[gnutls-help] gnutls 3.8.1

Zoltan Fridrich zfridric at redhat.com
Fri Aug 4 12:32:17 CEST 2023


Hello,

We have just released gnutls-3.8.1. This is a bug fix and enhancement 
release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Pedro Monreal, Radostin Stoyanov, xuraoqing, Christopher Baines,
Peter Leitmann, Yongye Zhu, Ajit Singh, Tobias Heider,Pravek Sharma
Atharva S Marathe, Andreas Metzler, Wilbur Wetterquarz,
Elias Gustafsson, Richard W.M. Jones, Daiki Ueno and Zoltan Fridrich

The detailed list of changes follows:

* Version 3.8.1 (released 2023-08-03)

** libgnutls: ClientHello extensions are randomized by default
    To make fingerprinting harder, TLS extensions in ClientHello
    messages are shuffled. As this behavior may cause compatibility
    issue with legacy applications that do not accept the last
    extension without payload, the behavior can be reverted with the
%NO_SHUFFLE_EXTENSIONS priority keyword.

** libgnutls: Add support for RFC 9258 external PSK importer.
    This enables to deploy the same PSK across multiple TLS versions
    (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
    needs to set up a callback that formats the PSK identity using
gnutls_psk_format_imported_identity().

** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
%GNUTLS_NO_DEFAULT_EXTENSIONS.

** libgnutls: Add additional PBKDF limit checks in FIPS mode as
    defined in SP 800-132. Minimum salt length is 128 bits and
    minimum iterations bound is 1000 for PBKDF in FIPS mode.

** libgnutls: Add a mechanism to control whether to enforce extended
    master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
    session hash (extended master secret, EMS) in TLS 1.2. To enforce
    this, a new priority keyword %FORCE_SESSION_HASH is added and if
    it is set and EMS is not set, the peer aborts the connection. This
    behavior is the default in FIPS mode, though it can be overridden
    through the configuration file with the "tls-session-hash" option.
    In either case non-EMS PRF is reported as a non-approved operation
    through the FIPS service indicator.

** New option --attime to specify current time.
    To make testing with different timestamp to the system easier, the
    tools doing certificate verification now provide a new option
    --attime, which takes an arbitrary time.

** API and ABI modifications:
gnutls_psk_client_credentials_function3: New typedef
gnutls_psk_server_credentials_function3: New typedef
gnutls_psk_set_server_credentials_function3: New function
gnutls_psk_set_client_credentials_function3: New function
gnutls_psk_format_imported_identity: New function
GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags

Getting the Software
================

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz>

Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C
and
462225C3B46F34879FC8496CD605848ED7E69871
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz.sig 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz.sig>

Note that it has been signed with my openpgp key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
       5D46CB0F763405A7053556F47A75A648B3F9220C
uid           [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Uenos openpgp key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno <ueno at unixuser.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>
uid           [ultimate] Daiki Ueno <ueno at gnu.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>
sub rsa4096 2010-02-04 [E]

Regards,
Zoltan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230804/c7a9f905/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x7A75A648B3F9220C.asc
Type: application/pgp-keys
Size: 669 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230804/c7a9f905/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20230804/c7a9f905/attachment-0001.sig>


More information about the Gnutls-help mailing list