<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-text-html" lang="x-unicode">
<div class="moz-text-html" lang="x-unicode">
<div class="moz-text-html" lang="x-unicode">
<div dir="ltr">
<div><font face="monospace">Hello,</font></div>
<font face="monospace"> </font>
<div><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div><font face="monospace">We have just released
gnutls-3.8.1. This is a bug fix and enhancement release
on the 3.8.x branch.</font></div>
<font face="monospace"> </font>
<div><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div><font face="monospace">We would like to thank everyone
who contributed in this release:</font></div>
<font face="monospace"> </font>
<div><font face="monospace">Pedro Monreal, Radostin
Stoyanov, xuraoqing, Christopher Baines,<br>
</font></div>
<font face="monospace"> </font>
<div><font face="monospace">Peter Leitmann, Yongye Zhu, Ajit
Singh, Tobias Heider,</font><font face="monospace">
Pravek Sharma</font></div>
<div><font face="monospace">Atharva S Marathe, Andreas
Metzler, Wilbur Wetterquarz,</font></div>
<div><font face="monospace">Elias Gustafsson, </font><font
face="monospace">Richard W.M. Jones, </font><font
face="monospace">Daiki Ueno and Zoltan Fridrich</font><br>
<font face="monospace"> </font></div>
<div><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div><font face="monospace">The detailed list of changes
follows:</font></div>
<div><font face="monospace"><br>
</font></div>
<font face="monospace">* Version 3.8.1 (released 2023-08-03)<br>
<br>
** libgnutls: ClientHello extensions are randomized by
default</font></div>
<div dir="ltr"><font face="monospace"> To make
fingerprinting harder, TLS extensions in ClientHello</font></div>
<div dir="ltr"><font face="monospace"> messages are
shuffled. As this behavior may cause compatibility</font></div>
<div dir="ltr"><font face="monospace"> issue with legacy
applications that do not accept the last</font></div>
<div dir="ltr"><font face="monospace"> extension without
payload, the behavior can be reverted with the</font></div>
<div dir="ltr"><font face="monospace">
%NO_SHUFFLE_EXTENSIONS priority keyword.</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** libgnutls: Add
support for RFC 9258 external PSK importer.</font></div>
<div dir="ltr"><font face="monospace"> This enables to
deploy the same PSK across multiple TLS versions</font></div>
<div dir="ltr"><font face="monospace"> (TLS 1.2 and TLS 1.3)
in a secure manner. To use, the application</font></div>
<div dir="ltr"><font face="monospace"> needs to set up a
callback that formats the PSK identity using</font></div>
<div dir="ltr"><font face="monospace">
gnutls_psk_format_imported_identity().</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** libgnutls:
%GNUTLS_NO_EXTENSIONS has been renamed to</font></div>
<div dir="ltr"><font face="monospace">
%GNUTLS_NO_DEFAULT_EXTENSIONS.</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** libgnutls: Add
additional PBKDF limit checks in FIPS mode as</font></div>
<div dir="ltr"><font face="monospace"> defined in SP
800-132. Minimum salt length is 128 bits and</font></div>
<div dir="ltr"><font face="monospace"> minimum iterations
bound is 1000 for PBKDF in FIPS mode.</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** libgnutls: Add a
mechanism to control whether to enforce extended</font></div>
<div dir="ltr"><font face="monospace"> master secret (RFC
7627). FIPS 140-3 mandates the use of TLS</font></div>
<div dir="ltr"><font face="monospace"> session hash
(extended master secret, EMS) in TLS 1.2. To enforce</font></div>
<div dir="ltr"><font face="monospace"> this, a new priority
keyword %FORCE_SESSION_HASH is added and if</font></div>
<div dir="ltr"><font face="monospace"> it is set and EMS is
not set, the peer aborts the connection. This</font></div>
<div dir="ltr"><font face="monospace"> behavior is the
default in FIPS mode, though it can be overridden</font></div>
<div dir="ltr"><font face="monospace"> through the
configuration file with the "tls-session-hash" option.</font></div>
<div dir="ltr"><font face="monospace"> In either case
non-EMS PRF is reported as a non-approved operation</font></div>
<div dir="ltr"><font face="monospace"> through the FIPS
service indicator.</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** New option --attime
to specify current time.</font></div>
<div dir="ltr"><font face="monospace"> To make testing with
different timestamp to the system easier, the</font></div>
<div dir="ltr"><font face="monospace"> tools doing
certificate verification now provide a new option</font></div>
<div dir="ltr"><font face="monospace"> --attime, which takes
an arbitrary time.</font></div>
<div dir="ltr"><font face="monospace"><br>
</font></div>
<div dir="ltr"><font face="monospace">** API and ABI
modifications:</font></div>
<div dir="ltr"><font face="monospace">gnutls_psk_client_credentials_function3:
New typedef</font></div>
<div dir="ltr"><font face="monospace">gnutls_psk_server_credentials_function3:
New typedef</font></div>
<div dir="ltr"><font face="monospace">gnutls_psk_set_server_credentials_function3:
New function</font></div>
<div dir="ltr"><font face="monospace">gnutls_psk_set_client_credentials_function3:
New function</font></div>
<div dir="ltr"><font face="monospace">gnutls_psk_format_imported_identity:
New function</font></div>
<div dir="ltr"><font face="monospace">GNUTLS_PSK_KEY_EXT: New
enum member of gnutls_psk_key_flags</font></div>
<div dir="ltr"><font face="monospace"><span class="line"
id="LC8" lang="mosel"><span class="p"><br>
</span></span></font></div>
<div dir="ltr"><font face="monospace">Getting the Software<br>
================</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">GnuTLS may be downloaded
directly from <br>
</font> <font face="monospace"><a
href="https://www.gnupg.org/ftp/gcrypt/" target="_blank"
data-saferedirecturl="https://www.google.com/url?q=https://www.gnupg.org/ftp/gcrypt/&source=gmail&ust=1652432968350000&usg=AOvVaw3njjTg_V6cIskMjpkmAg7X">https://www.gnupg.org/ftp/<wbr>gcrypt/</a>
<br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">A list of GnuTLS mirrors
can be found at</font></div>
<font face="monospace"> </font>
<div dir="ltr"> <font face="monospace"><a
href="http://www.gnutls.org/download.html"
target="_blank"
data-saferedirecturl="https://www.google.com/url?q=http://www.gnutls.org/download.html&source=gmail&ust=1652432968350000&usg=AOvVaw1J-wc5GojHL2n94ox7b_09">http://www.gnutls.org/<wbr>download.html</a>
<br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"> Here are the XZ
compressed sources:<br>
</font> <font face="monospace"><a
href="https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz"
target="_blank"
data-saferedirecturl="https://www.google.com/url?q=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.4.tar.xz&source=gmail&ust=1652432968350000&usg=AOvVaw3ybeveKudYmPlqI6U8OXIO"
moz-do-not-send="true">https://www.gnupg.org/ftp/<wbr>gcrypt/gnutls/v3.8/gnutls-3.8.<wbr>1.tar.xz</a>
<br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">Here are OpenPGP
detached signatures signed using keys:</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">5D46CB0F763405A7053556F47A75A6</font><wbr><font
face="monospace">48B3F9220C</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">and<br>
</font> <font face="monospace">462225C3B46F34879FC8496CD60584</font><wbr><font
face="monospace">8ED7E69871</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"><a
href="https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz.sig"
target="_blank"
data-saferedirecturl="https://www.google.com/url?q=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.4.tar.xz.sig&source=gmail&ust=1652432968350000&usg=AOvVaw1J49sWnCfoI9B3ou7WbdQ6"
moz-do-not-send="true">https://www.gnupg.org/ftp/<wbr>gcrypt/gnutls/v3.8/gnutls-3.8.<wbr>1.tar.xz.sig</a>
<br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"><br>
</font> </div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace"> Note that it has been
signed with my openpgp key:<br>
pub ed25519 2021-12-23 [SC] [expires: 2023-12-23]<br>
5D46CB0F763405A7053556F47A75A6</font><wbr><font
face="monospace">48B3F9220C<br>
uid [ultimate] Zoltan Fridrich <<a
href="mailto:zfridric@redhat.com" target="_blank"
class="moz-txt-link-freetext">zfridric@redhat.com</a>><br>
sub cv25519 2021-12-23 [E] [expires: 2023-12-23]<br>
</font> <font face="monospace"><br>
</font> <font face="monospace">and Daiki Uenos openpgp key:<br>
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">
462225C3B46F34879FC8496CD60584</font><wbr><font
face="monospace">8ED7E69871</font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">uid [ultimate]
Daiki Ueno <<a
href="http://lists.gnupg.org/mailman/listinfo/gnutls-help"
target="_blank"
data-saferedirecturl="https://www.google.com/url?q=http://lists.gnupg.org/mailman/listinfo/gnutls-help&source=gmail&ust=1652432968350000&usg=AOvVaw18rxrVXHJCQuhzQT8ikMTN">ueno
at unixuser.org</a>></font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">uid [ultimate]
Daiki Ueno <<a
href="http://lists.gnupg.org/mailman/listinfo/gnutls-help"
target="_blank"
data-saferedirecturl="https://www.google.com/url?q=http://lists.gnupg.org/mailman/listinfo/gnutls-help&source=gmail&ust=1652432968350000&usg=AOvVaw18rxrVXHJCQuhzQT8ikMTN">ueno
at gnu.org</a>></font></div>
<font face="monospace"> </font>
<div dir="ltr"><font face="monospace">sub rsa4096 2010-02-04
[E]<br>
</font> <font face="monospace"><br>
Regards,<br>
Zoltan</font></div>
</div>
</div>
</div>
<p></p>
</body>
</html>