributed in this release:
Tim Kosse, Tatsuhiro Tsujikawa, Brian Wickman, František Krenželok, 
Andreas Metzler,
Benjamin Herrenschmidt, Pedro Monreal, Tobias Heider, Sam James, Daiki 
Ueno and Zoltan Fridrich

The detailed list of changes follows:

* Version 3.7.5 (released 2022-05-15)

** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 
     modifier have been added to disable session ticket usage in TLS 1.2 
     it does not provide forward secrecy (#477). On the other hand, 
since session
     tickets in TLS 1.3 do provide forward secrecy, the PFS priority 
string now
     only disables session tickets in TLS 1.2. Future backward 
     in the next major release of GnuTLS, we plan to remove those flag and
     modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect 
TLS 1.2.

** gnutls-cli, gnutls-serv: Channel binding for printing information
     has been changed from tls-unique to tls-exporter as tls-unique is
     not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
     gnutls more RFC 5280 compliant (!1583).
     Following changes were included:
- critical extensions are parsed when loading x509
       certificate to prohibit any random octet strings.
       Requires strict-x509 configure option to be enabled
     - garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
       of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
     According to the section 2 of SP800-131A Rev.2, 3DES algorithm
     will be disallowed for encryption after December 31, 2023:

** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
     The existing AEAD API that works in a scatter-gather fashion
     (gnutls_aead_cipher_encryptv2) has been extended to support 
     For further optimization, new function (gnutls_aead_cipher_set_key) 
has been
     added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
     when used in TLS (#1311).

** The configure arguments for Brotli and Zstandard (zstd) support
     have changed to reflect the previous help text: they are now
     --with-brotli/--with-zstd respectively (#1342).

** Detecting the Zstandard (zstd) library in configure has been
     fixed (#1343).

** API and ABI modifications:
gnutls_aead_cipher_set_key: New function

Getting the Software

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

Here are OpenPGP detached signatures signed using keys:

Note that it has been signed with my openpgp key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
uid           [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Uenos openpgp key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
uid           [ultimate] Daiki Ueno <ueno at unixuser.org 
uid           [ultimate] Daiki Ueno <ueno at gnu.org 
sub rsa4096 2010-02-04 [E]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x7A75A648B3F9220C.asc
Type: application/pgp-keys
Size: 669 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.sig>

More information about the Gnutls-help mailing list